CrowdStrike Falcon 2.0.0
App Vendor: CrowdStrike
App Category: Endpoint
Connector Version: 2.2.0
API Version: 1.0.0
About App
CrowdStrike Falcon is a comprehensive cybersecurity platform that provides advanced threat protection, endpoint security, and threat intelligence to defend against cyberattacks and secure organizations' digital assets. It utilizes cloud-native technology and artificial intelligence to deliver real-time threat detection and response capabilities.
The CrowdStrike Falcon app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Add Hosts to Static Host Group | This action adds hosts to a static host group in CrowdStrike Falcon. |
Adding IOA Exclusion (Deprecated) | The action adds an IOA exclusion. |
Add Tags To Falcon Grouping | This action assigns tags to hosts. |
Assign Prevention Policies to Host Groups | This action assigns prevention policies to host groups. |
Assign Sensor Policies to Host Groups | This action assigns sensor policies to host groups. |
Bulk Fetch Indicators | This action fetches details about a batch of indicators. Results can be filtered using an FQL query. |
Contain a Host | This action contains a host using its ID. |
Create Host Group | This action creates a host group. |
Create Machine Learning Exclusion | This action creates a machine-learning exclusion. |
Create Response Time File | The action creates a response time file. |
Create Sensor Visibility Learning Exclusion | This action creates a sensor visibility exclusion. |
Delete Indicator ID | This action deletes indicators. |
Delete ML Exclusion | The action deletes a machine learning (ML) exclusion. |
Delete Response Time File | The action deletes the response time file. |
Delete SV Exclusion | The action deletes an SV exclusion. |
Fetch Detection Details | The action retrieves a particular detection's details. |
Fetch Detection IDs | The action searches for detections in order to learn more about activity in your environment. |
Fetch Incident Detail | The action retrieves a particular incident's details. |
Fetch Particular IOA Exclusion | The action retrieves the particular IOA exclusion. |
Fetch Particular ML Exclusion Details | The action retrieves details of an ML exclusion. |
Fetch Particular Sensor Visibility Exclusion | The action retrieves a particular sensor visibility exclusion. |
Fetch Real Time Policy Agent IDs | The action retrieves the real-time policy agent IDs. |
Fetch Real Time Policy Hosts | The action retrieves the real-time policy hosts. |
Fetch Real Time Response Script | This action searches and filters existing scripts uploaded to CrowdStrike Falcon. |
Find Existing Prevention Policies | The action finds existing prevention policies. |
Find Existing Sensor Policies | The action finds existing sensor policies. |
Find Host Group Members | This action retrieves the IDs of hosts in a host group. |
Find Host Groups | The action searches for host groups. |
Find Host With Device Query | The action searches for hosts with various device filters. |
Find Indicator IDs | This action finds IDs of indicators. |
Find IOA Exclusion | The action searches for IOA exclusions. |
Find Machine Learning Exclusion | The action searches for machine learning exclusions. |
Find Sensor Visibility Exclusion | The action retrieves the list of all sensor visibility exclusions. |
Get Aggregated Alerts | This action fetches aggregated alerts from CrowdStrike Falcon. |
Get Alert Details | This action is used to fetch the details of an alert from CrowdStrike Falcon. |
Get Device Info By ID | The action searches for the device information using its device ID. |
Get Host Details | This action retrieves detailed information of one or more hosts. |
Get Host Details for Observed Indicator | This action retrieves host details using an observed indicator. |
Get Incident IDs | This action gets incident IDs. |
Get Real Time Response Scripts | This action retrieves real time response scripts using their IDs. |
Get Remediation Details | This action retrieves remediation details using remediation IDs. |
Get Response Time Files | The action retrieves the response time files. |
Get Status of Host | This action retrieves the status of a host. |
Get Vulnerability Details | This action retrieves details of a vulnerability using the vulnerability ID. |
Get Vulnerability List | This action retrieves the list of vulnerabilities from CrowdStrike Falcon. |
Lift Host Containment | The action lifts the containment of a host. |
List All Alerts | This action fetches all alerts from CrowdStrike Falcon. |
List Hidden Host IDs | This action gets a list of hidden host IDs. |
List Response Time Files | The action retrieves the list of all the response time files. |
Modify Detections | The action modifies detections. |
Modify Incidents | This action modifies incidents in CrowdStrike Falcon. |
Modify ML Exclusion | The action modifies the machine learning exclusion. |
Modify SV Exclusion | The action modifies the SV exclusion. |
Query Indicator | This action queries for various indicators. |
Real Time Execute Command Single Host | The action executes a command on a single host. |
Real Time Read Command | The action executes the RTR read-only command across the hosts mapped to the given batch ID. |
Real Time Response Admin Command | The action executes the RTR admin command across the hosts mapped to the given batch ID. |
Real Time Write Command | The action executes the RTR write-only command across the hosts mapped to the given batch ID. |
Remove Hosts from Static Host Group | This action removes hosts from a static host group in CrowdStrike Falcon. |
Removing Falcon Grouping Tags | This action removes Falcon grouping tags from hosts. |
Retrieve Zero Trust Assessment Data by Host | The action retrieves ZTA data by the host. |
Retrieving Host NIC History | The action can be used to retrieve host NIC history. |
Retrieving Host With Device Scroll | The action can be used to retrieve the host with the device scroll. |
Retrieving Indicator ID Details | The action retrieves the indicator ID details. |
Retrieving Last Logged User Info | The action retrieves the last logged-in user information. |
Search Host for Observed Indicator | The action searches hosts for observed indicators. |
Search Vulnerabilities | This action searches for vulnerabilities using FQL filters. |
Send Real Time Response to a Batch of Hosts | The action initiates a session with one or more hosts. |
Send Real Time Response to a Single Host | The action initiates a real-time session for a single host. |
Update Alerts | This action updates alerts in CrowdStrike Falcon. |
Update Detection Status | This action updates the status of the detections in incidents. |
Update Indicators | The action updates the indicators. |
Upload Indicators | This action is used to upload indicators in CrowdStrike Falcon. |
Generic Action | This is a generic action used to make requests to any CrowdStrike Falcon endpoint. |
Configuration Parameters
The following configuration parameters are required for the CrowdStrike Falcon app to communicate with the CrowdStrike Falcon enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access Crowdstrike Falcon. Example: https://api.crowdstrike.com | Text | Required | |
Client ID | Enter the client ID. | Text | Required | |
Client Secret Key | Enter the client secret key to authenticate with Crowdstrike Falcon. | Password | Required | |
Verify | Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to yes. Setting it to no skips certificate verification, so the connection may be established without validating the server's identity. | Boolean | Optional | By default, the verification is not enabled. |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with CrowdStrike Falcon. | Integer | Optional | Allowed range: 15-120. Default value: 15 |
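The configuration table above leaves the security consequence of the Verify and Timeout settings implicit. The following Python snippet is an added example, not code from the connector or from CrowdStrike: it applies the table's documented rules (https base URL, required credentials, Verify defaulting to no, Timeout in the 15-120 second range with a default of 15) and shows what Verify=yes and Verify=no each mean at the TLS layer. The class and function names, and the `allow_unverified` opt-in, are this example's own assumptions; the sample credentials are constructed placeholders.

```python
import ssl
from dataclasses import dataclass
from urllib.parse import urlparse

# Limits documented for the Timeout parameter (seconds).
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15


@dataclass(frozen=True)
class FalconConnectorConfig:
    """Validated instance settings; field names are this example's own."""
    base_url: str
    client_id: str
    client_secret: str
    verify: bool
    timeout: int


def validate_config(base_url, client_id, client_secret, verify=None, timeout=None,
                    *, allow_unverified=False):
    """Apply the rules from the configuration table and refuse weak settings.

    verify defaults to False, as documented, but an unverified instance is
    rejected unless the caller opts in explicitly with allow_unverified=True
    (a hypothetical switch added for this example).
    """
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("Base URL must be an https:// URL such as https://api.crowdstrike.com")
    if not client_id or not client_secret:
        raise ValueError("Client ID and Client Secret Key are required")
    if verify is None:
        verify = False  # documented default: verification not enabled
    if not verify and not allow_unverified:
        raise ValueError("Verify is off: the server certificate would not be checked; "
                         "set Verify to yes or pass allow_unverified=True deliberately")
    if timeout is None:
        timeout = TIMEOUT_DEFAULT
    if not TIMEOUT_MIN <= int(timeout) <= TIMEOUT_MAX:
        raise ValueError(f"Timeout must be between {TIMEOUT_MIN} and {TIMEOUT_MAX} seconds")
    return FalconConnectorConfig(base_url.rstrip("/"), client_id, client_secret,
                                 bool(verify), int(timeout))


def validation_error(*args, **kwargs):
    """Return the validation message for bad input, or None if the input is accepted."""
    try:
        validate_config(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def tls_context(cfg):
    """Build the TLS context the Verify setting implies.

    Verify=yes keeps Python's default: chain validation against the system
    trust store plus hostname matching. Verify=no disables both, which is
    what 'not verifying SSL/TLS' means on the wire.
    """
    ctx = ssl.create_default_context()
    if not cfg.verify:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_tls(cfg):
    """Summarise the effective TLS posture of an instance as plain values."""
    ctx = tls_context(cfg)
    return {
        "hostname_checked": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "timeout_seconds": cfg.timeout,
    }


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    strong = validate_config("https://api.crowdstrike.com/", "client-id-placeholder",
                             "client-secret-placeholder", verify=True, timeout=30)
    weak = validate_config("https://api.crowdstrike.com", "client-id-placeholder",
                           "client-secret-placeholder", verify=False, allow_unverified=True)
    print("recommended:", describe_tls(strong))
    print("Verify=no:  ", describe_tls(weak))
    print("rejected:   ", validation_error("http://api.crowdstrike.com", "id", "secret", verify=True))
```

Running the module prints the posture for a recommended instance (hostname checked, `CERT_REQUIRED`), the posture that Verify=no produces (`CERT_NONE`, no hostname check), and the rejection message for a plain-http base URL. The design point is that the documented default of Verify=no is the weak setting, so a wrapper that creates instances should make disabling verification a deliberate act rather than the path of least resistance.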
Action: Add Hosts to Static Host Group
This action adds hosts to a static host group in CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host group IDs | Enter one or more static host group IDs to which you want to add the hosts. Example: ["8015xxxxxxxx105d"] | List | Required | |
Name | Enter the action name to add the hosts. Example: filter | Text | Required | |
Value | Enter the host IDs to be added to the static host group. Example: device_id:['e139xxxxxxxx5885', '8393xxxxxxxx9650','389axxxxxxxx5e80'] | Text | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| String | Trace ID for the request |
| Array | List of errors, if any |
| Array | List of resources returned in the response |
| String | The unique identifier for the static host group |
| String | The type of group (e.g., static) |
| String | The name of the group |
| String | The description of the group |
| String | The assignment rule for the group |
| String | ID of the user who created the group |
| String | Timestamp when the group was created |
| String | ID of the user who last modified the group |
| String | Timestamp when the group was last modified |
Action: Adding IOA Exclusion (Deprecated)
The action adds an IOA exclusion to CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Cl Regex | Enter the CL regex. | Text | Required | |
Comment | Enter a comment. | Text | Required | |
Description | Enter the description. | Text | Required | |
Detection JSON | Enter the detection JSON. | Text | Optional | |
Group | Enter the groups. Example: ['2345jdsie3xxxx'] | List | Optional | |
IFN Regex | Enter the IFN regex. | Text | Required | |
Name | Enter the name. Example: Example IOA Exclusion | Text | Required | |
Pattern ID | Enter the pattern ID. Example: 10197 | Text | Required | |
Pattern Name | Enter the pattern name. Example: sampletemplatedetection | Text | Required | |
Action: Add Tags To Falcon Grouping
This action adds Falcon grouping tags to hosts. These tags are used to dynamically assign hosts to host groups based on custom keywords you define.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID List | Enter the list of host IDs to assign the tags. Example: ['bf4fbxxxxxx4b8026'] | List | Required | |
Tags List | Enter the list of tags. Example: ["falcongroupingtags/tag1", "falcongroupingtags/tag2"] | List | Required | Each tag must use the format FalconGroupingTags/{tagName}. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to process the query |
| String | Indicates the service that processed the request |
| String | Unique identifier for tracing the request |
| Array | List of resources affected by the request |
| String | The unique identifier for the host |
| Boolean | Indicates if the host information was updated |
| Integer | HTTP status code of the operation |
| Array | Errors encountered during the request, if any |
Action: Assign Prevention Policies to Host Groups
This action assigns prevention policies to host groups.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the action parameter name. Example: group_id | Text | Required | Allowed value: group_id |
Host Group ID | Enter the ID of the host group to which you want to assign the policy. Example: 80156bb05a144660b89426884720105d | Text | Required | |
Policy IDs | Enter one or more unique IDs of the prevention policies to assign to the host group. Example: b0ceca08642b4103a344f8251c492861 | List | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to process the query |
| String | Unique identifier for tracing the request |
| Array | List of resources affected by the request |
| Array | Errors encountered during the request, if any |
Action: Assign Sensor Policies to Host Groups
This action assigns sensor policies to host groups.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the action parameter name. Example: group_id | Text | Required | Allowed value: group_id |
Host Group ID | Enter the ID of the host group to which you want to assign the policy. Example: 80156bb05a144660b89426884720105d | Text | Required | |
Policy IDs | Enter one or more unique IDs of the sensor update policies to assign to the host group. Example: ["b0ceca08642b4103a344f8251c492861"] | List | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to process the query |
| String | Unique identifier for tracing the request |
| Array | List of resources affected by the request |
| Array | Errors encountered during the request, if any |
Action: Bulk Fetch Indicators
This action gets detailed info about a larger batch of indicators by specifying Falcon Query Language (FQL) filters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter | Enter the FQL filter query to narrow the results. Filter values are case-sensitive. Example: type: "domain" | Text | Optional | For more information about allowed filters, see CrowdStrike Falcon API Documentation. |
Example Request
[ { "filters": "type:\"domain\"" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| Object | Pagination information |
| Integer | Limit on the number of items per page |
| Integer | Total number of indicators |
| String | Name of the service powering the response |
| String | Trace ID for the request |
| Null | Errors in the response, if any |
| Array | List of indicators |
| String | Unique identifier for the indicator |
| String | Type of the indicator |
| String | Value of the indicator |
| String | Source of the indicator |
| String | Action to take on the indicator |
| String | Severity level of the indicator |
| Array | List of host groups associated with the indicator |
| Boolean | Indicates if the indicator is applied globally |
| Array | List of platforms the indicator applies to |
| Array | Tags associated with the indicator |
| Boolean | Indicates if the indicator is deleted |
| String | Timestamp when the indicator was created |
| String | Email of the user who created the indicator |
| String | Timestamp when the indicator was last modified |
| String | Email of the user who last modified the indicator |
Action: Contain a Host
This action contains a potentially compromised host, identified by its ID, so that it can no longer communicate.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host ID | Enter the ID (agent ID) of the host you want to contain. Example: ["cdc40c8ad8314cf296016a507460c563"] | List | Required | You can get the agent ID from a detection, the Falcon console, or the streaming API in CrowdStrike Falcon. |
Example Request
[ { "host_id": [ "cdc40c8ad8314cf296016a507460c563" ] } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| String | Name of the service powering the response |
| String | Trace ID for the request |
| Array | Errors in the response, if any |
| Array | List of hosts contained |
| String | Unique identifier for the host |
| String | Endpoint to access the host |
Action: Create Host Group
This action is used to create a host group. Host groups determine which policies are applied to which hosts. The host group type can be dynamic or static. After a group is created, its type can’t be changed.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Resource | Enter the details to create a host group. Example: [{"name":"test group","description":"sample test","group_type":"dynamic"}] | List | Required | For more information, see CrowdStrike Falcon API Documentation. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| String | Trace ID for the request |
| Array | List of errors, if any |
| Array | List of resources returned in the response |
| String | The unique identifier for the host group |
| String | The type of group (e.g., dynamic) |
| String | The name of the group |
| String | The description of the group |
| String | The assignment rule for the group |
| String | ID of the user who created the group |
| String | Timestamp when the group was created |
| String | ID of the user who last modified the group |
| String | Timestamp when the group was last modified |
Action: Create Machine Learning Exclusion
This action creates a machine learning exclusion in CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Excluded From | Enter whether the hosts are excluded from blocking (detections and preventions) or extraction (uploads to CrowdStrike Falcon). | List | Required | Allowed values: blocking, extraction |
Comment | Enter a comment for the audit log. | Text | Required | |
Groups | Enter the host groups to which the exclusion applies. To apply the exclusion to all groups, enter ['all']. | List | Required | |
Exclusion Pattern | Enter the exclusion pattern in glob syntax. Example: /foo | Text | Required | For more information about the Glob Syntax, see CrowdStrike Falcon Documentation. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | Time taken for the query in seconds |
| String | Unique identifier for tracing the request |
| Array | List of errors (empty if no errors) |
| Array | List of machine learning exclusions |
| String | Unique identifier for the exclusion |
| String | Value or pattern excluded from machine learning operations |
| String | Regular expression pattern value |
| String | Hash of the exclusion value |
| Array | List of operations from which the exclusion is applied (e.g., "blocking", "extraction") |
| Array | List of groups (empty in this case) |
| Boolean | Indicates if the exclusion is applied globally |
| String | Timestamp when the exclusion was last modified |
| String | User who last modified the exclusion |
| String | Timestamp when the exclusion was created |
| String | User who created the exclusion |
Action: Create Response Time File
The action creates a response time file in CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File Path | Enter the file path. Example: /tmp/intel.pdf | Text | Required | |
File Name | Enter the file name. Example: response file | Text | Required | |
Description | Enter the description. | Text | Optional | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata object containing additional information |
| String | Indicates the API service that powered the response |
| Float | The time taken for the query in seconds |
| String | Unique identifier for tracing the API request |
| Object | Details of resources affected by the operation |
| Integer | Number of resources affected by the operation |
Action: Create Sensor Visibility Learning Exclusion
This action creates a sensor visibility exclusion.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Comment | Enter the comment. | Text | Required | |
Groups | Enter the host groups to which the exclusion applies. To apply the exclusion to all groups, enter ['all']. | List | Required | |
Value | Enter the exclusion pattern in glob syntax. Example: "/foo" | Text | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Meta information about the API response |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the API request |
| Array | List of errors (empty if no errors) |
| Array | List of resources (in this case, exclusions) |
| String | Unique identifier for the exclusion |
| String | The trusted file path excluded from sensor visibility |
| String | Regular expression value for the exclusion |
| String | Hash value of the trusted file path |
| Array | List of groups associated with the exclusion |
| Boolean | Indicates if the exclusion is applied globally |
| String (ISO 8601) | Date and time when the exclusion was last modified |
| String | Username of the user who last modified the exclusion |
| String (ISO 8601) | Date and time when the exclusion was created |
| String | Username of the user who created the exclusion |
Action: Delete Indicator ID
This action deletes indicators in CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator ID | Enter the list of indicator IDs. Example: $list[5130b3232266ec3d0712faaa503b0702dbfd5cced6aa725efd2bb19de1898655,16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d] For single indicators: 16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d | List | Optional | You can retrieve this using the action Find Indicator IDs. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Meta information about the API response |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the API request |
| Array | List of errors (empty if no errors) |
| Array | List of indicator IDs deleted |
Action: Delete ML Exclusion
The action deletes a machine learning (ML) exclusion.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ML Exclusion IDs | Enter one or more ML exclusion IDs. Example: ['b0ceca08642b4103a344f8251c492861'] | List | Required | |
Comment | Enter a comment. | Text | Optional | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Meta information about the API response |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the API request |
| Array | List of errors (empty if no errors) |
| Array | List of machine learning exclusion IDs deleted |
Action: Delete Response Time File
The action deletes a response time file.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File ID | Enter the response time file ID. Example: xxxxxxc611ec85f082cab6337bcd_1cff909fxxxxxx | Text | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Meta information about the API response |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the API request |
| Array | List of errors (empty if no errors) |
| Array | List of Real Time Response "put" file IDs deleted |
Action: Delete SV Exclusion
The action deletes SV exclusions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
SV Exclusion IDs | Enter the SV exclusion IDs. Example: ['b0ceca08642b4103a344f8251c492861'] | List | Required | |
Comment | Enter a comment. | Text | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Meta information about the API response |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the API request |
| Array | List of errors (empty if no errors) |
| Array | List of sensor visibility exclusion IDs deleted |
Action: Fetch Detection Details
The action retrieves detection details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detection IDs | Enter the detection ID list. Example: ["ldt:3752xxxxxxxx9964:8175xxxx2029"] | List | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
{app_instance} | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | JSON Object | Includes the response received from the app action. |
app_instance.response.meta | Object | Metadata about the response |
app_instance.response.meta.query_time | Number | Time taken to process the query |
app_instance.response.meta.powered_by | String | Indicates the service powering the API |
app_instance.response.meta.trace_id | String | Trace ID for the query |
app_instance.response.resources | Array | List of detection resources |
app_instance.response.resources.cid | String | Customer ID associated with the detection |
app_instance.response.resources.detection_id | String | Unique identifier for the detection |
app_instance.response.resources.device | Object | Details of the device associated with the detection |
app_instance.response.resources.device.device_id | String | Unique identifier for the device |
app_instance.response.resources.device.cid | String | Customer ID of the device |
app_instance.response.resources.device.agent_load_flag | String | Flags set when the agent was loaded |
app_instance.response.resources.device.agent_local_time | String | Local time on the agent |
app_instance.response.resources.device.agent_version | String | Version of the agent |
app_instance.response.resources.device.bios_manufacturer | String | BIOS manufacturer |
app_instance.response.resources.device.bios_version | String | BIOS version |
app_instance.response.resources.device.config_id_base | String | Base configuration ID |
app_instance.response.resources.device.config_id_build | String | Build configuration ID |
app_instance.response.resources.device.config_id_platform | String | Platform configuration ID |
app_instance.response.resources.device.external_ip | String | External IP address of the device |
app_instance.response.resources.device.hostname | String | Hostname of the device |
app_instance.response.resources.device.first_seen | String | Timestamp of when the device was first seen |
app_instance.response.resources.device.last_seen | String | Timestamp of when the device was last seen |
app_instance.response.resources.device.local_ip | String | Local IP address of the device |
app_instance.response.resources.device.mac_address | String | MAC address of the device |
app_instance.response.resources.device.major_version | String | Major version of the device OS |
app_instance.response.resources.device.minor_version | String | Minor version of the device OS |
app_instance.response.resources.device.os_version | String | Operating system version |
app_instance.response.resources.device.platform_id | String | Platform ID of the device |
app_instance.response.resources.device.platform_name | String | Platform name of the device |
app_instance.response.resources.device.product_type | String | Product type of the device |
app_instance.response.resources.device.product_type_desc | String | Description of the product type |
app_instance.response.resources.device.status | String | Status of the device |
app_instance.response.resources.device.system_manufacturer | String | System manufacturer of the device |
app_instance.response.resources.device.system_product_name | String | System product name of the device |
app_instance.response.resources.device.modified_timestamp | String | Timestamp of when the device was last modified |
app_instance.response.resources.behaviors | Array | List of behaviors associated with the detection |
app_instance.response.resources.behaviors.device_id | String | Unique identifier for the device associated with the behavior |
app_instance.response.resources.behaviors.timestamp | String | Timestamp of the behavior |
app_instance.response.resources.behaviors.behavior_id | String | Unique identifier for the behavior |
app_instance.response.resources.behaviors.filename | String | Name of the file associated with the behavior |
app_instance.response.resources.behaviors.alleged_filetype | String | Alleged filetype associated with the behavior |
app_instance.response.resources.behaviors.cmdline | String | Command line executed for the behavior |
app_instance.response.resources.behaviors.scenario | String | Scenario under which the behavior was identified |
app_instance.response.resources.behaviors.severity | Integer | Severity of the behavior |
app_instance.response.resources.behaviors.confidence | Integer | Confidence level of the behavior |
app_instance.response.resources.behaviors.ioc_type | String | Type of indicator of compromise |
app_instance.response.resources.behaviors.ioc_value | String | Value of the indicator of compromise |
app_instance.response.resources.behaviors.ioc_source | String | Source of the indicator of compromise |
app_instance.response.resources.behaviors.ioc_description | String | Description of the indicator of compromise |
app_instance.response.resources.behaviors.user_name | String | Username associated with the behavior |
app_instance.response.resources.behaviors.user_id | String | User ID associated with the behavior |
app_instance.response.resources.behaviors.control_graph_id | String | Control graph ID associated with the behavior |
app_instance.response.resources.behaviors.triggering_process_graph_id | String | Triggering process graph ID |
app_instance.response.resources.behaviors.sha256 | String | SHA-256 hash of the file |
app_instance.response.resources.behaviors.md5 | String | MD5 hash of the file |
app_instance.response.resources.behaviors.parent_details | Object | Details of the parent process |
app_instance.response.resources.behaviors.parent_details.parent_sha256 | String | SHA-256 hash of the parent file |
app_instance.response.resources.behaviors.parent_details.parent_md5 | String | MD5 hash of the parent file |
app_instance.response.resources.behaviors.parent_details.parent_cmdline | String | Command line executed by the parent process |
app_instance.response.resources.behaviors.parent_details.parent_process_graph_id | String | Graph ID of the parent process |
app_instance.response.resources.behaviors.pattern_disposition | Integer | Pattern disposition of the behavior |
app_instance.response.resources.email_sent | Boolean | Indicates if an email was sent |
app_instance.response.resources.first_behavior | String | Timestamp of the first behavior |
app_instance.response.resources.last_behavior | String | Timestamp of the last behavior |
app_instance.response.resources.max_confidence | Integer | Maximum confidence level of the detection |
app_instance.response.resources.max_severity | Integer | Maximum severity level of the detection |
app_instance.response.resources.max_severity_displayname | String | Display name of the maximum severity |
app_instance.response.resources.show_in_ui | Boolean | Indicates if the detection should be shown in the UI |
app_instance.response.resources.status | String | Status of the detection |
app_instance.response.resources.adversary_ids | Null | List of adversary IDs associated with the detection |
app_instance.response.resources.hostinfo | Object | Host information |
app_instance.response.resources.hostinfo.active_directory_dn_display | Null | Active Directory distinguished name display |
app_instance.response.resources.hostinfo.domain | String | Domain of the host |
app_instance.response.resources.seconds_to_triaged | Integer | Seconds taken to triage the detection |
app_instance.response.resources.seconds_to_resolved | Integer | Seconds taken to resolve the detection |
app_instance.response.errors | Array | List of errors, if any |
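The response documented above is deep and several of its fields are nullable, so an analyst playbook usually reduces it before acting on it. The following is an added example, not code from the connector or from CrowdStrike, that turns one Fetch Detection Details response into a flat triage summary. It assumes only the field names shown in the table (response.resources[] with device, behaviors[], first_behavior, last_behavior, max_severity_displayname, status, adversary_ids, hostinfo, seconds_to_triaged); the sample response is constructed, and its hashes, IDs and names are placeholders.

```python
"""Added example (not part of the connector documentation): reduce a
Fetch Detection Details response to a triage summary. SAMPLE_RESPONSE is
constructed; every hash, ID and name in it is a placeholder."""
from datetime import datetime


def _parse_ts(value):
    """Parse the API's ISO 8601 timestamps; a trailing 'Z' means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize_detection(resource):
    """Collect the fields an analyst reads first from one detection resource.

    Fields the table documents as Null (adversary_ids,
    active_directory_dn_display) are normalised to empty values so callers
    never have to special-case None."""
    behaviors = resource.get("behaviors") or []
    device = resource.get("device") or {}
    hostinfo = resource.get("hostinfo") or {}
    first = _parse_ts(resource["first_behavior"])
    last = _parse_ts(resource["last_behavior"])
    parents = {(b.get("parent_details") or {}).get("parent_cmdline") for b in behaviors}
    return {
        "severity": resource.get("max_severity_displayname"),
        "max_severity": resource.get("max_severity"),
        "status": resource.get("status"),
        "platform": device.get("platform_name"),
        "os_version": device.get("os_version"),
        "domain": hostinfo.get("domain"),
        "users": sorted({b["user_name"] for b in behaviors if b.get("user_name")}),
        "sha256s": sorted({b["sha256"] for b in behaviors if b.get("sha256")}),
        "cmdlines": [b["cmdline"] for b in behaviors if b.get("cmdline")],
        "parent_cmdlines": sorted(p for p in parents if p),
        # Span between the first and last behavior, in seconds.
        "activity_seconds": int((last - first).total_seconds()),
        "adversary_ids": resource.get("adversary_ids") or [],
        # seconds_to_triaged stays 0 until an analyst picks the detection up.
        "untriaged": resource.get("seconds_to_triaged", 0) == 0
        and resource.get("status") == "new",
    }


def summarize_response(response):
    """Summarise every detection; surface API errors instead of returning a
    partial result that a playbook might act on."""
    errors = response.get("errors") or []
    if errors:
        raise RuntimeError(f"Fetch Detection Details returned errors: {errors}")
    return [summarize_detection(r) for r in response.get("resources") or []]


# Constructed sample response (placeholder values), trimmed to documented fields.
SAMPLE_RESPONSE = {
    "meta": {"query_time": 0.012, "trace_id": "trace-placeholder"},
    "resources": [{
        "device": {"platform_name": "Windows", "os_version": "Windows 10",
                   "status": "normal", "modified_timestamp": "2024-01-01T10:05:00Z"},
        "behaviors": [
            {"behavior_id": "1", "timestamp": "2024-01-01T10:00:00Z",
             "filename": "example.exe", "cmdline": "example.exe --flag",
             "severity": 50, "confidence": 80, "sha256": "0" * 64, "md5": "0" * 32,
             "user_name": "alice", "pattern_disposition": 0,
             "parent_details": {"parent_cmdline": "explorer.exe", "parent_sha256": "1" * 64}},
            {"behavior_id": "2", "timestamp": "2024-01-01T10:04:30Z",
             "filename": "example.exe", "cmdline": "example.exe --other",
             "severity": 70, "confidence": 90, "sha256": "0" * 64, "md5": "0" * 32,
             "user_name": "alice", "pattern_disposition": 0,
             "parent_details": {"parent_cmdline": "example.exe --flag", "parent_sha256": "0" * 64}},
        ],
        "first_behavior": "2024-01-01T10:00:00Z",
        "last_behavior": "2024-01-01T10:04:30Z",
        "max_severity": 70, "max_severity_displayname": "High", "max_confidence": 90,
        "status": "new", "adversary_ids": None,
        "hostinfo": {"domain": "corp.example", "active_directory_dn_display": None},
        "seconds_to_triaged": 0, "seconds_to_resolved": 0,
    }],
    "errors": [],
}

if __name__ == "__main__":
    for summary in summarize_response(SAMPLE_RESPONSE):
        print(summary)
```

The summary keeps the unique SHA-256 set and parent command lines rather than the raw behavior list, which is what a follow-on action such as Bulk Fetch Indicators or a containment decision actually consumes.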
Action: Fetch Detection IDs
The action searches for detections to learn more about activity in your environment.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Parameters | Enter any additional parameters to narrow the result. | Key Value | Optional | You can fetch detection IDs using FQL filters. For more information, see Falcon Query Language reference. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | Time taken to process the query |
| String | Indicates the service powering the API |
| String | Trace ID for the query |
| Array | List of detection IDs |
Action: Fetch Incident Detail
The action retrieves a particular incident's details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Incident IDs | Enter the incident ID list. Example: [inc:a8ecce2f41df4112ae07d4e0c86d0795:3afxxx] | List | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | Time taken to process the query |
| String | Indicates the service powering the API |
| String | Trace ID for the query |
| Array of JSON Objects | List of incidents with details |
Action: Fetch Particular IOA Exclusion
The action retrieves the particular IOA exclusion.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOA Exclusion IDs | Enter one or more IOA exclusion IDs. Example: b0ceca08642b4103a344f8251c492861 | Any | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | The time taken to execute the query |
| String | Trace ID for the request |
| Array | List of errors, if any |
| Array | List of IOA exclusions |
| String | The unique identifier for the IOA exclusion |
| String | Name of the exclusion |
| String | Description of the exclusion |
| String | ID of the pattern |
| String | Name of the pattern |
| String | Regex pattern for the indicator file name |
| String | Regex pattern for the command line |
| String | JSON representation of the detection |
| Array | List of groups associated with the exclusion |
| Boolean | Indicates if the exclusion is applied globally |
| String | Timestamp of the last modification |
| String | User who last modified the resource |
| String | Timestamp when the resource was created |
| String | User who created the resource |
Action: Fetch Particular ML Exclusion Details
The action retrieves details of ML exclusions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
ML Exclusion IDs | Enter one or more ML exclusion IDs. Example: ["b0ceca08642b4103a344f8251c492861"] | List | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the API response |
| Float | Time taken to execute the query |
| String | Service powering the API |
| String | Trace ID for the API request |
| Object | Errors encountered during the request, if any |
| Array | List of ML exclusions returned by the API |
| String | The unique identifier for the ML exclusion |
| String | The ML exclusion value |
| String | The regular expression value for the ML exclusion |
| String | Hash of the ML exclusion value |
| Array | Groups associated with the ML exclusion |
| Boolean | Indicates if the exclusion is applied globally |
| Array | List of actions from which the ML exclusion is excluded |
| String | Timestamp for when the ML exclusion was last modified |
| String | User who last modified the ML exclusion |
| String | Timestamp for when the ML exclusion was created |
| String | User who created the ML exclusion |
Action: Fetch Particular Sensor Visibility Exclusion
The action retrieves a particular sensor visibility exclusion.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Sensor Visibility Exclusion IDs | Enter the SV exclusion IDs. Example: b0ceca08642b4103a344xxxx | List | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Meta information about the API response |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the API request |
| Array | List of errors (empty if no errors) |
| Array | List of resources (in this case, exclusions) |
| String | Unique identifier for the exclusion |
| String | The trusted file path excluded from sensor visibility |
| String | Regular expression value for the exclusion |
| String | Hash value of the trusted file path |
| Array | List of groups associated with the exclusion |
| Boolean | Indicates if the exclusion is applied globally |
| String (ISO 8601) | Date and time when the exclusion was last modified |
| String | Username of the user who last modified the exclusion |
| String (ISO 8601) | Date and time when the exclusion was created |
| String | Username of the user who created the exclusion |
Action: Fetch Real Time Policy Agent IDs
The action retrieves the real-time policy agent IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Parameters | Enter any extra parameters. | Key Value | Optional | Allowed keys: for the list, see CrowdStrike API Documentation. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Meta information about the API response |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the API request |
| Array | List of errors (empty if no errors) |
| Array | List of real-time policy agent IDs |
Action: Fetch Real Time Policy Hosts
The action retrieves the real-time policy hosts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Parameters | Enter any extra parameters. | Key Value | Optional | Allowed keys: for the list, see CrowdStrike API Documentation. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| Object | Pagination details for the response |
| Integer | Offset for the pagination |
| Integer | Limit for the pagination |
| Integer | Total number of records |
| String | Trace ID for the query |
| Array | List of errors, if any |
| Array | List of resources (hosts) |
| String | Unique identifier for the device |
| String | Customer ID |
| String | Agent load flags |
| String | Agent local time |
| String | Agent version |
| String | BIOS manufacturer |
| String | BIOS version |
| String | Build number of the OS |
| String | Base configuration ID |
| String | Build configuration ID |
| String | Platform configuration ID |
| String | CPU signature |
| String | External IP address |
| String | MAC address |
| String | Hostname of the device |
| String | Timestamp when the device was first seen |
| String | Timestamp when the device was last seen |
| String | Local IP address |
| String | Major version of the OS |
| String | Minor version of the OS |
| String | OS version |
| String | Platform ID |
| String | Platform name |
| Array | List of policies applied to the device |
| String | Type of policy |
| String | Policy ID |
| Boolean | Indicates if the policy is applied |
| String | Settings hash of the policy |
| String | Date when the policy was assigned |
| String | Date when the policy was applied |
| Array | List of rule groups for the policy |
| String | Indicates if the device is in reduced functionality mode |
| Object | Device policies |
| Array | List of groups the device belongs to |
| String | Hash of the group |
| String | Product type |
| String | Description of the product type |
| String | Provision status of the device |
| String | Serial number of the device |
| String | Major version of the service pack |
| String | Minor version of the service pack |
| String | Pointer size (in bits) |
| String | Status of the device |
| String | System manufacturer |
| String | System product name |
| Array | List of tags associated with the device |
| String | Timestamp when the resource was last modified |
| String | Timestamp for slow changing modifications |
| Object | Metadata for the resource |
| String | Version of the resource metadata |
Action: Fetch Real Time Response Script
This action searches and filters existing scripts uploaded to CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Data | Enter any additional parameters. | Key Value | Optional | You can fetch real time response scripts using FQL filters. For more information, see Falcon Query Language reference. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| Object | Pagination details for the response |
| Integer | Offset for the pagination |
| Integer | Limit for the pagination |
| Integer | Total number of records |
| String | Trace ID for the query |
| Array | List of errors, if any |
| Array | List of script IDs |
Action: Find Existing Prevention Policies
The action finds existing prevention policies.
Action Input Parameters
No input parameters are required for this action.
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | The time taken to execute the query |
| Object | Pagination details |
| Integer | The pagination offset |
| Integer | The pagination limit |
| Integer | Total number of items |
| String | The trace ID for the request |
| Array | List of errors |
| Array | List of prevention policies |
| String | The unique identifier for the prevention policy |
| String | The name of the prevention policy |
| String | Description of the prevention policy |
| String | The platform for which the policy is applicable |
| Array | List of groups associated with the policy |
| Boolean | Indicates if the policy is enabled |
| String | Email of the user who created the policy |
| String | Timestamp when the policy was created |
| String | Email of the user who last modified the policy |
| String | Timestamp when the policy was last modified |
| Array | List of prevention settings associated with the policy |
| String | Name of the prevention setting |
| Array | List of settings under the prevention setting |
| String | The unique identifier for the setting |
| String | The name of the setting |
Action: Find Existing Sensor Policies
The action searches existing sensor policies.
Action Input Parameters
No input parameters are required for this action.
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | The time taken to execute the query |
| Object | Pagination details |
| Integer | The pagination offset |
| Integer | The pagination limit |
| Integer | Total number of items |
| String | The trace ID for the request |
| Array | List of errors |
| Array | List of prevention policies |
| String | The unique identifier for the prevention policy |
| String | The name of the prevention policy |
| String | Description of the prevention policy |
| String | The platform for which the policy is applicable |
| Array | List of groups associated with the policy |
| Boolean | Indicates if the policy is enabled |
| String | Email of the user who created the policy |
| String | Timestamp when the policy was created |
| String | Email of the user who last modified the policy |
| String | Timestamp when the policy was last modified |
| Array | List of prevention settings associated with the policy |
| String | Name of the prevention setting |
| Array | List of settings under the prevention setting |
| String | The unique identifier for the setting |
| String | The name of the setting |
Action: Find Host Group Members
This action retrieves the IDs of hosts in a host group.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host Group ID | Enter the host group ID to retrieve the hosts. Example: 006exxxxxxxxa3e7 | Text | Required | |
Limit | Enter the maximum number of hosts to be retrieved. | Integer | Optional | The default value is 5. Hosts are sorted alphabetically by name. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | The time taken to execute the query |
| Object | Pagination details |
| Integer | The pagination offset |
| Integer | The pagination limit |
| Integer | Total number of items |
| String | The trace ID for the request |
| Array | List of errors |
| Array | List of host IDs |
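Find Host Group Members returns at most Limit IDs per call (default 5) and reports offset, limit and total in the response metadata, so a playbook that wants the whole group has to page. The following is an added example, not the connector's or CrowdStrike's code, that follows that pagination until every member is read. It assumes the Falcon API's key names for the documented pagination fields (meta.pagination.offset, meta.pagination.limit, meta.pagination.total) and replaces the real action call with fetch_page(), a constructed stand-in that serves placeholder host IDs.

```python
"""Added example (not part of the connector documentation): page through
Find Host Group Members. fetch_page() is a constructed stand-in for the
action; _HOST_IDS are placeholder 32-hex device IDs, not real hosts."""

# Constructed data set standing in for a host group with 12 members.
_HOST_IDS = [f"{i:032x}" for i in range(1, 13)]


def fetch_page(host_group_id, offset, limit):
    """Stand-in for one Find Host Group Members call, in the documented shape:
    meta.pagination (offset, limit, total), resources (host IDs), errors."""
    page = _HOST_IDS[offset:offset + limit]
    return {
        "meta": {
            "query_time": 0.001,
            "trace_id": "trace-placeholder",
            # Key names assumed from the Falcon API; the table documents the
            # fields but not their names.
            "pagination": {"offset": offset, "limit": limit, "total": len(_HOST_IDS)},
        },
        "resources": page,
        "errors": [],
    }


def collect_group_members(host_group_id, fetch=fetch_page, limit=5, max_pages=1000):
    """Follow offset/limit/total until the whole group has been read.

    Stops on API errors, on an empty page (so a backend that keeps reporting
    a larger total cannot loop forever), and on max_pages as a hard ceiling."""
    members = []
    offset = 0
    for _ in range(max_pages):
        resp = fetch(host_group_id, offset, limit)
        if resp.get("errors"):
            raise RuntimeError(f"Find Host Group Members returned errors: {resp['errors']}")
        page = resp.get("resources") or []
        members.extend(page)
        pagination = resp["meta"]["pagination"]
        offset = pagination["offset"] + len(page)
        if not page or offset >= pagination["total"]:
            break
    else:
        raise RuntimeError("pagination did not terminate within max_pages")
    # Deduplicate while preserving order, in case the group changed between pages.
    return list(dict.fromkeys(members))


if __name__ == "__main__":
    ids = collect_group_members("host-group-placeholder")
    print(f"{len(ids)} members")
```

The empty-page and max_pages guards matter more than they look: a playbook that loops on total alone will spin if the group grows while it is being read or if the backend returns an inconsistent count.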
Action: Find Host Groups
The action searches for host groups.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Data | Enter any additional parameters to search for host groups. | Key Value | Optional | You can fetch host groups using FQL filters. For more information, see Falcon Query Language reference. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | The time taken to execute the query |
| Object | Pagination details |
| Integer | The pagination offset |
| Integer | The pagination limit |
| Integer | Total number of items |
| String | The trace ID for the request |
| Array | List of errors |
| Array | List of host group IDs |
Action: Find Host With Device Query
The action searches for hosts with various filters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Extra Parameters | Enter additional parameters such as device_id, external_ip, hostname, local_ip, mac_address, os_version, platform_name, and more. Example: 'filter': "hostname:'test',local_ip:'192.168.1.1'" | Key Value | Optional | For more information about device filters, see CrowdStrike API Documentation. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | The time taken to execute the query |
| Object | Pagination details |
| Integer | The pagination offset |
| Integer | The pagination limit |
| Integer | Total number of items |
| String | The trace ID for the request |
| Array | List of errors |
| Array | List of host IDs |
Action: Find Indicator IDs
This action finds IDs of indicators.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter Value | Enter filters to narrow the result. Example: type:"md5", value:"test.com" | Text | Optional | Supported filters are type, value, action, mobile_action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, and source. |
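Fetch Detection IDs, Find Host With Device Query and Find Indicator IDs all take FQL filters, and in a playbook the values in those filters often come from an upstream alert or a user. The following is an added example, not the connector's or CrowdStrike's code, that builds filter strings from untrusted field/value pairs. It assumes FQL syntax as CrowdStrike documents it (field:'value' terms with single-quoted strings, '+' joining terms as AND, ',' as OR, and [...] for a list of values); rather than trying to escape values, it allowlists the characters a value may contain and checks field names against the supported filters listed above for Find Indicator IDs, so a value carrying quote or operator characters is rejected instead of being spliced into the query.

```python
"""Added example (not part of the connector documentation): build FQL
filter strings safely from untrusted input. FQL syntax assumed as
documented by CrowdStrike: field:'value', '+' for AND, ',' for OR."""
import re

# Filter fields the Find Indicator IDs table lists as supported.
INDICATOR_FILTER_FIELDS = frozenset({
    "type", "value", "action", "mobile_action", "severity", "platforms",
    "tags", "expiration", "expired", "applied_globally", "host_groups",
    "created_on", "created_by", "modified_on", "modified_by", "source",
})

_FIELD_RE = re.compile(r"^[a-z][a-z0-9_.]*$")
# Characters a quoted value may contain: hostnames, IPs, hashes, user names,
# domains and ISO timestamps pass; the quote character and FQL operators
# (+ , * ! < > ~ [ ]) are rejected.
_VALUE_RE = re.compile(r"^[A-Za-z0-9 ._:@/\-]+$")


class FQLError(ValueError):
    """Raised for a field or value that must not reach the API."""


def _literal(value):
    """Render one value as an FQL literal or refuse it."""
    if isinstance(value, bool):          # bool before int: True is an int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(_literal(v) for v in value) + "]"
    if isinstance(value, str) and _VALUE_RE.match(value):
        return f"'{value}'"
    raise FQLError(f"rejected filter value {value!r}")


def fql_term(field, value, allowed_fields=None):
    """One field:value term; the field is checked against an allowlist."""
    if not isinstance(field, str) or not _FIELD_RE.match(field):
        raise FQLError(f"malformed field name {field!r}")
    if allowed_fields is not None and field not in allowed_fields:
        raise FQLError(f"field {field!r} is not a supported filter")
    return f"{field}:{_literal(value)}"


def all_of(terms, allowed_fields=None):
    """AND the (field, value) pairs together with '+'."""
    return "+".join(fql_term(f, v, allowed_fields) for f, v in terms)


def any_of(terms, allowed_fields=None):
    """OR the (field, value) pairs together with ','."""
    return ",".join(fql_term(f, v, allowed_fields) for f, v in terms)


if __name__ == "__main__":
    print(all_of([("type", "md5"), ("value", "test.com")], INDICATOR_FILTER_FIELDS))
    print(all_of([("hostname", "test"), ("local_ip", "192.168.1.1")]))
```

Pass INDICATOR_FILTER_FIELDS when building a Find Indicator IDs filter; for the host and detection searches, whose allowed keys the page refers to CrowdStrike's documentation for, pass your own allowlist or None to check only the field-name syntax.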
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | The time taken to execute the query |
| Object | Pagination details |
| Integer | The pagination offset |
| Integer | The pagination limit |
| Integer | Total number of items |
| String | The trace ID for the request |
| Array | List of errors |
| Array | List of indicator IDs |
Action: Find IOA Exclusion
The action searches for IOA exclusions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Parameters | Enter any additional parameters while finding IOA exclusions. | Key Value | Optional | Allowed keys: for the list, see CrowdStrike API Documentation. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | The time taken to execute the query |
| String | Trace ID for the request |
| Array | List of errors, if any |
| Array | List of IOA exclusions |
| String | The unique identifier for the IOA exclusion |
| String | Name of the exclusion |
| String | Description of the exclusion |
| String | ID of the pattern |
| String | Name of the pattern |
| String | Regex pattern for the indicator file name |
| String | Regex pattern for the command line |
| String | JSON representation of the detection |
| Array | List of groups associated with the exclusion |
| Boolean | Indicates if the exclusion is applied globally |
| String | Timestamp of the last modification |
| String | User who last modified the resource |
| String | Timestamp when the resource was created |
| String | User who created the resource |
Action: Find Machine Learning Exclusion
The action searches for machine learning exclusions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Parameters | Enter the additional parameters. | Key Value | Optional | Allowed keys: for the list, see CrowdStrike API Documentation. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the API response |
| Float | Time taken to execute the query |
| String | Service powering the API |
| String | Trace ID for the API request |
| Object | Errors encountered during the request, if any |
| Array | List of ML exclusions returned by the API |
| String | The unique identifier for the ML exclusion |
| String | The ML exclusion value |
| String | The regular expression value for the ML exclusion |
| String | Hash of the ML exclusion value |
| Array | Groups associated with the ML exclusion |
| Boolean | Indicates if the exclusion is applied globally |
| Array | List of actions from which the ML exclusion is excluded |
| String | Timestamp for when the ML exclusion was last modified |
| String | User who last modified the ML exclusion |
| String | Timestamp for when the ML exclusion was created |
| String | User who created the ML exclusion |
Action: Find Sensor Visibility Exclusion
The action retrieves the list of all the sensor visibility exclusions.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Parameters | Enter additional parameters. | Key Value | Optional | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Meta information about the API response |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the API request |
| Array | List of errors (empty if no errors) |
| Array | List of resources (in this case, exclusions) |
| String | Unique identifier for the exclusion |
| String | The trusted file path excluded from sensor visibility |
| String | Regular expression value for the exclusion |
| String | Hash value of the trusted file path |
| Array | List of groups associated with the exclusion |
| Boolean | Indicates if the exclusion is applied globally |
| String (ISO 8601) | Date and time when the exclusion was last modified |
| String | Username of the user who last modified the exclusion |
| String (ISO 8601) | Date and time when the exclusion was created |
| String | Username of the user who created the exclusion |
Action: Get Aggregated Alerts
This action fetches aggregated alerts from CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter a name for the aggregate query, which is used to identify the results returned. Example: sample aggregate search | Text | Required | |
Aggregate Type | Enter the type of aggregation to perform. | Text | Required | Allowed values are date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, and percentiles. |
Aggregate Field | Enter the field to compute the aggregation. This can be any field returned in the response, such as severity or tactic_id. | Text | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| Object | Information about writes in the response |
| Integer | Number of resources affected by writes |
| String | Name of the API powering the response |
| String | Trace ID for the request |
| Array | List of resources in the response |
| String | Name of the grouping |
| Array | List of buckets in the resource |
| Integer | Label of the bucket |
| Integer | Count of alerts in the bucket |
| Array | List of errors in the response |
Action: Get Alert Details
This action is used to fetch the details of an alert from CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert IDs | Enter a list of alert IDs to get details. Example: 28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-117-1930xxxxxxxx9544 | List | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata related to the query |
| Number | Time taken for the query in seconds |
| Object | Details about resources affected by the query |
| Number | Number of resources affected |
| String | Indicates the source that powered the response |
| String | Unique identifier for tracing purposes |
| Array | List of errors encountered (if any) |
| Array | List of alerts and related details |
| String | Activity ID related to the alert |
| String | Aggregate ID of the alert |
| String | Unique identifier for the alert |
| String | Composite ID of the alert |
| Number | Confidence level of the alert |
| String | Timestamp of the alert context |
| String | Timestamp when the alert was created |
| String | Description of the alert |
| String | Display name of the alert |
| String | End time of the alert |
| String | Link to Falcon host for more details |
| String | Unique identifier of the alert |
| String | Country code of the alert location |
| String | Name of the alert |
| String | Objective associated with the alert |
| String | Okta application ID associated with the alert |
| Number | Pattern ID of the alert |
| String | Product related to the alert |
| String | Scenario associated with the alert |
| Number | Severity level of the alert |
| Boolean | Indicates if the alert should be displayed in the user interface |
| String | Name of the source account associated with the alert |
| String | Okta ID of the source account associated with the alert |
| String | IPv4 address of the source endpoint |
| String | IP address of the source endpoint |
| String | Identifier of the SSO application associated with the alert |
| String | URI of the SSO application associated with the alert |
| String | Start time of the alert |
| String | Status of the alert |
| String | Tactic associated with the alert |
| String | ID of the tactic associated with the alert |
| String | Technique associated with the alert |
| String | ID of the technique associated with the alert |
| String | Timestamp of the alert |
| String | Type of the alert |
| String | Timestamp when the alert was last updated |
Action: Get Device Info By ID
The action searches for the device information using the device ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the ID of the device to retrieve details. Example: 8cfcb75a73aa48ac7b4f544b04a905b3 | Text | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| Object | Pagination details for the response |
| Integer | Offset for the pagination |
| Integer | Limit for the pagination |
| Integer | Total number of records |
| String | Trace ID for the query |
| Array | List of errors, if any |
| Array | List of resources (hosts) |
| String | Unique identifier for the device |
| String | Customer ID |
| String | Agent load flags |
| String | Agent local time |
| String | Agent version |
| String | BIOS manufacturer |
| String | BIOS version |
| String | Build number of the OS |
| String | Base configuration ID |
| String | Build configuration ID |
| String | Platform configuration ID |
| String | CPU signature |
| String | External IP address |
| String | MAC address |
| String | Hostname of the device |
| String | Timestamp when the device was first seen |
| String | Timestamp when the device was last seen |
| String | Local IP address |
| String | Major version of the OS |
| String | Minor version of the OS |
| String | OS version |
| String | Platform ID |
| String | Platform name |
| Array | List of policies applied to the device |
| String | Type of policy |
| String | Policy ID |
| Boolean | Indicates if the policy is applied |
| String | Settings hash of the policy |
| String | Date when the policy was assigned |
| String | Date when the policy was applied |
| Array | List of rule groups for the policy |
| String | Indicates if the device is in reduced functionality mode |
| Object | Device policies |
| Array | List of groups the device belongs to |
| String | Hash of the group |
| String | Product type |
| String | Description of the product type |
| String | Provision status of the device |
| String | Serial number of the device |
| String | Major version of the service pack |
| String | Minor version of the service pack |
| String | Pointer size (in bits) |
| String | Status of the device |
| String | System manufacturer |
| String | System product name |
| Array | List of tags associated with the device |
| String | Timestamp when the resource was last modified |
| String | Timestamp for slow changing modifications |
| Object | Metadata for the resource |
| String | Version of the resource metadata |
| String | Kernel version of the device |
Action: Get Host Details
This action retrieves detailed information for one or more host IDs. It provides insights into the host's policies, configurations, and connection details, ensuring comprehensive visibility into the host's security posture.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host IDs | Enter the list of host IDs to fetch details. You can enter up to 5000 IDs. Example: $list[5b62f6d1a451c8c1a8828ce28265d65b,5c4a1e9ffc24464a9776c61af] | List | Required |
Example Request
[ { "host_ids": [ "cdc40c8ad8314cf296016a507460c563" ] } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | Contains metadata about the response such as the query time, powered by and trace ID. |
| Array of Objects | List of resources related to the response, each representing a host. |
| String | The unique identifier of the device. Example: abcd1234wxyz56 |
| String | The CrowdStrike Falcon customer identifier associated with the device. Example: 0123456789ABCDEFGHIJKLMNOPQRSTUV |
| String | The version of the agent installed on the device. Example: 3.5.5606.0 |
| String | The manufacturer of the BIOS. Example: Phoenix Technologies LTD |
| String | The version of the BIOS. Example: 6.00 |
| String | The base configuration ID of the device. Example: 65994753 |
| String | The build configuration ID of the device. Example: 5606 |
| String | The platform configuration ID of the device. Example: 3. |
| String | The external IP address of the device. Example: 24.xx.20.181. |
| String | The MAC address of the device. Example: 00-50-xx-8c-17-81. |
| String | The hostname of the device. Example: example_host. |
| String | The timestamp when the device was first seen. Example: 2017-07-19T02:08:24Z. |
| String | The timestamp when the device was last seen. Example: 2017-09-25T23:45:55Z. |
| String | The local IP address of the device. |
| String | The domain to which the device belongs. |
| String | The major version of the operating system. |
| String | The minor version of the operating system. |
| String | The version of the operating system. Example: Windows 7. |
| String | The build ID of the operating system. Example: 19H1323. |
| String | The platform ID of the device. |
| String | The name of the platform. Example: Windows, macOS |
| Array of Objects | List of policies applied to the device. |
| String | The type of policy. Example: prevention, sensor-update |
| String | The unique identifier of the policy. Example: aaabbbdddcccddd. |
| Boolean | Indicates if the policy is applied. |
| Object | Contains details of device policies. |
| Object | Contains details of the prevention policy. |
| Object | Contains details of the sensor update policy. |
| String | The status of the device. Example: normal. |
| String | The product name of the system. Example: VMware Virtual Platform |
| String | The timestamp when the device details were last modified. Example: 2017-09-25T23:46:06Z |
| String | The kernel version of the operating system. Example: 6.1.7601.17592 |
Action: Get Host Details for Observed Indicator
This action retrieves the details of hosts on which the given indicator was observed.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC Type | Enter the IOC type. | Text | Required | Allowed values: sha256, md5, domain, ipv4, ipv6 |
IOC Value | Enter the IOC value. Example: 8bbdead7357af7bf0efe397f9fd7e0ec578755eb8bdbaa65ae4f28ef00087ad5 | Text | Required | |
Extra Parameters | Enter the extra parameters to pass to the API. | Key Value | Optional |
Example Request
[ { "ioc_type": "ipv4", "ioc_value": "1.1.2.2", "extra_params": {} } ]
Action: Get Incident IDs
This action gets incident IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter any FQL filter or sort parameters while fetching incident IDs. Example: host_ids: '9a07d39f8c9f430eb3e474d1a0c16ce9' | Key Value | Optional | For filtering options, see CrowdStrike API Documentation. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | Time taken to process the query |
| String | Indicates the service powering the API |
| String | Trace ID for the query |
| Array of JSON Objects | List of incidents with details |
Action: Get Real Time Response Scripts
This action retrieves real time response (RTR) scripts using their IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Script ID | Enter the list of script IDs. Example: ['fc4974cd1f9011ec8b82ba35da7e613b_9236b0e5b28946de8fc2d278cecba38d'] | List | Required |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| Object | Pagination details for the response |
| Integer | Offset for the pagination |
| Integer | Limit for the pagination |
| Integer | Total number of records |
| String | Trace ID for the query |
| Array | List of errors, if any |
| Array | The script details |
Action: Get Remediation Details
This action retrieves remediation details using remediation IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Remediation IDs | Enter one or more remediation IDs. Example: $list['5ddb0407bef249c19c7a975f17979a1f_eecd9a8f319940dfb0255e5d436822d9'] | List | Required |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | Time taken for the query to execute, in seconds |
| String | Source or system that powered the response |
| String | Unique identifier for tracing the request |
| Array | List of remediation resources |
| String | Identifier for the remediation resource |
| String | Reference version or number associated with the remediation |
| String | Title or name describing the remediation |
| String | Action recommended for remediation |
| String | Optional link for further information about the remediation |
Action: Get Response Time Files
The action retrieves the response time files.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
File IDs | Enter the list of file IDs. Example: $list[1246eaf04dc611ec85f082cab6337bcd_1cxxxxx] | List | Required |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | The time taken for the query in seconds |
| String | The source powering the API response |
| String | Unique identifier for tracing purposes |
| Array | List of resources (RTR scripts) |
| String | Identifier for the RTR script |
| String | Name of the RTR script |
| String | Description of what the RTR script does |
| String | Use case scenario for the RTR script |
| Array | Categories that the RTR script belongs to |
| Array | Roles that have access to execute the RTR script |
| String | SHA-256 hash of the RTR script |
| Number | Size of the RTR script in bytes |
| String | Platform for which the RTR script is intended (e.g., Windows) |
| String | Detailed content or script code |
| String | Creator of the RTR script |
| String | Timestamp when the RTR script was created |
| String | Last modifier of the RTR script |
| String | Timestamp when the RTR script was last modified |
| Number | Revision number of the RTR script |
| Boolean | Indicates if the RTR script workflow is enabled |
| Array | Tags associated with the RTR script's workflow |
| String | Schema for the input expected by the RTR script's workflow |
| String | Schema for the output produced by the RTR script's workflow |
| Boolean | Indicates if executing the RTR script is disruptive |
| Boolean | Indicates if the RTR script modifies the system |
Action: Get Status of Host
This action gets the status of hosts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IDs | Enter the IDs of the hosts whose status you want to get. Example: $list[5b62f6d1a451c8c1a8828ce28265d65b,5c4a1e9ffc24464a9776c61af] | List | Required |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata related to the query |
| Number | Time taken for the query in seconds |
| String | Unique ID for tracing the query |
| Array | List of resources (hosts) |
| String | Unique identifier of the host |
| String | Unique customer identifier for the host |
| String (Timestamp) | Last seen timestamp of the host in UTC |
| String | Current state of the host (e.g., "online", "offline") |
| null or Array | Errors related to the query (if any) |
Action: Get Vulnerability Details
This action retrieves details of vulnerabilities.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Vulnerability IDs | Enter the vulnerability IDs. Example: $list[3e32646d80e94c875f9db78ae533d3a3_ff751484b9433cb899a9e4755cce7a7a]. | List | Optional |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the API response |
| Number | Time taken for the query in seconds |
| String | Indicates the service powering the API (spapi in this case) |
| String | Unique identifier for tracing/debugging purposes |
| Array | List of vulnerability resources |
| String | Unique identifier for the vulnerability resource |
| String | Customer identifier associated with the vulnerability |
| String | Asset identifier associated with the vulnerability |
| String | ID of the vulnerability (e.g., CVE ID) |
| String | Metadata ID specific to the vulnerability |
| Array | List of data providers for the vulnerability |
| String | Timestamp when the vulnerability was created |
| String | Timestamp when the vulnerability was last updated |
| String | Status of the vulnerability (e.g., open, closed) |
| Array | List of applications affected by the vulnerability |
| Object | Information related to suppression of the vulnerability |
| Object | Details about the specific application affected |
| Object | Details about the CVE (Common Vulnerabilities and Exposures) |
| String | CVE ID for the vulnerability |
| Number | Base score of the vulnerability |
| String | Severity level of the vulnerability |
| Number | Exploit status of the vulnerability |
| String | Expert rating for the vulnerability |
| String | Remediation level for the vulnerability |
| Object | Information related to CISA (Cybersecurity and Infrastructure Security Agency) |
| Boolean | Indicates if the vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog |
| String | Due date associated with the CISA advisory |
| String | Published date for spotlight information related to the vulnerability |
| Array | List of actors associated with the vulnerability |
| String | Description of the vulnerability |
| String | Published date of the vulnerability |
| Array | List of vendor advisories related to the vulnerability |
| Array | List of references related to the vulnerability |
| Number | Exploitability score of the vulnerability |
| Number | Impact score of the vulnerability |
| String | Vector string describing the CVSS (Common Vulnerability Scoring System) metrics |
| Object | Information related to the host affected by the vulnerability |
| Object | Details about remediation steps for the vulnerability |
Action: Get Vulnerability List
This action gets the list of vulnerabilities from CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the maximum number of vulnerability records to be returned. Example: 10 | Integer | Optional | |
Filter | Enter the FQL filter to limit the results. Example: created_timestamp:>'2024-03-12t03:27'. | Text | Required | For filtering options, see CrowdStrike API Documentation. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the API response |
| Number | Time taken for the query in seconds |
| String | Indicates the service powering the API (spapi in this case) |
| String | Unique identifier for tracing/debugging purposes |
| Array | List of vulnerability IDs |
Action: Lift Host Containment
The action lifts the containment of a host.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host IDs | Enter the host agent ID (AID) of the host. Example: ["123456789"] | List | Required | Get the AID from a detection, the Falcon console, or the streaming API in CrowdStrike Falcon. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata related to the query |
| Number | Time taken for the query in seconds |
| String | Unique ID for tracing the query |
| Array | List of resources (hosts) |
| String | Unique identifier of the host |
| String | Unique customer identifier for the host |
| String (Timestamp) | Last seen timestamp of the host in UTC |
| String | Current state of the host (e.g., "online", "offline") |
| null or Array | Errors related to the query (if any) |
Action: List All Alerts
This action fetches all alerts from CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filter | Enter a query to filter alerts. Example: product:'idp' | Text | Optional | |
Limit | Enter the maximum number of alerts to return. | Integer | Optional | Default limit is 100 |
Offset | Enter the offset from which results are returned. | Integer | Optional | Default value is 0 |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata related to the query |
| Number | Time taken for the query in seconds |
| String | Unique ID for tracing the query |
| Array | List of alert IDs |
Action: List Response Time File
The action retrieves the list of all the response time files.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Additional Parameters | Enter the extra parameters for retrieving the files. | Key Value | Optional |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| Object | Pagination details for the response |
| Integer | Offset for the pagination |
| Integer | Limit for the pagination |
| Integer | Total number of records |
| String | Trace ID for the query |
| Array | List of errors, if any |
| Array | List of file IDs |
Action: Modify Detections
The action modifies detections.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Detection IDs | Enter one or more IDs of the detections that you want to modify. Example: ["ldt:3752xxxxxxxx9964:8175xxxx2029"] | List | Required | |
Status | Enter the status associated with the detections | Text | Required | Allowed values are new, in_progress, true_positive, false_positive, and ignored. |
Assigned User | Enter the user's unique ID to whom you want to assign the detections. Example: 1234567891234567891 | Text | Optional |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the detection |
| Number | Time taken for the query in seconds |
| Object | Details of writes related to the detection |
| Integer | Number of affected resources |
| String | Unique trace ID for the detection request |
Action: Modify Incidents
This action modifies incidents in CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Name | Enter the specific detail of the incident that you want to update. | Text | Required | Allowed values are add_tag, delete_tag, unassign, update_name, update_assigned_to_v2, update_description, and update_status. |
Value | Enter the updated value for the specified name. Example: If “Name” is add_tag, you can enter the tags you want to add to the incident. | Text | Required | |
Incident IDs | Enter one or more IDs of incidents that you want to update. Example: [inc:a8ecce2f41df4112ae07d4e0c86d0795:3afxxx] | List | Required |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the request |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the incident request |
Action: Modify ML Exclusion
The action modifies the machine learning exclusion.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data | Enter the data that needs to be updated in key-value format. Example: {'excluded_from':['blocking','extraction']} | Key Value | Required | |
ML Exclusion ID | Enter the ML exclusion ID. Example: 'b0ceca08642b4103a344f8251c492861' | Text | Required |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the API response |
| Float | Time taken to execute the query |
| String | Service powering the API |
| String | Trace ID for the API request |
| Object | Errors encountered during the request, if any |
| Array | List of ML exclusions returned by the API |
| String | The unique identifier for the ML exclusion |
| String | The ML exclusion value |
| String | The regular expression value for the ML exclusion |
| String | Hash of the ML exclusion value |
| Array | Groups associated with the ML exclusion |
| Boolean | Indicates if the exclusion is applied globally |
| Array | List of actions from which the ML exclusion is excluded |
| String | Timestamp for when the ML exclusion was last modified |
| String | User who last modified the ML exclusion |
| String | Timestamp for when the ML exclusion was created |
| String | User who created the ML exclusion |
Action: Modify SV Exclusion
The action modifies a sensor visibility (SV) exclusion.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Data | Enter the data you want to update. Example: {'value':'sv_name'} | Key Value | Required | |
SV Exclusion ID | Enter the SV exclusion ID. Example: b0ceca08642b4103a344f8251c492861 | Text | Required |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Meta information about the API response |
| Number | Time taken for the query in seconds |
| String | Unique trace ID for the API request |
| Array | List of errors (empty if no errors) |
| Array | List of resources (in this case, exclusions) |
| String | Unique identifier for the exclusion |
| String | The trusted file path excluded from sensor visibility |
| String | Regular expression value for the exclusion |
| String | Hash value of the trusted file path |
| Array | List of groups associated with the exclusion |
| Boolean | Indicates if the exclusion is applied globally |
| String (ISO 8601) | Date and time when the exclusion was last modified |
| String | Username of the user who last modified the exclusion |
| String (ISO 8601) | Date and time when the exclusion was created |
| String | Username of the user who created the exclusion |
Action: Query Indicator
This action queries for various indicators in CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Offset | Enter the starting row number to return from the index. | Integer | Optional | Default is 0. |
Limit | Enter the number of rows to return. | Integer | Optional | Default is 100. |
Sort | Enter the sorting order. Example: published_date\|asc. | Text | Optional | |
Filter | Enter the filter. Example: _marker, actors, deleted. | Text | Optional | |
Search | Enter the generic substring search. | Text | Optional | |
Include Deleted | Specify if deleted indicators should be included. | Boolean | Optional | Default is false |
Include Relations | Specify if relations should be included. | Boolean | Optional | Default is false |
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Object | Contains the details of the response. |
| Array of Objects | List of errors related to the request, if any. |
| Object | Metadata about the response, such as the pagination offset and limit. |
| Array of Objects | List of indicator resources related to the query. |
| String | A marker for the resource. Example: "1717408640a479be6300bbe61d6ac71572f605a524". |
| Array of Objects | List of actors related to the indicator. |
| Boolean | Indicates if the indicator has been deleted. Example: false. |
| Array of Objects | List of domain types related to the indicator. |
| String | The unique identifier of the indicator. Example: "hash_sha256_df8c1e38200681e2b07b3c2db38ca07ff89172fc2ef975135a10bd7caef1c6dd". |
| String | The indicator value. Example: "df8c1e38200681e2b07b3c2db38ca07ff89172fc2ef975135a10bd7caef1c6dd". |
| Array of Objects | List of IP address types related to the indicator. |
| Array of Objects | List of kill chains related to the indicator. |
| Array of Objects | List of labels associated with the indicator. |
| Integer | The timestamp when the label was created. Example: 1717408615. |
| Integer | The timestamp when the label was last valid. Example: 1717408640. |
| String | The name of the label. Example: “MaliciousConfidence/High”. |
| Integer | The timestamp when the indicator was last updated. Example: 1717408640. |
| String | The confidence level of the malicious indicator. Example: "high". |
| Array of Strings | List of malware families associated with the indicator. Example: ["Mofksys"]. |
| Integer | The timestamp when the indicator was published. Example: 1717408615. |
| Array of Objects | List of relations associated with the indicator. |
| Integer | The timestamp when the relation was created. Example: 1717408615. |
| String | The unique identifier of the related indicator. Example: "hash_sha1_90b6160e521bf376bad3cc0bb89fd8f86dcd7214". |
| String | The value of the related indicator. Example: “90b6160e521bf376bad3cc0bb89fd8f86dcd7214”. |
| Integer | The timestamp when the related indicator was last valid. Example: 1717408615. |
| String | The type of the related indicator. Example: "hash_sha1". |
| Array of Objects | List of reports related to the indicator. |
| Array of Objects | List of targets associated with the indicator. |
| Array of Strings | List of threat types associated with the indicator. Example: ["Commodity", "CredentialHarvesting", "InformationStealer"]. |
| String | The type of the indicator. Example: "hash_sha256". |
| Array of Objects | List of vulnerabilities associated with the indicator. |
Action: Real Time Execute Command Single Host
The action executes a command on a single host.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base Command | Enter the base command. Example: ls | Text | Required | |
Device ID | Enter the device ID. Example: 9daac64e7e8xxxxx | Text | Required | |
Command | Enter the command. Example: cd | Text | Required | |
Session ID | Enter the session ID. Example: 3ee4c4-2e74-4967-884f-17xxx | Text | Required | |
IDs | Enter the IDs. Example: 234sdfkuixxxxx | Text | Optional | |
Persist All | Specify if you want to persist all. | Boolean | Optional | Default is true |
Action: Real Time Read Command
The action executes the RTR read-only command across the hosts mapped to the given batch ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base Command | Enter the base command. Example: ls | Text | Required | |
Batch ID | Enter the batch ID. Example: ea263243-ff2f-4aee-a606-xxxx | Text | Required | |
Command | Enter the command. Example: cd | Text | Required | |
Optional Hosts | Enter the optional hosts. | Text | Optional | |
Persist All | Specify if you want to persist all. | Boolean | Optional | Default is true |
Action: Real Time Response Admin Command
The action executes the RTR admin command across the hosts mapped to the given batch ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base Command | Enter the base command. Example: ls | Text | Required | |
Batch ID | Enter the batch ID. Example: ea263243-ff2f-4aee-a606-xxxx | Text | Required | |
Command | Enter the command. Example: cd | Text | Required | |
Optional Hosts | Enter the optional hosts. | Text | Optional | |
Persist All | Specify if you want to persist all. | Boolean | Optional | Default is true |
Action: Real Time Write Command
The action executes the RTR write-only command across the hosts mapped to the given batch ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base Command | Enter the base command. Example: ls | Text | Required | |
Batch ID | Enter the batch ID. Example: ea263243-ff2f-4aee-a606-xxx | Text | Required | |
Command | Enter the command. Example: cd | Text | Required | |
Optional Hosts | Enter the optional hosts. | Text | Optional | |
Persist All | Specify if you want to persist all. | Boolean | Optional | Default is true |
Action: Remove Hosts from Static Host Group
This action removes hosts from a static host group.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host IDs | Enter one or more static host group IDs from which you want to remove the hosts. Example: ["8015xxxxxxxx105d"] | List | Required | |
Name | Enter the action name. Example: filter | Text | Required | |
Value | Enter the host IDs to be removed from the static host group. Example: (device_id:['e139xxxxxxxx5885', '8393xxxxxxxx9650','389axxxxxxxx5e80']) | Text | Required |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| String | Indicates the API powering the response |
| String | Trace ID for the request |
| Array | List of resources affected by the operation |
| String | The unique identifier of the host |
| Boolean | Indicates if the host was successfully removed |
| Integer | HTTP status code of the operation |
| Object | Errors, if any, returned by the operation |
Action: Removing Falcon Grouping Tags
This action removes restrictions on the host using policy with tags.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID List | Enter one or more device IDs. Example: ["bf4fbxxxxxx4b8026"] | List | Required | |
Tags List | Enter the list of tags to be removed. Example: ["falcongroupingtags/tag1"] | List | Required |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| String | Indicates the API powering the response |
| String | Trace ID for the request |
| Array | List of resources affected by the operation |
| String | The unique identifier of the host group |
| Boolean | Indicates if the tags are successfully removed |
| Integer | HTTP status code of the operation |
| Object | Errors, if any, returned by the operation |
Action: Retrieve Zero Trust Assessment Data by Host
The action retrieves Zero Trust Assessment (ZTA) data for the specified hosts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Agent IDs | Enter the agent IDs (AID). Example: 8b83xxxxxxxx2098072c0496f8a0000 | Text | Required | You can get the agent ID from a detection, the Falcon console, or the streaming API in CrowdStrike Falcon. |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata of the response |
| Float | Time taken to query the data |
| String | Trace identifier for the query |
| Array | List of errors, if any |
| Array | List of resources |
| String | Agent ID of the host |
| String | Customer ID of the host |
| String | System serial number of the host |
| String | Platform of the host |
| String | Description of the product type |
| String | Last modified time of the resource |
| String | Status of the sensor file |
| Object | Assessment details of the host |
| Integer | Sensor configuration score |
| Integer | Operating system score |
| Integer | Overall assessment score |
| String | Version of the assessment |
| Object | Items of the assessment |
| Array | List of operating system signals |
| String | ID of the OS signal |
| String | Name of the OS signal |
| String | Group name of the OS signal |
| String | Criteria of the OS signal |
| String | Indicates if the OS signal meets the criteria |
Action: Retrieving Host NIC History
The action retrieves the network interface (NIC) history of the specified hosts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Customer ID | Enter the customer ID. Example: 456789abcdefghijklmnopqrstuv-wx | Text | Required | |
Device IDs | Enter the device IDs. Example: ['abcuu32534z'] | List | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| String | Source of the response data |
| String | Trace ID for the query |
| Array | List of resources returned by the query |
| String | The unique identifier for the host |
| String | CID of the host |
| Array | History of NIC configurations for the device |
| String | IP address of the device at a given time |
| String | MAC address of the device at a given time |
| String | Timestamp of the NIC configuration |
| Array | List of errors encountered during the query |
Action: Retrieving Host With Device Scroll
The action retrieves host IDs using device scroll, paging through the results with the offset returned in the response.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the limit for the result. | Integer | Optional | Default is 100 |
Offset | Enter the offset. | Text | Optional | Default is 0 |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| Object | Pagination details for the response |
| Integer | Total number of hosts |
| String | Offset for pagination |
| Integer | Expiration timestamp for the pagination offset |
| String | Service powering the response |
| String | Trace ID for the request |
| Array | List of host identifiers |
| Array | List of errors encountered during the request |
Action: Retrieving Indicator ID Details
The action retrieves the indicator ID details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Indicator IDs | Enter the list of indicator IDs. Example: $list[5130b3232266ec3d0712faaa503b0702dbfd5cced6aa725efd2bb19de1898655,16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d]. A single indicator can also be passed as a bare value, for example 16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d | List | Optional | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| Object | Pagination details |
| Integer | Limit on the number of results returned |
| Integer | Total number of results available |
| String | Cursor for fetching the next set of results |
| String | Service that powered the response |
| String | Trace ID for the request |
| Null | Error information (null if no errors) |
| Array | List of indicator IDs |
| Array | List of errors (empty array if no errors) |
Action: Retrieving Last Logged User Info
The action retrieves the last logged-in user information.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Customer ID | Enter the customer ID. Example: 456789abcdefghijklmnopqrstuv-wx | Text | Required | |
Device IDs | Enter the device IDs. Example: ['abcuu32534z'] | List | Required | |
Action: Search Host for Observed Indicator
The action searches for hosts on which the specified indicator was observed.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC Type | Enter the IOC type. | Text | Required | Allowed values: |
IOC Value | Enter the IOC value. | Text | Required | |
Extra Parameters | Enter the extra parameters. | Key Value | Optional | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Float | Time taken to execute the query |
| Object | Pagination details |
| Integer | Limit on the number of results returned |
| Integer | Total number of results available |
| String | Cursor for fetching the next set of results |
| String | Service that powered the response |
| String | Trace ID for the request |
| Null | Error information (null if no errors) |
| Array | List of host IDs |
| Array | List of errors (empty array if no errors) |
Action: Search Vulnerabilities
This action searches for vulnerabilities using FQL filters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Sort | Specify the sorting order. Example: sort: last_seen.desc. | Text | Optional | |
Facet | Enter a facet to limit the response. Example: $list[cve] | List | Optional | Allowed values: |
Limit | Enter the maximum number of vulnerability records to be returned. Example: 10 | Integer | Optional | |
Filter | Enter the Falcon Query Language (FQL) filter to limit the results. Example: created_timestamp: '2024-03-12t03:27' | Text | Required | Allowed filters: |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the API response |
| Number | Time taken for the query in seconds |
| String | Indicates the service powering the API (spapi in this case) |
| String | Unique identifier for tracing/debugging purposes |
| Array | List of vulnerability resources |
| String | Unique identifier for the vulnerability resource |
| String | Customer identifier associated with the vulnerability |
| String | Asset identifier associated with the vulnerability |
| String | ID of the vulnerability (e.g., CVE ID) |
| String | Metadata ID specific to the vulnerability |
| Array | List of data providers for the vulnerability |
| String | Timestamp when the vulnerability was created |
| String | Timestamp when the vulnerability was last updated |
| String | Status of the vulnerability (e.g., open, closed) |
| Array | List of applications affected by the vulnerability |
| Object | Information related to suppression of the vulnerability |
| Object | Details about the specific application affected |
| Object | Details about the CVE (Common Vulnerabilities and Exposures) |
| String | CVE ID for the vulnerability |
| Number | Base score of the vulnerability |
| String | Severity level of the vulnerability |
| Number | Exploit status of the vulnerability |
| String | Expert rating for the vulnerability |
| String | Remediation level for the vulnerability |
| Object | Information related to CISA (Cybersecurity and Infrastructure Security Agency) |
| Boolean | Indicates if the vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog |
| String | Due date associated with the CISA advisory |
| String | Published date for spotlight information related to the vulnerability |
| Array | List of actors associated with the vulnerability |
| String | Description of the vulnerability |
| String | Published date of the vulnerability |
| Array | List of vendor advisories related to the vulnerability |
| Array | List of references related to the vulnerability |
| Number | Exploitability score of the vulnerability |
| Number | Impact score of the vulnerability |
| String | Vector string describing the CVSS (Common Vulnerability Scoring System) metrics |
| Object | Information related to the host affected by the vulnerability |
| Object | Details about remediation steps for the vulnerability |
Action: Send Real Time Response to a Batch of Hosts
The action initiates a session with one or more hosts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Host IDs | Enter one or more IDs of the hosts you want to start a session with. Example: [9daac64e7e8f453488bfde9f573960b1] | List | Required | |
Existing Batch ID | Enter the ID of the batch of hosts. | Text | Optional | |
Queue Offline | Specify if the session must be queued offline. By default, it is queued. | Boolean | Optional | |
Action: Send Real Time Response to a Single Host
The action initiates a real-time session for a single host.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the device ID. Example: 9daac64e7e8f453xxxx | Text | Required | |
Origin | Enter the origin. Example: ls | Text | Required | |
Queue Offline | Specify whether the session is queued offline. | Text | Optional | Default value is true. |
Action: Update Alerts
This action updates alerts in CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert IDs | Enter a list of alert IDs to update. | List | Required | |
Action | Enter the action to perform on the alerts. | Text | Required | Allowed values: For more information, see CrowdStrike API Documentation. |
Action Value | Enter the value to use for the action. Example: malicious | Text | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | Time taken to process the query |
| Object | Details about the writes performed |
| Integer | Number of alerts updated |
| String | API used to power the response |
| String | Unique identifier for tracing the request |
Action: Update Detection Status
This action updates the status of the detections in incidents.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Update Detects | Specify if you want to update the associated detects. | Boolean | Optional | Default value is false. |
Overwrite Detects | Specify if you want to overwrite the associated detects. | Boolean | Optional | Default value is false. |
Name | Enter the action parameter. To update the detect status, enter update_status. | Text | Required | |
Value | Enter the updated detection value. | Text | Required | This value will be applied to each incident whose ID is listed in 'incident IDs'. |
Incident IDs | Enter one or more incident IDs whose detections you want to update. Example: ["inc:62e9c3d557a5479258d9ac63a2efb118:131b5xxxx"] | Any | Required | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata about the response |
| Number | Time taken to process the query |
| String | API used to power the response |
| String | Unique identifier for tracing the request |
Action: Update Indicators
The action updates the indicators.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC ID | Enter the ID of the indicator you want to update. Example: 9f8c43311b1801ca4159fc07d319610582c2003ccde8934d5412b1781e841e9e | Text | Required | |
Additional Data | Enter any additional data for updating the indicator. Example: {'source':'testsource','action':'detect'} | Key Value | Optional | |
Comment | Enter a comment about the update. | Text | Optional | |
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata of the response |
| Float | Time taken to execute the query |
| Object | Pagination details |
| Integer | Limit on the number of results |
| Integer | Total number of results |
| String | Name of the service that powered the response |
| String | Trace ID for the request |
| Null | Errors in the response, if any |
| Array | List of updated indicators |
| String | Unique identifier of the indicator |
| String | Type of the indicator |
| String | Value of the indicator |
| String | Source of the indicator |
| String | Action to be taken for the indicator |
| String | Severity level of the indicator |
| String | Description of the indicator |
| Array | Platforms associated with the indicator |
| Array | Tags associated with the indicator |
| String | Expiration date and time of the indicator |
| Boolean | Indicates if the indicator has expired |
| Boolean | Indicates if the indicator has been deleted |
| Boolean | Indicates if the indicator is applied globally |
| String | Creation date and time of the indicator |
| String | Email of the user who created the indicator |
| String | Modification date and time of the indicator |
| String | Email of the user who modified the indicator |
Action: Upload Indicators
This action is used to upload indicators in CrowdStrike Falcon.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IOC Type | Enter the IOC type. | Text | Required | Allowed values: |
IOC Value | Enter the IOC value. | Text | Required | |
Action | Enter the action to be performed on the indicators. | Text | Required | Allowed values: The allow, prevent_no_ui, and prevent actions are only applicable to hashes. |
Severity | Enter the severity level to apply to the indicator. | Text | Optional | Allowed values: If the Action is prevent or detect, then Severity is mandatory. |
Mobile Action | Enter the mobile action to be performed on the indicators. | Text | Optional | Allowed values: If the Mobile Action is prevent or detect, then Severity is mandatory. |
Platforms | Enter the platforms that the indicator applies to. | List | Required | Allowed values: If the Platforms include android or ios, then Mobile Action is mandatory. |
Comment | Enter a comment about the indicator being uploaded. | Text | Optional | |
Applied Globally | Specify if the indicator applies globally. | Boolean | Optional | Default value is true. |
Additional Data | Enter any additional data to send while uploading the indicator. | Key Value | Optional | |
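The cross-field rules in the Upload Indicators table (hash-only actions, severity required for prevent/detect, mobile action required for mobile platforms) are easy to get wrong in a playbook, so the following added example (not part of the connector or of CrowdStrike's code) checks a request against them before it is sent. The concrete IOC type, action, platform and severity value sets are assumptions taken from the public CrowdStrike IOC API, since the page's own allowed-value lists did not survive extraction.

```python
"""Pre-flight validation of an Upload Indicators request.

Added example; the value sets below are assumptions (public CrowdStrike IOC
API values), not the allowed-value lists from the page, which are missing.
"""
from __future__ import annotations

HASH_TYPES = {"md5", "sha256"}                       # assumed hash IOC types
IOC_TYPES = HASH_TYPES | {"domain", "ipv4", "ipv6"}  # assumed IOC types
ACTIONS = {"no_action", "allow", "prevent_no_ui", "prevent", "detect"}
HASH_ONLY_ACTIONS = {"allow", "prevent_no_ui", "prevent"}   # page: hashes only
SEVERITY_REQUIRED_FOR = {"prevent", "detect"}               # page: severity mandatory
MOBILE_PLATFORMS = {"android", "ios"}                       # page: need Mobile Action
PLATFORMS = MOBILE_PLATFORMS | {"windows", "mac", "linux"}  # assumed platform values
SEVERITIES = {"informational", "low", "medium", "high", "critical"}  # assumed


def validate_indicator(ioc: dict) -> list[str]:
    """Return the list of rule violations; an empty list means the request is valid."""
    problems: list[str] = []
    ioc_type = ioc.get("type")
    action = ioc.get("action")
    mobile_action = ioc.get("mobile_action")
    severity = ioc.get("severity")
    platforms = set(ioc.get("platforms") or [])

    # Basic required fields and value sets.
    if ioc_type not in IOC_TYPES:
        problems.append(f"unknown IOC type: {ioc_type!r}")
    if not ioc.get("value"):
        problems.append("IOC value is required")
    if action not in ACTIONS:
        problems.append(f"unknown action: {action!r}")
    if not platforms:
        problems.append("at least one platform is required")
    unknown = platforms - PLATFORMS
    if unknown:
        problems.append(f"unknown platforms: {sorted(unknown)}")
    if severity is not None and severity not in SEVERITIES:
        problems.append(f"unknown severity: {severity!r}")

    # Rule 1 (Action comment): allow, prevent_no_ui and prevent apply to hashes only.
    if action in HASH_ONLY_ACTIONS and ioc_type not in HASH_TYPES:
        problems.append(f"action {action!r} is only applicable to hash indicators")

    # Rules 2 and 3 (Severity / Mobile Action comments): prevent or detect,
    # whether desktop or mobile, makes Severity mandatory.
    if (action in SEVERITY_REQUIRED_FOR or mobile_action in SEVERITY_REQUIRED_FOR) \
            and not severity:
        problems.append("severity is mandatory when action or mobile action is prevent/detect")

    # Rule 4 (Platforms comment): android/ios platforms make Mobile Action mandatory.
    if platforms & MOBILE_PLATFORMS and not mobile_action:
        problems.append("mobile action is mandatory when platforms include android or ios")

    return problems


if __name__ == "__main__":
    # Constructed sample request: a domain indicator with a hash-only action.
    sample = {"type": "domain", "value": "example.invalid", "action": "prevent",
              "severity": "high", "platforms": ["windows"]}
    for problem in validate_indicator(sample):
        print("reject:", problem)
```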
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Object | Metadata of the response |
| Float | Time taken to execute the query |
| Object | Pagination details |
| Integer | Limit on the number of results |
| Integer | Total number of results |
| String | Name of the service that powered the response |
| String | Trace ID for the request |
| Null | Errors in the response, if any |
| Array | List of updated indicators |
| String | Unique identifier of the indicator |
| String | Type of the indicator |
| String | Value of the indicator |
| String | Source of the indicator |
| String | Action to be taken for the indicator |
| String | Severity level of the indicator |
| String | Description of the indicator |
| Array | Platforms associated with the indicator |
| Array | Tags associated with the indicator |
| String | Expiration date and time of the indicator |
| Boolean | Indicates if the indicator has expired |
| Boolean | Indicates if the indicator has been deleted |
| Boolean | Indicates if the indicator is applied globally |
| String | Creation date and time of the indicator |
| String | Email of the user who created the indicator |
| String | Modification date and time of the indicator |
| String | Email of the user who modified the indicator |
Action: Generic Action
This is a generic action used to make requests to any CrowdStrike Falcon endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Method | Enter the HTTP method to use. Example: GET | Text | Required | Allowed values: |
Endpoint | Enter the CrowdStrike endpoint to use. Example: /devices/entities/devices/v1 | Text | Required | |
Payload JSON | Enter the payload in JSON format. Example: {"data": [{"reason": "test"}]} | Text | Optional | |
Query Params | Enter the query parameters in JSON format. Example: {"limit": "10"} | Key Value | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: |