Cyware Orchestrate

CrowdStrike Falcon 2.0.0

App Vendor: CrowdStrike

App Category: Endpoint

Connector Version: 2.2.0

API Version: 1.0.0

About App

CrowdStrike Falcon is a comprehensive cybersecurity platform that provides advanced threat protection, endpoint security, and threat intelligence to defend against cyberattacks and secure organizations' digital assets. It utilizes cloud-native technology and artificial intelligence to deliver real-time threat detection and response capabilities.

The CrowdStrike Falcon app is configured with Orchestrate to perform the following actions:

Action Name

Description

Add Hosts to Static Host Group 

This action adds hosts to a static host group in CrowdStrike Falcon.

Adding IOA Exclusion (Deprecated) 

The action adds an IOA exclusion.

Add Tags To Falcon Grouping 

This action assigns tags to hosts.

Assign Prevention Policies to Host Groups 

This action assigns prevention policies to host groups.

Assign Sensor Policies to Host Groups 

This action assigns sensor policies to host groups.

Bulk Fetch Indicators 

This action fetches details about a batch of indicators. Results can be filtered using an FQL query.

Contain a Host 

This action contains a host using its ID.

Create Host Group 

This action creates a host group.

Create Machine Learning Exclusion 

This action creates a machine-learning exclusion.

Create Response Time File 

The action creates a response time file.

Create Sensor Visibility Learning Exclusion 

This action creates a sensor visibility exclusion.

Delete Indicator ID 

This action deletes indicators.

Delete ML Exclusion 

The action deletes a machine learning (ML) exclusion.

Delete Response Time File 

The action deletes the response time file.

Delete SV Exclusion 

The action deletes an SV exclusion.

Fetch Detection Details 

The action retrieves a particular detection's details.

Fetch Detection IDs 

The action searches for detections in order to learn more about activity in your environment.

Fetch Incident Detail 

The action retrieves a particular incident's details.

Fetch Particular IOA Exclusion 

The action retrieves the particular IOA exclusion.

Fetch Particular ML Exclusion Details 

The action retrieves details of an ML exclusion.

Fetch Particular Sensor Visibility Exclusion 

The action retrieves a particular sensor visibility exclusion.

Fetch Real Time Policy Agent IDs 

The action retrieves the real-time policy agent IDs.

Fetch Real Time Policy Hosts 

The action retrieves the real-time policy hosts.

Fetch Real Time Response Script 

This action searches and filters existing scripts uploaded to CrowdStrike Falcon.

Find Existing Prevention Policies 

The action finds existing prevention policies.

Find Existing Sensor Policies 

The action finds existing sensor policies.

Find Host Group Members 

This action retrieves the IDs of hosts in a host group.

Find Host Groups 

The action searches for host groups.

Find Host With Device Query 

The action searches for hosts with various device filters.

Find Indicator IDs 

This action finds IDs of indicators.

Find IOA Exclusion 

The action searches for IOA exclusions.

Find Machine Learning Exclusion 

The action searches for machine learning exclusions.

Find Sensor Visibility Exclusion 

The action retrieves the list of all sensor visibility exclusions.

Get Aggregated Alerts 

This action fetches aggregated alerts from CrowdStrike Falcon.

Get Alert Details 

This action is used to fetch the details of an alert from CrowdStrike Falcon.

Get Device Info By ID 

The action retrieves device information using the device ID.

Get Host Details 

This action retrieves detailed information of one or more hosts.

Get Host Details for Observed Indicator

This action retrieves host details using an observed indicator.

Get Incident IDs 

This action gets incident IDs.

Get Real Time Response Scripts 

This action retrieves real time response scripts using their IDs.

Get Remediation Details 

This action retrieves remediation details using remediation IDs.

Get Response Time Files 

The action retrieves the response time files.

Get Status of Host 

This action retrieves the status of a host.

Get Vulnerability Details 

This action retrieves details of a vulnerability using the vulnerability ID.

Get Vulnerability List 

This action retrieves the list of vulnerabilities from CrowdStrike Falcon.

Lift Host Containment 

The action lifts the containment of a host.

List All Alerts 

This action fetches all alerts from CrowdStrike Falcon.

List Hidden Host IDs 

This action gets a list of hidden host IDs.

List Response Time File 

The action retrieves the list of all the response time files.

Modify Detections 

The action modifies detections.

Modify Incidents 

This action modifies incidents in CrowdStrike Falcon.

Modify ML Exclusion 

The action modifies the machine learning exclusion.

Modify SV Exclusion 

The action modifies the SV exclusion.

Query Indicator 

This action queries for various indicators.

Real Time Execute Command Single Host 

The action executes a command on a single host.

Real Time Read Command 

The action executes the RTR read-only command across the hosts mapped to the given batch ID.

Real Time Response Admin Command 

The action executes the RTR admin command across the hosts mapped to the given batch ID.

Real Time Write Command 

The action executes the RTR write-only command across the hosts mapped to the given batch ID.

Remove Hosts from Static Host Group 

This action removes hosts from a static host group in CrowdStrike Falcon.

Removing Falcon Grouping Tags 

This action removes Falcon grouping tags from hosts.

Retrieve Zero Trust Assessment Data by Host 

The action retrieves ZTA data by the host.

Retrieving Host NIC History 

The action can be used to retrieve host NIC history.

Retrieving Host With Device Scroll 

The action can be used to retrieve the host with the device scroll.

Retrieving Indicator ID Details 

The action retrieves the indicator ID details.

Retrieving Last Logged User Info 

The action retrieves the last logged-in user information.

Search Host for Observed Indicator 

The action searches hosts for observed indicators.

Search Vulnerabilities 

This action searches for vulnerabilities using FQL filters.

Send Real Time Response to a Batch of Hosts 

The action initiates a session with one or more hosts.

Send Real Time Response to a Single Host 

The action initiates a real-time session for a single host.

Update Alerts 

This action updates alerts in CrowdStrike Falcon.

Update Detection Status 

This action updates the status of the detections in incidents.

Update Indicators 

The action updates the indicators.

Upload Indicators 

This action is used to upload indicators in CrowdStrike Falcon.

Generic Action 

This is a generic action used to make requests to any CrowdStrike Falcon endpoint.

Configuration Parameters

The following configuration parameters are required for the CrowdStrike Falcon app to communicate with the CrowdStrike Falcon enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

Base URL 

Enter the base URL to access Crowdstrike Falcon. 

Example: 

https://api.crowdstrike.com

Text

Required

Client ID 

Enter the client ID.

Text

Required

Client Secret Key 

Enter the client secret key to authenticate with Crowdstrike Falcon.

Password

Required

Verify 

Choose whether to verify the SSL/TLS certificate while making requests. It is recommended to set this option to yes. Setting it to no skips certificate verification, so the connection may be established without validating the identity of the CrowdStrike Falcon endpoint. 

Boolean

Optional

By default, the verification is not enabled.

Timeout 

Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with CrowdStrike Falcon. 

Integer

Optional

Allowed range:

15-120

Default value:

15

Action: Add Hosts to Static Host Group

This action adds hosts to a static host group in CrowdStrike Falcon.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Host group IDs 

Enter one or more static host group IDs to which you want to add the hosts.

Example:

["8015xxxxxxxx105d"]

List

Required

Name 

Enter the action parameter name used to add the hosts.

Example:

filter

Text

Required

Value 

Enter the filter value listing the host IDs to add to the static host group.

Example:

device_id:['e139xxxxxxxx5885', '8393xxxxxxxx9650','389axxxxxxxx5e80']

Text

Required

Action Response Parameters 

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.trace_id

String

Trace ID for the request

app_instance.response.errors

Array

List of errors, if any

app_instance.response.resources

Array

List of resources returned in the response

app_instance.response.resources.id

String

The unique identifier for the static host group

app_instance.response.resources.group_type

String

The type of group (e.g., static)

app_instance.response.resources.name

String

The name of the group

app_instance.response.resources.description

String

The description of the group

app_instance.response.resources.assignment_rule

String

The assignment rule for the group

app_instance.response.resources.created_by

String

ID of the user who created the group

app_instance.response.resources.created_timestamp

String

Timestamp when the group was created

app_instance.response.resources.modified_by

String

ID of the user who last modified the group

app_instance.response.resources.modified_timestamp

String

Timestamp when the group was last modified

Action: Adding IOA Exclusion (Deprecated)

The action adds an IOA exclusion to CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Cl Regex 

Enter the CL regex.

Text

Required

Comment 

Enter a comment.

Text

Required

Description 

Enter the description.

Text

Required

Detection JSON 

Enter the detection JSON.

Text

Optional

Group 

Enter the groups.

Example:

['2345jdsie3xxxx']

List

Optional

IFN Regex 

Enter the IFN regex.

Text

Required

Name 

Enter the name.

Example: 

Example IOA Exclusion

Text

Required

Pattern ID

Enter the pattern ID.

Example:

10197

Text

Required

Pattern Name 

Enter the pattern name.

Example:

sampletemplatedetection

Text

Required

Action: Add Tags To Falcon Grouping

This action adds Falcon grouping tags to hosts. These tags are used to dynamically assign hosts to host groups based on custom keywords you define.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Device ID List 

Enter the list of host IDs to assign the tags.

Example: 

['bf4fbxxxxxx4b8026']

List

Required

Tags List 

Enter the list of tags. 

Example: 

["falcongroupingtags/tag1", "falcongroupingtags/tag2"]

List

Required

Each tag must use the format FalconGroupingTags/{tagName}.
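The following Python example, added here and not part of Cyware Orchestrate or CrowdStrike, validates and builds the inputs of the Add Hosts to Static Host Group and Add Tags To Falcon Grouping actions described above before a playbook submits them; the dictionary key names (host_group_ids, name, value, device_id_list, tags_list) and the character set allowed in a tag name are assumptions.

```python
"""Validate and build the inputs of the Add Hosts to Static Host Group and
Add Tags To Falcon Grouping actions before a playbook submits them.
Added example for this page; not Cyware Orchestrate or CrowdStrike code."""
import re
from typing import Dict, Iterable, List, Union

# Falcon device (agent) IDs and host group IDs are 32 lowercase hex characters,
# as in the unmasked examples on this page.
_HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Format stated on the page: FalconGroupingTags/{tagName}. The prefix is matched
# case-insensitively because the page's own example is lowercase.
_TAG_PREFIX = "falcongroupingtags/"
_CANONICAL_PREFIX = "FalconGroupingTags/"
# Assumption: a conservative character set for the tag name itself.
_TAG_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def validate_ids(ids: Iterable[str], what: str) -> List[str]:
    """Normalise a list of 32-hex IDs, rejecting masked or malformed values."""
    clean: List[str] = []
    for raw in ids:
        value = raw.strip().lower()
        if not _HEX32.match(value):
            raise ValueError(f"{what} {raw!r} is not a 32-character hex ID")
        if value not in clean:          # drop duplicates, keep order
            clean.append(value)
    if not clean:
        raise ValueError(f"at least one {what} is required")
    return clean


def build_add_hosts_input(group_ids: Iterable[str],
                          device_ids: Iterable[str]) -> Dict[str, Union[str, List[str]]]:
    """Return the three inputs of Add Hosts to Static Host Group.

    The Value follows the page's example, device_id:['id1', 'id2'], and the
    Name is the action parameter name 'filter'. Key names are assumptions.
    """
    groups = validate_ids(group_ids, "host group ID")
    devices = validate_ids(device_ids, "device ID")
    value = "device_id:[" + ", ".join(f"'{d}'" for d in devices) + "]"
    return {"host_group_ids": groups, "name": "filter", "value": value}


def normalize_tag(tag: str) -> str:
    """Return the tag in canonical FalconGroupingTags/{tagName} form."""
    text = tag.strip()
    if not text.lower().startswith(_TAG_PREFIX):
        raise ValueError(f"tag {tag!r} must start with {_CANONICAL_PREFIX}")
    name = text[len(_TAG_PREFIX):]
    if not _TAG_NAME.match(name):
        raise ValueError(f"tag name {name!r} contains unsupported characters")
    return _CANONICAL_PREFIX + name


def build_add_tags_input(device_ids: Iterable[str],
                         tags: Iterable[str]) -> Dict[str, List[str]]:
    """Return the two inputs of Add Tags To Falcon Grouping. Key names assumed."""
    devices = validate_ids(device_ids, "device ID")
    clean_tags: List[str] = []
    for tag in tags:
        canonical = normalize_tag(tag)
        if canonical not in clean_tags:  # the same tag in two spellings is one tag
            clean_tags.append(canonical)
    if not clean_tags:
        raise ValueError("at least one tag is required")
    return {"device_id_list": devices, "tags_list": clean_tags}
```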

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

Time taken to process the query

app_instance.response.meta.powered_by

String

Indicates the service that processed the request

app_instance.response.meta.trace_id

String

Unique identifier for tracing the request

app_instance.response.resources

Array

List of resources affected by the request

app_instance.response.resources.device_id

String

The unique identifier for the host

app_instance.response.resources.updated

Boolean

Indicates if the host information was updated

app_instance.response.resources.code

Integer

HTTP status code of the operation

app_instance.response.errors

Array

Errors encountered during the request, if any

Action: Assign Prevention Policies to Host Groups

This action assigns prevention policies to host groups.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Name 

Enter the action parameter name.

Example:

group_id

Text

Required

Allowed value:

group_id

Host Group ID 

Enter the ID of the host group to which you want to assign the policy.

Example:

80156bb05a144660b89426884720105d

Text

Required

Policy IDs 

Enter one or more unique IDs of the prevention policies to assign to the host group.

Example:

b0ceca08642b4103a344f8251c492861

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Float

Time taken to process the query

app_instance.response.meta.trace_id 

String

Unique identifier for tracing the request

app_instance.response.resources 

Array

List of resources affected by the request

app_instance.response.errors 

Array

Errors encountered during the request, if any

Action: Assign Sensor Policies to Host Groups

This action assigns sensor policies to host groups.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Name 

Enter the action parameter name.

Example:

group_id

Text

Required

Allowed value: group_id

Host Group ID 

Enter the ID of the host group to which you want to assign the policy.

Example:

80156bb05a144660b89426884720105d

Text

Required

Policy IDs 

Enter one or more unique IDs of the sensor update policies to assign to the host group.

Example: 

["b0ceca08642b4103a344f8251c492861"]

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Float

Time taken to process the query

app_instance.response.meta.trace_id 

String

Unique identifier for tracing the request

app_instance.response.resources 

Array

List of resources affected by the request

app_instance.response.errors 

Array

Errors encountered during the request, if any

Action: Bulk Fetch Indicators

This action gets detailed info about a larger batch of indicators by specifying Falcon Query Language (FQL) filters.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filter 

Enter the FQL filter query to narrow the results. Filter values are case-sensitive.

Example:

type: "domain"

Text

Optional

For more information about allowed filters, see CrowdStrike Falcon API Documentation.

Example Request

[
    {
        "filters": "type:\"domain\""
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.pagination

Object

Pagination information

app_instance.response.meta.pagination.limit

Integer

Limit on the number of items per page

app_instance.response.meta.pagination.total

Integer

Total number of indicators

app_instance.response.meta.powered_by

String

Name of the service powering the response

app_instance.response.meta.trace_id

String

Trace ID for the request

app_instance.response.errors

Null

Errors in the response, if any

app_instance.response.resources

Array

List of indicators

app_instance.response.resources.id

String

Unique identifier for the indicator

app_instance.response.resources.type

String

Type of the indicator

app_instance.response.resources.value

String

Value of the indicator

app_instance.response.resources.source

String

Source of the indicator

app_instance.response.resources.action

String

Action to take on the indicator

app_instance.response.resources.severity

String

Severity level of the indicator

app_instance.response.resources.host_groups

Array

List of host groups associated with the indicator

app_instance.response.resources.applied_globally

Boolean

Indicates if the indicator is applied globally

app_instance.response.resources.platforms

Array

List of platforms the indicator applies to

app_instance.response.resources.tags

Array

Tags associated with the indicator

app_instance.response.resources.deleted

Boolean

Indicates if the indicator is deleted

app_instance.response.resources.created_on

String

Timestamp when the indicator was created

app_instance.response.resources.created_by

String

Email of the user who created the indicator

app_instance.response.resources.modified_on

String

Timestamp when the indicator was last modified

app_instance.response.resources.modified_by

String

Email of the user who last modified the indicator
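As an added Python example (not Cyware Orchestrate or CrowdStrike code), the block below builds the Bulk Fetch Indicators request body shown in the Example Request above and parses the response envelope listed here, tolerating the Null errors field this action returns and using meta.pagination to tell whether a playbook saw only the first page; the sample response is constructed from the field list, and its values are made up.

```python
"""Build the Bulk Fetch Indicators request shown above and parse its response
envelope (meta, errors, resources). Added example for this page; not Cyware
Orchestrate or CrowdStrike code."""
from typing import Any, Dict, List, Mapping


class FalconActionError(Exception):
    """Raised when the response envelope carries a non-empty errors list."""


def build_bulk_fetch_request(filters: Mapping[str, str]) -> List[Dict[str, str]]:
    """Return the request body [{"filters": ...}] from field/value pairs.

    Values are double-quoted as in the page's example, type:"domain", and
    several pairs are joined with '+' (FQL conjunction). Filter values are
    case-sensitive on the Falcon side, so they are passed through unchanged.
    """
    if not filters:
        raise ValueError("at least one filter field is required")
    parts = []
    for field, value in filters.items():
        if '"' in value or "\\" in value:
            raise ValueError(f"unsupported character in filter value {value!r}")
        parts.append(f'{field}:"{value}"')
    return [{"filters": "+".join(parts)}]


def check_errors(response: Mapping[str, Any]) -> None:
    """Fail loudly on API errors. The page lists errors as Null for this action
    and as Array for others, so both shapes are tolerated."""
    errors = response.get("errors") or []
    if errors:
        detail = "; ".join(
            f"{e.get('code', '?')}: {e.get('message', '')}" for e in errors)
        raise FalconActionError(detail)


def page_is_truncated(response: Mapping[str, Any]) -> bool:
    """True when meta.pagination.total exceeds meta.pagination.limit, i.e. the
    playbook saw only the first page of matching indicators."""
    pagination = (response.get("meta") or {}).get("pagination") or {}
    limit, total = pagination.get("limit"), pagination.get("total")
    return limit is not None and total is not None and total > limit


def active_indicators_by_type(response: Mapping[str, Any]) -> Dict[str, List[Dict[str, str]]]:
    """Group non-deleted indicators by type, keeping value, action and severity."""
    check_errors(response)
    grouped: Dict[str, List[Dict[str, str]]] = {}
    for res in response.get("resources") or []:
        if res.get("deleted"):      # soft-deleted indicators are no longer enforced
            continue
        grouped.setdefault(res["type"], []).append({
            "value": res["value"],
            "action": res.get("action", ""),
            "severity": res.get("severity", ""),
        })
    return grouped


# Constructed sample response following the field list above; every value is
# made up (reserved example domain and TEST-NET address), not captured data.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "meta": {
        "query_time": 0.012,
        "pagination": {"limit": 100, "total": 3},
        "powered_by": "constructed-service",
        "trace_id": "00000000-0000-0000-0000-000000000000",
    },
    "errors": None,
    "resources": [
        {"id": "constructed-1", "type": "domain", "value": "bad.example",
         "source": "playbook", "action": "prevent", "severity": "high",
         "host_groups": [], "applied_globally": True, "platforms": ["windows"],
         "tags": [], "deleted": False},
        {"id": "constructed-2", "type": "domain", "value": "old.example",
         "action": "detect", "severity": "low", "deleted": True},
        {"id": "constructed-3", "type": "ipv4", "value": "192.0.2.10",
         "action": "detect", "severity": "medium", "deleted": False},
    ],
}

if __name__ == "__main__":
    print(build_bulk_fetch_request({"type": "domain"}))
    print(page_is_truncated(SAMPLE_RESPONSE))
    print(active_indicators_by_type(SAMPLE_RESPONSE))
```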

Action: Contain a Host

This action contains a potentially compromised host, identified by its ID, to stop it from communicating.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host ID 

Enter the ID (agent ID) of the host you want to contain. 

Example:

["cdc40c8ad8314cf296016a507460c563"]

List

Required

You can get the agent ID from a detection, the Falcon console, or the streaming API in CrowdStrike Falcon.

Example Request

[
    {
        "host_id": [
            "cdc40c8ad8314cf296016a507460c563"
        ]
    }
]

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Float

Time taken to execute the query

app_instance.response.meta.powered_by 

String

Name of the service powering the response

app_instance.response.meta.trace_id 

String

Trace ID for the request

app_instance.response.errors 

Array

Errors in the response, if any

app_instance.response.resources 

Array

List of hosts contained

app_instance.response.resources.id 

String

Unique identifier for the host

app_instance.response.resources.path 

String

Endpoint to access the host

Action: Create Host Group

This action is used to create a host group. Host groups determine which policies are applied to which hosts. The host group type can be dynamic or static. After a group is created, its type can’t be changed.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Resource 

Enter the details of the host group to create.

Example:

[{"name":"test group","description":"sample test","group_type":"dynamic"}]

List

Required

For more information, see CrowdStrike Falcon API Documentation.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Float

Time taken to execute the query

app_instance.response.meta.trace_id 

String

Trace ID for the request

app_instance.response.errors 

Array

List of errors, if any

app_instance.response.resources 

Array

List of resources returned in the response

app_instance.response.resources.id 

String

The unique identifier for the host group

app_instance.response.resources.group_type 

String

The type of group (e.g., dynamic)

app_instance.response.resources.name 

String

The name of the group

app_instance.response.resources.description 

String

The description of the group

app_instance.response.resources.assignment_rule 

String

The assignment rule for the group

app_instance.response.resources.created_by 

String

ID of the user who created the group

app_instance.response.resources.created_timestamp 

String

Timestamp when the group was created

app_instance.response.resources.modified_by 

String

ID of the user who last modified the group

app_instance.response.resources.modified_timestamp 

String

Timestamp when the group was last modified

Action: Create Machine Learning Exclusion

This action creates a machine learning exclusion in CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Excluded From 

Enter whether the hosts are excluded from blocking (detections and preventions) or from extraction (uploads to CrowdStrike Falcon).

List

Required

Allowed values:

  • blocking

  • extraction

Comment 

Enter a comment for the audit log.

Text

Required

Groups 

Enter the host groups to which the exclusion applies. To apply the exclusion to all groups, enter ['all'].

List

Required

Exclusion Pattern 

Enter the exclusion pattern in glob syntax.

Example:

/foo

Text

Required

For more information about the Glob Syntax, see CrowdStrike Falcon Documentation.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id

String

Unique identifier for tracing the request

app_instance.response.errors

Array

List of errors (empty if no errors)

app_instance.response.resources

Array

List of machine learning exclusions

app_instance.response.resources.id

String

Unique identifier for the exclusion

app_instance.response.resources.value

String

Value or pattern excluded from machine learning operations

app_instance.response.resources.regexp_value

String

Regular expression pattern value

app_instance.response.resources.value_hash

String

Hash of the exclusion value

app_instance.response.resources.excluded_from

Array

List of operations from which the exclusion is applied (e.g., "blocking", "extraction")

app_instance.response.resources.groups

Array

List of host groups to which the exclusion applies

app_instance.response.resources.applied_globally

Boolean

Indicates if the exclusion is applied globally

app_instance.response.resources.last_modified

String

Timestamp when the exclusion was last modified

app_instance.response.resources.modified_by

String

User who last modified the exclusion

app_instance.response.resources.created_on

String

Timestamp when the exclusion was created

app_instance.response.resources.created_by

String

User who created the exclusion

Action: Create Response Time File

The action creates a response time file in CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

File Path 

Enter the file path.

Example:

/tmp/intel.pdf

Text

Required

File Name 

Enter the file name.

Example:

response file

Text

Required

Description 

Enter the description.

Text

Optional

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata object containing additional information

app_instance.response.meta.powered_by

String

Indicates the API service that powered the response

app_instance.response.meta.query_time

Float

The time taken for the query in seconds

app_instance.response.meta.trace_id

String

Unique identifier for tracing the API request

app_instance.response.meta.writes

Object

Details of resources affected by the operation

app_instance.response.meta.writes.resources_affected

Integer

Number of resources affected by the operation

Action: Create Sensor Visibility Learning Exclusion

This action creates a sensor visibility exclusion.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Comment 

Enter the comment.

Text

Required

Groups 

Enter the host groups to which the exclusion applies. To apply the exclusion to all groups, enter ['all'].

List

Required

Value 

Enter the exclusion pattern in glob syntax.

Example:

"/foo"

Text

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Meta information about the API response

app_instance.response.meta.query_time

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id

String

Unique trace ID for the API request

app_instance.response.errors

Array

List of errors (empty if no errors)

app_instance.response.resources

Array

List of sensor visibility exclusions

app_instance.response.resources.id

String

Unique identifier for the exclusion

app_instance.response.resources.value

String

The trusted file path excluded from sensor visibility

app_instance.response.resources.regexp_value

String

Regular expression value for the exclusion

app_instance.response.resources.value_hash

String

Hash value of the trusted file path

app_instance.response.resources.groups

Array

List of groups associated with the exclusion

app_instance.response.resources.applied_globally

Boolean

Indicates if the exclusion is applied globally

app_instance.response.resources.last_modified

String (ISO 8601)

Date and time when the exclusion was last modified

app_instance.response.resources.modified_by

String

Username of the user who last modified the exclusion

app_instance.response.resources.created_on

String (ISO 8601)

Date and time when the exclusion was created

app_instance.response.resources.created_by

String

Username of the user who created the exclusion

Action: Delete Indicator ID

This action deletes indicators in CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator ID 

Enter the list of indicator IDs.

Example:

$list[5130b3232266ec3d0712faaa503b0702dbfd5cced6aa725efd2bb19de1898655,16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d]

For single indicators: 16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d

List

Optional

You can retrieve this using the action Find Indicator IDs.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Meta information about the API response

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique trace ID for the API request

app_instance.response.errors 

Array

List of errors (empty if no errors)

app_instance.response.resources 

Array

List of indicator IDs deleted

Action: Delete ML Exclusion

The action deletes a machine learning (ML) exclusion.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

ML Exclusion IDs 

Enter one or more ML exclusion IDs.

Example:

['b0ceca08642b4103a344f8251c492861']

List

Required

Comment 

Enter a comment.

Text

Optional

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Meta information about the API response

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique trace ID for the API request

app_instance.response.errors 

Array

List of errors (empty if no errors)

app_instance.response.resources 

Array

List of machine learning exclusion IDs deleted

Action: Delete Response Time File

The action deletes a response time file.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

File ID 

Enter the response time file ID.

Example:

xxxxxxc611ec85f082cab6337bcd_1cff909fxxxxxx

Text

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Meta information about the API response

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique trace ID for the API request

app_instance.response.errors 

Array

List of errors (empty if no errors)

app_instance.response.resources 

Array

List of Real Time Response "put" file IDs deleted

Action: Delete SV Exclusion

The action deletes SV exclusions.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

SV Exclusion IDs 

Enter the SV exclusion IDs.

Example:

['b0ceca08642b4103a344f8251c492861']

List

Required

Comment 

Enter a comment.

Text

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Meta information about the API response

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique trace ID for the API request

app_instance.response.errors 

Array

List of errors (empty if no errors)

app_instance.response.resources 

Array

List of sensor visibility exclusion IDs deleted

Action: Fetch Detection Details

The action retrieves detection details.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Detection IDs

Enter the detection ID list.

Example:

["ldt:3752xxxxxxxx9964:8175xxxx2029"]

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance}

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Number

Time taken to process the query

app_instance.response.meta.powered_by

String

Indicates the service powering the API

app_instance.response.meta.trace_id

String

Trace ID for the query

app_instance.response.resources

Array

List of detection resources

app_instance.response.resources.cid

String

Customer ID associated with the detection

app_instance.response.resources.detection_id

String

Unique identifier for the detection

app_instance.response.resources.device

Object

Details of the device associated with the detection

app_instance.response.resources.device.device_id

String

Unique identifier for the device

app_instance.response.resources.device.cid

String

Customer ID of the device

app_instance.response.resources.device.agent_load_flag

String

Flags set when the agent was loaded

app_instance.response.resources.device.agent_local_time

String

Local time on the agent

app_instance.response.resources.device.agent_version

String

Version of the agent

app_instance.response.resources.device.bios_manufacturer

String

BIOS manufacturer

app_instance.response.resources.device.bios_version

String

BIOS version

app_instance.response.resources.device.config_id_base

String

Base configuration ID

app_instance.response.resources.device.config_id_build

String

Build configuration ID

app_instance.response.resources.device.config_id_platform

String

Platform configuration ID

app_instance.response.resources.device.external_ip

String

External IP address of the device

app_instance.response.resources.device.hostname

String

Hostname of the device

app_instance.response.resources.device.first_seen

String

Timestamp of when the device was first seen

app_instance.response.resources.device.last_seen

String

Timestamp of when the device was last seen

app_instance.response.resources.device.local_ip

String

Local IP address of the device

app_instance.response.resources.device.mac_address

String

MAC address of the device

app_instance.response.resources.device.major_version

String

Major version of the device OS

app_instance.response.resources.device.minor_version

String

Minor version of the device OS

app_instance.response.resources.device.os_version

String

Operating system version

app_instance.response.resources.device.platform_id

String

Platform ID of the device

app_instance.response.resources.device.platform_name

String

Platform name of the device

app_instance.response.resources.device.product_type

String

Product type of the device

app_instance.response.resources.device.product_type_desc

String

Description of the product type

app_instance.response.resources.device.status

String

Status of the device

app_instance.response.resources.device.system_manufacturer

String

System manufacturer of the device

app_instance.response.resources.device.system_product_name

String

System product name of the device

app_instance.response.resources.device.modified_timestamp

String

Timestamp of when the device was last modified

app_instance.response.resources.behaviors

Array

List of behaviors associated with the detection

app_instance.response.resources.behaviors.device_id

String

Unique identifier for the device associated with the behavior

app_instance.response.resources.behaviors.timestamp

String

Timestamp of the behavior

app_instance.response.resources.behaviors.behavior_id

String

Unique identifier for the behavior

app_instance.response.resources.behaviors.filename

String

Name of the file associated with the behavior

app_instance.response.resources.behaviors.alleged_filetype

String

Alleged filetype associated with the behavior

app_instance.response.resources.behaviors.cmdline

String

Command line executed for the behavior

app_instance.response.resources.behaviors.scenario

String

Scenario under which the behavior was identified

app_instance.response.resources.behaviors.severity

Integer

Severity of the behavior

app_instance.response.resources.behaviors.confidence

Integer

Confidence level of the behavior

app_instance.response.resources.behaviors.ioc_type

String

Type of indicator of compromise

app_instance.response.resources.behaviors.ioc_value

String

Value of the indicator of compromise

app_instance.response.resources.behaviors.ioc_source

String

Source of the indicator of compromise

app_instance.response.resources.behaviors.ioc_description

String

Description of the indicator of compromise

app_instance.response.resources.behaviors.user_name

String

Username associated with the behavior

app_instance.response.resources.behaviors.user_id

String

User ID associated with the behavior

app_instance.response.resources.behaviors.control_graph_id

String

Control graph ID associated with the behavior

app_instance.response.resources.behaviors.triggering_process_graph_id

String

Triggering process graph ID

app_instance.response.resources.behaviors.sha256

String

SHA-256 hash of the file

app_instance.response.resources.behaviors.md5

String

MD5 hash of the file

app_instance.response.resources.behaviors.parent_details

Object

Details of the parent process

app_instance.response.resources.behaviors.parent_details.parent_sha256

String

SHA-256 hash of the parent file

app_instance.response.resources.behaviors.parent_details.parent_md5

String

MD5 hash of the parent file

app_instance.response.resources.behaviors.parent_details.parent_cmdline

String

Command line executed by the parent process

app_instance.response.resources.behaviors.parent_details.parent_process_graph_id

String

Graph ID of the parent process

app_instance.response.resources.behaviors.pattern_disposition

Integer

Pattern disposition of the behavior

app_instance.response.resources.email_sent

Boolean

Indicates if an email was sent

app_instance.response.resources.first_behavior

String

Timestamp of the first behavior

app_instance.response.resources.last_behavior

String

Timestamp of the last behavior

app_instance.response.resources.max_confidence

Integer

Maximum confidence level of the detection

app_instance.response.resources.max_severity

Integer

Maximum severity level of the detection

app_instance.response.resources.max_severity_displayname

String

Display name of the maximum severity

app_instance.response.resources.show_in_ui

Boolean

Indicates if the detection should be shown in the UI

app_instance.response.resources.status

String

Status of the detection

app_instance.response.resources.adversary_ids

Null

List of adversary IDs associated with the detection

app_instance.response.resources.hostinfo

Object

Host information

app_instance.response.resources.hostinfo.active_directory_dn_display

Null

Active Directory distinguished name display

app_instance.response.resources.hostinfo.domain

String

Domain of the host

app_instance.response.resources.seconds_to_triaged

Integer

Seconds taken to triage the detection

app_instance.response.resources.seconds_to_resolved

Integer

Seconds taken to resolve the detection

app_instance.response.errors

Array

List of errors, if any
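The response layout above is what a playbook step receives after Fetch Detection Details; the following added example (not Cyware's or CrowdStrike's code) reduces it to the fields an analyst triages on, fails fast on a non-empty errors array, and filters behaviors by severity. It assumes only the documented field names; the sample response, its IDs and hashes are constructed placeholders.

```python
"""Triage helper for the documented Fetch Detection Details response shape."""
from typing import Any, Dict, List


class FalconResponseError(Exception):
    """Raised when app_instance.response.errors is non-empty."""


# Constructed sample in the documented shape: one detection, two behaviors.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "meta": {"query_time": 0.012, "powered_by": "placeholder", "trace_id": "trace-placeholder"},
    "resources": [
        {
            "cid": "cid-placeholder",
            "detection_id": "ldt:3752xxxxxxxx9964:8175xxxx2029",
            "device": {
                "device_id": "3752xxxxxxxx9964",
                "hostname": "WS-PLACEHOLDER",
                "platform_name": "Windows",
                "local_ip": "10.0.0.5",
            },
            "behaviors": [
                {
                    "behavior_id": "behavior-1",
                    "timestamp": "2024-01-01T10:00:05Z",
                    "filename": "cmd.exe",
                    "cmdline": "cmd /c whoami",
                    "severity": 30,
                    "confidence": 50,
                    "sha256": "b" * 64,  # placeholder hash
                    "user_name": "alice",
                    "pattern_disposition": 0,
                },
                {
                    "behavior_id": "behavior-2",
                    "timestamp": "2024-01-01T10:00:00Z",
                    "filename": "powershell.exe",
                    "cmdline": "powershell.exe -File script-placeholder.ps1",
                    "severity": 70,
                    "confidence": 80,
                    "sha256": "a" * 64,  # placeholder hash
                    "user_name": "alice",
                    "pattern_disposition": 0,
                },
            ],
            "max_severity": 70,
            "max_severity_displayname": "High",
            "max_confidence": 80,
            "status": "new",
        }
    ],
    "errors": [],
}

BEHAVIOR_FIELDS = ("behavior_id", "timestamp", "filename", "cmdline",
                   "severity", "confidence", "sha256", "user_name")


def check_errors(response: Dict[str, Any]) -> None:
    """Fail fast on a non-empty errors array instead of silently returning nothing."""
    errors = response.get("errors") or []
    if errors:
        trace_id = (response.get("meta") or {}).get("trace_id")
        raise FalconResponseError(f"trace_id={trace_id} errors={errors}")


def summarize_detection(resource: Dict[str, Any], min_severity: int) -> Dict[str, Any]:
    """Reduce one detection resource to the fields an analyst triages on."""
    device = resource.get("device") or {}
    # Keep behaviors at or above the threshold, highest severity first,
    # then oldest first so the chain of events reads top-down.
    kept = [b for b in resource.get("behaviors") or []
            if int(b.get("severity", 0)) >= min_severity]
    kept.sort(key=lambda b: (-int(b.get("severity", 0)), b.get("timestamp", "")))
    return {
        "detection_id": resource.get("detection_id"),
        "status": resource.get("status"),
        "max_severity": int(resource.get("max_severity", 0)),
        "max_severity_displayname": resource.get("max_severity_displayname"),
        "hostname": device.get("hostname"),
        "device_id": device.get("device_id"),
        "local_ip": device.get("local_ip"),
        "behaviors": [{k: b.get(k) for k in BEHAVIOR_FIELDS} for b in kept],
        # Deduplicated pivots for enrichment or containment steps later in the playbook.
        "sha256s": sorted({b["sha256"] for b in kept if b.get("sha256")}),
        "users": sorted({b["user_name"] for b in kept if b.get("user_name")}),
    }


def triage(response: Dict[str, Any], min_severity: int = 50) -> List[Dict[str, Any]]:
    """Summarize every detection in the response, most severe first."""
    check_errors(response)
    summaries = [summarize_detection(r, min_severity)
                 for r in response.get("resources") or []]
    summaries.sort(key=lambda s: -s["max_severity"])
    return summaries


if __name__ == "__main__":
    for item in triage(SAMPLE_RESPONSE):
        print(item["detection_id"], item["max_severity_displayname"],
              item["hostname"], item["sha256s"])
```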

Action: Fetch Detection IDs

The action searches for detections to learn more about activity in your environment.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Extra Parameters 

Enter any additional parameters to narrow the result.

Key Value

Optional

You can fetch detection IDs using FQL filters. For more information, see Falcon Query Language reference.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Number

Time taken to process the query

app_instance.response.meta.powered_by

String

Indicates the service powering the API

app_instance.response.meta.trace_id

String

Trace ID for the query

app_instance.response.resources

Array

List of detection IDs

Action: Fetch Incident Detail

The action retrieves a particular incident's details.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Incident IDs 

Enter the incident ID list.

Example:

["inc:a8ecce2f41df4112ae07d4e0c86d0795:3afxxx"]

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Number

Time taken to process the query

app_instance.response.meta.powered_by

String

Indicates the service powering the API

app_instance.response.meta.trace_id

String

Trace ID for the query

app_instance.response.resources

Array of JSON Objects

List of incidents with details

Action: Fetch Particular IOA Exclusion

The action retrieves the particular IOA exclusion.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IOA Exclusion IDs 

Enter one or more IOA exclusion IDs.

Example:

b0ceca08642b4103a344f8251c492861

Any

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

The time taken to execute the query

app_instance.response.meta.trace_id

String

Trace ID for the request

app_instance.response.errors

Array

List of errors, if any

app_instance.response.resources

Array

List of IOA exclusions

app_instance.response.resources.id

String

The unique identifier for the IOA exclusion

app_instance.response.resources.name

String

Name of the exclusion

app_instance.response.resources.description

String

Description of the exclusion

app_instance.response.resources.pattern_id

String

ID of the pattern

app_instance.response.resources.pattern_name

String

Name of the pattern

app_instance.response.resources.ifn_regex

String

Regex pattern for the indicator file name

app_instance.response.resources.cl_regex

String

Regex pattern for the command line

app_instance.response.resources.detection_json

String

JSON representation of the detection

app_instance.response.resources.groups

Array

List of groups associated with the exclusion

app_instance.response.resources.applied_globally

Boolean

Indicates if the exclusion is applied globally

app_instance.response.resources.last_modified

String

Timestamp of the last modification

app_instance.response.resources.modified_by

String

User who last modified the resource

app_instance.response.resources.created_on

String

Timestamp when the resource was created

app_instance.response.resources.created_by

String

User who created the resource

Action: Fetch Particular ML Exclusion Details

The action retrieves details of ML exclusions.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

ML Exclusion IDs 

Enter one or more ML exclusion IDs.

Example:

["b0ceca08642b4103a344f8251c492861"]

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the API response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.powered_by

String

Service powering the API

app_instance.response.meta.trace_id

String

Trace ID for the API request

app_instance.response.errors

Object

Errors encountered during the request, if any

app_instance.response.resources

Array

List of ML exclusions returned by the API

app_instance.response.resources.id

String

The unique identifier for the ML exclusion

app_instance.response.resources.value

String

The ML exclusion value

app_instance.response.resources.regexp_value

String

The regular expression value for the ML exclusion

app_instance.response.resources.value_hash

String

Hash of the ML exclusion value

app_instance.response.resources.groups

Array

Groups associated with the ML exclusion

app_instance.response.resources.applied_globally

Boolean

Indicates if the exclusion is applied globally

app_instance.response.resources.excluded_from

Array

List of actions from which the ML exclusion is excluded

app_instance.response.resources.last_modified

String

Timestamp for when the ML exclusion was last modified

app_instance.response.resources.modified_by

String

User who last modified the ML exclusion

app_instance.response.resources.created_on

String

Timestamp for when the ML exclusion was created

app_instance.response.resources.created_by

String

User who created the ML exclusion

Action: Fetch Particular Sensor Visibility Exclusion

The action retrieves a particular sensor visibility exclusion.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Sensor Visibility Exclusion IDs 

Enter the SV exclusion IDs.

Example:

["b0ceca08642b4103a344xxxx"]

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Meta information about the API response

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique trace ID for the API request

app_instance.response.errors 

Array

List of errors (empty if no errors)

app_instance.response.resources 

Array

List of resources (in this case, exclusions)

app_instance.response.resources.id 

String

Unique identifier for the exclusion

app_instance.response.resources.value 

String

The trusted file path excluded from sensor visibility

app_instance.response.resources.regexp_value 

String

Regular expression value for the exclusion

app_instance.response.resources.value_hash 

String

Hash value of the trusted file path

app_instance.response.resources.groups 

Array

List of groups associated with the exclusion

app_instance.response.resources.applied_globally 

Boolean

Indicates if the exclusion is applied globally

app_instance.response.resources.last_modified 

String (ISO 8601)

Date and time when the exclusion was last modified

app_instance.response.resources.modified_by 

String

Username of the user who last modified the exclusion

app_instance.response.resources.created_on 

String (ISO 8601)

Date and time when the exclusion was created

app_instance.response.resources.created_by 

String

Username of the user who created the exclusion

Action: Fetch Real Time Policy Agent IDs

The action retrieves the real-time policy agent IDs.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Extra Parameters 

Enter any extra parameters.

Key Value

Optional

Allowed keys:

  • id

  • offset

  • limit

  • sort

  • filter

For more information, see CrowdStrike API Documentation.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Meta information about the API response

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique trace ID for the API request

app_instance.response.errors 

Array

List of errors (empty if no errors)

app_instance.response.resources 

Array

List of real-time policy agent IDs

Action: Fetch Real Time Policy Hosts

The action retrieves the real-time policy hosts.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Extra Parameters 

Enter any extra parameters.

Key Value

Optional

Allowed keys:

  • id

  • offset

  • limit

  • sort

  • filter

For more information, see CrowdStrike API Documentation.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.pagination

Object

Pagination details for the response

app_instance.response.meta.pagination.offset

Integer

Offset for the pagination

app_instance.response.meta.pagination.limit

Integer

Limit for the pagination

app_instance.response.meta.pagination.total

Integer

Total number of records

app_instance.response.meta.trace_id

String

Trace ID for the query

app_instance.response.errors

Array

List of errors, if any

app_instance.response.resources

Array

List of resources (hosts)

app_instance.response.resources.device_id

String

Unique identifier for the device

app_instance.response.resources.cid

String

Customer ID

app_instance.response.resources.agent_load_flags

String

Agent load flags

app_instance.response.resources.agent_local_time

String

Agent local time

app_instance.response.resources.agent_version

String

Agent version

app_instance.response.resources.bios_manufacturer

String

BIOS manufacturer

app_instance.response.resources.bios_version

String

BIOS version

app_instance.response.resources.build_number

String

Build number of the OS

app_instance.response.resources.config_id_base

String

Base configuration ID

app_instance.response.resources.config_id_build

String

Build configuration ID

app_instance.response.resources.config_id_platform

String

Platform configuration ID

app_instance.response.resources.cpu_signature

String

CPU signature

app_instance.response.resources.external_ip

String

External IP address

app_instance.response.resources.mac_address

String

MAC address

app_instance.response.resources.hostname

String

Hostname of the device

app_instance.response.resources.first_seen

String

Timestamp when the device was first seen

app_instance.response.resources.last_seen

String

Timestamp when the device was last seen

app_instance.response.resources.local_ip

String

Local IP address

app_instance.response.resources.major_version

String

Major version of the OS

app_instance.response.resources.minor_version

String

Minor version of the OS

app_instance.response.resources.os_version

String

OS version

app_instance.response.resources.platform_id

String

Platform ID

app_instance.response.resources.platform_name

String

Platform name

app_instance.response.resources.policies

Array

List of policies applied to the device

app_instance.response.resources.policies.policy_type

String

Type of policy

app_instance.response.resources.policies.policy_id

String

Policy ID

app_instance.response.resources.policies.applied

Boolean

Indicates if the policy is applied

app_instance.response.resources.policies.settings_hash

String

Settings hash of the policy

app_instance.response.resources.policies.assigned_date

String

Date when the policy was assigned

app_instance.response.resources.policies.applied_date

String

Date when the policy was applied

app_instance.response.resources.policies.rule_groups

Array

List of rule groups for the policy

app_instance.response.resources.reduced_functionality_mode

String

Indicates if the device is in reduced functionality mode

app_instance.response.resources.device_policies

Object

Device policies

app_instance.response.resources.groups

Array

List of groups the device belongs to

app_instance.response.resources.group_hash

String

Hash of the group

app_instance.response.resources.product_type

String

Product type

app_instance.response.resources.product_type_desc

String

Description of the product type

app_instance.response.resources.provision_status

String

Provision status of the device

app_instance.response.resources.serial_number

String

Serial number of the device

app_instance.response.resources.service_pack_major

String

Major version of the service pack

app_instance.response.resources.service_pack_minor

String

Minor version of the service pack

app_instance.response.resources.pointer_size

String

Pointer size (in bits)

app_instance.response.resources.status

String

Status of the device

app_instance.response.resources.system_manufacturer

String

System manufacturer

app_instance.response.resources.system_product_name

String

System product name

app_instance.response.resources.tags

Array

List of tags associated with the device

app_instance.response.resources.modified_timestamp

String

Timestamp when the resource was last modified

app_instance.response.resources.slow_changing_modified_timestamp

String

Timestamp for slow changing modifications

app_instance.response.resources.meta

Object

Metadata for the resource

app_instance.response.resources.meta.version

String

Version of the resource metadata
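Both Fetch Real Time Policy Agent IDs and Fetch Real Time Policy Hosts accept offset and limit as extra parameters and report meta.pagination {offset, limit, total}; the following added example (not Cyware's or CrowdStrike's code) walks every page of the hosts response with a hard page cap and de-duplicates by device_id. `fake_fetch_policy_hosts` is a constructed in-memory stand-in for the Orchestrate action call, and only the documented parameter keys and pagination layout are assumed.

```python
"""Page through the Fetch Real Time Policy Hosts response using offset / limit."""
from typing import Any, Callable, Dict, List

# Constructed host records in the documented resources[] shape (subset of fields).
CONSTRUCTED_HOSTS: List[Dict[str, Any]] = [
    {"device_id": f"device-{i:02d}", "hostname": f"host-{i:02d}", "status": "normal"}
    for i in range(7)
]


def fake_fetch_policy_hosts(extra_params: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in for the action: honours offset/limit and reports meta.pagination."""
    offset = int(extra_params.get("offset", 0))
    limit = int(extra_params.get("limit", 100))
    page = CONSTRUCTED_HOSTS[offset:offset + limit]
    return {
        "meta": {
            "query_time": 0.001,
            "pagination": {"offset": offset, "limit": limit, "total": len(CONSTRUCTED_HOSTS)},
            "trace_id": "trace-placeholder",
        },
        "errors": [],
        "resources": page,
    }


def collect_all_hosts(fetch: Callable[[Dict[str, Any]], Dict[str, Any]],
                      page_size: int = 3, max_pages: int = 1000) -> List[Dict[str, Any]]:
    """Walk every page, de-duplicate by device_id, stop on total or an empty page."""
    seen: Dict[str, Dict[str, Any]] = {}
    offset = 0
    for _ in range(max_pages):  # hard stop so a bad total can never loop forever
        resp = fetch({"offset": offset, "limit": page_size})
        if resp.get("errors"):
            raise RuntimeError(f"action returned errors: {resp['errors']}")
        resources = resp.get("resources") or []
        for host in resources:
            # Hosts can shift between pages; keying on device_id avoids duplicates.
            seen.setdefault(host.get("device_id"), host)
        pagination = (resp.get("meta") or {}).get("pagination") or {}
        total = int(pagination.get("total", 0))
        offset = int(pagination.get("offset", offset)) + len(resources)
        if not resources or offset >= total:
            return list(seen.values())
    raise RuntimeError(f"gave up after {max_pages} pages")


if __name__ == "__main__":
    for host in collect_all_hosts(fake_fetch_policy_hosts, page_size=3):
        print(host["device_id"], host["hostname"])
```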

Action: Fetch Real Time Response Script

This action searches and filters existing scripts uploaded to CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Data 

Enter any additional parameters.

Key Value

Optional

You can fetch real time response scripts using FQL filters. For more information, see Falcon Query Language reference.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.pagination

Object

Pagination details for the response

app_instance.response.meta.pagination.offset

Integer

Offset for the pagination

app_instance.response.meta.pagination.limit

Integer

Limit for the pagination

app_instance.response.meta.pagination.total

Integer

Total number of records

app_instance.response.meta.trace_id

String

Trace ID for the query

app_instance.response.errors

Array

List of errors, if any

app_instance.response.resources

Array

List of script IDs

Action: Find Existing Prevention Policies

The action finds existing prevention policies.

Action Input Parameters

No input parameters are required for this action.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Number

The time taken to execute the query

app_instance.response.meta.pagination

Object

Pagination details

app_instance.response.meta.pagination.offset

Integer

The pagination offset

app_instance.response.meta.pagination.limit

Integer

The pagination limit

app_instance.response.meta.pagination.total

Integer

Total number of items

app_instance.response.meta.trace_id

String

The trace ID for the request

app_instance.response.errors

Array

List of errors

app_instance.response.resources

Array

List of prevention policies

app_instance.response.resources.id

String

The unique identifier for the prevention policy

app_instance.response.resources.name

String

The name of the prevention policy

app_instance.response.resources.description

String

Description of the prevention policy

app_instance.response.resources.platform_name

String

The platform for which the policy is applicable

app_instance.response.resources.groups

Array

List of groups associated with the policy

app_instance.response.resources.enabled

Boolean

Indicates if the policy is enabled

app_instance.response.resources.created_by

String

Email of the user who created the policy

app_instance.response.resources.created_timestamp

String

Timestamp when the policy was created

app_instance.response.resources.modified_by

String

Email of the user who last modified the policy

app_instance.response.resources.modified_timestamp

String

Timestamp when the policy was last modified

app_instance.response.resources.prevention_settings

Array

List of prevention settings associated with the policy

app_instance.response.resources.prevention_settings.name

String

Name of the prevention setting

app_instance.response.resources.prevention_settings.settings

Array

List of settings under the prevention setting

app_instance.response.resources.prevention_settings.settings.id

String

The unique identifier for the setting

app_instance.response.resources.prevention_settings.settings.name

String

The name of the setting

Action: Find Existing Sensor Policies

The action searches existing sensor policies.

Action Input Parameters

No input parameters are required for this action.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Number

The time taken to execute the query

app_instance.response.meta.pagination 

Object

Pagination details

app_instance.response.meta.pagination.offset 

Integer

The pagination offset

app_instance.response.meta.pagination.limit 

Integer

The pagination limit

app_instance.response.meta.pagination.total 

Integer

Total number of items

app_instance.response.meta.trace_id 

String

The trace ID for the request

app_instance.response.errors 

Array

List of errors

app_instance.response.resources 

Array

List of prevention policies

app_instance.response.resources.id 

String

The unique identifier for the prevention policy

app_instance.response.resources.name 

String

The name of the prevention policy

app_instance.response.resources.description 

String

Description of the prevention policy

app_instance.response.resources.platform_name 

String

The platform for which the policy is applicable

app_instance.response.resources.groups 

Array

List of groups associated with the policy

app_instance.response.resources.enabled 

Boolean

Indicates if the policy is enabled

app_instance.response.resources.created_by 

String

Email of the user who created the policy

app_instance.response.resources.created_timestamp 

String

Timestamp when the policy was created

app_instance.response.resources.modified_by 

String

Email of the user who last modified the policy

app_instance.response.resources.modified_timestamp 

String

Timestamp when the policy was last modified

app_instance.response.resources.prevention_settings 

Array

List of prevention settings associated with the policy

app_instance.response.resources.prevention_settings.name 

String

Name of the prevention setting

app_instance.response.resources.prevention_settings.settings 

Array

List of settings under the prevention setting

app_instance.response.resources.prevention_settings.settings.id 

String

The unique identifier for the setting

app_instance.response.resources.prevention_settings.settings.name 

String

The name of the setting

Action: Find Host Group Members

This action retrieves the IDs of hosts in a host group.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host Group ID 

Enter the host group ID to retrieve the hosts.

Example:

006exxxxxxxxa3e7

Text

Required

Limit 

Enter the maximum number of hosts to be retrieved.

Integer

Optional

The default value is 5. Hosts are sorted alphabetically by name.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Number

The time taken to execute the query

app_instance.response.meta.pagination 

Object

Pagination details

app_instance.response.meta.pagination.offset 

Integer

The pagination offset

app_instance.response.meta.pagination.limit 

Integer

The pagination limit

app_instance.response.meta.pagination.total 

Integer

Total number of items

app_instance.response.meta.trace_id 

String

The trace ID for the request

app_instance.response.errors 

Array

List of errors

app_instance.response.resources 

Array

List of host IDs

Action: Find Host Groups

The action searches for host groups.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Data 

Enter any additional parameters to search for host groups.

Key Value

Optional

You can fetch host groups using FQL filters. For more information, see Falcon Query Language reference.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Number

The time taken to execute the query

app_instance.response.meta.pagination 

Object

Pagination details

app_instance.response.meta.pagination.offset 

Integer

The pagination offset

app_instance.response.meta.pagination.limit 

Integer

The pagination limit

app_instance.response.meta.pagination.total 

Integer

Total number of items

app_instance.response.meta.trace_id 

String

The trace ID for the request

app_instance.response.errors 

Array

List of errors

app_instance.response.resources 

Array

List of host group IDs

Action: Find Host With Device Query

The action searches for hosts with various filters.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Extra Parameters 

Enter additional parameters such as device_id, external_ip, hostname, local_ip, mac_address, os_version, platform_name, and more.

Example:

filter: hostname:'test',local_ip:'192.168.1.1'

Key Value

Optional

For more information about device filters, see CrowdStrike API Documentation.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Number

The time taken to execute the query

app_instance.response.meta.pagination 

Object

Pagination details

app_instance.response.meta.pagination.offset 

Integer

The pagination offset

app_instance.response.meta.pagination.limit 

Integer

The pagination limit

app_instance.response.meta.pagination.total 

Integer

Total number of items

app_instance.response.meta.trace_id 

String

The trace ID for the request

app_instance.response.errors 

Array

List of errors

app_instance.response.resources 

Array

List of host IDs
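As an added example (not part of the connector's own code), the following Python walks the meta.pagination offset, limit and total fields documented for the Find Host Groups and Find Host With Device Query responses, fails fast when the errors array is non-empty, and deduplicates the returned IDs. The sample pages, IDs and trace IDs are constructed placeholders, and the fetch function stands in for the Orchestrate action call.

```python
from typing import Any, Callable, Dict, List, Optional

# Constructed sample pages shaped like app_instance.response for the
# Find Host Groups / Find Host With Device Query actions. IDs and trace IDs
# are placeholders, not real Falcon data. Page 2 deliberately repeats an ID:
# offset-based paging can return an item twice when the underlying set
# changes between calls, so the collector deduplicates.
SAMPLE_PAGES: Dict[int, Dict[str, Any]] = {
    0: {
        "meta": {"query_time": 0.012, "trace_id": "trace-0001",
                 "pagination": {"offset": 0, "limit": 2, "total": 3}},
        "errors": [],
        "resources": ["00000000000000000000000000000001",
                      "00000000000000000000000000000002"],
    },
    2: {
        "meta": {"query_time": 0.009, "trace_id": "trace-0002",
                 "pagination": {"offset": 2, "limit": 2, "total": 3}},
        "errors": [],
        "resources": ["00000000000000000000000000000002",
                      "00000000000000000000000000000003"],
    },
}
ERROR_PAGE: Dict[str, Any] = {
    "meta": {"query_time": 0.001, "trace_id": "trace-0003"},
    "errors": [{"code": 400, "message": "invalid FQL filter"}],
    "resources": [],
}


class FalconResponseError(Exception):
    """Raised when app_instance.response.errors is non-empty."""


def check_errors(response: Dict[str, Any]) -> None:
    """Fail fast on the errors array; keep trace_id, which support asks for."""
    errors = response.get("errors") or []
    if errors:
        trace_id = (response.get("meta") or {}).get("trace_id")
        raise FalconResponseError(f"trace_id={trace_id}: {errors}")


def next_offset(response: Dict[str, Any]) -> Optional[int]:
    """Return the offset of the next page, or None when the last page is in hand."""
    pagination = (response.get("meta") or {}).get("pagination") or {}
    offset = int(pagination.get("offset", 0))
    limit = int(pagination.get("limit", 0))
    total = int(pagination.get("total", 0))
    following = offset + limit
    # Stop on a zero limit, a non-advancing offset, an exhausted total,
    # or an empty page (guards against looping forever on odd metadata).
    if limit <= 0 or following <= offset or following >= total:
        return None
    if not response.get("resources"):
        return None
    return following


def collect_all_ids(fetch_page: Callable[[int], Dict[str, Any]],
                    max_pages: int = 1000) -> List[str]:
    """Call fetch_page(offset) for every page and return deduplicated IDs in order."""
    seen = set()
    ids: List[str] = []
    offset: Optional[int] = 0
    pages = 0
    while offset is not None and pages < max_pages:
        page = fetch_page(offset)
        check_errors(page)
        for rid in page.get("resources") or []:
            if rid not in seen:
                seen.add(rid)
                ids.append(rid)
        offset = next_offset(page)
        pages += 1
    return ids


def fetch_sample_page(offset: int) -> Dict[str, Any]:
    """Stand-in for the Orchestrate action call; serves the constructed pages."""
    return SAMPLE_PAGES[offset]


if __name__ == "__main__":
    print(collect_all_ids(fetch_sample_page))
```

In a playbook, replace fetch_sample_page with a call that runs the action with the offset key set in Additional Data or Extra Parameters and returns app_instance.response.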

Action: Find Indicator IDs

This action finds IDs of indicators.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filter Value 

Enter filters to narrow the result.

Example:

type:"md5", value:"test.com"

Text

Optional

Supported filters are type, value, action, mobile_action, severity, platforms, tags, expiration, expired, applied_globally, host_groups, created_on, created_by, modified_on, modified_by, and source.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Number

The time taken to execute the query

app_instance.response.meta.pagination 

Object

Pagination details

app_instance.response.meta.pagination.offset 

Integer

The pagination offset

app_instance.response.meta.pagination.limit 

Integer

The pagination limit

app_instance.response.meta.pagination.total 

Integer

Total number of items

app_instance.response.meta.trace_id 

String

The trace ID for the request

app_instance.response.errors 

Array

List of errors

app_instance.response.resources 

Array

List of indicator IDs

Action: Find IOA Exclusion

The action searches for IOA exclusions.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Parameters 

Enter any additional parameters while finding IOA exclusions.

Key Value

Optional

Allowed keys: 

  • limit

  • offset

  • ids

For more information, see CrowdStrike API Documentation.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Float

The time taken to execute the query

app_instance.response.meta.trace_id 

String

Trace ID for the request

app_instance.response.errors 

Array

List of errors, if any

app_instance.response.resources 

Array

List of IOA exclusions

app_instance.response.resources.id 

String

The unique identifier for the IOA exclusion

app_instance.response.resources.name 

String

Name of the exclusion

app_instance.response.resources.description 

String

Description of the exclusion

app_instance.response.resources.pattern_id 

String

ID of the pattern

app_instance.response.resources.pattern_name 

String

Name of the pattern

app_instance.response.resources.ifn_regex 

String

Regex pattern for the indicator file name

app_instance.response.resources.cl_regex 

String

Regex pattern for the command line

app_instance.response.resources.detection_json 

String

JSON representation of the detection

app_instance.response.resources.groups 

Array

List of groups associated with the exclusion

app_instance.response.resources.applied_globally 

Boolean

Indicates if the exclusion is applied globally

app_instance.response.resources.last_modified 

String

Timestamp of the last modification

app_instance.response.resources.modified_by 

String

User who last modified the resource

app_instance.response.resources.created_on 

String

Timestamp when the resource was created

app_instance.response.resources.created_by 

String

User who created the resource

Action: Find Machine Learning Exclusion

The action searches for machine learning exclusions.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Parameters 

Enter the additional parameters.

Key Value

Optional

Allowed keys: 

  • limit

  • offset

  • ids

For more information, see CrowdStrike API Documentation.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the API response

app_instance.response.meta.query_time 

Float

Time taken to execute the query

app_instance.response.meta.powered_by 

String

Service powering the API

app_instance.response.meta.trace_id 

String

Trace ID for the API request

app_instance.response.errors 

Object

Errors encountered during the request, if any

app_instance.response.resources 

Array

List of ML exclusions returned by the API

app_instance.response.resources.id 

String

The unique identifier for the ML exclusion

app_instance.response.resources.value 

String

The ML exclusion value

app_instance.response.resources.regexp_value 

String

The regular expression value for the ML exclusion

app_instance.response.resources.value_hash 

String

Hash of the ML exclusion value

app_instance.response.resources.groups 

Array

Groups associated with the ML exclusion

app_instance.response.resources.applied_globally 

Boolean

Indicates if the exclusion is applied globally

app_instance.response.resources.excluded_from 

Array

List of actions from which the ML exclusion is excluded

app_instance.response.resources.last_modified 

String

Timestamp for when the ML exclusion was last modified

app_instance.response.resources.modified_by 

String

User who last modified the ML exclusion

app_instance.response.resources.created_on 

String

Timestamp for when the ML exclusion was created

app_instance.response.resources.created_by 

String

User who created the ML exclusion

Action: Find Sensor Visibility Exclusion

The action retrieves the list of all the sensor visibility exclusions.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Parameters 

Enter additional parameters.

Key Value

Optional

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Meta information about the API response

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique trace ID for the API request

app_instance.response.errors 

Array

List of errors (empty if no errors)

app_instance.response.resources 

Array

List of resources (in this case, exclusions)

app_instance.response.resources.id 

String

Unique identifier for the exclusion

app_instance.response.resources.value 

String

The trusted file path excluded from sensor visibility

app_instance.response.resources.regexp_value 

String

Regular expression value for the exclusion

app_instance.response.resources.value_hash 

String

Hash value of the trusted file path

app_instance.response.resources.groups 

Array

List of groups associated with the exclusion

app_instance.response.resources.applied_globally 

Boolean

Indicates if the exclusion is applied globally

app_instance.response.resources.last_modified 

String (ISO 8601)

Date and time when the exclusion was last modified

app_instance.response.resources.modified_by 

String

Username of the user who last modified the exclusion

app_instance.response.resources.created_on 

String (ISO 8601)

Date and time when the exclusion was created

app_instance.response.resources.created_by 

String

Username of the user who created the exclusion

Action: Get Aggregated Alerts

This action fetches aggregated alerts from CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Name 

Enter a name for the aggregate query, which is used to identify the results returned.

Example: 

sample aggregate search

Text

Required

Aggregate Type 

Enter the type of aggregation to perform.

Text

Required

Allowed values are date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, and percentiles.

Aggregate Field 

Enter the field on which to compute the aggregation. This can be any field returned in the response, such as severity or tactic_id.

Text

Required

Action Response Parameters 

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.writes

Object

Information about writes in the response

app_instance.response.meta.writes.resources_affected

Integer

Number of resources affected by writes

app_instance.response.meta.powered_by

String

Name of the API powering the response

app_instance.response.meta.trace_id

String

Trace ID for the request

app_instance.response.resources

Array

List of resources in the response

app_instance.response.resources.name

String

Name of the grouping

app_instance.response.resources.buckets

Array

List of buckets in the resource

app_instance.response.resources.buckets.label

Integer

Label of the bucket

app_instance.response.resources.buckets.count

Integer

Count of alerts in the bucket

app_instance.response.errors

Array

List of errors in the response

Action: Get Alert Details

This action is used to fetch the details of an alert from CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert IDs 

Enter a list of alert IDs to get details.

Example:

28a1xxxxxxxx3914:ind:a618xxxxxxxx4d85:1328xxxxxxxx1933-117-1930xxxxxxxx9544

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata related to the query

app_instance.response.meta.query_time

Number

Time taken for the query in seconds

app_instance.response.meta.writes

Object

Details about resources affected by the query

app_instance.response.meta.writes.resources_affected

Number

Number of resources affected

app_instance.response.meta.powered_by

String

Indicates the source that powered the response

app_instance.response.meta.trace_id

String

Unique identifier for tracing purposes

app_instance.response.errors

Array

List of errors encountered (if any)

app_instance.response.resources

Array

List of alerts and related details

app_instance.response.resources.activity_id

String

Activity ID related to the alert

app_instance.response.resources.aggregate_id

String

Aggregate ID of the alert

app_instance.response.resources.cid

String

Customer ID (cid) associated with the alert

app_instance.response.resources.composite_id

String

Composite ID of the alert

app_instance.response.resources.confidence

Number

Confidence level of the alert

app_instance.response.resources.context_timestamp

String

Timestamp of the alert context

app_instance.response.resources.created_timestamp

String

Timestamp when the alert was created

app_instance.response.resources.description

String

Description of the alert

app_instance.response.resources.display_name

String

Display name of the alert

app_instance.response.resources.end_time

String

End time of the alert

app_instance.response.resources.falcon_host_link

String

Link to Falcon host for more details

app_instance.response.resources.id

String

Unique identifier of the alert

app_instance.response.resources.location_country_code

String

Country code of the alert location

app_instance.response.resources.name

String

Name of the alert

app_instance.response.resources.objective

String

Objective associated with the alert

app_instance.response.resources.okta_application_id

String

Okta application ID associated with the alert

app_instance.response.resources.pattern_id

Number

Pattern ID of the alert

app_instance.response.resources.product

String

Product related to the alert

app_instance.response.resources.scenario

String

Scenario associated with the alert

app_instance.response.resources.severity

Number

Severity level of the alert

app_instance.response.resources.show_in_ui

Boolean

Indicates if the alert should be displayed in the user interface

app_instance.response.resources.source_account_name

String

Name of the source account associated with the alert

app_instance.response.resources.source_account_okta_id

String

Okta ID of the source account associated with the alert

app_instance.response.resources.source_endpoint_address_ip4

String

IPv4 address of the source endpoint

app_instance.response.resources.source_endpoint_ip_address

String

IP address of the source endpoint

app_instance.response.resources.sso_application_identifier

String

Identifier of the SSO application associated with the alert

app_instance.response.resources.sso_application_uri

String

URI of the SSO application associated with the alert

app_instance.response.resources.start_time

String

Start time of the alert

app_instance.response.resources.status

String

Status of the alert

app_instance.response.resources.tactic

String

Tactic associated with the alert

app_instance.response.resources.tactic_id

String

ID of the tactic associated with the alert

app_instance.response.resources.technique

String

Technique associated with the alert

app_instance.response.resources.technique_id

String

ID of the technique associated with the alert

app_instance.response.resources.timestamp

String

Timestamp of the alert

app_instance.response.resources.type

String

Type of the alert

app_instance.response.resources.updated_timestamp

String

Timestamp when the alert was last updated

Action: Get Device Info By ID

The action searches for the device information using the device ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Device ID 

Enter the ID of the device to retrieve details.

Example:

8cfcb75a73aa48ac7b4f544b04a905b3

Text

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Float

Time taken to execute the query

app_instance.response.meta.pagination 

Object

Pagination details for the response

app_instance.response.meta.pagination.offset 

Integer

Offset for the pagination

app_instance.response.meta.pagination.limit 

Integer

Limit for the pagination

app_instance.response.meta.pagination.total 

Integer

Total number of records

app_instance.response.meta.trace_id 

String

Trace ID for the query

app_instance.response.errors 

Array

List of errors, if any

app_instance.response.resources 

Array

List of resources (hosts)

app_instance.response.resources.device_id 

String

Unique identifier for the device

app_instance.response.resources.cid 

String

Customer ID

app_instance.response.resources.agent_load_flags 

String

Agent load flags

app_instance.response.resources.agent_local_time 

String

Agent local time

app_instance.response.resources.agent_version 

String

Agent version

app_instance.response.resources.bios_manufacturer 

String

BIOS manufacturer

app_instance.response.resources.bios_version 

String

BIOS version

app_instance.response.resources.build_number 

String

Build number of the OS

app_instance.response.resources.config_id_base 

String

Base configuration ID

app_instance.response.resources.config_id_build 

String

Build configuration ID

app_instance.response.resources.config_id_platform 

String

Platform configuration ID

app_instance.response.resources.cpu_signature 

String

CPU signature

app_instance.response.resources.external_ip 

String

External IP address

app_instance.response.resources.mac_address 

String

MAC address

app_instance.response.resources.hostname 

String

Hostname of the device

app_instance.response.resources.first_seen 

String

Timestamp when the device was first seen

app_instance.response.resources.last_seen 

String

Timestamp when the device was last seen

app_instance.response.resources.local_ip 

String

Local IP address

app_instance.response.resources.major_version 

String

Major version of the OS

app_instance.response.resources.minor_version 

String

Minor version of the OS

app_instance.response.resources.os_version 

String

OS version

app_instance.response.resources.platform_id 

String

Platform ID

app_instance.response.resources.platform_name 

String

Platform name

app_instance.response.resources.policies 

Array

List of policies applied to the device

app_instance.response.resources.policies.policy_type 

String

Type of policy

app_instance.response.resources.policies.policy_id 

String

Policy ID

app_instance.response.resources.policies.applied 

Boolean

Indicates if the policy is applied

app_instance.response.resources.policies.settings_hash 

String

Settings hash of the policy

app_instance.response.resources.policies.assigned_date 

String

Date when the policy was assigned

app_instance.response.resources.policies.applied_date 

String

Date when the policy was applied

app_instance.response.resources.policies.rule_groups 

Array

List of rule groups for the policy

app_instance.response.resources.reduced_functionality_mode 

String

Indicates if the device is in reduced functionality mode

app_instance.response.resources.device_policies 

Object

Device policies

app_instance.response.resources.groups 

Array

List of groups the device belongs to

app_instance.response.resources.group_hash 

String

Hash of the group

app_instance.response.resources.product_type 

String

Product type

app_instance.response.resources.product_type_desc 

String

Description of the product type

app_instance.response.resources.provision_status 

String

Provision status of the device

app_instance.response.resources.serial_number 

String

Serial number of the device

app_instance.response.resources.service_pack_major 

String

Major version of the service pack

app_instance.response.resources.service_pack_minor 

String

Minor version of the service pack

app_instance.response.resources.pointer_size 

String

Pointer size (in bits)

app_instance.response.resources.status 

String

Status of the device

app_instance.response.resources.system_manufacturer 

String

System manufacturer

app_instance.response.resources.system_product_name 

String

System product name

app_instance.response.resources.tags 

Array

List of tags associated with the device

app_instance.response.resources.modified_timestamp 

String

Timestamp when the resource was last modified

app_instance.response.resources.slow_changing_modified_timestamp 

String

Timestamp for slow changing modifications

app_instance.response.resources.meta 

Object

Metadata for the resource

app_instance.response.resources.meta.version 

String

Version of the resource metadata

app_instance.response.resources.kernel_version

String

Kernel version of the device

Action: Get Host Details

This action retrieves detailed information for one or more host IDs, including each host's policies, configuration, and connection details.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host IDs 

Enter the list of host IDs to fetch details. You can enter up to 5000 IDs.

Example:

$list[5b62f6d1a451c8c1a8828ce28265d65b,5c4a1e9ffc24464a9776c61af]

List

Required

Example Request

[
    {
        "host_ids": [
            "cdc40c8ad8314cf296016a507460c563"
        ]
    }
]

Action Response Parameters

Parameter

Type

Description

meta 

Object

Contains metadata about the response, such as the query time, the powering service, and the trace ID.

resources 

Array of Objects

List of resources related to the response, each representing a host.

resources.device_id 

String

The unique identifier of the device. Example: abcd1234wxyz56

resources.cid 

String

The CrowdStrike Falcon customer identifier associated with the device. Example: 0123456789ABCDEFGHIJKLMNOPQRSTUV

resources.agent_version 

String

The version of the agent installed on the device. Example: 3.5.5606.0

resources.bios_manufacturer 

String

The manufacturer of the BIOS. Example: Phoenix Technologies LTD

resources.bios_version 

String

The version of the BIOS. Example: 6.00

resources.config_id_base 

String

The base configuration ID of the device. Example: 65994753

resources.config_id_build 

String

The build configuration ID of the device. Example: 5606

resources.config_id_platform 

String

The platform configuration ID of the device. Example: 3

resources.external_ip 

String

The external IP address of the device. Example: 24.xx.20.181.

resources.mac_address 

String

The MAC address of the device. Example: 00-50-xx-8c-17-81.

resources.hostname 

String

The hostname of the device. Example: example_host.

resources.first_seen 

String

The timestamp when the device was first seen. Example: 2017-07-19T02:08:24Z.

resources.last_seen 

String

The timestamp when the device was last seen. Example: 2017-09-25T23:45:55Z.

resources.local_ip 

String

The local IP address of the device.

resources.machine_domain 

String

The domain to which the device belongs.

resources.major_version 

String

The major version of the operating system.

resources.minor_version 

String

The minor version of the operating system.

resources.os_version 

String

The version of the operating system. Example: Windows 7.

resources.os_build 

String

The build ID of the operating system. Example: 19H1323.

resources.platform_id 

String

The platform ID of the device.

resources.platform_name 

String

The name of the platform.

Example:

Windows, macOS

resources.policies 

Array of Objects

List of policies applied to the device.

resources.policies.policy_type 

String

The type of policy.

Example:

prevention, sensor-update

resources.policies.policy_id 

String

The unique identifier of the policy. Example: aaabbbdddcccddd.

resources.policies.applied 

Boolean

Indicates if the policy is applied.

resources.device_policies 

Object

Contains details of device policies.

resources.device_policies.prevention 

Object

Contains details of the prevention policy.

resources.device_policies.sensor_update 

Object

Contains details of the sensor update policy.

resources.status

String

The status of the device. Example: normal.

resources.system_product_name 

String

The product name of the system. Example: VMware Virtual Platform

resources.modified_timestamp 

String

The timestamp when the device details were last modified. Example: 2017-09-25T23:46:06Z

resources.kernel_version

String

The kernel version of the operating system. Example: 6.1.7601.17592

Action: Get Host Details for Observed Indicator

This action retrieves host details using an observed indicator.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IOC Type

Enter the IOC type.

Text

Required

Allowed values:

sha256, md5, domain, ipv4, ipv6

IOC Value

Enter the IOC value.

Example:

8bbdead7357af7bf0efe397f9fd7e0ec578755eb8bdbaa65ae4f28ef00087ad5

Text

Required

Extra Parameters

Enter the extra parameters to pass to the API.

Key Value

Optional

Example Request

[
  {
    "ioc_type": "ipv4",
    "ioc_value": "1.1.2.2",
    "extra_params": {}
  }
]
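As an added example that is not part of the connector, this Python validates an IOC value against the declared IOC type before building the request body shown above, so that a malformed or mismatched indicator is rejected in the playbook instead of producing an empty or failed lookup. The function names are the example's own, and the hash, domain and IP checks are generic format checks, not Falcon's server-side validation.

```python
import ipaddress
import re
from typing import Any, Dict, List, Optional, Tuple

# Allowed IOC types for the action, as listed in the input table.
ALLOWED_IOC_TYPES = ("sha256", "md5", "domain", "ipv4", "ipv6")

_HASH_PATTERNS = {
    "sha256": re.compile(r"^[0-9a-fA-F]{64}$"),
    "md5": re.compile(r"^[0-9a-fA-F]{32}$"),
}
# Hostname label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_ioc(ioc_type: str, ioc_value: str) -> Tuple[str, str]:
    """Return a normalised (ioc_type, ioc_value) pair, or raise ValueError."""
    ioc_type = ioc_type.strip().lower()
    value = ioc_value.strip()
    if ioc_type not in ALLOWED_IOC_TYPES:
        raise ValueError(f"unsupported ioc_type {ioc_type!r}")
    if not value:
        raise ValueError("ioc_value is empty")

    if ioc_type in _HASH_PATTERNS:
        if not _HASH_PATTERNS[ioc_type].match(value):
            raise ValueError(f"{ioc_type} value must be hex of the expected length")
        return ioc_type, value.lower()

    if ioc_type == "domain":
        value = value.rstrip(".").lower()  # drop a trailing root dot
        labels = value.split(".")
        if len(value) > 253 or len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
            raise ValueError("ioc_value is not a valid domain name")
        return ioc_type, value

    # ipv4 / ipv6: parse strictly and require the family to match the declared type
    try:
        addr = ipaddress.ip_address(value)
    except ValueError as exc:
        raise ValueError(f"ioc_value is not an IP address: {exc}") from exc
    if (ioc_type == "ipv4") != (addr.version == 4):
        raise ValueError(f"{value} is IPv{addr.version}, but ioc_type is {ioc_type}")
    return ioc_type, str(addr)


def build_observed_indicator_request(
    ioc_type: str, ioc_value: str, extra_params: Optional[Dict[str, Any]] = None
) -> List[Dict[str, Any]]:
    """Build the single-element request list in the shape shown under Example Request."""
    checked_type, checked_value = validate_ioc(ioc_type, ioc_value)
    return [{
        "ioc_type": checked_type,
        "ioc_value": checked_value,
        "extra_params": dict(extra_params or {}),
    }]


if __name__ == "__main__":
    print(build_observed_indicator_request("ipv4", "1.1.2.2"))
```
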

Action: Get Incident IDs

This action gets incident IDs. 

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filters 

Enter any FQL filter or sort parameters while fetching incident IDs.

Example:

host_ids: '9a07d39f8c9f430eb3e474d1a0c16ce9'

Key Value

Optional

For filtering options, see CrowdStrike API Documentation.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Number

Time taken to process the query

app_instance.response.meta.powered_by 

String

Indicates the service powering the API

app_instance.response.meta.trace_id 

String

Trace ID for the query

app_instance.response.resources 

Array of JSON Objects

List of incidents with details

Action: Get Real Time Response Scripts

This action retrieves real time response (RTR) scripts using their IDs.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Script ID 

Enter the list of script IDs.

Example:

['fc4974cd1f9011ec8b82ba35da7e613b_9236b0e5b28946de8fc2d278cecba38d']

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Float

Time taken to execute the query

app_instance.response.meta.pagination 

Object

Pagination details for the response

app_instance.response.meta.pagination.offset 

Integer

Offset for the pagination

app_instance.response.meta.pagination.limit 

Integer

Limit for the pagination

app_instance.response.meta.pagination.total 

Integer

Total number of records

app_instance.response.meta.trace_id 

String

Trace ID for the query

app_instance.response.errors 

Array

List of errors, if any

app_instance.response.resources 

Array

The script details

Action: Get Remediation Details

This action retrieves remediation details using remediation IDs.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Remediation IDs 

Enter one or more remediation IDs.

Example:

$list['5ddb0407bef249c19c7a975f17979a1f_eecd9a8f319940dfb0255e5d436822d9']

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Number

Time taken for the query to execute, in seconds

app_instance.response.meta.powered_by

String

Source or system that powered the response

app_instance.response.meta.trace_id

String

Unique identifier for tracing the request

app_instance.response.resources

Array

List of remediation resources

app_instance.response.resources.id

String

Identifier for the remediation resource

app_instance.response.resources.reference

String

Reference version or number associated with the remediation

app_instance.response.resources.title

String

Title or name describing the remediation

app_instance.response.resources.action

String

Action recommended for remediation

app_instance.response.resources.link

String

Optional link for further information about the remediation

Action: Get Response Time Files

The action retrieves the response time files.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

File IDs 

Enter the list of file IDs.

Example:

$list[1246eaf04dc611ec85f082cab6337bcd_1cxxxxx]

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Number

The time taken for the query in seconds

app_instance.response.meta.powered_by

String

The source powering the API response

app_instance.response.meta.trace_id

String

Unique identifier for tracing purposes

app_instance.response.resources

Array

List of resources (RTR scripts)

app_instance.response.resources.id

String

Identifier for the RTR script

app_instance.response.resources.name

String

Name of the RTR script

app_instance.response.resources.description

String

Description of what the RTR script does

app_instance.response.resources.use_case

String

Use case scenario for the RTR script

app_instance.response.resources.categories

Array

Categories that the RTR script belongs to

app_instance.response.resources.access_roles

Array

Roles that have access to execute the RTR script

app_instance.response.resources.sha256

String

SHA-256 hash of the RTR script

app_instance.response.resources.size

Number

Size of the RTR script in bytes

app_instance.response.resources.platform

String

Platform for which the RTR script is intended (e.g., Windows)

app_instance.response.resources.content

String

Detailed content or script code

app_instance.response.resources.created_by

String

Creator of the RTR script

app_instance.response.resources.created_timestamp

String

Timestamp when the RTR script was created

app_instance.response.resources.modified_by

String

Last modifier of the RTR script

app_instance.response.resources.modified_timestamp

String

Timestamp when the RTR script was last modified

app_instance.response.resources.revision

Number

Revision number of the RTR script

app_instance.response.resources.workflow_enabled

Boolean

Indicates if the RTR script workflow is enabled

app_instance.response.resources.workflow_tags

Array

Tags associated with the RTR script's workflow

app_instance.response.resources.workflow_input_schema

String

Schema for the input expected by the RTR script's workflow

app_instance.response.resources.workflow_output_schema

String

Schema for the output produced by the RTR script's workflow

app_instance.response.resources.is_disruptive

Boolean

Indicates if executing the RTR script is disruptive

app_instance.response.resources.modifies_system

Boolean

Indicates if the RTR script modifies the system

Action: Get Status of Host

This action gets the status of hosts.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IDs 

Enter the IDs of the hosts to get status.

Example:

$list[5b62f6d1a451c8c1a8828ce28265d65b,5c4a1e9ffc24464a9776c61af]

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata related to the query

app_instance.response.meta.query_time

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id

String

Unique ID for tracing the query

app_instance.response.resources

Array

List of resources (hosts)

app_instance.response.resources.id

String

Unique identifier of the host

app_instance.response.resources.cid

String

Unique customer identifier for the host

app_instance.response.resources.last_seen

String (Timestamp)

Last seen timestamp of the host in UTC

app_instance.response.resources.state

String

Current state of the host (e.g., "online", "offline")

app_instance.response.errors

null or Array

Errors related to the query (if any)

Action: Get Vulnerability Details

This action retrieves details of vulnerabilities.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Vulnerability IDs 

Enter the vulnerability IDs.

Example:

$list[3e32646d80e94c875f9db78ae533d3a3_ff751484b9433cb899a9e4755cce7a7a].

List

Optional

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the API response

app_instance.response.meta.query_time

Number

Time taken for the query in seconds

app_instance.response.meta.powered_by

String

Indicates the service powering the API (spapi in this case)

app_instance.response.meta.trace_id

String

Unique identifier for tracing/debugging purposes

app_instance.response.resources

Array

List of vulnerability resources

app_instance.response.resources[id]

String

Unique identifier for the vulnerability resource

app_instance.response.resources[cid]

String

Customer identifier associated with the vulnerability

app_instance.response.resources[aid]

String

Asset identifier associated with the vulnerability

app_instance.response.resources[vulnerability_id]

String

ID of the vulnerability (e.g., CVE ID)

app_instance.response.resources[vulnerability_metadata_id]

String

Metadata ID specific to the vulnerability

app_instance.response.resources[data_providers]

Array

List of data providers for the vulnerability

app_instance.response.resources[created_timestamp]

String

Timestamp when the vulnerability was created

app_instance.response.resources[updated_timestamp]

String

Timestamp when the vulnerability was last updated

app_instance.response.resources[status]

String

Status of the vulnerability (e.g., open, closed)

app_instance.response.resources[apps]

Array

List of applications affected by the vulnerability

app_instance.response.resources[suppression_info]

Object

Information related to suppression of the vulnerability

app_instance.response.resources[app]

Object

Details about the specific application affected

app_instance.response.resources[cve]

Object

Details about the CVE (Common Vulnerabilities and Exposures)

app_instance.response.resources[cve].id

String

CVE ID for the vulnerability

app_instance.response.resources[cve].base_score

Number

Base score of the vulnerability

app_instance.response.resources[cve].severity

String

Severity level of the vulnerability

app_instance.response.resources[cve].exploit_status

Number

Exploit status of the vulnerability

app_instance.response.resources[cve].exprt_rating

String

Expert rating for the vulnerability

app_instance.response.resources[cve].remediation_level

String

Remediation level for the vulnerability

app_instance.response.resources[cve].cisa_info

Object

Information related to CISA (Cybersecurity and Infrastructure Security Agency)

app_instance.response.resources[cve].cisa_info.is_cisa_kev

Boolean

Indicates if the vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog

app_instance.response.resources[cve].cisa_info.due_date

String

Due date associated with the CISA advisory

app_instance.response.resources[cve].spotlight_published_date

String

Published date for spotlight information related to the vulnerability

app_instance.response.resources[cve].actors

Array

List of actors associated with the vulnerability

app_instance.response.resources[cve].description

String

Description of the vulnerability

app_instance.response.resources[cve].published_date

String

Published date of the vulnerability

app_instance.response.resources[cve].vendor_advisory

Array

List of vendor advisories related to the vulnerability

app_instance.response.resources[cve].references

Array

List of references related to the vulnerability

app_instance.response.resources[cve].exploitability_score

Number

Exploitability score of the vulnerability

app_instance.response.resources[cve].impact_score

Number

Impact score of the vulnerability

app_instance.response.resources[cve].vector

String

Vector string describing the CVSS (Common Vulnerability Scoring System) metrics

app_instance.response.resources[host_info]

Object

Information related to the host affected by the vulnerability

app_instance.response.resources[remediation]

Object

Details about remediation steps for the vulnerability
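As an added illustration (not part of the Cyware or CrowdStrike documentation), the following triages the Get Vulnerability Details response using the fields listed above; the sample response, CVE IDs, AIDs, host names, and the P1/P2/P3 policy are constructed assumptions, as is treating a higher exploit_status as "more exploited".

```python
from typing import Any

# Constructed sample of app_instance.response, shaped as the action documents it.
# CVE IDs, AIDs, host names and the trace ID are placeholders, not real values.
SAMPLE_RESPONSE: dict[str, Any] = {
    "meta": {"query_time": 0.04, "powered_by": "spapi", "trace_id": "trace-placeholder"},
    "errors": None,
    "resources": [
        {
            "id": "vuln-1", "aid": "aid-host-a", "status": "open",
            "cve": {"id": "CVE-0000-0001", "base_score": 9.8, "severity": "CRITICAL",
                    "exploit_status": 90,
                    "cisa_info": {"is_cisa_kev": True, "due_date": "2024-04-01"}},
            "host_info": {"hostname": "web-01"},
        },
        {
            "id": "vuln-2", "aid": "aid-host-a", "status": "open",
            "cve": {"id": "CVE-0000-0002", "base_score": 5.3, "severity": "MEDIUM",
                    "exploit_status": 0, "cisa_info": {"is_cisa_kev": False}},
            "host_info": {"hostname": "web-01"},
        },
        {
            "id": "vuln-3", "aid": "aid-host-b", "status": "closed",
            "cve": {"id": "CVE-0000-0003", "base_score": 9.0, "severity": "CRITICAL",
                    "exploit_status": 60, "cisa_info": {"is_cisa_kev": False}},
            "host_info": {"hostname": "db-01"},
        },
        {
            "id": "vuln-4", "aid": "aid-host-b", "status": "open",
            "cve": {"id": "CVE-0000-0004", "base_score": 7.5, "severity": "HIGH",
                    "exploit_status": 60, "cisa_info": {"is_cisa_kev": False}},
            "host_info": {"hostname": "db-01"},
        },
    ],
}


def priority_tier(cve: dict[str, Any]) -> str:
    """Map a resources[*].cve object to a triage tier.

    Assumed policy (not CrowdStrike's): anything on the CISA KEV list, or with
    a high base score and a high exploit_status, is P1; other high scores are
    P2; the rest P3. Higher exploit_status is assumed to mean "more exploited".
    """
    score = float(cve.get("base_score") or 0.0)
    exploit = int(cve.get("exploit_status") or 0)
    is_kev = bool((cve.get("cisa_info") or {}).get("is_cisa_kev"))
    if is_kev or (score >= 7.0 and exploit >= 60):
        return "P1"
    if score >= 7.0:
        return "P2"
    return "P3"


def triage(response: dict[str, Any]) -> list[dict[str, Any]]:
    """Return open vulnerabilities sorted most urgent first.

    Raises if the response carries errors, so a workflow does not act on a
    partial result. Vulnerabilities whose status is not "open" are dropped.
    """
    errors = response.get("errors")
    if errors:
        raise RuntimeError(f"CrowdStrike returned errors: {errors}")
    rows: list[dict[str, Any]] = []
    for res in response.get("resources") or []:
        if (res.get("status") or "").lower() != "open":
            continue
        cve = res.get("cve") or {}
        rows.append({
            "vuln_id": res.get("id"),
            "aid": res.get("aid"),
            "hostname": (res.get("host_info") or {}).get("hostname"),
            "cve_id": cve.get("id"),
            "base_score": float(cve.get("base_score") or 0.0),
            "tier": priority_tier(cve),
            "kev_due_date": (cve.get("cisa_info") or {}).get("due_date"),
        })
    # P1 before P2 before P3; within a tier, higher base score first.
    rows.sort(key=lambda r: (r["tier"], -r["base_score"]))
    return rows


def worklist_by_host(rows: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Group triaged rows into per-host (AID) lists of CVE IDs, keeping order."""
    out: dict[str, list[str]] = {}
    for r in rows:
        out.setdefault(r["aid"], []).append(r["cve_id"])
    return out


if __name__ == "__main__":
    ranked = triage(SAMPLE_RESPONSE)
    for row in ranked:
        print(row["tier"], row["cve_id"], row["hostname"], row["base_score"])
    print(worklist_by_host(ranked))
```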

Action: Get Vulnerability List

This action gets the list of vulnerabilities from CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Limit 

Enter the maximum number of vulnerability records to be returned.

Example: 10

Integer

Optional

Filter 

Enter the FQL filter to limit the results.

Example:

created_timestamp:>'2024-03-12t03:27'.

Text

Required

For filtering options, see CrowdStrike API Documentation.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the API response

app_instance.response.meta.query_time

Number

Time taken for the query in seconds

app_instance.response.meta.powered_by

String

Indicates the service powering the API (spapi in this case)

app_instance.response.meta.trace_id

String

Unique identifier for tracing/debugging purposes

app_instance.response.resources

Array

List of vulnerability IDs

Action: Lift Host Containment

The action lifts the containment of a host.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host IDs 

Enter the host agent ID (AID) of the host.

Example:

["123456789"]

List

Required

Get the AID from a detection, the Falcon console, or the streaming API in CrowdStrike Falcon. 

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata related to the query

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique ID for tracing the query

app_instance.response.resources 

Array

List of resources (hosts)

app_instance.response.resources.id 

String

Unique identifier of the host

app_instance.response.resources.cid 

String

Unique customer identifier for the host

app_instance.response.resources.last_seen 

String (Timestamp)

Last seen timestamp of the host in UTC

app_instance.response.resources.state 

String

Current state of the host (e.g., "online", "offline")

app_instance.response.errors 

null or Array

Errors related to the query (if any)

Action: List All Alerts

This action fetches all alerts from CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Filter 

Enter a query to filter alerts.

Example:

product:'idp'

Text

Optional

Limit 

Enter the maximum number of alerts to return.

Integer

Optional

Default limit is 100

Offset 

Enter the offset to return results.

Integer

Optional

Default value is 0

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata related to the query

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique ID for tracing the query

app_instance.response.resources 

Array

List of alert IDs

Action: List Hidden Host IDs

This action gets a list of hidden host IDs.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Limit 

Enter the maximum number of host IDs to return.

Example:

100

Integer

Optional

Allowed range: 

1-5000

Default value:

100

Offset 

Enter the offset to return results.

Example:

19

Integer

Optional

Default value:

0

Filter 

Enter the query to filter the results. This filter is case-sensitive.

Example:

type:"domain"

Text

Optional

For available filters, see CrowdStrike API Documentation.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata related to the query

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique ID for tracing the query

app_instance.response.resources 

Array

List of hidden host IDs

Action: List Response Time File

The action retrieves the list of all the response time files.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Additional Parameters 

Enter the extra parameters for retrieving the files.

Key Value

Optional

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Float

Time taken to execute the query

app_instance.response.meta.pagination 

Object

Pagination details for the response

app_instance.response.meta.pagination.offset 

Integer

Offset for the pagination

app_instance.response.meta.pagination.limit 

Integer

Limit for the pagination

app_instance.response.meta.pagination.total 

Integer

Total number of records

app_instance.response.meta.trace_id 

String

Trace ID for the query

app_instance.response.errors 

Array

List of errors, if any

app_instance.response.resources 

Array

List of file IDs

Action: Modify Detections

The action modifies detections.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Detection IDs 

Enter one or more IDs of the detections that you want to modify.

Example:

["ldt:3752xxxxxxxx9964:8175xxxx2029"]

List

Required

Status 

Enter the status associated with the detections.

Text

Required

Allowed values are new, in_progress, true_positive, false_positive, and ignored.

Assigned User 

Enter the user's unique ID to whom you want to assign the detections.

Example:

1234567891234567891

Text

Optional

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the detection

app_instance.response.meta.query_time

Number

Time taken for the query in seconds

app_instance.response.meta.writes

Object

Details of writes related to the detection

app_instance.response.meta.writes.resources_affected

Integer

Number of affected resources

app_instance.response.meta.trace_id

String

Unique trace ID for the detection request

Action: Modify Incidents

This action modifies incidents in CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Name 

Enter the specific detail of the incident that you want to update.

Text

Required

Allowed values are add_tag, delete_tag, unassign, update_name, update_assigned_to_v2, update_description, and update_status.

Value 

Enter the updated value for the specified name.

Example:

If “Name” is add_tag, you can enter the tags you want to add to the incident.

Text

Required

Incident IDs 

Enter one or more IDs of incidents that you want to update.

Example:

[inc:a8ecce2f41df4112ae07d4e0c86d0795:3afxxx]

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the request

app_instance.response.meta.query_time

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id

String

Unique trace ID for the incident request

Action: Modify ML Exclusion

The action modifies the machine learning exclusion.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Data 

Enter the data that needs to be updated in key-value format.

Example:

{'excluded_from':['blocking','extraction']}

Key Value

Required

ML Exclusion ID 

Enter the ML exclusion IDs.

Example:

'b0ceca08642b4103a344f8251c492861'

Text

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the API response

app_instance.response.meta.query_time 

Float

Time taken to execute the query

app_instance.response.meta.powered_by 

String

Service powering the API

app_instance.response.meta.trace_id 

String

Trace ID for the API request

app_instance.response.errors 

Object

Errors encountered during the request, if any

app_instance.response.resources 

Array

List of ML exclusions returned by the API

app_instance.response.resources.id 

String

The unique identifier for the ML exclusion

app_instance.response.resources.value 

String

The ML exclusion value

app_instance.response.resources.regexp_value 

String

The regular expression value for the ML exclusion

app_instance.response.resources.value_hash 

String

Hash of the ML exclusion value

app_instance.response.resources.groups 

Array

Groups associated with the ML exclusion

app_instance.response.resources.applied_globally 

Boolean

Indicates if the exclusion is applied globally

app_instance.response.resources.excluded_from 

Array

List of actions from which the ML exclusion is excluded

app_instance.response.resources.last_modified 

String

Timestamp for when the ML exclusion was last modified

app_instance.response.resources.modified_by 

String

User who last modified the ML exclusion

app_instance.response.resources.created_on 

String

Timestamp for when the ML exclusion was created

app_instance.response.resources.created_by 

String

User who created the ML exclusion

Action: Modify SV Exclusion

The action modifies a sensor visibility (SV) exclusion.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Data 

Enter the data you want to update.

Example:

{'value':'sv_name'}

Key Value

Required

SV Exclusion ID 

Enter the SV exclusion ID.

Example:

b0ceca08642b4103a344f8251c492861

Text

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Meta information about the API response

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.trace_id 

String

Unique trace ID for the API request

app_instance.response.errors 

Array

List of errors (empty if no errors)

app_instance.response.resources 

Array

List of resources (in this case, exclusions)

app_instance.response.resources.id 

String

Unique identifier for the exclusion

app_instance.response.resources.value 

String

The trusted file path excluded from sensor visibility

app_instance.response.resources.regexp_value 

String

Regular expression value for the exclusion

app_instance.response.resources.value_hash 

String

Hash value of the trusted file path

app_instance.response.resources.groups 

Array

List of groups associated with the exclusion

app_instance.response.resources.applied_globally 

Boolean

Indicates if the exclusion is applied globally

app_instance.response.resources.last_modified 

String (ISO 8601)

Date and time when the exclusion was last modified

app_instance.response.resources.modified_by 

String

Username of the user who last modified the exclusion

app_instance.response.resources.created_on 

String (ISO 8601)

Date and time when the exclusion was created

app_instance.response.resources.created_by 

String

Username of the user who created the exclusion

Action: Query Indicator

This action queries for various indicators in CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Offset 

Enter the starting row number to return from the index. 

Integer

Optional

Default is 0.

Limit 

Enter the number of rows to return.

Integer

Optional

Default is 100.

Sort 

Enter the sorting order.

Example:

published_date|asc.

Text

Optional

Filter 

Enter the filter.

Example:

_marker, actors, deleted.

Text

Optional

Search 

Enter the generic substring search.

Text

Optional

Include Deleted 

Specify if deleted indicators should be included.

Boolean

Optional

Default is false

Include Relations 

Specify if relations should be included.

Boolean

Optional

Default is false

Action Response Parameters

Parameter

Type

Description

{app_instance}

Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response

Object

Contains the details of the response.

app_instance.response.errors

Array of Objects

List of errors related to the request, if any.

app_instance.response.meta

Object

Metadata about the response, such as the pagination offset and limit.

app_instance.response.resources

Array of Objects

List of indicator resources related to the query.

app_instance.response.resources._marker

String

A marker for the resource. Example: "1717408640a479be6300bbe61d6ac71572f605a524".

app_instance.response.resources.actors

Array of Objects

List of actors related to the indicator.

app_instance.response.resources.deleted

Boolean

Indicates if the indicator has been deleted. Example: false.

app_instance.response.resources.domain_types

Array of Objects

List of domain types related to the indicator.

app_instance.response.resources.id

String

The unique identifier of the indicator. Example: "hash_sha256_df8c1e38200681e2b07b3c2db38ca07ff89172fc2ef975135a10bd7caef1c6dd".

app_instance.response.resources.indicator

String

The indicator value. Example: "df8c1e38200681e2b07b3c2db38ca07ff89172fc2ef975135a10bd7caef1c6dd".

app_instance.response.resources.ip_address_types

Array of Objects

List of IP address types related to the indicator.

app_instance.response.resources.kill_chains

Array of Objects

List of kill chains related to the indicator.

app_instance.response.resources.labels

Array of Objects

List of labels associated with the indicator.

app_instance.response.resources.labels.created_on

Integer

The timestamp when the label was created. Example: 1717408615.

app_instance.response.resources.labels.last_valid_on

Integer

The timestamp when the label was last valid. Example: 1717408640.

app_instance.response.resources.labels.name

String

The name of the label. Example: “MaliciousConfidence/High”.

app_instance.response.resources.last_updated

Integer

The timestamp when the indicator was last updated. Example: 1717408640.

app_instance.response.resources.malicious_confidence 

String

The confidence level of the malicious indicator. Example: "high".

app_instance.response.resources.malware_families

Array of Strings

List of malware families associated with the indicator. Example: ["Mofksys"].

app_instance.response.resources.published_date

Integer

The timestamp when the indicator was published. Example: 1717408615.

app_instance.response.resources.relations

Array of Objects

List of relations associated with the indicator.

app_instance.response.resources.relations.created_date

Integer

The timestamp when the relation was created. Example: 1717408615.

app_instance.response.resources.relations.id

String

The unique identifier of the related indicator. Example: "hash_sha1_90b6160e521bf376bad3cc0bb89fd8f86dcd7214".

app_instance.response.resources.relations.indicator

String

The value of the related indicator. Example: “90b6160e521bf376bad3cc0bb89fd8f86dcd7214”.

app_instance.response.resources.relations.last_valid_date   

Integer

The timestamp when the related indicator was last valid. Example: 1717408615.

app_instance.response.resources.relations.type

String

The type of the related indicator. Example: "hash_sha1".

app_instance.response.resources.reports

Array of Objects

List of reports related to the indicator.

app_instance.response.resources.targets

Array of Objects

List of targets associated with the indicator.

app_instance.response.resources.threat_types

Array of Strings

List of threat types associated with the indicator. Example: ["Commodity", "CredentialHarvesting", "InformationStealer"].

app_instance.response.resources.type

String

The type of the indicator. Example: "hash_sha256".

app_instance.response.resources.vulnerabilities

Array of Objects

List of vulnerabilities associated with the indicator.

Action: Real Time Execute Command Single Host

The action executes a command on a single host.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Base Command 

Enter the base command.

Example:

ls

Text

Required

Device ID 

Enter the device ID.

Example:

9daac64e7e8xxxxx

Text

Required

Command 

Enter the command.

Example:

cd

Text

Required

Session ID 

Enter the session ID.

Example:

3ee4c4-2e74-4967-884f-17xxx

Text

Required

IDs 

Enter the IDs.

Example:

234sdfkuixxxxx

Text

Optional

Persist All 

Specify if you want to persist all.

Boolean

Optional

Default is true

Action: Real Time Read Command

The action executes the RTR read-only command across the hosts mapped to the given batch ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Base Command 

Enter the base command.

Example:

ls

Text

Required

Batch ID 

Enter the batch ID.

Example:

ea263243-ff2f-4aee-a606-xxxx

Text

Required

Command 

Enter the command.

Example:

cd

Text

Required

Optional Hosts 

Enter the optional hosts.

Text

Optional

Persist All 

Specify if you want to persist all.

Boolean

Optional

Default is true

Action: Real Time Response Admin Command

The action executes the RTR admin command across the hosts mapped to the given batch ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Base Command 

Enter the base command.

Example:

ls

Text

Required

Batch ID 

Enter the batch ID.

Example:

ea263243-ff2f-4aee-a606-xxxx

Text

Required

Command 

Enter the command.

Example:

cd

Text

Required

Optional Hosts 

Enter the optional hosts.

Text

Optional

Persist All 

Specify if you want to persist all.

Boolean

Optional

Default is true

Action: Real Time Write Command

The action executes the RTR write-only command across the hosts mapped to the given batch ID.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Base Command 

Enter the base command.

Example:

ls

Text

Required

Batch ID 

Enter the batch ID.

Example:

ea263243-ff2f-4aee-a606-xxx

Text

Required

Command 

Enter the command.

Example:

cd

Text

Required

Optional Hosts 

Enter the optional hosts.

Text

Optional

Persist All 

Specify if you want to persist all.

Boolean

Optional

Default is true

Action: Remove Hosts from Static Host Group

This action removes hosts from a static host group.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host IDs 

Enter one or more static host group IDs from which you want to remove the hosts.

Example:

["8015xxxxxxxx105d"]

List

Required

Name 

Enter the action name.

Example:

filter

Text

Required

Value 

Enter the host IDs to be removed from the static host group.

Example:

(device_id:['e139xxxxxxxx5885', '8393xxxxxxxx9650','389axxxxxxxx5e80'])

Text

Required

Action Response Parameters 

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.powered_by

String

Indicates the API powering the response

app_instance.response.meta.trace_id

String

Trace ID for the request

app_instance.response.resources

Array

List of resources affected by the operation

app_instance.response.resources.device_id

String

The unique identifier of the host

app_instance.response.resources.updated

Boolean

Indicates if the host was successfully removed

app_instance.response.resources.code

Integer

HTTP status code of the operation

app_instance.response.errors

Object

Errors, if any, returned by the operation

Action: Removing Falcon Grouping Tags

This action removes restrictions on the host using policy with tags.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Device ID List 

Enter one or more device IDs.

Example:

["bf4fbxxxxxx4b8026"]

List

Required

Tags List 

Enter the list of tags to be removed.

Example:

["falcongroupingtags/tag1"]

List

Required

Action Response Parameters 

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Float

Time taken to execute the query

app_instance.response.meta.powered_by 

String

Indicates the API powering the response

app_instance.response.meta.trace_id 

String

Trace ID for the request

app_instance.response.resources 

Array

List of resources affected by the operation

app_instance.response.resources.device_id 

String

The unique identifier of the host group

app_instance.response.resources.updated 

Boolean

Indicates if the tags are successfully removed

app_instance.response.resources.code 

Integer

HTTP status code of the operation

app_instance.response.errors 

Object

Errors, if any, returned by the operation

Action: Retrieve Zero Trust Assessment Data by Host

The action retrieves ZTA data by the host.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Agent IDs 

Enter the agent IDs (AID). 

Example: 

8b83xxxxxxxx2098072c0496f8a0000

Text

Required

You can get the agent ID from a detection, the Falcon console, or the streaming API in CrowdStrike Falcon.

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata of the response

app_instance.response.meta.query_time

Float

Time taken to query the data

app_instance.response.meta.trace_id

String

Trace identifier for the query

app_instance.response.errors

Array

List of errors, if any

app_instance.response.resources

Array

List of resources

app_instance.response.resources.aid

String

Agent ID of the host

app_instance.response.resources.cid

String

Customer ID of the host

app_instance.response.resources.system_serial_number

String

System serial number of the host

app_instance.response.resources.event_platform

String

Platform of the host

app_instance.response.resources.product_type_desc

String

Description of the product type

app_instance.response.resources.modified_time

String

Last modified time of the resource

app_instance.response.resources.sensor_file_status

String

Status of the sensor file

app_instance.response.resources.assessment

Object

Assessment details of the host

app_instance.response.resources.assessment.sensor_config

Integer

Sensor configuration score

app_instance.response.resources.assessment.os

Integer

Operating system score

app_instance.response.resources.assessment.overall

Integer

Overall assessment score

app_instance.response.resources.assessment.version

String

Version of the assessment

app_instance.response.resources.assessment_items

Object

Items of the assessment

app_instance.response.resources.assessment_items.os_signals

Array

List of operating system signals

app_instance.response.resources.assessment_items.os_signals.signal_id

String

ID of the OS signal

app_instance.response.resources.assessment_items.os_signals.signal_name

String

Name of the OS signal

app_instance.response.resources.assessment_items.os_signals.group_name

String

Group name of the OS signal

app_instance.response.resources.assessment_items.os_signals.criteria

String

Criteria of the OS signal

app_instance.response.resources.assessment_items.os_signals.meets_criteria

String

Indicates if the OS signal meets the criteria

Action: Retrieving Host NIC History

The action retrieves the network interface (NIC) history of one or more hosts: the IP address and MAC address each host has reported over time, with the timestamp of each record.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Customer ID 

Enter the customer ID.

Example:

456789abcdefghijklmnopqrstuv-wx

Text

Required

Device IDs 

Enter the device IDs.

Example:

['abcuu32534z']

List

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.powered_by

String

Source of the response data

app_instance.response.meta.trace_id

String

Trace ID for the query

app_instance.response.resources

Array

List of resources returned by the query

app_instance.response.resources.device_id

String

The unique identifier for the host

app_instance.response.resources.cid

String

CID of the host

app_instance.response.resources.history

Array

History of NIC configurations for the device

app_instance.response.resources.history.ip_address

String

IP address of the device at a given time

app_instance.response.resources.history.mac_address

String

MAC address of the device at a given time

app_instance.response.resources.history.timestamp

String

Timestamp of the NIC configuration

app_instance.response.errors

Array

List of errors encountered during the query
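NIC history is mostly used for attribution: a firewall, proxy or DNS log names only an IP address and a time, and the analyst needs the host that held that address then. The following example, added here and not part of the original page or of the connector, takes the resources array described above and answers that question, and also flags hosts whose MAC address changed. The device IDs, CID, addresses and timestamps are constructed sample data; the timestamp format (RFC 3339) is an assumption.

```python
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample standing in for app_instance.response.resources of the
# "Retrieving Host NIC History" action. Host A moved between two DHCP leases;
# host B kept its IP but changed MAC (for example a new docking station).
# Device IDs, CID, addresses and timestamps are all made up for this example.
SAMPLE_NIC_HISTORY: List[Dict] = [
    {"device_id": "aid-host-a", "cid": "cid-example", "history": [
        {"ip_address": "10.0.1.20", "mac_address": "00-11-22-33-44-55",
         "timestamp": "2024-03-10T08:00:00Z"},
        {"ip_address": "10.0.1.57", "mac_address": "00-11-22-33-44-55",
         "timestamp": "2024-03-12T09:30:00Z"},
    ]},
    {"device_id": "aid-host-b", "cid": "cid-example", "history": [
        {"ip_address": "10.0.1.20", "mac_address": "AA-BB-CC-DD-EE-FF",
         "timestamp": "2024-03-12T07:15:00Z"},
        {"ip_address": "10.0.1.20", "mac_address": "AA-BB-CC-DD-EE-01",
         "timestamp": "2024-03-13T11:00:00Z"},
    ]},
]


def _parse_ts(value: str) -> datetime:
    """Parse the RFC 3339 timestamps the history entries carry (assumed format)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def host_for_ip(resources: List[Dict], ip: str, at: str) -> Optional[str]:
    """Return the device_id that most recently reported `ip` at or before `at`.

    This is the usual attribution step when a log names only an IP: take the
    latest NIC record not later than the event time. It is a heuristic, because
    a lease change between two sensor reports is invisible in the history.
    """
    when = _parse_ts(at)
    best: Optional[tuple] = None  # (timestamp, device_id)
    for host in resources:
        for entry in host.get("history", []):
            if entry.get("ip_address") != ip:
                continue
            seen = _parse_ts(entry["timestamp"])
            if seen <= when and (best is None or seen > best[0]):
                best = (seen, host["device_id"])
    return best[1] if best else None


def mac_changes(resources: List[Dict]) -> Dict[str, List[str]]:
    """Map device_id to its ordered, de-duplicated MAC sequence, for hosts that changed MAC.

    A changed MAC is worth a look during triage: usually a new NIC or dock, but
    also what a re-imaged machine reusing an old sensor identity looks like.
    """
    changed: Dict[str, List[str]] = {}
    for host in resources:
        ordered = sorted(host.get("history", []), key=lambda e: _parse_ts(e["timestamp"]))
        macs: List[str] = []
        for entry in ordered:
            mac = entry.get("mac_address", "").lower()
            if mac and (not macs or macs[-1] != mac):
                macs.append(mac)
        if len(macs) > 1:
            changed[host["device_id"]] = macs
    return changed


if __name__ == "__main__":
    print(host_for_ip(SAMPLE_NIC_HISTORY, "10.0.1.20", "2024-03-11T12:00:00Z"))  # aid-host-a
    print(host_for_ip(SAMPLE_NIC_HISTORY, "10.0.1.20", "2024-03-12T08:00:00Z"))  # aid-host-b
    print(mac_changes(SAMPLE_NIC_HISTORY))
```

Note that both hosts reported 10.0.1.20 at different times; the lookup returns a different host depending on the event time, which is exactly why the time must come from the log being investigated and not from "now".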

Action: Retrieving Host With Device Scroll

The action retrieves host IDs using device scroll, a cursor-based form of pagination: each response carries an offset token in meta.pagination.offset that is passed back as the Offset input to fetch the next page, and the token expires after the time given in meta.pagination.expires_at.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Limit 

Enter the maximum number of host IDs to return per page.

Integer

Optional

Default is 100

Offset 

Enter the offset token returned in meta.pagination.offset of the previous response. Leave it at the default for the first page.

Text

Optional

Default is 0

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.pagination

Object

Pagination details for the response

app_instance.response.meta.pagination.total

Integer

Total number of hosts

app_instance.response.meta.pagination.offset

String

Offset token to pass as the Offset input when requesting the next page

app_instance.response.meta.pagination.expires_at

Integer

Expiration timestamp for the pagination offset

app_instance.response.meta.powered_by

String

Service powering the response

app_instance.response.meta.trace_id

String

Trace ID for the request

app_instance.response.resources

Array

List of host identifiers

app_instance.response.errors

Array

List of errors encountered during the request
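Because the device-scroll offset is a token rather than a number, a playbook has to carry it from one response into the next request and stop on the right condition. The loop below is an added example and not code from the original page or the connector; it runs the action through a caller-supplied function and follows the cursor until the host list is exhausted. The fake_scroll server and its host IDs are constructed for the example, and treating expires_at as epoch seconds is an assumption to be checked against real responses.

```python
import time
from typing import Callable, Dict, Iterator, List

# A callable that runs the "Retrieving Host With Device Scroll" action once with
# (limit, offset) and returns the parsed app_instance.response. How that call is
# made (playbook step, SDK, HTTP client) is left to the caller; this example only
# implements the cursor-following loop on top of it.
ScrollFn = Callable[[int, str], Dict]


def iter_scroll_host_ids(scroll: ScrollFn, limit: int = 100) -> Iterator[str]:
    """Yield every host ID reachable through the device-scroll cursor.

    Each page carries the cursor for the next page in meta.pagination.offset and
    its expiry in meta.pagination.expires_at. The loop stops when a page is empty,
    when no further offset is returned, or when the running count reaches
    meta.pagination.total. An expired cursor is reported as an error rather than
    silently restarting from the first page, which would duplicate hosts.
    """
    offset = ""
    fetched = 0
    while True:
        response = scroll(limit, offset)
        if response.get("errors"):
            raise RuntimeError(f"device-scroll failed: {response['errors']}")
        resources: List[str] = response.get("resources") or []
        for aid in resources:
            yield aid
        fetched += len(resources)
        pagination = response.get("meta", {}).get("pagination", {})
        offset = pagination.get("offset") or ""
        if not resources or not offset or fetched >= pagination.get("total", 0):
            return
        # Assumption for this example: expires_at is compared as epoch seconds.
        # Check the unit in real responses before reusing this comparison.
        expires_at = pagination.get("expires_at")
        if expires_at is not None and time.time() >= expires_at:
            raise RuntimeError("device-scroll cursor expired; restart the query")


# Constructed sample tenant: seven host IDs served through opaque cursor tokens.
SAMPLE_HOST_IDS: List[str] = [f"aid-{n:02d}" for n in range(7)]


def fake_scroll(limit: int, offset: str) -> Dict:
    """Simulate the action's response for the constructed sample tenant."""
    start = int(offset.split(":", 1)[1]) if offset else 0
    page = SAMPLE_HOST_IDS[start:start + limit]
    more = start + limit < len(SAMPLE_HOST_IDS)
    return {
        "meta": {
            "query_time": 0.01,
            "pagination": {
                "total": len(SAMPLE_HOST_IDS),
                "offset": f"cursor:{start + limit}" if more else "",
                "expires_at": int(time.time()) + 300,
            },
            "powered_by": "example",
            "trace_id": "example-trace-id",
        },
        "resources": page,
        "errors": [],
    }


def all_host_ids(limit: int = 3) -> List[str]:
    """Collect the whole tenant from the fake server, page by page."""
    return list(iter_scroll_host_ids(fake_scroll, limit=limit))


if __name__ == "__main__":
    print(all_host_ids(3))
```

Whatever the page size, the same seven IDs come back exactly once; that property is the thing to assert when wiring this into a playbook, since a loop that restarts on an expired token will silently double-count.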

Action: Retrieving Indicator ID Details

The action retrieves the details of the indicators (IOCs) with the given indicator IDs.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Indicator IDs 

Enter the list of indicator IDs.

Example:

$list[5130b3232266ec3d0712faaa503b0702dbfd5cced6aa725efd2bb19de1898655,16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d]

A single indicator ID can also be passed on its own: 16f52bc55e498ca5a0377207431af5e9ff60d79582a8145eeb02ce476417247d

List

Optional

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.pagination

Object

Pagination details

app_instance.response.meta.pagination.limit

Integer

Limit on the number of results returned

app_instance.response.meta.pagination.total

Integer

Total number of results available

app_instance.response.meta.pagination.after

String

Cursor for fetching the next set of results

app_instance.response.meta.powered_by

String

Service that powered the response

app_instance.response.meta.trace_id

String

Trace ID for the request

app_instance.response.errors

Null

Error information (null if no errors)

app_instance.response.resources

Array

List of indicator IDs

app_instance.response.Errors

Array

List of errors (empty array if no errors)

Action: Retrieving Last Logged User Info

The action retrieves the last logged-in user information.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Customer ID 

Enter the customer ID. 

Example:

456789abcdefghijklmnopqrstuv-wx

Text

Required

Device IDs 

Enter the device IDs. 

Example: 

['abcuu32534z']

List

Required

Action: Search Host for Observed Indicator

The action searches for the hosts on which the given indicator (IOC) has been observed and returns their host IDs.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IOC Type 

Enter the IOC type. 

Text

Required

Allowed values:

  • sha256 

  • md5

  • domain

  • ipv4

  • ipv6

IOC Value 

Enter the IOC value.

Text

Required

Extra Parameters 

Enter the extra parameters.

Key Value

Optional

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Float

Time taken to execute the query

app_instance.response.meta.pagination 

Object

Pagination details

app_instance.response.meta.pagination.limit 

Integer

Limit on the number of results returned

app_instance.response.meta.pagination.total 

Integer

Total number of results available

app_instance.response.meta.pagination.after 

String

Cursor for fetching the next set of results

app_instance.response.meta.powered_by 

String

Service that powered the response

app_instance.response.meta.trace_id 

String

Trace ID for the request

app_instance.response.errors 

Null

Error information (null if no errors)

app_instance.response.resources 

Array

List of host IDs

app_instance.response.Errors 

Array

List of errors (empty array if no errors)

Action: Search Vulnerabilities

This action searches for vulnerabilities using FQL filters.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Sort 

Specify the field to sort on and the direction (asc or desc), separated by a dot. 

Example: 

last_seen.desc

Text

Optional

Facet 

Enter the facets, that is, the additional detail blocks to include with each vulnerability in the response. 

Example:

$list[cve]

List

Optional

Allowed values:

  • host_info

  • remediation

  • evaluation_logic

  • cve

Limit 

Enter the maximum number of vulnerability records to be returned. 

Example:

10

Integer

Optional

Filter 

Enter the Falcon Query Language (FQL) filter to limit the results. 

Example:

created_timestamp: '2024-03-12t03:27'

Text

Required

Allowed filters:

  • created_timestamp

  • closed_timestamp

  • aid

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the API response

app_instance.response.meta.query_time 

Number

Time taken for the query in seconds

app_instance.response.meta.powered_by 

String

Indicates the service powering the API (spapi in this case)

app_instance.response.meta.trace_id 

String

Unique identifier for tracing/debugging purposes

app_instance.response.resources 

Array

List of vulnerability resources

app_instance.response.resources[id] 

String

Unique identifier for the vulnerability resource

app_instance.response.resources[cid] 

String

Customer identifier associated with the vulnerability

app_instance.response.resources[aid] 

String

Asset identifier associated with the vulnerability

app_instance.response.resources[vulnerability_id] 

String

ID of the vulnerability (e.g., CVE ID)

app_instance.response.resources[vulnerability_metadata_id] 

String

Metadata ID specific to the vulnerability

app_instance.response.resources[data_providers] 

Array

List of data providers for the vulnerability

app_instance.response.resources[created_timestamp] 

String

Timestamp when the vulnerability was created

app_instance.response.resources[updated_timestamp] 

String

Timestamp when the vulnerability was last updated

app_instance.response.resources[status] 

String

Status of the vulnerability (e.g., open, closed)

app_instance.response.resources[apps] 

Array

List of applications affected by the vulnerability

app_instance.response.resources[suppression_info] 

Object

Information related to suppression of the vulnerability

app_instance.response.resources[app] 

Object

Details about the specific application affected

app_instance.response.resources[cve] 

Object

Details about the CVE (Common Vulnerabilities and Exposures)

app_instance.response.resources[cve].id 

String

CVE ID for the vulnerability

app_instance.response.resources[cve].base_score 

Number

Base score of the vulnerability

app_instance.response.resources[cve].severity 

String

Severity level of the vulnerability

app_instance.response.resources[cve].exploit_status 

Number

Exploit status of the vulnerability

app_instance.response.resources[cve].exprt_rating 

String

CrowdStrike ExPRT (Exploit Prediction Rating) for the vulnerability

app_instance.response.resources[cve].remediation_level 

String

Remediation level for the vulnerability

app_instance.response.resources[cve].cisa_info 

Object

Information related to CISA (Cybersecurity and Infrastructure Security Agency)

app_instance.response.resources[cve].cisa_info.is_cisa_kev 

Boolean

Indicates whether the CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog

app_instance.response.resources[cve].cisa_info.due_date 

String

Remediation due date set by CISA for the KEV entry

app_instance.response.resources[cve].spotlight_published_date 

String

Published date for spotlight information related to the vulnerability

app_instance.response.resources[cve].actors 

Array

List of actors associated with the vulnerability

app_instance.response.resources[cve].description 

String

Description of the vulnerability

app_instance.response.resources[cve].published_date 

String

Published date of the vulnerability

app_instance.response.resources[cve].vendor_advisory 

Array

List of vendor advisories related to the vulnerability

app_instance.response.resources[cve].references 

Array

List of references related to the vulnerability

app_instance.response.resources[cve].exploitability_score 

Number

Exploitability score of the vulnerability

app_instance.response.resources[cve].impact_score 

Number

Impact score of the vulnerability

app_instance.response.resources[cve].vector 

String

Vector string describing the CVSS (Common Vulnerability Scoring System) metrics

app_instance.response.resources[host_info] 

Object

Information related to the host affected by the vulnerability

app_instance.response.resources[remediation] 

Object

Details about remediation steps for the vulnerability
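The response above carries the fields a vulnerability-management playbook needs to rank findings: CISA KEV membership and due date, ExPRT rating, CVSS base score and the open/closed status. The example below is added here and is not code from the original page or the connector; it builds the Filter input from the three allowed filter fields, orders open findings by urgency and lists KEV findings that are past their due date. The vulnerability resources are constructed sample data, and the ExPRT label strings used for ordering are an assumption to verify against real responses.

```python
from typing import Dict, List, Optional


def build_filter(created_after: Optional[str] = None, closed_after: Optional[str] = None,
                 aid: Optional[str] = None) -> str:
    """Compose the Filter input from the three fields the action accepts.

    FQL joins conditions with '+' for AND; timestamps are quoted ISO 8601 values
    and '>' selects records after them. Verify the expression against your
    tenant before relying on it in a playbook.
    """
    parts = []
    if created_after:
        parts.append(f"created_timestamp:>'{created_after}'")
    if closed_after:
        parts.append(f"closed_timestamp:>'{closed_after}'")
    if aid:
        parts.append(f"aid:'{aid}'")
    if not parts:
        raise ValueError("Filter is required: give at least one of the allowed filters")
    return "+".join(parts)


# ExPRT ratings from most to least urgent. Assumption: these labels match the
# strings found in cve.exprt_rating; anything unrecognised sorts last.
EXPRT_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}


def triage_key(vuln: Dict):
    """Sort key: CISA KEV entries first, then ExPRT rating, then CVSS base score,
    then oldest finding first so long-standing exposures do not hide at the end."""
    cve = vuln.get("cve") or {}
    cisa = cve.get("cisa_info") or {}
    rating = str(cve.get("exprt_rating") or "UNKNOWN").upper()
    return (
        0 if cisa.get("is_cisa_kev") else 1,
        EXPRT_ORDER.get(rating, EXPRT_ORDER["UNKNOWN"]),
        -float(cve.get("base_score") or 0.0),
        vuln.get("created_timestamp", ""),
    )


def prioritise(resources: List[Dict]) -> List[str]:
    """Return the ids of open vulnerability resources, most urgent first."""
    open_vulns = [v for v in resources if v.get("status") == "open"]
    return [v["id"] for v in sorted(open_vulns, key=triage_key)]


def overdue_kev(resources: List[Dict], today: str) -> List[str]:
    """Open KEV findings whose CISA due_date (YYYY-MM-DD) is already past."""
    out = []
    for v in resources:
        cisa = (v.get("cve") or {}).get("cisa_info") or {}
        due = cisa.get("due_date")
        if v.get("status") == "open" and cisa.get("is_cisa_kev") and due and due < today:
            out.append(v["id"])
    return out


# Constructed sample resources (ids, CVE names, scores and dates are made up).
SAMPLE_VULNS: List[Dict] = [
    {"id": "v1", "aid": "aid-01", "status": "open", "created_timestamp": "2024-03-12T03:27:00Z",
     "cve": {"id": "CVE-EXAMPLE-1", "base_score": 9.8, "exprt_rating": "HIGH",
             "cisa_info": {"is_cisa_kev": False}}},
    {"id": "v2", "aid": "aid-01", "status": "open", "created_timestamp": "2024-03-14T10:00:00Z",
     "cve": {"id": "CVE-EXAMPLE-2", "base_score": 7.5, "exprt_rating": "CRITICAL",
             "cisa_info": {"is_cisa_kev": True, "due_date": "2024-03-20"}}},
    {"id": "v3", "aid": "aid-02", "status": "closed", "created_timestamp": "2024-02-01T00:00:00Z",
     "cve": {"id": "CVE-EXAMPLE-3", "base_score": 10.0, "exprt_rating": "CRITICAL",
             "cisa_info": {"is_cisa_kev": True, "due_date": "2024-02-15"}}},
    {"id": "v4", "aid": "aid-02", "status": "open", "created_timestamp": "2024-03-13T00:00:00Z",
     "cve": {"id": "CVE-EXAMPLE-4", "base_score": 5.3, "exprt_rating": "LOW",
             "cisa_info": {"is_cisa_kev": False}}},
    {"id": "v5", "aid": "aid-03", "status": "open", "created_timestamp": "2024-03-01T00:00:00Z",
     "cve": {"id": "CVE-EXAMPLE-5", "base_score": 9.8, "exprt_rating": "HIGH",
             "cisa_info": {"is_cisa_kev": False}}},
]


if __name__ == "__main__":
    print(build_filter(created_after="2024-03-12T03:27:00Z", aid="aid-01"))
    print(prioritise(SAMPLE_VULNS))                 # ['v2', 'v5', 'v1', 'v4']
    print(overdue_kev(SAMPLE_VULNS, "2024-04-01"))  # ['v2']
```

The ordering deliberately puts a KEV entry with a 7.5 base score ahead of a 9.8 that nobody is known to exploit; base score alone is a poor queue order, and the KEV flag and ExPRT rating in this response are the fields that encode actual exploitation.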

Action: Send Real Time Response to a Batch of Hosts

The action initiates a Real Time Response (RTR) batch session with one or more hosts.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Host IDs 

Enter one or more IDs of the hosts you want to start a session with. 

Example: 

[9daac64e7e8f453488bfde9f573960b1]

List

Required

Existing Batch ID 

Enter the ID of an existing batch session to add these hosts to, instead of starting a new batch.

Text

Optional

Queue Offline 

Specify whether the session should be queued for hosts that are currently offline and started when they reconnect. By default, it is queued.

Boolean

Optional

Action: Send Real Time Response to a Single Host

The action initiates a Real Time Response (RTR) session with a single host.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Device ID 

Enter the device ID. 

Example: 

9daac64e7e8f453xxxx

Text

Required

Origin 

Enter the origin of the session request, which is recorded with the session. 

Example: 

ls

Text

Required

Queue Offline 

Specify whether the session should be queued if the host is offline and started when it reconnects. 

Text

Optional

Default value is true.

Action: Update Alerts

This action updates alerts in CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Alert IDs 

Enter a list of alert IDs to update.

List

Required

Action 

Enter the action to perform on the alerts. 

Text

Required

Allowed values:

  • add_tag 

  • append_comment

  • assign_to_name

  • assign_to_user_id

  • assign_to_uuid

  • remove_tag

  • remove_tags_by_prefix

  • show_in_ui

  • unassign

  • update_status: valid statuses are closed, ignored, in_progress, new, new_activity, reopened

For more information, see CrowdStrike API Documentation.

Action Value 

Enter the value to use for the action. 

Example: 

malicious

Text

Required

Action Response Parameters 

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata about the response

app_instance.response.meta.query_time

Number

Time taken to process the query

app_instance.response.meta.writes

Object

Details about the writes performed

app_instance.response.meta.writes.resources_affected

Integer

Number of alerts updated

app_instance.response.meta.powered_by

String

API used to power the response

app_instance.response.meta.trace_id

String

Unique identifier for tracing the request

Action: Update Detection Status

This action updates the status of the detections in incidents.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Update Detects 

Specify if you want to update the associated detects. 

Boolean

Optional

Default value is false.

Overwrite Detects 

Specify if you want to overwrite the associated detects. 

Boolean

Optional

Default value is false.

Name 

Enter the action parameter. To update the detect status, enter update_status.

Text

Required

Value 

Enter the updated detection value. 

Text

Required

This value is applied to the detections of each incident whose ID is listed in Incident IDs.

Incident IDs 

Enter one or more incident IDs whose detections you want to update. 

Example: ["inc:62e9c3d557a5479258d9ac63a2efb118:131b5xxxx"]

Any

Required

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta 

Object

Metadata about the response

app_instance.response.meta.query_time 

Number

Time taken to process the query

app_instance.response.meta.powered_by 

String

API used to power the response

app_instance.response.meta.trace_id 

String

Unique identifier for tracing the request

Action: Update Indicators

The action updates an existing indicator (IOC) in CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IOC ID 

Enter the ID of the indicator you want to update. 

Example: 9f8c43311b1801ca4159fc07d319610582c2003ccde8934d5412b1781e841e9e

Text

Required

Additional Data 

Enter any additional data for updating the indicator. 

Example: 

{'source':'testsource','action':'detect'}

Key Value

Optional

Comment 

Enter a comment about the update.

Text

Optional

Action Response Parameters 

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata of the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.pagination

Object

Pagination details

app_instance.response.meta.pagination.limit

Integer

Limit on the number of results

app_instance.response.meta.pagination.total

Integer

Total number of results

app_instance.response.meta.powered_by

String

Name of the service that powered the response

app_instance.response.meta.trace_id

String

Trace ID for the request

app_instance.response.errors

Null

Errors in the response, if any

app_instance.response.resources

Array

List of updated indicators

app_instance.response.resources.id

String

Unique identifier of the indicator

app_instance.response.resources.type

String

Type of the indicator

app_instance.response.resources.value

String

Value of the indicator

app_instance.response.resources.source

String

Source of the indicator

app_instance.response.resources.action

String

Action to be taken for the indicator

app_instance.response.resources.severity

String

Severity level of the indicator

app_instance.response.resources.description

String

Description of the indicator

app_instance.response.resources.platforms

Array

Platforms associated with the indicator

app_instance.response.resources.tags

Array

Tags associated with the indicator

app_instance.response.resources.expiration

String

Expiration date and time of the indicator

app_instance.response.resources.expired

Boolean

Indicates if the indicator has expired

app_instance.response.resources.deleted

Boolean

Indicates if the indicator has been deleted

app_instance.response.resources.applied_globally

Boolean

Indicates if the indicator is applied globally

app_instance.response.resources.created_on

String

Creation date and time of the indicator

app_instance.response.resources.created_by

String

Email of the user who created the indicator

app_instance.response.resources.modified_on

String

Modification date and time of the indicator

app_instance.response.resources.modified_by

String

Email of the user who modified the indicator

Action: Upload Indicators

This action is used to upload indicators in CrowdStrike Falcon.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

IOC Type 

Enter the IOC type. 

Text

Required

Allowed values:

  • ipv4

  • ipv6

  • sha256

  • domain

  • md5

  • all_subdomains

IOC Value 

Enter the IOC value.

Text

Required

Action 

Enter the action to be performed on the indicators. 

Text

Required

Allowed values:

  • no_action

  • allow

  • prevent_no_ui

  • prevent

  • detect

The allow, prevent_no_ui, and prevent actions apply only to hash indicators (sha256 and md5).

Severity 

Enter the severity level to apply to the indicator.

Text

Optional

Allowed values:

  • informational

  • low

  • medium

  • high

  • critical

If Action is prevent or detect, Severity is mandatory.

Mobile Action 

Enter the mobile action to be performed on the indicators. 

Text

Optional

Allowed values:

  • no_action

  • allow

  • prevent_no_ui

  • prevent

  • detect

If Mobile Action is prevent or detect, Severity is mandatory.

Platforms 

Enter the platforms that the indicator applies to. 

List

Required

Allowed values:

  • mac

  • windows

  • linux

  • android

  • ios

If Platforms includes android or ios, Mobile Action is mandatory.

Comment 

Enter a comment about the uploading indicator.

Text

Optional

Applied Globally 

Specify if the values apply globally. 

Boolean

Optional

Default value is true.

Additional Data 

Enter any additional data while uploading the indicator.

Key Value

Optional
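The constraints spread across the comments above (hash-only actions, severity required for prevent and detect, mobile action required for android and ios) are easy to get wrong in a playbook, and a rejected upload only surfaces as an entry in app_instance.response.errors. The example below is added here and is not code from the original page or the connector; it checks a proposed indicator against every documented constraint in one pass and builds the indicator body using the field names listed in the response parameters. The same type/value check applies to the IOC Type and IOC Value inputs of the Search Host for Observed Indicator action above, whose allowed types are the same list without all_subdomains. The hostname and hash syntax checks are this example's own pre-flight rules, not rules the action documents.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Allowed values exactly as listed for the action's inputs.
HASH_TYPES = {"sha256", "md5"}
IOC_TYPES = HASH_TYPES | {"ipv4", "ipv6", "domain", "all_subdomains"}
ACTIONS = {"no_action", "allow", "prevent_no_ui", "prevent", "detect"}
HASH_ONLY_ACTIONS = {"allow", "prevent_no_ui", "prevent"}
SEVERITY_REQUIRED_FOR = {"prevent", "detect"}
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
PLATFORMS = {"mac", "windows", "linux", "android", "ios"}
MOBILE_PLATFORMS = {"android", "ios"}

# Hostname syntax for domain / all_subdomains: labels of 1-63 characters, no
# leading or trailing hyphen, at least one dot. This example's own check.
_HOSTNAME = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")


def _value_problem(ioc_type: str, value: str) -> Optional[str]:
    """Return a message if `value` does not look like an indicator of `ioc_type`."""
    if ioc_type == "sha256" and not re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return "sha256 value must be 64 hex characters"
    if ioc_type == "md5" and not re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "md5 value must be 32 hex characters"
    if ioc_type in ("ipv4", "ipv6"):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return f"{ioc_type} value is not an IP address"
        if addr.version != int(ioc_type[-1]):
            return f"{value} is not an {ioc_type} address"
    if ioc_type in ("domain", "all_subdomains") and not _HOSTNAME.match(value):
        return "domain value is not a valid hostname"
    return None


def indicator_problems(ioc_type: str, value: str, action: str, platforms: List[str],
                       severity: Optional[str] = None,
                       mobile_action: Optional[str] = None) -> List[str]:
    """Check one indicator against the action's documented constraints.

    Returns an empty list when the inputs are acceptable, otherwise every
    violated rule, so a playbook can reject a batch with one message.
    """
    problems: List[str] = []
    ioc_type, action = ioc_type.lower(), action.lower()
    platforms = [p.lower() for p in platforms]
    if ioc_type not in IOC_TYPES:
        problems.append(f"unknown IOC type {ioc_type!r}")
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if action in HASH_ONLY_ACTIONS and ioc_type not in HASH_TYPES:
        problems.append(f"action {action!r} is only applicable to hashes")
    if action in SEVERITY_REQUIRED_FOR and severity is None:
        problems.append(f"severity is mandatory when action is {action!r}")
    if severity is not None and severity.lower() not in SEVERITIES:
        problems.append(f"unknown severity {severity!r}")
    if not platforms:
        problems.append("at least one platform is required")
    unknown = sorted(set(platforms) - PLATFORMS)
    if unknown:
        problems.append(f"unknown platforms {unknown}")
    if set(platforms) & MOBILE_PLATFORMS and mobile_action is None:
        problems.append("mobile action is mandatory for android or ios platforms")
    if mobile_action is not None:
        if mobile_action.lower() not in ACTIONS:
            problems.append(f"unknown mobile action {mobile_action!r}")
        elif mobile_action.lower() in SEVERITY_REQUIRED_FOR and severity is None:
            problems.append(f"severity is mandatory when mobile action is {mobile_action!r}")
    if ioc_type in IOC_TYPES:
        value_problem = _value_problem(ioc_type, value)
        if value_problem:
            problems.append(value_problem)
    return problems


def build_indicator(ioc_type: str, value: str, action: str, platforms: List[str],
                    severity: Optional[str] = None, mobile_action: Optional[str] = None,
                    applied_globally: bool = True, additional: Optional[Dict] = None) -> Dict:
    """Return the indicator body to send, or raise ValueError listing every problem.

    Field names follow the indicator fields in the action's response parameters;
    keys from Additional Data are merged but never override a validated field.
    """
    problems = indicator_problems(ioc_type, value, action, platforms, severity, mobile_action)
    if problems:
        raise ValueError("; ".join(problems))
    ioc_type = ioc_type.lower()
    indicator: Dict = {
        "type": ioc_type,
        "value": value.lower() if ioc_type in HASH_TYPES else value,
        "action": action.lower(),
        "platforms": [p.lower() for p in platforms],
        "applied_globally": applied_globally,
    }
    if severity is not None:
        indicator["severity"] = severity.lower()
    if mobile_action is not None:
        indicator["mobile_action"] = mobile_action.lower()
    for key, val in (additional or {}).items():
        indicator.setdefault(key, val)
    return indicator
```

Hashes are lower-cased before upload so that the same file does not end up as two indicators differing only in case; the rest of the value is passed through untouched, since a domain or IP that fails the syntax check is rejected rather than silently rewritten.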

Action Response Parameters

Parameter

Field Type

Description

{app_instance} 

JSON Object

This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved.

app_instance.response 

JSON Object

Includes the response received from the app action.

app_instance.response.meta

Object

Metadata of the response

app_instance.response.meta.query_time

Float

Time taken to execute the query

app_instance.response.meta.pagination

Object

Pagination details

app_instance.response.meta.pagination.limit

Integer

Limit on the number of results

app_instance.response.meta.pagination.total

Integer

Total number of results

app_instance.response.meta.powered_by

String

Name of the service that powered the response

app_instance.response.meta.trace_id

String

Trace ID for the request

app_instance.response.errors

Null

Errors in the response, if any

app_instance.response.resources

Array

List of created indicators

app_instance.response.resources.id

String

Unique identifier of the indicator

app_instance.response.resources.type

String

Type of the indicator

app_instance.response.resources.value

String

Value of the indicator

app_instance.response.resources.source

String

Source of the indicator

app_instance.response.resources.action

String

Action to be taken for the indicator

app_instance.response.resources.severity

String

Severity level of the indicator

app_instance.response.resources.description

String

Description of the indicator

app_instance.response.resources.platforms

Array

Platforms associated with the indicator

app_instance.response.resources.tags

Array

Tags associated with the indicator

app_instance.response.resources.expiration

String

Expiration date and time of the indicator

app_instance.response.resources.expired

Boolean

Indicates if the indicator has expired

app_instance.response.resources.deleted

Boolean

Indicates if the indicator has been deleted

app_instance.response.resources.applied_globally

Boolean

Indicates if the indicator is applied globally

app_instance.response.resources.created_on

String

Creation date and time of the indicator

app_instance.response.resources.created_by

String

Email of the user who created the indicator

app_instance.response.resources.modified_on

String

Modification date and time of the indicator

app_instance.response.resources.modified_by

String

Email of the user who modified the indicator

Action: Generic Action

This is a generic action used to make requests to any CrowdStrike Falcon endpoint.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Method 

Enter the HTTP method to use.

Example: 

GET

Text

Required

Allowed values:

  • GET

  • POST

  • PUT

  • PATCH

  • DELETE

Endpoint 

Enter the CrowdStrike Falcon API endpoint path to call. 

Example: 

/devices/entities/devices/v1

Text

Required

Payload JSON 

Enter the payload in JSON format. 

Example: 

{"data": [{"reason": "test"}]}

Text

Optional

Query Params 

Enter the query parameters in JSON format. 

Example: 

{"limit": "10"}

Key Value

Optional

Extra Fields 

Enter the extra fields to pass to the API.

Key Value

Optional

Allowed keys:

  • payload_data

  • custom_output

  • download

  • filename

  • files

  • retry_wait

  • retry_count

  • response_type