Publisher: Splunk
Connector Version: 5.0.0
Product Vendor: CrowdStrike
Product Name: CrowdStrike
Product Version Supported (regex): ".*"
Minimum Product Version: 6.3.0
This app integrates with CrowdStrike OAuth2 authentication standard to implement querying of endpoint security data
- In Falcon UI, Go to menubar on the left, From Support and resources section, Select API clients and keys.
- Click on Create API client.
- Add Client name, Description(optional) and Scopes (defined below).
- Click on Create to obtain the Client ID and Client secret.
Action | Required Scope(s) | Read | Write |
---|---|---|---|
test connectivity | Hosts | âś“ | âś— |
query device | Hosts | âś“ | âś— |
list groups | Host Groups | âś“ | âś— |
quarantine device | Hosts | âś“ | âś“ |
unquarantine device | Hosts | âś“ | âś“ |
assign hosts | Hosts Hosts Group |
âś“ âś— |
âś— âś“ |
remove hosts | Hosts Hosts Group |
âś“ âś— |
âś— âś“ |
create session | Real time response(RTR) | âś“ | âś— |
delete session | Real time response(RTR) | âś“ | âś— |
list detections | Detections | âś“ | âś— |
get detections details | Detections | âś“ | âś— |
update detections | Detections | âś— | âś“ |
list alerts | Alerts | âś“ | âś— |
list epp alerts | Alerts | âś“ | âś— |
get epp details | Alerts | âś“ | âś— |
update epp alerts | Alerts | âś— | âś“ |
resolve epp alerts | Alerts | âś— | âś“ |
list sessions | Real time response(RTR) | âś“ | âś— |
run command | Real time response(RTR) | âś“ | âś— |
run admin command | Real time response(admin) | âś— | âś“ |
get command details | Real time response(RTR) | âś— | âś“ |
list session files | Real time response(RTR) | âś— | âś“ |
get incident behaviors | Incidents | âś“ | âś— |
update incident | Incidents | âś— | âś“ |
list users | User Management | âś“ | âś— |
get user roles | User Management | âś“ | âś— |
list roles | User Management | âś“ | âś— |
get role | User Management | âś“ | âś— |
list crowdscores | Incidents | âś“ | âś— |
get incident details | Incidents | âś“ | âś— |
list incident behaviors | Incidents | âś“ | âś— |
list incidents | Incidents | âś“ | âś— |
get session file | Real time response(RTR) | âś— | âś“ |
set status | Detections | âś— | âś“ |
get system info | Hosts | âś“ | âś— |
get process detail | IOCs(Indicators of Compromise) | âś“ | âś— |
hunt file | IOCs(Indicators of Compromise) | âś“ | âś— |
hunt domain | IOCs(Indicators of Compromise) | âś“ | âś— |
hunt ip | IOCs(Indicators of Compromise) | âś“ | âś— |
upload put file | Real time response | âś— | âś“ |
get indicator | IOC Management | âś“ | âś— |
list custom indicators | IOC Management | âś“ | âś— |
list put files | Real time response(admin) | âś— | âś“ |
on poll | Event Stream | âś“ | âś— |
list processes | IOCs | âś“ | âś— |
upload indicator | IOC Management | âś— | âś“ |
delete indicator | IOC Management | âś“ | âś“ |
update indicator | IOC Management | âś— | âś“ |
file reputation | Sandbox(Falcon Intelligence) | âś“ | âś— |
url reputation | Sandbox(Falcon Intelligence) | âś“ | âś— |
download report | Sandbox(Falcon Intelligence) | âś“ | âś— |
detonate file | Sandbox(Falcon Intelligence) | âś“ | âś— |
detonate url | Sandbox(Falcon Intelligence) | âś“ | âś— |
check status | Sandbox(Falcon Intelligence) | âś“ | âś— |
get device scroll | Hosts | âś“ | âś— |
get zta data | Zero Trust Assessment | âś“ | âś— |
The user can add a script file in the configuration parameter [ Script with functions to preprocess containers and artifacts ]. The script must contain a function with the name preprocess_container (to pre-process the containers and the artifacts) or else, it will throw an error.
- Optionally, you can specify an App ID to be used with the Crowdstrike OAuth API used in the on poll action. If one isn't set, it will default to the asset ID.
- It is recommended to have a unique App ID for each connection to the Crowdstrike OAuth API. That is to say, if you are planning on having multiple assets using the Crowdstrike OAuth API at once, you should give them unique App IDs.
- Common points for both manual and scheduled interval polling
- Default parameters of the On Poll action are ignored in the app. i.e. start_time, end_time, container_count, artifact_count
- The app will fetch all the events based on the value specified in the configuration
parameters [Maximum events to get while POLL NOW] (default 2000 if not specified) and
[Maximum events to get while scheduled and interval polling] (default 10,000 if not
specified). For ingestion, the events are fetched after filtering them based on the event
types - DetectionSummaryEvent and EppDetectionSummaryEvent. The app will exit from the polling cycle in the
below-mentioned 2 cases whichever is earlier.
- If the total events fetched equals the value provided in the [Maximum events to get while POLL NOW] (for manual polling) or [Maximum events to get while scheduled and interval polling] (for scheduled | interval polling) parameters
- If the total number of continuous blank lines encountered while streaming the data equals the value provided in the [Maximum allowed continuous blank lines] (default 50 if not specified) asset configuration parameter
- The default behavior of the app is that each event will be placed in its container. By checking the configuration parameter [Merge containers for Hostname and Eventname] as well as specifying an interval in the configuration parameter [Merge same containers within specified seconds], all events which are of the same type and on the same host will be put into one container, as long as the time between those two events is less than the interval.
- The [Maximum allowed continuous blank lines] asset configuration parameter will be used to indicate the allowed number of continuous blank lines while fetching events. For example, if some events exist after 100 continuous blank lines and you've set the [Maximum allowed continues blank lines] parameter value to 500, it will keep on ingesting all events until the code gets 500 continuous blank lines and hence, it will be able to cover the events successfully even after the 100 blank lines. If you set it to 50, it will break after the 50th blank line is encountered. Hence, it won't be able to ingest the events which exist after the 100 continuous blank lines because the code considers that after the configured value in the [Maximum allowed continuous blank lines] configuration parameter (here 50), there is no data available.
- Manual Polling
- During manual poll now, the app starts from the first event that it can query up to the value configured in the configuration parameter [Maximum events to get while POLL NOW] and creates artifacts for all the fetched DetectionSummaryEvents. The last queried event's offset ID will not be remembered in Manual POLL NOW and it fetches everything every time from the beginning.
- Scheduled | Interval Polling
- During scheduled | interval polling, the app starts from the first event that it can query up to the value configured in the configuration parameter [Maximum events to get while scheduled and interval polling] and creates artifacts for all the fetched DetectionSummaryEvents. Then, it remembers the last event's offset ID and stores it in the state file against the key [last_offset_id]. In the next scheduled poll run, it will start from the stored offset ID in the state file and will fetch the maximum events as configured in the [Maximum events to get while scheduled and interval polling] parameter.
The DetectionSummaryEvent is parsed to extract the following values into an Artifact.
Artifact Field | Event Field |
---|---|
cef.sourceUserName | UserName |
cef.fileName | FileName |
cef.filePath | FilePath |
cef.sourceHostName | ComputerName |
cef.sourceNtDomain | MachineDomain |
cef.hash | MD5String |
cef.hash | SHA1String |
cef.hash | SHA256STring |
cef.cs1 | cmdLine |
The EppDetectionSummaryEvent is parsed to extract the following values into an Artifact.
Artifact Field | Event Field |
---|---|
cef.sourceUserName | UserName |
cef.fileName | FileName |
cef.filePath | FilePath |
cef.sourceHostName | Hostname |
cef.sourceNtDomain | LogonDomain |
cef.hash | MD5String |
cef.hash | SHA1String |
cef.hash | SHA256String |
cef.cs1 | cmdLine |
The app also parses the following sub-events into their own artifacts.
- Documents Accessed
- Executables Written
- Network Access
- Scan Result
- Quarantine Files
- DNS Requests
Each of the sub-events has a CEF key called parentSdi which stands for Parent Source Data Identifier. This is the value of the SDI of the main event that the sub-events were generated from.
This is different from Falcon Sandbox.
- Action - File Reputation, Url reputation
- Report of the resource will be fetched if it has been detonated previously on the CrowdStrike Server otherwise no data found message will be displayed to the user.
- Action - Download Report
- This action will download the resource report based on the provided artifact ID. Currently, we support the following Strict IOC CSV, Strict IOC JSON, Strict IOC STIX2.1, Strict IOC MAEC5.0, Broad IOC CSV, Broad IOC JSON, Broad IOC STIX2.1, Broad IOC MAEC5.0, Memory Strings, Icon, Screenshot artifact IDs.
- Action - Detonate File
- This action will upload the given file to the CrowdStrike sandbox and will submit it for analysis with the entered environment details. If the report of the given file is already present with the same environment, it will fetch the result and the file won't be submitted again.
- If the analysis is in progress and reaches the time entered in the detonate_timeout parameter, then this action will return the resource_id of the submitted file using which the submission status can be checked.
- If the submitted file will be analyzed within the entered time in the detonate_timeout parameter, its report will be fetched. Currently, these file types are supported .exe, .scr, .pif, .dll, .com, .cpl, etc., .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub, .pdf, Executable JAR, .sct, .lnk, .chm, .hta, .wsf, .js, .vbs, .vbe, .swf, pl, .ps1, .psd1, .psm1, .svg, .py, Linux ELF executables, .eml, .msg.
- Action - Detonate Url
- This action will submit the given URL for analysis with the entered environment details. If the report of the given URL is already present with the same environment, it will fetch the result and the url won't be submitted again.
- If the analysis is in progress and it reaches the time entered in the detonate_timeout parameter, then this action will return the resource_id of the submitted URL using which the status of the submission can be checked. If the analysis status is running then do not re-run the detonate URL action, otherwise, the URL will be again submitted for the analysis.
- If the submitted URL will be analyzed within the entered time in the detonate_timeout parameter, its report will be fetched. Currently, 3 domains of URL are supported http, https, and ftp.
- Action - Check Status
- This action will return the status of the given resource_id in case of timeout in detonate file and detonate URL actions.
- Action - List Alerts
-
The filter parameter values follow the FQL Syntax .
-
The sort parameter value has to be provided in the format property_name.asc for ascending and property_name.desc for descending order.
-
The
include_hidden
parameter has been added to the action as it's behavior in the API has changed. In the prior API version, the default behavior of theinclude_hidden
parameter was either not supported or defaulted tofalse
. The latest version of the API now defaultsinclude_hidden
totrue
if it is not included in the API call. Therefore, we have included this parameter in the action configuration and set it tofalse
by default in order to keep the action behavior consistent with the previous app version. Hidden alerts can be identified by theshow_in_ui
field of an alert object.If you experience any
list alerts
action failures in an existing playbook that passed in the previous version of the app, you may need to edit the action in the playbook and then save. This will then add theinclude_hidden
field to the playbook action. -
Action - List Groups
-
The filter parameter values follow the FQL Syntax .
-
The sort parameter value has to be provided in the format property_name.asc for ascending and property_name.desc for descending order.
-
Action - Query Device
-
Both the filter and sort parameters follow the same concepts as mentioned above for the list groups action.
-
Action - Assign Hosts, Remove Hosts, Quarantine Device, and Unquarantine Device
- The devices will be fetched based on the values provided in both the device_id and hostname parameters.
- If an incorrect value is provided in both the device_id and hostname parameters each, then, the action will fail with an appropriate error message.
- Action - List Session Files, Get Session File
-
To add [session id] to the action parameters of these actions, a session with the Create Session action needs to be created. Also, the user can delete the session using the Delete Session action.
-
Action - Run Command
- This action can run the below-mentioned RTR commands on the host:
- cat
- cd
- env
- eventlog
- filehash
- getsid
- ipconfig
- ls
- mount
- netstat
- ps
- reg query
- To add [session id] to the action parameters of these actions, a session with the Create Session action needs to be created. Also, the user can delete the session using the Delete Session action.
- Example action run: If "cd C:\some_directory" command needs to be run using this action, valid [device_id] and [session_id] parameters should be provided by the user. The user should select "cd" from the [command] dropdown parameter and provide "C:\some_directory" input in the [data] parameter.
- Action - Run Admin Command
- This action can run the below-mentioned RTR administrator commands on the host:
- cat
- cd
- cp
- encrypt
- env
- eventlog
- filehash
- get
- getsid
- ipconfig
- kill
- ls
- map
- memdump
- mkdir
- mount
- mv
- netstat
- ps
- put
- reg query
- reg set
- reg delete
- reg load
- reg unload
- restart
- rm
- run
- runscript
- shutdown
- unmap
- xmemdump
- zip
- To add [session id] to the action parameters of these actions, a session with the Create Session action needs to be created. Also, the user can delete the session using the Delete Session action.
- Example action run: If "cd C:\some_directory" command needs to be run using this action, valid [device_id] and [session_id] parameters should be provided by the user. The user should select "cd" from the [command] dropdown parameter and provide "C:\some_directory" input in the [data] parameter.
The app uses HTTP/HTTPS protocol for communicating with the Crowdstrike Server. Below are the default ports used by Splunk SOAR.
Service Name | Transport Protocol | Port |
---|---|---|
http | tcp | 80 |
https | tcp | 443 |
-
The output data-paths have been updated in the below-existing action. Hence, it is requested to update existing playbooks created in the earlier versions of the app by re-inserting | modifying | deleting the corresponding action blocks.
-
list users - Below output data-paths have been updated.
- Updated name from 'customer' to 'cid'
- Updated name from 'firstName' to 'first_name'
- Updated name from 'lastName' to 'last_name'
-
This table lists the configuration variables required to operate CrowdStrike OAuth API. These variables are specified when configuring a CrowdStrike asset in Splunk SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
url | required | string | Base URL |
client_id | required | password | Client ID |
client_secret | required | password | Client Secret |
app_id | optional | string | App ID |
max_events | optional | numeric | Maximum events to get for scheduled and interval polling |
max_events_poll_now | optional | numeric | Maximum events to get while POLL NOW |
collate | optional | boolean | Merge containers for hostname and eventname |
merge_time_interval | optional | numeric | Merge same containers within specified seconds |
max_crlf | optional | numeric | Maximum allowed continuous blank lines |
preprocess_script | optional | file | Script with functions to preprocess containers and artifacts |
detonate_timeout | optional | numeric | Timeout for detonation result in minutes (Default: 15 minutes) |
test connectivity - Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
query device - Fetch the device details based on the provided query
list groups - Fetch the details of the host groups
quarantine device - Block the device
unquarantine device - Unblock the device
assign hosts - Assign one or more hosts to the static host group
remove hosts - Remove one or more hosts from the static host group
create session - Initialize a new session with the Real Time Response cloud
delete session - Deletes a Real Time Response session
list detections - Get a list of detections *The action uses legacy Detects API being deprecated. Please use the 'list epp alerts' action instead*
list epp alerts - Get a list of epp alerts, replaces legacy Detects API
get detections details - Get a list of detections details by providing detection IDs *The action uses legacy Detects API being deprecated. Please use the 'get epp details' action instead*
get epp details - Get list of alert details for EPP alerts by providing composite IDs, replaces legacy Detects API
update detections - Update detections in crowdstrike host *The action uses legacy Detects API being deprecated. Please use the 'update epp alerts' action instead*
update epp alerts - Update EPP alerts in CrowdStrike, replaces legacy Detects API
list alerts - Get a list of alerts
list sessions - Lists Real Time Response sessions
run command - Execute an active responder command on a single host
run admin command - Execute an RTR Admin command on a single host
get command details - Retrieve results of an active responder command executed on a single host
list session files - Get a list of files for the specified RTR session
get incident behaviors - Get details on behaviors by providing behavior IDs
update incident - Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
list users - Get information about all users in your Customer ID
get user roles - Gets the roles that are assigned to the user
list roles - Get information about all user roles from your Customer ID
get role - Get information about all user roles from your Customer ID
list crowdscores - Query environment wide CrowdScore and return the entity data
get incident details - Get details on incidents by providing incident IDs
list incident behaviors - Search for behaviors by providing an FQL filter, sorting, and paging details
list incidents - Search for incidents by providing an FQL filter, sorting, and paging details
get session file - Get RTR extracted file contents for the specified session and sha256 and add it to the vault
set status - Set the state of a detection in Crowdstrike Host *The action uses legacy Detects API being deprecated. Please use the 'resolve epp alerts' action instead*
resolve epp alerts - Update the status of an EPP alert in CrowdStrike, replaces legacy Detects API
get system info - Get details of a device, given the device ID
get process detail - Retrieve the details of a process that is running or that previously ran, given a process ID
hunt file - Hunt for a file on the network by querying for the hash
hunt domain - Get a list of device IDs on which the domain was matched
hunt ip - Get a list of device IDs on which the ip was matched
upload put file - Upload a new put-file to use for the RTR put
command
get indicator - Get the full definition of one or more indicators that are being watched
list custom indicators - Queries for custom indicators in your customer account
list put files - Queries for files uploaded to Crowdstrike for use with the RTR put
command
on poll - Callback action for the on_poll ingest functionality
list processes - List processes that have recently used the IOC on a particular device
upload indicator - Upload indicator that you want CrowdStrike to watch
delete indicator - Delete an indicator that is being watched
update indicator - Update an indicator that has been uploaded
file reputation - Queries CrowdStrike for the file info given a vault ID or a SHA256 hash, vault ID has higher priority than SHA256 hash if both are provided
url reputation - Queries CrowdStrike for the url info
download report - To download the report of the provided artifact id
detonate file - Upload a file to CrowdStrike and retrieve the analysis results
detonate url - Upload an url to CrowdStrike and retrieve the analysis results
check status - To check detonation status of the provided resource id
get device scroll - Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
get zta data - Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID)
create ioa rule group - Create an empty IOA Rule Group
update ioa rule group - Modify an existing IOA Rule Group
delete ioa rule group - Delete an existing IOA Rule Group
list ioa platforms - List valid platforms for IOA Rule Groups
list ioa rule groups - List IOA Rule Groups
list ioa severities - List valid severity values for IOA rules
list ioa types - List valid types of IOA rules
create ioa rule - Create a new IOA Rule
update ioa rule - Update an existing IOA Rule
delete ioa rule - Delete an existing IOA Rule
Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
Type: test
Read only: True
No parameters are required for this action
No Output
Fetch the device details based on the provided query
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
limit | optional | Maximum devices to be fetched | numeric | |
offset | optional | Starting index of overall result set from which to return ids. (Defaults to 0) | numeric | |
filter | optional | Filter expression used to limit the fetched devices (FQL Syntax) | string | |
sort | optional | Property to sort by | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.filter | string | hostname: 'E*' platform_name:'Windows' | |
action_result.parameter.limit | numeric | 120 | |
action_result.parameter.offset | numeric | 10 | |
action_result.parameter.sort | string | hostname.desc | |
action_result.data.*.agent_load_flags | string | 1 | |
action_result.data.*.agent_local_time | string | 2019-06-13T10:46:11.024Z | |
action_result.data.*.agent_version | string | 5.10.9106.0 | |
action_result.data.*.bios_manufacturer | string | XYZ Technologies LTD | |
action_result.data.*.bios_version | string | 6.00 | |
action_result.data.*.build_number | string | 17134 | |
action_result.data.*.cid | string | md5 |
3061c7ff3b634e22b38274d4b586558e |
action_result.data.*.config_id_base | string | 65994753 | |
action_result.data.*.config_id_build | string | 9106 | |
action_result.data.*.config_id_platform | string | 3 | |
action_result.data.*.connection_ip | string | ip |
10.1.18.205 |
action_result.data.*.connection_mac_address | string | 00-50-56-12-34-56 | |
action_result.data.*.cpu_signature | string | 329300 | |
action_result.data.*.default_gateway_ip | string | ip |
10.1.16.1 |
action_result.data.*.device_id | string | crowdstrike device id |
07c312fabcb8473454d0a16f118928ab |
action_result.data.*.device_policies.device_control.applied | boolean | True False | |
action_result.data.*.device_policies.device_control.applied_date | string | 2019-04-18T13:16:17.246147089Z | |
action_result.data.*.device_policies.device_control.assigned_date | string | 2019-04-18T13:09:53.221767635Z | |
action_result.data.*.device_policies.device_control.policy_id | string | md5 |
cb4babb273274f79a91e8a0e84164916 |
action_result.data.*.device_policies.device_control.policy_type | string | device-control | |
action_result.data.*.device_policies.firewall.applied | boolean | True False | |
action_result.data.*.device_policies.firewall.applied_date | string | 2020-07-08T03:12:30.212194872Z | |
action_result.data.*.device_policies.firewall.assigned_date | string | 2020-07-08T03:07:38.48127371Z | |
action_result.data.*.device_policies.firewall.policy_id | string | 2018f9894359493cb756bfa7dd3357a6 | |
action_result.data.*.device_policies.firewall.policy_type | string | firewall | |
action_result.data.*.device_policies.firewall.rule_set_id | string | 2018f9894359493cb756bfa7dd3357a6 | |
action_result.data.*.device_policies.global_config.applied | boolean | True False | |
action_result.data.*.device_policies.global_config.applied_date | string | 2019-06-03T23:31:25.402021685Z | |
action_result.data.*.device_policies.global_config.assigned_date | string | 2019-06-03T23:27:22.325516295Z | |
action_result.data.*.device_policies.global_config.policy_id | string | md5 |
49ee9efc99164562ad89640955f372ce |
action_result.data.*.device_policies.global_config.policy_type | string | globalconfig | |
action_result.data.*.device_policies.global_config.settings_hash | string | a75911b0 | |
action_result.data.*.device_policies.jumpcloud.applied | numeric | True | |
action_result.data.*.device_policies.jumpcloud.applied_date | string | 2022-07-13T17:41:16.271074445Z | |
action_result.data.*.device_policies.jumpcloud.assigned_date | string | 2022-07-13T17:40:53.552991354Z | |
action_result.data.*.device_policies.jumpcloud.policy_id | string | md5 |
234766dcce654217babcbaa247ca31f0 |
action_result.data.*.device_policies.jumpcloud.policy_type | string | jumpcloud | |
action_result.data.*.device_policies.jumpcloud.settings_hash | string | sha256 |
0aec295a677907c6e4de672edf1f172d2cefcc5ca96ed2b5e56f4d6745289694 |
action_result.data.*.device_policies.prevention.applied | boolean | True False | |
action_result.data.*.device_policies.prevention.applied_date | string | 2019-04-03T23:57:05.493184498Z | |
action_result.data.*.device_policies.prevention.assigned_date | string | 2019-04-03T23:53:41.614339193Z | |
action_result.data.*.device_policies.prevention.policy_id | string | md5 |
ad0dad6639454b4d8bbfc963bf9510c9 |
action_result.data.*.device_policies.prevention.policy_type | string | prevention | |
action_result.data.*.device_policies.prevention.settings_hash | string | 4aa96e52 | |
action_result.data.*.device_policies.remote_response.applied | boolean | True False | |
action_result.data.*.device_policies.remote_response.applied_date | string | 2019-02-08T02:39:21.726331953Z | |
action_result.data.*.device_policies.remote_response.assigned_date | string | 2019-02-08T02:36:05.073298048Z | |
action_result.data.*.device_policies.remote_response.policy_id | string | md5 |
6c74313d6c864180bd759c3235dbd550 |
action_result.data.*.device_policies.remote_response.policy_type | string | remote-response | |
action_result.data.*.device_policies.remote_response.settings_hash | string | f472bd8e | |
action_result.data.*.device_policies.sensor_update.applied | boolean | True False | |
action_result.data.*.device_policies.sensor_update.applied_date | string | 2019-05-30T23:21:58.956282211Z | |
action_result.data.*.device_policies.sensor_update.assigned_date | string | 2019-05-30T23:02:19.540591355Z | |
action_result.data.*.device_policies.sensor_update.policy_id | string | md5 |
226d7067a47b4ea7a3369f7e9114b180 |
action_result.data.*.device_policies.sensor_update.policy_type | string | sensor-update | |
action_result.data.*.device_policies.sensor_update.settings_hash | string | 65994753 | |
action_result.data.*.device_policies.sensor_update.uninstall_protection | string | ENABLED | |
action_result.data.*.external_ip | string | ip |
204.107.141.240 |
action_result.data.*.first_seen | string | 2018-04-19T19:10:14Z | |
action_result.data.*.group_hash | string | sha256 |
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
action_result.data.*.groups | string | md5 |
4493ec18e3c942078b7c0bd4248d3f5e |
action_result.data.*.hostname | string | host name |
CB-TEST-01 |
action_result.data.*.instance_id | string | i-058fca45cda978e00 | |
action_result.data.*.kernel_version | string | 10.0.19044.1766 | |
action_result.data.*.last_seen | string | 2019-06-20T14:01:26Z | |
action_result.data.*.local_ip | string | ip |
10.1.18.49 |
action_result.data.*.mac_address | string | 00-0c-29-a0-10-27 | |
action_result.data.*.machine_domain | string | domain |
corp.xyz.com |
action_result.data.*.major_version | string | 10 | |
action_result.data.*.meta.version | string | 59509 | |
action_result.data.*.minor_version | string | 0 | |
action_result.data.*.modified_timestamp | string | 2019-06-20T14:04:12Z | |
action_result.data.*.os_build | string | 19044 | |
action_result.data.*.os_version | string | Windows 10 | |
action_result.data.*.ou | string | Domain Controllers | |
action_result.data.*.platform_id | string | 0 | |
action_result.data.*.platform_name | string | Windows | |
action_result.data.*.pointer_size | string | 8 | |
action_result.data.*.policies.*.applied | boolean | True False | |
action_result.data.*.policies.*.applied_date | string | 2019-04-03T23:57:05.493184498Z | |
action_result.data.*.policies.*.assigned_date | string | 2019-04-03T23:53:41.614339193Z | |
action_result.data.*.policies.*.policy_id | string | md5 |
ad0dad6639454b4d8bbfc963bf9510c9 |
action_result.data.*.policies.*.policy_type | string | prevention | |
action_result.data.*.policies.*.settings_hash | string | 4aa96e52 | |
action_result.data.*.product_type | string | 1 | |
action_result.data.*.product_type_desc | string | Server | |
action_result.data.*.provision_status | string | Provisioned | |
action_result.data.*.reduced_functionality_mode | string | no | |
action_result.data.*.serial_number | string | VMware-56 4d c8 00 40 ed 10 1a-e5 4d 5b d5 e1 a0 10 27 | |
action_result.data.*.service_pack_major | string | 0 | |
action_result.data.*.service_pack_minor | string | 0 | |
action_result.data.*.service_provider | string | test | |
action_result.data.*.service_provider_account_id | string | 427749959855 | |
action_result.data.*.site_name | string | Default-First-Site-Name | |
action_result.data.*.slow_changing_modified_timestamp | string | 2019-06-17T16:08:07Z | |
action_result.data.*.status | string | contained | |
action_result.data.*.system_manufacturer | string | XYZ, Inc. | |
action_result.data.*.system_product_name | string | VM Platform | |
action_result.data.*.zone_group | string | us-east-1a | |
action_result.summary.total_devices | numeric | 2 | |
action_result.message | string | Total devices: 2 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Fetch the details of the host groups
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
limit | optional | Maximum host groups to be fetched | numeric | |
filter | optional | Filter expression used to limit the fetched host groups (FQL Syntax) | string | |
sort | optional | Property to sort by | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.filter | string | modified_timestamp:<='2019-06-14T10:22:02.02236652Z' | |
action_result.parameter.limit | numeric | 120 | |
action_result.parameter.sort | string | created_timestamp.asc | |
action_result.data.*.assignment_rule | string | device_id:[''],hostname:['','EC2AMAZ-K5LEL73'] | |
action_result.data.*.created_by | string | email |
first.last@xyz.com |
action_result.data.*.created_timestamp | string | 2019-05-28T22:51:01.124782712Z | |
action_result.data.*.description | string | This is a sample test group | |
action_result.data.*.group_type | string | static | |
action_result.data.*.id | string | crowdstrike host group id |
b5098f79716c4beb8f9c2aebff609075 |
action_result.data.*.modified_by | string | email |
test.user@example.us |
action_result.data.*.modified_timestamp | string | 2019-05-28T22:51:01.124782712Z | |
action_result.data.*.name | string | super secure group | |
action_result.summary.total_host_group | numeric | 529 | |
action_result.summary.total_host_groups | numeric | 1 | |
action_result.message | string | Total host groups: 2 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Block the device
Type: contain
Read only: False
This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in the user's containment policy.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | optional | Comma-separated list of device IDs | string | crowdstrike device id |
hostname | optional | Comma-separated list of hostnames | string | host name |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.device_id | string | crowdstrike device id |
c70bbe8334aa47bd61046603eb27b15a |
action_result.parameter.hostname | string | host name |
CB-TEST-01 |
action_result.data.*.id | string | crowdstrike device id |
c70bbe8334aa47bd61046603eb27b15a |
action_result.data.*.path | string | /devices/entities/devices/v1 | |
action_result.summary.total_quarantined_device | numeric | 1 | |
action_result.message | string | Device quarantined successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Unblock the device
Type: correct
Read only: False
This action lifts containment on the host, which returns its network communications to normal.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | optional | Comma-separated list of device IDs | string | crowdstrike device id |
hostname | optional | Comma-separated list of hostnames | string | host name |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.device_id | string | crowdstrike device id |
c70bbe8334aa47bd61046603eb27b15a |
action_result.parameter.hostname | string | host name |
CB-TEST-01 |
action_result.data.*.id | string | crowdstrike device id |
c70bbe8334aa47bd61046603eb27b15a |
action_result.data.*.path | string | /devices/entities/devices/v1 | |
action_result.summary.total_unquarantined_device | numeric | 1 | |
action_result.message | string | Device unquarantined successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Assign one or more hosts to the static host group
Type: correct
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | optional | Comma-separated list of device IDs | string | crowdstrike device id |
hostname | optional | Comma separated list of hostnames | string | host name |
host_group_id | required | Static host group ID | string | crowdstrike host group id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.device_id | string | crowdstrike device id |
07c312fabcb8473454d0a16f118928ab |
action_result.parameter.host_group_id | string | crowdstrike host group id |
5c3203cee6934edd894c0c02d5a7d2ad |
action_result.parameter.hostname | string | host name |
CB-TEST-01 |
action_result.data.*.assignment_rule | string | device_id:[''],hostname:['CB-TEST-01'] | |
action_result.data.*.created_by | string | api-client-id:ae1690074e144336ae1de4de9dc1bd93 | |
action_result.data.*.created_timestamp | string | 2019-06-18T06:43:48.348572725Z | |
action_result.data.*.description | string | test 6 | |
action_result.data.*.group_type | string | static | |
action_result.data.*.id | string | crowdstrike host group id |
5c3203cee6934edd894c0c02d5a7d2ad |
action_result.data.*.modified_by | string | api-client-id:ae1690074e144336ae1de4de9dc1bd93 | |
action_result.data.*.modified_timestamp | string | 2019-06-18T06:43:48.348572725Z | |
action_result.data.*.name | string | test 7 | |
action_result.summary.total_assigned_device | numeric | 1 | |
action_result.message | string | Host added successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Remove one or more hosts from the static host group
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | optional | Comma-separated list of device IDs | string | crowdstrike device id |
hostname | optional | Comma-separated list of hostnames | string | host name |
host_group_id | required | Static host group ID | string | crowdstrike host group id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.device_id | string | crowdstrike device id |
07c312fabcb8473454d0a16f118928ab |
action_result.parameter.host_group_id | string | crowdstrike host group id |
5c3203cee6934edd894c0c02d5a7d2ad |
action_result.parameter.hostname | string | host name |
CB-TEST-01 |
action_result.data.*.assignment_rule | string | device_id:[''],hostname:[''] | |
action_result.data.*.created_by | string | api-client-id:ae1690074e144336ae1de4de9dc1bd93 | |
action_result.data.*.created_timestamp | string | 2019-06-18T06:43:48.348572725Z | |
action_result.data.*.description | string | test 6 | |
action_result.data.*.group_type | string | static | |
action_result.data.*.id | string | crowdstrike host group id |
5c3203cee6934edd894c0c02d5a7d2ad |
action_result.data.*.modified_by | string | api-client-id:ae1690074e144336ae1de4de9dc1bd93 | |
action_result.data.*.modified_timestamp | string | 2019-06-18T06:43:48.348572725Z | |
action_result.data.*.name | string | test 7 | |
action_result.summary.total_removed_device | numeric | 1 | |
action_result.message | string | Host removed successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Initialize a new session with the Real Time Response cloud
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | required | Device ID for session to be created | string | crowdstrike device id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.device_id | string | crowdstrike device id |
07c312fabcb8473454d0a16f118928ab |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.data.*.resources.*.created_at | string | 2019-09-24T20:52:08.595772499Z | |
action_result.data.*.resources.*.existing_aid_sessions | numeric | 1 | |
action_result.data.*.resources.*.offline_queued | boolean | True False | |
action_result.data.*.resources.*.pwd | string | file path |
C:\ |
action_result.data.*.resources.*.scripts.*.args.*.arg_name | string | Path | |
action_result.data.*.resources.*.scripts.*.args.*.arg_type | string | arg | |
action_result.data.*.resources.*.scripts.*.args.*.command_level | string | non-destructive | |
action_result.data.*.resources.*.scripts.*.args.*.created_at | string | 2019-06-25T23:48:59Z | |
action_result.data.*.resources.*.scripts.*.args.*.data_type | string | string | |
action_result.data.*.resources.*.scripts.*.args.*.default_value | string | ||
action_result.data.*.resources.*.scripts.*.args.*.description | string | File to concatenate | |
action_result.data.*.resources.*.scripts.*.args.*.encoding | string | ||
action_result.data.*.resources.*.scripts.*.args.*.id | numeric | 7 | |
action_result.data.*.resources.*.scripts.*.args.*.options | string | ||
action_result.data.*.resources.*.scripts.*.args.*.required | boolean | True False | |
action_result.data.*.resources.*.scripts.*.args.*.requires_value | boolean | True False | |
action_result.data.*.resources.*.scripts.*.args.*.script_id | numeric | 6 | |
action_result.data.*.resources.*.scripts.*.args.*.sequence | numeric | 1 | |
action_result.data.*.resources.*.scripts.*.args.*.updated_at | string | 2019-06-25T23:48:59Z | |
action_result.data.*.resources.*.scripts.*.command | string | cat | |
action_result.data.*.resources.*.scripts.*.description | string | Read a file from disk and display as ASCII or hex | |
action_result.data.*.resources.*.scripts.*.examples | string | file path |
C:\> cat c:\mytextfile.txt Display the contents of the text file (ASCII encoding) C:\> cat c:\windows\system32\cmd.exe 100 -ShowHex Display the first 100 hexadecimal characters for cmd.exe |
action_result.data.*.resources.*.scripts.*.internal_only | boolean | True False | |
action_result.data.*.resources.*.scripts.*.runnable | boolean | True False | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.arg_name | string | Name | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.arg_type | string | arg | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.command_level | string | non-destructive | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.created_at | string | 2018-05-01T19:38:30Z | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.data_type | string | string | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.default_value | string | ||
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.description | string | Name of the event log, for example "Application", "System" | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.encoding | string | ||
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.id | numeric | 35 | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.options | string | ||
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.required | boolean | True False | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.requires_value | boolean | True False | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.script_id | numeric | 25 | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.sequence | numeric | 1 | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.updated_at | string | 2018-05-01T19:38:30Z | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.command | string | view | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.description | string | View most recent N events in a given event log | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.examples | string | C:\> eventlog view Application 5 Displays the 5 most recent event log entries in the "Application" event source log |
|
action_result.data.*.resources.*.scripts.*.sub_commands.*.internal_only | boolean | True False | |
action_result.data.*.resources.*.scripts.*.sub_commands.*.runnable | boolean | True False | |
action_result.data.*.resources.*.session_id | string | crowdstrike rtr session id |
c0ab8e89-edb0-485f-a8ee-b52d73453a4b |
action_result.summary.session_id | string | crowdstrike rtr session id |
b2403653-1294-488e-be81-7aadb69b52f1 |
action_result.message | string | Session created successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Deletes a Real Time Response session
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
session_id | required | RTR Session ID | string | crowdstrike rtr session id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.session_id | string | crowdstrike rtr session id |
cdc3b485-6d71-4417-b091-939336154e83 |
action_result.data | string | ||
action_result.summary.results | string | Successfully removed session: b2403653-1294-488e-be81-7aadb69b52f1 | |
action_result.message | string | Session ended successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get a list of detections *The action uses legacy Detects API being deprecated. Please use the 'list epp alerts' action instead*
Type: investigate
Read only: True
This action supports filtering in order to retrieve a particular set of detections.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
limit | optional | Maximum detections to be fetched | numeric | |
filter | optional | Filter expression used to limit the fetched detections (FQL Syntax) | string | |
sort | optional | Property to sort by | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.filter | string | modified_timestamp:<='2019-06-14T10:22:02.02236652Z' | |
action_result.parameter.limit | numeric | 120 | |
action_result.parameter.sort | string | created_timestamp.asc | |
action_result.data | string | ||
action_result.data.*.behaviors.*.alleged_filetype | string | exe | |
action_result.data.*.behaviors.*.behavior_id | string | 10354 | |
action_result.data.*.behaviors.*.cmdline | string | ||
action_result.data.*.behaviors.*.confidence | numeric | 80 | |
action_result.data.*.behaviors.*.control_graph_id | string | ctg:46592f3d661a469eb2503d72a29afd3a:309255693652 | |
action_result.data.*.behaviors.*.description | string | ||
action_result.data.*.behaviors.*.device_id | string | md5 crowdstrike device id |
46592f3d661a469eb2503d72a29afd3a |
action_result.data.*.behaviors.*.display_name | string | CredentialsInFilesCredentialAccess | |
action_result.data.*.behaviors.*.filename | string | powershell.exe | |
action_result.data.*.behaviors.*.filepath | string | \Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | |
action_result.data.*.behaviors.*.ioc_description | string | \Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | |
action_result.data.*.behaviors.*.ioc_source | string | library_load | |
action_result.data.*.behaviors.*.ioc_type | string | hash_sha256 | |
action_result.data.*.behaviors.*.ioc_value | string | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f | |
action_result.data.*.behaviors.*.md5 | string | 04029e121a0cfa5991749937dd22a1d9 | |
action_result.data.*.behaviors.*.objective | string | Gain Access | |
action_result.data.*.behaviors.*.parent_details.parent_cmdline | string | "C:\WINDOWS\system32\cmd.exe" | |
action_result.data.*.behaviors.*.parent_details.parent_md5 | string | 8a2122e8162dbef04694b9c3e0b6cdee | |
action_result.data.*.behaviors.*.parent_details.parent_process_graph_id | string | pid:46592f3d661a469eb2503d72a29afd3a:740512001748 | |
action_result.data.*.behaviors.*.parent_details.parent_sha256 | string | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 | |
action_result.data.*.behaviors.*.pattern_disposition | numeric | 2048 | |
action_result.data.*.behaviors.*.pattern_disposition_details.blocking_unsupported_or_disabled | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.bootup_safeguard_enabled | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.critical_process_disabled | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.detect | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.fs_operation_blocked | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.handle_operation_downgraded | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.inddet_mask | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.indicator | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.kill_action_failed | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.kill_parent | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.kill_process | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.kill_subprocess | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.operation_blocked | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.policy_disabled | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.process_blocked | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.quarantine_file | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.quarantine_machine | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.registry_operation_blocked | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.rooting | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.sensor_only | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.suspend_parent | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.suspend_process | boolean | False True | |
action_result.data.*.behaviors.*.scenario | string | suspicious_activity | |
action_result.data.*.behaviors.*.severity | numeric | 70 | |
action_result.data.*.behaviors.*.sha256 | string | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f | |
action_result.data.*.behaviors.*.tactic | string | Credential Access | |
action_result.data.*.behaviors.*.tactic_id | string | TA0006 | |
action_result.data.*.behaviors.*.technique | string | Credentials In Files | |
action_result.data.*.behaviors.*.technique_id | string | T1552.001 | |
action_result.data.*.behaviors.*.template_instance_id | string | 2649 | |
action_result.data.*.behaviors.*.timestamp | string | 2022-09-26T11:30:26Z | |
action_result.data.*.behaviors.*.triggering_process_graph_id | string | pid:46592f3d661a469eb2503d72a29afd3a:743690872884 | |
action_result.data.*.behaviors.*.user_id | string | S-1-5-21-3607613384-2395287924-1763154957-1001 | |
action_result.data.*.behaviors.*.user_name | string | testuser | |
action_result.data.*.cid | string | md5 |
3061c7ff3b634e22b38274d4b586558e |
action_result.data.*.created_timestamp | string | 2022-09-26T11:30:42.246972793Z | |
action_result.data.*.date_updated | string | 2022-09-26T11:45:46Z | |
action_result.data.*.detection_id | string | crowdstrike detection id |
ldt:46592f3d661a469eb2503d72a29afd3a:309255693652 |
action_result.data.*.device.agent_load_flags | string | 0 | |
action_result.data.*.device.agent_local_time | string | 2022-08-22T15:45:16.195Z | |
action_result.data.*.device.agent_version | string | 6.44.15806.0 | |
action_result.data.*.device.bios_manufacturer | string | Phoenix Technologies LTD | |
action_result.data.*.device.bios_version | string | 6.00 | |
action_result.data.*.device.cid | string | 3061c7ff3b634e22b38274d4b586558e | |
action_result.data.*.device.config_id_base | string | 65994753 | |
action_result.data.*.device.config_id_build | string | 15806 | |
action_result.data.*.device.config_id_platform | string | 3 | |
action_result.data.*.device.device_id | string | md5 crowdstrike device id |
46592f3d661a469eb2503d72a29afd3a |
action_result.data.*.device.external_ip | string | 204.107.141.240 | |
action_result.data.*.device.first_seen | string | 2020-08-13T23:45:59Z | |
action_result.data.*.device.hostname | string | CB-TEST-02 | |
action_result.data.*.device.last_seen | string | 2022-09-26T11:21:40Z | |
action_result.data.*.device.local_ip | string | 10.1.18.205 | |
action_result.data.*.device.mac_address | string | 00-50-56-12-34-56 | |
action_result.data.*.device.machine_domain | string | sql19.local | |
action_result.data.*.device.major_version | string | 10 | |
action_result.data.*.device.minor_version | string | 0 | |
action_result.data.*.device.modified_timestamp | string | 2022-09-26T11:27:43Z | |
action_result.data.*.device.os_version | string | Windows 10 | |
action_result.data.*.device.platform_id | string | 0 | |
action_result.data.*.device.platform_name | string | Windows | |
action_result.data.*.device.product_type | string | 1 | |
action_result.data.*.device.product_type_desc | string | Workstation | |
action_result.data.*.device.site_name | string | Default-First-Site-Name | |
action_result.data.*.device.status | string | normal | |
action_result.data.*.device.system_manufacturer | string | VMware, Inc. | |
action_result.data.*.device.system_product_name | string | VMware Virtual Platform | |
action_result.data.*.email_sent | boolean | False | |
action_result.data.*.first_behavior | string | 2022-09-26T11:30:26Z | |
action_result.data.*.hostinfo.domain | string | ||
action_result.data.*.last_behavior | string | 2022-09-26T11:30:26Z | |
action_result.data.*.max_confidence | numeric | 80 | |
action_result.data.*.max_severity | numeric | 70 | |
action_result.data.*.max_severity_displayname | string | High | |
action_result.data.*.seconds_to_resolved | numeric | 0 | |
action_result.data.*.seconds_to_triaged | numeric | 0 | |
action_result.data.*.show_in_ui | boolean | True | |
action_result.data.*.status | string | new | |
action_result.summary.total_detections | numeric | 44 | |
action_result.message | string | Total detections: 44 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get a list of epp alerts, replaces legacy Detects API
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
limit | optional | Maximum alerts to be fetched | numeric | |
filter | optional | Filter expression used to limit the fetched alerts (FQL Syntax) | string | |
sort | optional | Property to sort by | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.filter | string | ||
action_result.parameter.sort | string | ||
action_result.data.*.agent_id | string | 9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c | |
action_result.data.*.aggregate_id | string | aggind:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx6384 | |
action_result.data.*.alleged_filetype | string | exe | |
action_result.data.*.charlotte.can_triage | boolean | False | |
action_result.data.*.charlotte.triage_status | string | open | |
action_result.data.*.child_process_ids.* | string | pid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx2640 | |
action_result.data.*.cid | string | d615xxxxxxxx2158 | |
action_result.data.*.cmdline | string | cmd /c echo MZ>log1.txt && cmd /c copy /b log1.txt+fabc.scr abc.scr && cmd /c abc.scr && cmd /c del log1.txt && cmd /c del fabc.scr | |
action_result.data.*.composite_id | string | crowdstrike alert id |
d615xxxxxxxx2158:ind:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx1294-32-7878xxxxxxxxxxx1122 |
action_result.data.*.confidence | numeric | 50 | |
action_result.data.*.context_timestamp | string | 2024-08-22T18:30:03Z | |
action_result.data.*.control_graph_id | string | ctg:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx6384 | |
action_result.data.*.crawled_timestamp | string | 2024-08-22T18:35:06.103126166Z | |
action_result.data.*.created_timestamp | string | 2024-08-22T18:31:04.705194419Z | |
action_result.data.*.data_domains.* | string | Endpoint | |
action_result.data.*.description | string | A productivity app launched a process from an executable stack. | |
action_result.data.*.device.agent_load_flags | string | 3 | |
action_result.data.*.device.agent_local_time | string | 2016-04-28T14:33:47.302Z | |
action_result.data.*.device.agent_version | string | 5.25.10701.0 | |
action_result.data.*.device.bios_manufacturer | string | Phoenix Technologies LTD | |
action_result.data.*.device.bios_version | string | 6.00 | |
action_result.data.*.device.cid | string | d615xxxxxxxx2158 | |
action_result.data.*.device.config_id_base | string | 65994755 | |
action_result.data.*.device.config_id_build | string | 10701 | |
action_result.data.*.device.config_id_platform | string | 3 | |
action_result.data.*.device.device_id | string | crowdstrike device id |
9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c |
action_result.data.*.device.external_ip | string | 4x.xxx.xxx.xxx | |
action_result.data.*.device.first_seen | string | 2024-08-22T18:30:04Z | |
action_result.data.*.device.hostname | string | example-host | |
action_result.data.*.device.last_seen | string | 2024-08-22T18:30:03Z | |
action_result.data.*.device.major_version | string | 6 | |
action_result.data.*.device.minor_version | string | 1 | |
action_result.data.*.device.modified_timestamp | string | 2024-08-22T18:30:13Z | |
action_result.data.*.device.os_version | string | Windows 7 | |
action_result.data.*.device.platform_id | string | 0 | |
action_result.data.*.device.platform_name | string | Windows | |
action_result.data.*.device.product_type | string | 1 | |
action_result.data.*.device.product_type_desc | string | Workstation | |
action_result.data.*.device.status | string | normal | |
action_result.data.*.device.system_manufacturer | string | VMware, Inc. | |
action_result.data.*.device.system_product_name | string | VMware Virtual Platform | |
action_result.data.*.display_name | string | SpearPhishExecutableStack | |
action_result.data.*.email_sent | boolean | True | |
action_result.data.*.external | boolean | False | |
action_result.data.*.falcon_host_link | string | https://falcon.crowdstrike.com/activity-v2/detections/d615xxxxxxxx2158:ind:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx1294-32-7878xxxxxxxxxxx1122?_cid=g01000co2vxxxxxxxxxxxxu5f72jzjfu | |
action_result.data.*.filename | string | cmd.exe | |
action_result.data.*.filepath | string | \Device\HarddiskVolume1\Windows\SysWOW64\cmd.exe | |
action_result.data.*.global_prevalence | string | common | |
action_result.data.*.grandparent_details.cmdline | string | C:\Windows\Explorer.EXE | |
action_result.data.*.grandparent_details.filename | string | explorer.exe | |
action_result.data.*.grandparent_details.filepath | string | \Device\HarddiskVolume1\Windows\explorer.exe | |
action_result.data.*.grandparent_details.local_process_id | string | 1260 | |
action_result.data.*.grandparent_details.md5 | string | ac4c51eb24aaxxxxxxxxxxb159189e24 | |
action_result.data.*.grandparent_details.process_graph_id | string | pid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx0581 | |
action_result.data.*.grandparent_details.process_id | string | 1336xxxxxxxxxx0581 | |
action_result.data.*.grandparent_details.sha256 | string | 6a67xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx576a | |
action_result.data.*.grandparent_details.timestamp | string | 2024-08-22T18:30:03.000Z | |
action_result.data.*.grandparent_details.user_graph_id | string | uid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:S-1-5-21-246xxxx873-120xxxx372-215xxxx746-1000 | |
action_result.data.*.grandparent_details.user_id | string | S-1-5-21-246xxxx873-120xxxx372-215xxxx746-1000 | |
action_result.data.*.grandparent_details.user_name | string | testusername | |
action_result.data.*.id | string | ind:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx1294-32-7878xxxxxxxxxxx1122 | |
action_result.data.*.incident.created | string | 2024-08-22T18:30:03Z | |
action_result.data.*.incident.end | string | 2024-08-22T18:30:03Z | |
action_result.data.*.incident.id | string | inc:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:7e90xxxxxxxxxxxxxxxxxxxxxxxx399c | |
action_result.data.*.incident.score | string | 77.2905584547083 | |
action_result.data.*.incident.start | string | 2024-08-22T18:30:03Z | |
action_result.data.*.indicator_id | string | ind:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx1294-32-7878xxxxxxxxxxx1122 | |
action_result.data.*.ioc_context.* | string | [] | |
action_result.data.*.ioc_values.* | string | [] | |
action_result.data.*.local_prevalence | string | common | |
action_result.data.*.local_process_id | string | 2956 | |
action_result.data.*.logon_domain | string | WIN-ABCDEFG | |
action_result.data.*.md5 | string | ad7b9c14xxxxxxxxxxxxxxxxxxxx2b98 | |
action_result.data.*.name | string | SpearPhishExecutableStack | |
action_result.data.*.objective | string | Follow Through | |
action_result.data.*.parent_details.cmdline | string | "C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE" /n /dde | |
action_result.data.*.parent_details.filename | string | WINWORD.EXE | |
action_result.data.*.parent_details.filepath | string | \Device\HarddiskVolume1\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE | |
action_result.data.*.parent_details.local_process_id | string | 2756 | |
action_result.data.*.parent_details.md5 | string | 10ff86bcxxxxxxxxxxxxxxxxxxxxfd507 | |
action_result.data.*.parent_details.process_graph_id | string | pid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx4664 | |
action_result.data.*.parent_details.process_id | string | 1336xxxxxxxxxx4664 | |
action_result.data.*.parent_details.sha256 | string | b38bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx958d | |
action_result.data.*.parent_details.timestamp | string | 2024-08-22T18:30:03Z | |
action_result.data.*.parent_details.user_graph_id | string | uid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:S-1-5-21-246xxxx873-120xxxx372-215xxxx746-1000 | |
action_result.data.*.parent_details.user_id | string | S-1-5-21-246xxxx873-120xxxx372-215xxxx746-1000 | |
action_result.data.*.parent_details.user_name | string | testusername | |
action_result.data.*.parent_process_id | string | 1336xxxxxxxxxx4664 | |
action_result.data.*.pattern_disposition | numeric | 0 | |
action_result.data.*.pattern_disposition_description | string | Detection, standard detection. | |
action_result.data.*.pattern_disposition_details.blocking_unsupported_or_disabled | boolean | False | |
action_result.data.*.pattern_disposition_details.bootup_safeguard_enabled | boolean | False | |
action_result.data.*.pattern_disposition_details.containment_file_system | boolean | False | |
action_result.data.*.pattern_disposition_details.critical_process_disabled | boolean | False | |
action_result.data.*.pattern_disposition_details.detect | boolean | False | |
action_result.data.*.pattern_disposition_details.fs_operation_blocked | boolean | False | |
action_result.data.*.pattern_disposition_details.handle_operation_downgraded | boolean | False | |
action_result.data.*.pattern_disposition_details.inddet_mask | boolean | False | |
action_result.data.*.pattern_disposition_details.indicator | boolean | False | |
action_result.data.*.pattern_disposition_details.kill_action_failed | boolean | False | |
action_result.data.*.pattern_disposition_details.kill_parent | boolean | False | |
action_result.data.*.pattern_disposition_details.kill_process | boolean | False | |
action_result.data.*.pattern_disposition_details.kill_subprocess | boolean | False | |
action_result.data.*.pattern_disposition_details.mfa_required | boolean | False | |
action_result.data.*.pattern_disposition_details.operation_blocked | boolean | False | |
action_result.data.*.pattern_disposition_details.policy_disabled | boolean | False | |
action_result.data.*.pattern_disposition_details.prevention_provisioning_enabled | boolean | False | |
action_result.data.*.pattern_disposition_details.process_blocked | boolean | False | |
action_result.data.*.pattern_disposition_details.quarantine_file | boolean | False | |
action_result.data.*.pattern_disposition_details.quarantine_machine | boolean | False | |
action_result.data.*.pattern_disposition_details.registry_operation_blocked | boolean | False | |
action_result.data.*.pattern_disposition_details.response_action_already_applied | boolean | False | |
action_result.data.*.pattern_disposition_details.response_action_failed | boolean | False | |
action_result.data.*.pattern_disposition_details.response_action_triggered | boolean | False | |
action_result.data.*.pattern_disposition_details.rooting | boolean | False | |
action_result.data.*.pattern_disposition_details.sensor_only | boolean | False | |
action_result.data.*.pattern_disposition_details.suspend_parent | boolean | False | |
action_result.data.*.pattern_disposition_details.suspend_process | boolean | False | |
action_result.data.*.pattern_id | numeric | 32 | |
action_result.data.*.platform | string | Windows | |
action_result.data.*.process_end_time | string | 1724351403 | |
action_result.data.*.process_id | string | 1336xxxxxxxxxx1294 | |
action_result.data.*.process_start_time | string | 1724351403 | |
action_result.data.*.product | string | epp | |
action_result.data.*.scenario | string | malicious_document | |
action_result.data.*.seconds_to_resolved | numeric | 0 | |
action_result.data.*.seconds_to_triaged | numeric | 0 | |
action_result.data.*.severity | numeric | 50 | |
action_result.data.*.severity_name | string | Medium | |
action_result.data.*.sha1 | string | ee8cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx20b5 | |
action_result.data.*.sha256 | string | 17f7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx02ae | |
action_result.data.*.show_in_ui | boolean | True | |
action_result.data.*.source_products.* | string | Falcon Insight | |
action_result.data.*.source_vendors.* | string | CrowdStrike | |
action_result.data.*.status | string | in_progress | |
action_result.data.*.tactic | string | Execution | |
action_result.data.*.tactic_id | string | TA0002 | |
action_result.data.*.technique | string | Exploitation for Client Execution | |
action_result.data.*.technique_id | string | T1203 | |
action_result.data.*.timestamp | string | 2024-08-22T18:30:03.238Z | |
action_result.data.*.tree_id | string | 1336xxxxxxxxxx6384 | |
action_result.data.*.tree_root | string | 1336xxxxxxxxxx4664 | |
action_result.data.*.triggering_process_graph_id | string | pid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx1294 | |
action_result.data.*.type | string | ldt | |
action_result.data.*.updated_timestamp | string | 2024-08-22T18:35:06.102982431Z | |
action_result.data.*.user_id | string | S-1-5-21-246xxxx873-120xxxx372-215xxxx746-1000 | |
action_result.data.*.user_name | string | testusername | |
action_result.message | string | Success | |
action_result.status | string | success | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get a list of detections details by providing detection IDs *The action uses legacy Detects API being deprecated. Please use the 'get epp details' action instead*
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
detection_ids | required | List of detection IDs. Comma-separated list allowed | string | crowdstrike detection id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.detection_ids | string | crowdstrike detection id |
|
action_result.data | string | ||
action_result.data.*.assigned_to_name | string | test user | |
action_result.data.*.assigned_to_uid | string | usertest@gmail.com | |
action_result.data.*.behaviors.*.alleged_filetype | string | exe | |
action_result.data.*.behaviors.*.behavior_id | string | 10354 | |
action_result.data.*.behaviors.*.cmdline | string | ||
action_result.data.*.behaviors.*.confidence | numeric | 80 | |
action_result.data.*.behaviors.*.control_graph_id | string | ctg:46592f3d661a469eb2503d72a29afd3a:309255693652 | |
action_result.data.*.behaviors.*.description | string | ||
action_result.data.*.behaviors.*.device_id | string | md5 crowdstrike device id |
46592f3d661a469eb2503d72a29afd3a |
action_result.data.*.behaviors.*.display_name | string | CredentialsInFilesCredentialAccess | |
action_result.data.*.behaviors.*.filename | string | powershell.exe | |
action_result.data.*.behaviors.*.filepath | string | \Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | |
action_result.data.*.behaviors.*.ioc_description | string | \Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | |
action_result.data.*.behaviors.*.ioc_source | string | library_load | |
action_result.data.*.behaviors.*.ioc_type | string | hash_sha256 | |
action_result.data.*.behaviors.*.ioc_value | string | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f | |
action_result.data.*.behaviors.*.md5 | string | 04029e121a0cfa5991749937dd22a1d9 | |
action_result.data.*.behaviors.*.objective | string | Gain Access | |
action_result.data.*.behaviors.*.parent_details.parent_cmdline | string | "C:\WINDOWS\system32\cmd.exe" | |
action_result.data.*.behaviors.*.parent_details.parent_md5 | string | 8a2122e8162dbef04694b9c3e0b6cdee | |
action_result.data.*.behaviors.*.parent_details.parent_process_graph_id | string | pid:46592f3d661a469eb2503d72a29afd3a:740512001748 | |
action_result.data.*.behaviors.*.parent_details.parent_sha256 | string | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 | |
action_result.data.*.behaviors.*.pattern_disposition | numeric | 2048 | |
action_result.data.*.behaviors.*.pattern_disposition_details.blocking_unsupported_or_disabled | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.bootup_safeguard_enabled | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.critical_process_disabled | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.detect | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.fs_operation_blocked | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.handle_operation_downgraded | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.inddet_mask | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.indicator | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.kill_action_failed | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.kill_parent | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.kill_process | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.kill_subprocess | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.operation_blocked | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.policy_disabled | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.process_blocked | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.quarantine_file | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.quarantine_machine | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.registry_operation_blocked | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.rooting | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.sensor_only | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.suspend_parent | boolean | False True | |
action_result.data.*.behaviors.*.pattern_disposition_details.suspend_process | boolean | False True | |
action_result.data.*.behaviors.*.scenario | string | suspicious_activity | |
action_result.data.*.behaviors.*.severity | numeric | 70 | |
action_result.data.*.behaviors.*.sha256 | string | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f | |
action_result.data.*.behaviors.*.tactic | string | Credential Access | |
action_result.data.*.behaviors.*.tactic_id | string | TA0006 | |
action_result.data.*.behaviors.*.technique | string | Credentials In Files | |
action_result.data.*.behaviors.*.technique_id | string | T1552.001 | |
action_result.data.*.behaviors.*.template_instance_id | string | 2649 | |
action_result.data.*.behaviors.*.timestamp | string | 2022-09-26T11:30:26Z | |
action_result.data.*.behaviors.*.triggering_process_graph_id | string | pid:46592f3d661a469eb2503d72a29afd3a:743690872884 | |
action_result.data.*.behaviors.*.user_id | string | S-1-5-21-3607613384-2395287924-1763154957-1001 | |
action_result.data.*.behaviors.*.user_name | string | testuser | |
action_result.data.*.cid | string | md5 |
3061c7ff3b634e22b38274d4b586558e |
action_result.data.*.created_timestamp | string | 2022-09-26T11:30:42.246972793Z | |
action_result.data.*.date_updated | string | 2022-09-26T11:45:46Z | |
action_result.data.*.detection_id | string | crowdstrike detection id |
ldt:46592f3d661a469eb2503d72a29afd3a:309255693652 |
action_result.data.*.device.agent_load_flags | string | 0 | |
action_result.data.*.device.agent_local_time | string | 2022-08-22T15:45:16.195Z | |
action_result.data.*.device.agent_version | string | 6.44.15806.0 | |
action_result.data.*.device.bios_manufacturer | string | Phoenix Technologies LTD | |
action_result.data.*.device.bios_version | string | 6.00 | |
action_result.data.*.device.cid | string | 3061c7ff3b634e22b38274d4b586558e | |
action_result.data.*.device.config_id_base | string | 65994753 | |
action_result.data.*.device.config_id_build | string | 15806 | |
action_result.data.*.device.config_id_platform | string | 3 | |
action_result.data.*.device.device_id | string | md5 crowdstrike device id |
46592f3d661a469eb2503d72a29afd3a |
action_result.data.*.device.external_ip | string | 204.107.141.240 | |
action_result.data.*.device.first_seen | string | 2020-08-13T23:45:59Z | |
action_result.data.*.device.hostname | string | CB-TEST-02 | |
action_result.data.*.device.last_seen | string | 2022-09-26T11:21:40Z | |
action_result.data.*.device.local_ip | string | 10.1.18.205 | |
action_result.data.*.device.mac_address | string | 00-50-56-12-34-56 | |
action_result.data.*.device.machine_domain | string | sql19.local | |
action_result.data.*.device.major_version | string | 10 | |
action_result.data.*.device.minor_version | string | 0 | |
action_result.data.*.device.modified_timestamp | string | 2022-09-26T11:27:43Z | |
action_result.data.*.device.os_version | string | Windows 10 | |
action_result.data.*.device.platform_id | string | 0 | |
action_result.data.*.device.platform_name | string | Windows | |
action_result.data.*.device.product_type | string | 1 | |
action_result.data.*.device.product_type_desc | string | Workstation | |
action_result.data.*.device.site_name | string | Default-First-Site-Name | |
action_result.data.*.device.status | string | normal | |
action_result.data.*.device.system_manufacturer | string | VMware, Inc. | |
action_result.data.*.device.system_product_name | string | VMware Virtual Platform | |
action_result.data.*.email_sent | boolean | False | |
action_result.data.*.first_behavior | string | 2022-09-26T11:30:26Z | |
action_result.data.*.hostinfo.domain | string | ||
action_result.data.*.last_behavior | string | 2022-09-26T11:30:26Z | |
action_result.data.*.max_confidence | numeric | 80 | |
action_result.data.*.max_severity | numeric | 70 | |
action_result.data.*.max_severity_displayname | string | High | |
action_result.data.*.seconds_to_resolved | numeric | 2 | |
action_result.data.*.seconds_to_triaged | numeric | 1 | |
action_result.data.*.show_in_ui | boolean | True | |
action_result.data.*.status | string | new | |
action_result.summary.total_detections | numeric | 44 | |
action_result.message | string | Total detections: 44 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get list of alert details for EPP alerts by providing composite IDs, replaces legacy Detects API
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
alert_ids | required | List of alert composite_ids. Comma-separated list allowed | string | crowdstrike alert id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.alert_ids | string | crowdstrike alert id |
|
action_result.data.*.agent_id | string | 9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c | |
action_result.data.*.aggregate_id | string | aggind:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx6384 | |
action_result.data.*.alleged_filetype | string | exe | |
action_result.data.*.charlotte.can_triage | boolean | False | |
action_result.data.*.charlotte.triage_status | string | open | |
action_result.data.*.child_process_ids.* | string | pid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx2640 | |
action_result.data.*.cid | string | d615xxxxxxxx2158 | |
action_result.data.*.cmdline | string | cmd /c echo MZ>log1.txt && cmd /c copy /b log1.txt+fabc.scr abc.scr && cmd /c abc.scr && cmd /c del log1.txt && cmd /c del fabc.scr | |
action_result.data.*.composite_id | string | crowdstrike alert id |
d615xxxxxxxx2158:ind:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx1294-32-7878xxxxxxxxxxx1122 |
action_result.data.*.confidence | numeric | 50 | |
action_result.data.*.context_timestamp | string | 2024-08-22T18:30:03Z | |
action_result.data.*.control_graph_id | string | ctg:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx6384 | |
action_result.data.*.crawled_timestamp | string | 2024-08-22T18:35:06.103126166Z | |
action_result.data.*.created_timestamp | string | 2024-08-22T18:31:04.705194419Z | |
action_result.data.*.data_domains.* | string | Endpoint | |
action_result.data.*.description | string | A productivity app launched a process from an executable stack. | |
action_result.data.*.device.agent_load_flags | string | 3 | |
action_result.data.*.device.agent_local_time | string | 2016-04-28T14:33:47.302Z | |
action_result.data.*.device.agent_version | string | 5.25.10701.0 | |
action_result.data.*.device.bios_manufacturer | string | Phoenix Technologies LTD | |
action_result.data.*.device.bios_version | string | 6.00 | |
action_result.data.*.device.cid | string | d615xxxxxxxx2158 | |
action_result.data.*.device.config_id_base | string | 65994755 | |
action_result.data.*.device.config_id_build | string | 10701 | |
action_result.data.*.device.config_id_platform | string | 3 | |
action_result.data.*.device.device_id | string | crowdstrike device id |
9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c |
action_result.data.*.device.external_ip | string | 4x.xxx.xxx.xxx | |
action_result.data.*.device.first_seen | string | 2024-08-22T18:30:04Z | |
action_result.data.*.device.hostname | string | example-host | |
action_result.data.*.device.last_seen | string | 2024-08-22T18:30:03Z | |
action_result.data.*.device.major_version | string | 6 | |
action_result.data.*.device.minor_version | string | 1 | |
action_result.data.*.device.modified_timestamp | string | 2024-08-22T18:30:13Z | |
action_result.data.*.device.os_version | string | Windows 7 | |
action_result.data.*.device.platform_id | string | 0 | |
action_result.data.*.device.platform_name | string | Windows | |
action_result.data.*.device.product_type | string | 1 | |
action_result.data.*.device.product_type_desc | string | Workstation | |
action_result.data.*.device.status | string | normal | |
action_result.data.*.device.system_manufacturer | string | VMware, Inc. | |
action_result.data.*.device.system_product_name | string | VMware Virtual Platform | |
action_result.data.*.display_name | string | SpearPhishExecutableStack | |
action_result.data.*.email_sent | boolean | True | |
action_result.data.*.external | boolean | False | |
action_result.data.*.falcon_host_link | string | https://falcon.crowdstrike.com/activity-v2/detections/d615xxxxxxxx2158:ind:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx1294-32-7878xxxxxxxxxxx1122?_cid=g01000co2vxxxxxxxxxxxxu5f72jzjfu | |
action_result.data.*.filename | string | cmd.exe | |
action_result.data.*.filepath | string | \Device\HarddiskVolume1\Windows\SysWOW64\cmd.exe | |
action_result.data.*.global_prevalence | string | common | |
action_result.data.*.grandparent_details.cmdline | string | C:\Windows\Explorer.EXE | |
action_result.data.*.grandparent_details.filename | string | explorer.exe | |
action_result.data.*.grandparent_details.filepath | string | \Device\HarddiskVolume1\Windows\explorer.exe | |
action_result.data.*.grandparent_details.local_process_id | string | 1260 | |
action_result.data.*.grandparent_details.md5 | string | ac4c51eb24aaxxxxxxxxxxb159189e24 | |
action_result.data.*.grandparent_details.process_graph_id | string | pid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx0581 | |
action_result.data.*.grandparent_details.process_id | string | 1336xxxxxxxxxx0581 | |
action_result.data.*.grandparent_details.sha256 | string | 6a67xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx576a | |
action_result.data.*.grandparent_details.timestamp | string | 2024-08-22T18:30:03.000Z | |
action_result.data.*.grandparent_details.user_graph_id | string | uid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:S-1-5-21-246xxxx873-120xxxx372-215xxxx746-1000 | |
action_result.data.*.grandparent_details.user_id | string | S-1-5-21-246xxxx873-120xxxx372-215xxxx746-1000 | |
action_result.data.*.grandparent_details.user_name | string | testusername | |
action_result.data.*.id | string | ind:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx1294-32-7878xxxxxxxxxxx1122 | |
action_result.data.*.incident.created | string | 2024-08-22T18:30:03Z | |
action_result.data.*.incident.end | string | 2024-08-22T18:30:03Z | |
action_result.data.*.incident.id | string | inc:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:7e90xxxxxxxxxxxxxxxxxxxxxxxx399c | |
action_result.data.*.incident.score | string | 77.2905584547083 | |
action_result.data.*.incident.start | string | 2024-08-22T18:30:03Z | |
action_result.data.*.indicator_id | string | ind:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx1294-32-7878xxxxxxxxxxx1122 | |
action_result.data.*.ioc_context.* | string | [] | |
action_result.data.*.ioc_values.* | string | [] | |
action_result.data.*.local_prevalence | string | common | |
action_result.data.*.local_process_id | string | 2956 | |
action_result.data.*.logon_domain | string | WIN-ABCDEFG | |
action_result.data.*.md5 | string | ad7b9c14xxxxxxxxxxxxxxxxxxxx2b98 | |
action_result.data.*.name | string | SpearPhishExecutableStack | |
action_result.data.*.objective | string | Follow Through | |
action_result.data.*.parent_details.cmdline | string | "C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE" /n /dde | |
action_result.data.*.parent_details.filename | string | WINWORD.EXE | |
action_result.data.*.parent_details.filepath | string | \Device\HarddiskVolume1\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE | |
action_result.data.*.parent_details.local_process_id | string | 2756 | |
action_result.data.*.parent_details.md5 | string | 10ff86bcxxxxxxxxxxxxxxxxxxxxfd507 | |
action_result.data.*.parent_details.process_graph_id | string | pid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx4664 | |
action_result.data.*.parent_details.process_id | string | 1336xxxxxxxxxx4664 | |
action_result.data.*.parent_details.sha256 | string | b38bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx958d | |
action_result.data.*.parent_details.timestamp | string | 2024-08-22T18:30:03Z | |
action_result.data.*.parent_details.user_graph_id | string | uid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:S-1-5-21-246xxxx873-120xxxx372-215xxxx746-1000 | |
action_result.data.*.parent_details.user_id | string | S-1-5-21-246xxxx873-120xxxx372-215xxxx746-1000 | |
action_result.data.*.parent_details.user_name | string | testusername | |
action_result.data.*.parent_process_id | string | 1336xxxxxxxxxx4664 | |
action_result.data.*.pattern_disposition | numeric | 0 | |
action_result.data.*.pattern_disposition_description | string | Detection, standard detection. | |
action_result.data.*.pattern_disposition_details.blocking_unsupported_or_disabled | boolean | False | |
action_result.data.*.pattern_disposition_details.bootup_safeguard_enabled | boolean | False | |
action_result.data.*.pattern_disposition_details.containment_file_system | boolean | False | |
action_result.data.*.pattern_disposition_details.critical_process_disabled | boolean | False | |
action_result.data.*.pattern_disposition_details.detect | boolean | False | |
action_result.data.*.pattern_disposition_details.fs_operation_blocked | boolean | False | |
action_result.data.*.pattern_disposition_details.handle_operation_downgraded | boolean | False | |
action_result.data.*.pattern_disposition_details.inddet_mask | boolean | False | |
action_result.data.*.pattern_disposition_details.indicator | boolean | False | |
action_result.data.*.pattern_disposition_details.kill_action_failed | boolean | False | |
action_result.data.*.pattern_disposition_details.kill_parent | boolean | False | |
action_result.data.*.pattern_disposition_details.kill_process | boolean | False | |
action_result.data.*.pattern_disposition_details.kill_subprocess | boolean | False | |
action_result.data.*.pattern_disposition_details.mfa_required | boolean | False | |
action_result.data.*.pattern_disposition_details.operation_blocked | boolean | False | |
action_result.data.*.pattern_disposition_details.policy_disabled | boolean | False | |
action_result.data.*.pattern_disposition_details.prevention_provisioning_enabled | boolean | False | |
action_result.data.*.pattern_disposition_details.process_blocked | boolean | False | |
action_result.data.*.pattern_disposition_details.quarantine_file | boolean | False | |
action_result.data.*.pattern_disposition_details.quarantine_machine | boolean | False | |
action_result.data.*.pattern_disposition_details.registry_operation_blocked | boolean | False | |
action_result.data.*.pattern_disposition_details.response_action_already_applied | boolean | False | |
action_result.data.*.pattern_disposition_details.response_action_failed | boolean | False | |
action_result.data.*.pattern_disposition_details.response_action_triggered | boolean | False | |
action_result.data.*.pattern_disposition_details.rooting | boolean | False | |
action_result.data.*.pattern_disposition_details.sensor_only | boolean | False | |
action_result.data.*.pattern_disposition_details.suspend_parent | boolean | False | |
action_result.data.*.pattern_disposition_details.suspend_process | boolean | False | |
action_result.data.*.pattern_id | numeric | 32 | |
action_result.data.*.platform | string | Windows | |
action_result.data.*.process_end_time | string | 1724351403 | |
action_result.data.*.process_id | string | 1336xxxxxxxxxx1294 | |
action_result.data.*.process_start_time | string | 1724351403 | |
action_result.data.*.product | string | epp | |
action_result.data.*.scenario | string | malicious_document | |
action_result.data.*.seconds_to_resolved | numeric | 0 | |
action_result.data.*.seconds_to_triaged | numeric | 0 | |
action_result.data.*.severity | numeric | 50 | |
action_result.data.*.severity_name | string | Medium | |
action_result.data.*.sha1 | string | ee8cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx20b5 | |
action_result.data.*.sha256 | string | 17f7xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx02ae | |
action_result.data.*.show_in_ui | boolean | True | |
action_result.data.*.source_products.* | string | Falcon Insight | |
action_result.data.*.source_vendors.* | string | CrowdStrike | |
action_result.data.*.status | string | in_progress | |
action_result.data.*.tactic | string | Execution | |
action_result.data.*.tactic_id | string | TA0002 | |
action_result.data.*.technique | string | Exploitation for Client Execution | |
action_result.data.*.technique_id | string | T1203 | |
action_result.data.*.timestamp | string | 2024-08-22T18:30:03.238Z | |
action_result.data.*.tree_id | string | 1336xxxxxxxxxx6384 | |
action_result.data.*.tree_root | string | 1336xxxxxxxxxx4664 | |
action_result.data.*.triggering_process_graph_id | string | pid:9a8d0d2fe0xxxxxxxxxxxxxxxxxxc74c:1336xxxxxxxxxx1294 | |
action_result.data.*.type | string | ldt | |
action_result.data.*.updated_timestamp | string | 2024-08-22T18:35:06.102982431Z | |
action_result.data.*.user_id | string | S-1-5-21-246xxxx873-120xxxx372-215xxxx746-1000 | |
action_result.data.*.user_name | string | testusername | |
action_result.message | string | Success | |
action_result.status | string | success | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Update detections in crowdstrike host *The action uses legacy Detects API being deprecated. Please use the 'update epp alerts' action instead*
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
detection_ids | required | List of Detection IDs to update, Comma-separated list allowed | string | crowdstrike detection id |
comment | optional | Comment to add to the detection (Maximum 2048 bytes) | string | |
assigned_to_user | optional | User ID to assign | string | crowdstrike unique user id |
show_in_ui | optional | This detection is displayed or not in falcon UI | boolean | |
status | optional | Status to set | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.assigned_to_user | string | crowdstrike unique user id |
|
action_result.parameter.comment | string | update status of detection | |
action_result.parameter.detection_ids | string | crowdstrike detection id |
ldt:07c312fabcb8473454d0a16f118928fg:10548439893999 |
action_result.parameter.show_in_ui | boolean | True False | |
action_result.parameter.status | string | in_progress | |
action_result.data.*.meta.powered_by | string | legacy-detects | |
action_result.data.*.meta.query_time | numeric | 0 | |
action_result.data.*.meta.trace_id | string | a30c7b54-ae00-4a87-8324-0a575ba7dcb4 | |
action_result.data.*.meta.writes.resources_affected | numeric | 2 | |
action_result.summary | string | ||
action_result.summary.detections_affected | numeric | 1 | |
action_result.message | string | Detections affected: 1 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Update EPP alerts in CrowdStrike, replaces legacy Detects API
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
alert_ids | required | List of alert composite_ids to update, Comma-separated list allowed | string | crowdstrike alert id |
comment | optional | Comment to add to the alert (Maximum 2048 bytes) | string | |
assigned_to_user | optional | User to assign (can be email, UUID, or username) | string | crowdstrike user id email |
unassign | optional | If there are any users currently assigned to specified alerts, unassign them | string | |
show_in_ui | optional | Control whether this alert is displayed in Falcon UI | boolean | |
status | optional | Status to set | string | |
add_tags | optional | Tags to add to the alert, Comma-separated list allowed | string | |
remove_tags | optional | Tags to remove from the alert, Comma-separated list allowed | string | |
remove_tags_by_prefix | optional | Remove all tags with this prefix | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.alert_ids | string | crowdstrike alert id |
|
action_result.parameter.assigned_to_user | string | crowdstrike user id email |
|
action_result.parameter.unassign | string | ||
action_result.parameter.show_in_ui | boolean | ||
action_result.parameter.status | string | ||
action_result.parameter.add_tags | string | ||
action_result.parameter.remove_tags | string | ||
action_result.parameter.remove_tags_by_prefix | string | ||
action_result.data.*.errors.* | string | [] | |
action_result.data.*.meta.pagination.limit | numeric | 5 | |
action_result.data.*.meta.pagination.offset | numeric | 0 | |
action_result.data.*.meta.pagination.total | numeric | 10000 | |
action_result.data.*.meta.powered_by | string | detectsapi | |
action_result.data.*.meta.query_time | numeric | 0.044395707 | |
action_result.data.*.meta.trace_id | string | f755297a-e287-4012-b5e3-ff88691e95e9 | |
action_result.data.*.meta.writes.resources_affected | numeric | 0 | |
action_result.data.*.resources.* | string | d615xxxxxxxx2158:ind:9a8dxxxxxxxxc74c:1336xxxxxxxx1294-32-7878xxxxxxxx1122 | |
action_result.message | string | Success | |
action_result.status | string | success | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get a list of alerts
Type: investigate
Read only: True
This action supports filtering in order to retrieve a particular set of alerts.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
limit | optional | Maximum alerts to be fetched | numeric | |
filter | optional | Filter expression used to limit the fetched alerts (FQL Syntax) | string | |
sort | optional | Property to sort by | string | |
include_hidden | optional | Include hidden alerts | boolean |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.filter | string | modified_timestamp:<='2019-06-14T10:22:02.02236652Z' | |
action_result.parameter.limit | numeric | 120 | |
action_result.parameter.sort | string | created_timestamp.asc | |
action_result.data.*.aggregate_id | string | aggind:3061c7ff3b634e22b38274d4b586558e:3EC58D8F-599D-4CEC-8BB1-BFDE96477FB1 | |
action_result.data.*.cid | string | md5 |
3061c7ff3b634e22b38274d4b586558e |
action_result.data.*.composite_id | string | 3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:3EC58D8F-599D-4CEC-8BB1-BFDE96477FB1 | |
action_result.data.*.confidence | numeric | 20 | |
action_result.data.*.context_timestamp | string | 2022-11-16T09:42:26.413Z | |
action_result.data.*.crawled_timestamp | string | 2022-11-16T09:47:26.563805668Z | |
action_result.data.*.created_timestamp | string | 2022-11-16T09:43:26.560807901Z | |
action_result.data.*.description | string | A user received new privileges | |
action_result.data.*.display_name | string | Privilege escalation (user) | |
action_result.data.*.end_time | string | 2022-11-16T09:42:26.413Z | |
action_result.data.*.falcon_host_link | string | https://falcon.crowdstrike.com/identity-protection/detections/3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:3EC58D8F-599D-4CEC-8BB1-BFDE96477FB1?cid=3061c7ff3b634e22b38274d4b586558e | |
action_result.data.*.id | string | ind:3061c7ff3b634e22b38274d4b586558e:3EC58D8F-599D-4CEC-8BB1-BFDE96477FB1 | |
action_result.data.*.name | string | IdpEntityPrivilegeEscalationUser | |
action_result.data.*.objective | string | Gain Access | |
action_result.data.*.pattern_id | numeric | 51113 | |
action_result.data.*.previous_privileges | string | 0 | |
action_result.data.*.privileges | string | 8321 | |
action_result.data.*.product | string | idp | |
action_result.data.*.scenario | string | privilege_escalation | |
action_result.data.*.severity | numeric | 2 | |
action_result.data.*.show_in_ui | boolean | True | |
action_result.data.*.source_account_domain | string | IDENTITY.TEST | |
action_result.data.*.source_account_name | string | test1 | |
action_result.data.*.source_account_object_sid | string | S-1-5-21-14850137-2860523753-2226348357-1103 | |
action_result.data.*.start_time | string | 2022-11-16T09:42:26.413Z | |
action_result.data.*.status | string | new | |
action_result.data.*.tactic | string | Privilege Escalation | |
action_result.data.*.tactic_id | string | TA0004 | |
action_result.data.*.technique | string | Valid Accounts | |
action_result.data.*.technique_id | string | T1078 | |
action_result.data.*.timestamp | string | 2022-11-16T09:42:26.56Z | |
action_result.data.*.type | string | idp-user-endpoint-app-info | |
action_result.data.*.updated_timestamp | string | 2022-11-16T09:47:26.561192951Z | |
action_result.summary.total_alerts | numeric | 50 | |
action_result.message | string | Total alerts: 50 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 | |
action_result.parameter.include_hidden | numeric | True |
Lists Real Time Response sessions
Type: investigate
Read only: True
This action supports filtering in order to retrieve a particular session.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
limit | optional | Maximum RTR sessions to be fetched | numeric | |
filter | optional | Filter expression used to limit the fetched RTR sessions (FQL Syntax) | string | |
sort | optional | Property to sort by | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.filter | string | modified_timestamp:<='2019-06-14T10:22:02.02236652Z' | |
action_result.parameter.limit | numeric | 120 | |
action_result.parameter.sort | string | created_timestamp.asc | |
action_result.data.*.cid | string | md5 |
3061c7ff3b634e22b38274d4b586558e |
action_result.data.*.cloud_request_ids | string | 06f052a0-d7a6-431b-987f-4afd92925a19 | |
action_result.data.*.commands | string | ||
action_result.data.*.commands_queued | boolean | True False | |
action_result.data.*.created_at | string | 2019-09-24T20:52:08Z | |
action_result.data.*.deleted_at | string | 2019-09-24T20:54:04Z | |
action_result.data.*.device_details | string | ||
action_result.data.*.device_id | string | md5 crowdstrike device id |
07c312fabcb8473454d0a16f118928ab |
action_result.data.*.duration | numeric | 0 | |
action_result.data.*.hostname | string | host name |
CB-TEST-01 |
action_result.data.*.id | string | crowdstrike rtr session id |
c0ab8e89-edb0-485f-a8ee-b52d73453a4b |
action_result.data.*.logs.*.base_command | string | pwd | |
action_result.data.*.logs.*.cloud_request_id | string | 06f052a0-d7a6-431b-987f-4afd92925a19 | |
action_result.data.*.logs.*.command_string | string | pwd | |
action_result.data.*.logs.*.created_at | string | 2019-09-24T20:52:08Z | |
action_result.data.*.logs.*.current_directory | string | C:\ | |
action_result.data.*.logs.*.id | numeric | 2522218 | |
action_result.data.*.logs.*.session_id | string | c0ab8e89-edb0-485f-a8ee-b52d73453a4b | |
action_result.data.*.logs.*.updated_at | string | 2019-09-24T20:52:08Z | |
action_result.data.*.offline_queued | boolean | True False | |
action_result.data.*.origin | string | source:hosts,deviceId:07c312fabcb8473454d0a16f118928ab | |
action_result.data.*.platform_id | numeric | 0 | |
action_result.data.*.platform_name | string | ||
action_result.data.*.pwd | string | ||
action_result.data.*.updated_at | string | 2019-09-24T20:52:14Z | |
action_result.data.*.user_id | string | api-client-05dbdf165b474db597007c6f88780e39 | |
action_result.data.*.user_uuid | string | 05dbdf16-5b47-4db5-9700-7c6f88780e39 | |
action_result.summary.total_sessions | numeric | 1 | |
action_result.message | string | Total sessions: 2 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Execute an active responder command on a single host
Type: generic
Read only: False
The API works by first creating a cloud request to execute the command, then the results need to be retrieved using a GET with the cloud_request_id. The action will attempt to retrieve the results, but in the event that a timeout occurs, execute a 'get command details' action.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | required | Device ID | string | md5 crowdstrike device id |
session_id | required | RTR Session ID | string | crowdstrike rtr session id |
command | required | RTR command to execute on host | string | |
data | optional | Data/Arguments for the command | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.command | string | get ls | |
action_result.parameter.data | string | C:\Users\testuser\go\src\simulate\DLL_KEYLOG.dll | |
action_result.parameter.device_id | string | md5 crowdstrike device id |
07c312fabcb8473454d0a16f118928ab |
action_result.parameter.session_id | string | crowdstrike rtr session id |
90981f4c-f6c1-4437-b191-beae115c4929 |
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 0.038770347 | |
action_result.data.*.meta.trace_id | string | f983d1ab-97d7-4af7-8bd7-1a6b8de0c05d | |
action_result.data.*.resources.*.base_command | string | ls | |
action_result.data.*.resources.*.complete | boolean | True False | |
action_result.data.*.resources.*.session_id | string | 9705111a-9928-4c10-b385-eefda32f9575 | |
action_result.data.*.resources.*.stderr | string | Check your filename. Couldn't find 'some_file.txt' | |
action_result.data.*.resources.*.stdout | string | Directory listing for C:\ - Name |
|
action_result.data.*.resources.*.task_id | string | d901dbea-f556-4f32-921b-056bbc00b4e0 | |
action_result.summary.cloud_request_id | string | crowdstrike cloud request id |
4b185028-39a3-4452-8e96-6da3729095fa |
action_result.message | string | Cloud request id: d901dbea-f556-4f32-921b-056bbc00b4e0 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Execute an RTR Admin command on a single host
Type: generic
Read only: False
This action requires a token with RTR Admin permissions.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | required | Device ID | string | crowdstrike device id |
session_id | required | RTR Session ID | string | crowdstrike rtr session id |
command | required | RTR Admin command to execute on host | string | |
data | optional | Data/Arguments for the command | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.command | string | get ls | |
action_result.parameter.data | string | C:\Users\testuser\go\src\simulate\DLL_KEYLOG.dll | |
action_result.parameter.device_id | string | crowdstrike device id |
07c312fabcb8473454d0a16f118928ab |
action_result.parameter.session_id | string | crowdstrike rtr session id |
90981f4c-f6c1-4437-b191-beae115c4929 |
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 0.038770347 | |
action_result.data.*.meta.trace_id | string | f983d1ab-97d7-4af7-8bd7-1a6b8de0c05d | |
action_result.data.*.resources.*.base_command | string | ls | |
action_result.data.*.resources.*.complete | boolean | True False | |
action_result.data.*.resources.*.session_id | string | 9705111a-9928-4c10-b385-eefda32f9575 | |
action_result.data.*.resources.*.stderr | string | Check your filename. Couldn't find 'some_file.txt' | |
action_result.data.*.resources.*.stdout | string | Directory listing for C:\ - Name |
|
action_result.data.*.resources.*.task_id | string | d901dbea-f556-4f32-921b-056bbc00b4e0 | |
action_result.summary.cloud_request_id | string | crowdstrike cloud request id |
4b185028-39a3-4452-8e96-6da3729095fa |
action_result.message | string | Cloud request id: d901dbea-f556-4f32-921b-056bbc00b4e0 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Retrieve results of an active responder command executed on a single host
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
cloud_request_id | required | Cloud Request ID for Command | string | crowdstrike cloud request id |
timeout_seconds | optional | Time (in seconds; default is 60) to wait before timing out poll for results | numeric |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.cloud_request_id | string | crowdstrike cloud request id |
4b185028-39a3-4452-8e96-6da3729095fa |
action_result.parameter.timeout_seconds | numeric | 60 | |
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 0.038770347 | |
action_result.data.*.meta.trace_id | string | f983d1ab-97d7-4af7-8bd7-1a6b8de0c05d | |
action_result.data.*.resources.*.base_command | string | ls | |
action_result.data.*.resources.*.complete | boolean | True False | |
action_result.data.*.resources.*.session_id | string | 9705111a-9928-4c10-b385-eefda32f9575 | |
action_result.data.*.resources.*.stderr | string | Check your filename. Couldn't find 'some_file.txt' | |
action_result.data.*.resources.*.stdout | string | Directory listing for C:\ - Name |
|
action_result.data.*.resources.*.task_id | string | d901dbea-f556-4f32-921b-056bbc00b4e0 | |
action_result.summary.results | string | Successfully executed command | |
action_result.message | string | Results: Successfully executed command | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get a list of files for the specified RTR session
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
session_id | required | RTR Session ID | string | crowdstrike rtr session id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.session_id | string | crowdstrike rtr session id |
0bf3c91f-1267-4a6d-a694-d225aeac65eb |
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 0.060876276 | |
action_result.data.*.meta.trace_id | string | ccb8edf2-fd5b-4221-81c8-0e80de3e66a6 | |
action_result.data.*.resources.*.cloud_request_id | string | 292efe5f-a755-45f8-a95a-72138d21b8db | |
action_result.data.*.resources.*.created_at | string | 2019-10-08T20:12:14Z | |
action_result.data.*.resources.*.deleted_at | string | ||
action_result.data.*.resources.*.id | numeric | 104874 | |
action_result.data.*.resources.*.name | string | file name |
\Device\HarddiskVolume2\Users\testuser\go\src\simulate\DLL_KEYLOG.dll |
action_result.data.*.resources.*.session_id | string | crowdstrike rtr session id |
0bf3c91f-1267-4a6d-a694-d225aeac65eb |
action_result.data.*.resources.*.sha256 | string | sha256 |
53d84902e0a25be8706df19506f78799deab0082149b926b4117270f9c8673ad |
action_result.data.*.resources.*.size | numeric | 0 | |
action_result.data.*.resources.*.updated_at | string | 2019-10-08T20:12:14Z | |
action_result.summary.total_files | numeric | 1 | |
action_result.message | string | Session files listed successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get details on behaviors by providing behavior IDs
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ids | required | List of behavior IDs. Comma separated list allowed | string | crowdstrike incidentbehavior id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ids | string | crowdstrike incidentbehavior id |
ind:9e262c00000a46916beeaef04e45bc6a:dc8e3b1300004da2a6e7b20656e3276d |
action_result.data.*.aid | string | w6h79wgbzy4ofsa093dp2s808qe8gswr | |
action_result.data.*.behavior_id | string | crowdstrike incidentbehavior id |
ind:9e262c00000a46916beeaef04e45bc6a:dc8e3b1300004da2a6e7b20656e3276d |
action_result.data.*.cid | string | e6m35yiizlefbv6o4az6b46sgjipx6lg | |
action_result.data.*.cmdline | string | ||
action_result.data.*.compound_tto | string | ||
action_result.data.*.detection_ids | string | crowdstrike detection id |
ldt:07c312fabcb8473454d0a16f118928ab:10548439893000 |
action_result.data.*.display_name | string | SampleTemplateDetection | |
action_result.data.*.domain | string | CB-TEST-02 | |
action_result.data.*.errors.*.code | numeric | 400 | |
action_result.data.*.errors.*.message | string | invalid behavior id=test | |
action_result.data.*.filepath | string | C:\user\somefile.txt | |
action_result.data.*.incident_id | string | crowdstrike incident id |
inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d |
action_result.data.*.meta.powered_by | string | incident-api | |
action_result.data.*.meta.query_time | numeric | 0.000305451 | |
action_result.data.*.meta.trace_id | string | ebb97943-be70-4acc-a2dd-c663b59761fa | |
action_result.data.*.objective | string | Keep Access | |
action_result.data.*.pattern_disposition | numeric | 2048 | |
action_result.data.*.pattern_disposition_details.blocking_unsupported_or_disabled | boolean | False | |
action_result.data.*.pattern_disposition_details.bootup_safeguard_enabled | boolean | True False | |
action_result.data.*.pattern_disposition_details.critical_process_disabled | boolean | True False | |
action_result.data.*.pattern_disposition_details.detect | boolean | True False | |
action_result.data.*.pattern_disposition_details.fs_operation_blocked | boolean | True False | |
action_result.data.*.pattern_disposition_details.handle_operation_downgraded | boolean | True False | |
action_result.data.*.pattern_disposition_details.inddet_mask | boolean | True False | |
action_result.data.*.pattern_disposition_details.indicator | boolean | True False | |
action_result.data.*.pattern_disposition_details.kill_action_failed | boolean | False | |
action_result.data.*.pattern_disposition_details.kill_parent | boolean | True False | |
action_result.data.*.pattern_disposition_details.kill_process | boolean | True False | |
action_result.data.*.pattern_disposition_details.kill_subprocess | boolean | True False | |
action_result.data.*.pattern_disposition_details.operation_blocked | boolean | True False | |
action_result.data.*.pattern_disposition_details.policy_disabled | boolean | True False | |
action_result.data.*.pattern_disposition_details.process_blocked | boolean | True False | |
action_result.data.*.pattern_disposition_details.quarantine_file | boolean | True False | |
action_result.data.*.pattern_disposition_details.quarantine_machine | boolean | True False | |
action_result.data.*.pattern_disposition_details.registry_operation_blocked | boolean | True False | |
action_result.data.*.pattern_disposition_details.rooting | boolean | True False | |
action_result.data.*.pattern_disposition_details.sensor_only | boolean | True False | |
action_result.data.*.pattern_disposition_details.suspend_parent | boolean | False | |
action_result.data.*.pattern_disposition_details.suspend_process | boolean | False | |
action_result.data.*.pattern_id | numeric | 1024 | |
action_result.data.*.sha256 | string | ln3g11yf8r40be90ups2q1435ybhzdopbkt103wce5ligiuhww2b4l1f7tmp1vhi | |
action_result.data.*.tactic | string | Persistance | |
action_result.data.*.tactic_id | string | CSTA0001 | |
action_result.data.*.technique | string | Hidden Files and Directories | |
action_result.data.*.technique_id | string | CST0001 | |
action_result.data.*.template_instance_id | numeric | 102 | |
action_result.data.*.timestamp | string | 2020-03-04T10:00:00Z | |
action_result.data.*.user_name | string | testuser | |
action_result.summary | string | ||
action_result.message | string | Incident behavior fetched successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ids | required | List of incident IDs. Comma separated list allowed | string | crowdstrike incident id |
add_tag | optional | Adds the associated tag to all the incident(s) of the ids list. See example values for the defined list | string | |
delete_tag | optional | Deletes the matching tag from all the incident(s) in the ids list. See example values for the defined list | string | |
update_name | optional | Updates the name of all the incident(s) in the ids list | string | |
update_description | optional | Updates the description of all the incident(s) listed in the ids | string | |
update_status | optional | Updates the status of all the incident(s) in the ids list | string | |
add_comment | optional | Adds a comment for all the incident(s) in the ids list | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.add_comment | string | Minor Incident | |
action_result.parameter.add_tag | string | test1 | |
action_result.parameter.delete_tag | string | test2 | |
action_result.parameter.ids | string | crowdstrike incident id |
inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d |
action_result.parameter.update_description | string | IOC found at 2020-07-22T23:54:41Z | |
action_result.parameter.update_name | string | IOC at 2020-07-22T23:54:41Z | |
action_result.parameter.update_status | string | New | |
action_result.data.*.meta.powered_by | string | incident-api | |
action_result.data.*.meta.query_time | numeric | 0.026572641 | |
action_result.data.*.meta.trace_id | string | 50f7477e-587f-4175-ad0d-bdbbd8d3b1ec | |
action_result.summary | string | ||
action_result.message | string | Incident updated successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get information about all users in your Customer ID
Type: investigate
Read only: True
No parameters are required for this action
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.data.*.meta.powered_by | string | csam | |
action_result.data.*.meta.query_time | numeric | 0.267336826 | |
action_result.data.*.meta.trace_id | string | b4e1392e-68ad-4738-93f9-d95cee1cfe9f | |
action_result.data.*.resources.*.cid | string | crowdstrike customer id |
4061c7ff3b634e22b38274d4b586554r |
action_result.data.*.resources.*.first_name | string | Test | |
action_result.data.*.resources.*.last_name | string | Name | |
action_result.data.*.resources.*.uid | string | crowdstrike user id |
test@user.com |
action_result.data.*.resources.*.uuid | string | crowdstrike unique user id |
bb777249-c782-4434-b57a-f15ac742926c |
action_result.summary | string | ||
action_result.message | string | Users listed successfully | |
action_result.summary.total_users | numeric | 1 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Gets the roles that are assigned to the user
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
user_uuid | required | Users Unqiue ID to get the roles for | string | crowdstrike unique user id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.user_uuid | string | crowdstrike unique user id |
bb777249-c782-4434-b57a-f15ac742926c |
action_result.data.*.cid | string | 3061c7ff3b634e22b38274d4b586558e | |
action_result.data.*.grant_type | string | direct | |
action_result.data.*.role_id | string | custom_ioas_manager | |
action_result.data.*.role_name | string | Custom IOAs Manager | |
action_result.data.*.uuid | string | b6330292-28e6-4198-994d-96f327c5b5bd | |
action_result.summary | string | ||
action_result.message | string | User roles fetched successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get information about all user roles from your Customer ID
Type: investigate
Read only: True
No parameters are required for this action
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.data.*.meta.powered_by | string | csam | |
action_result.data.*.meta.query_time | numeric | 0.011271861 | |
action_result.data.*.meta.trace_id | string | 48a46c11-ca36-4a1e-84f6-9a5b1137b7d3 | |
action_result.data.*.resources.*.description | string | Custom IOAs Manager | |
action_result.data.*.resources.*.display_name | string | Custom IOAs Manager | |
action_result.data.*.resources.*.id | string | crowdstrike user role id |
custom_ioas_manager |
action_result.data.*.resources.*.is_global | boolean | True False | |
action_result.summary | string | ||
action_result.message | string | Roles listed successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get information about all user roles from your Customer ID
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
role_id | required | Role ID to get information about. Comma separated list allowed | string | crowdstrike user role id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.role_id | string | crowdstrike user role id |
dashboard_admin |
action_result.data.*.description | string | Can manage, create, update, and delete dashboards | |
action_result.data.*.display_name | string | Dashboard Admin | |
action_result.data.*.errors.*.code | numeric | 404 | |
action_result.data.*.errors.*.message | string | Role ID ' custom_ioas_manager' not found | |
action_result.data.*.id | string | crowdstrike user role id |
dashboard_admin |
action_result.data.*.is_global | boolean | True False | |
action_result.data.*.meta.powered_by | string | csam | |
action_result.data.*.meta.query_time | numeric | 0.000467839 | |
action_result.data.*.meta.trace_id | string | 82983d79-59d2-49e1-a471-4f1833f80c46 | |
action_result.summary | string | ||
action_result.message | string | Role fetched successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Query environment wide CrowdScore and return the entity data
Type: investigate
Read only: True
This action fetches crowdscores using pagination logic.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
filter | optional | Optional filter and sort criteria in the form of an FQL query | string | |
sort | optional | Sort the results by a specific field and direction. (Example: assigned_to.asc) | string | |
offset | optional | Starting index of overall result set from which to return ids. (Defaults to 0) | numeric | |
limit | optional | Limit the number of results to return. (Defaults to 50, Max 500) | numeric |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.filter | string | score: 0 | |
action_result.parameter.limit | numeric | 5 | |
action_result.parameter.offset | numeric | 100 | |
action_result.parameter.sort | string | assigned_to.asc | |
action_result.data.*.adjusted_score | numeric | 3 | |
action_result.data.*.cid | string | 3061d7ff3b634e22b38274d64798 | |
action_result.data.*.errors.*.code | numeric | 400 | |
action_result.data.*.errors.*.message | string | test is an invalid behavior sort parameter | |
action_result.data.*.id | string | crowdstrike crowdscore id |
99ff72e8c9c14955ba33cbcbd4112345_2020-05-18 07:38:05.219 +0000 UTC |
action_result.data.*.meta.pagination.limit | numeric | 500 | |
action_result.data.*.meta.pagination.offset | numeric | 0 | |
action_result.data.*.meta.pagination.total | numeric | 12960 | |
action_result.data.*.meta.powered_by | string | incident-api | |
action_result.data.*.meta.query_time | numeric | 0.096319664 | |
action_result.data.*.meta.trace_id | string | 38f293ce-587e-4ff5-8231-4e738178468a | |
action_result.data.*.pagination.*.limit | numeric | ||
action_result.data.*.pagination.*.offset | numeric | ||
action_result.data.*.pagination.*.total | numeric | ||
action_result.data.*.resources.*.cid | string | 3061c7ff3b634e22b38274d4b5865500 | |
action_result.data.*.score | numeric | 0 | |
action_result.data.*.timestamp | string | 2020-03-04T10:00:00Z | |
action_result.summary.total_crowdscores | numeric | 2 | |
action_result.message | string | Total crowdscores: 2 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get details on incidents by providing incident IDs
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ids | required | List of incident IDs. Comma separated list allowed | string | crowdstrike incident id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ids | string | crowdstrike incident id |
inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d |
action_result.data.*.assigned_to | string | b6330292-28e6-4198-994d-96f327c5b5cc | |
action_result.data.*.assigned_to_name | string | Testname | |
action_result.data.*.cid | string | ctw6caruad3lkbnnt22qzeyoxgf38zap | |
action_result.data.*.created | string | 2020-03-04T10:00:00Z | |
action_result.data.*.description | string | ||
action_result.data.*.end | string | 2020-03-04T10:00:00Z | |
action_result.data.*.errors.*.code | numeric | 400 | |
action_result.data.*.errors.*.message | string | invalid incident id=fyughg | |
action_result.data.*.fine_score | numeric | 1 | |
action_result.data.*.host_ids | string | crowdstrike device id |
c9vnt7jbugw32626p9qsq3f9dx13sdnn |
action_result.data.*.hosts.*.agent_load_flags | string | 1 | |
action_result.data.*.hosts.*.agent_local_time | string | 2020-03-04T10:00:00Z | |
action_result.data.*.hosts.*.agent_version | string | 5.23.10503.0 | |
action_result.data.*.hosts.*.bios_manufacturer | string | Phoenix Technologies LTD | |
action_result.data.*.hosts.*.bios_version | string | 6.00 | |
action_result.data.*.hosts.*.cid | string | ctw6caruad3lkbnnt22qzeyoxgf38zap | |
action_result.data.*.hosts.*.config_id_base | string | 65994753 | |
action_result.data.*.hosts.*.config_id_build | string | 10503 | |
action_result.data.*.hosts.*.config_id_platform | string | 3 | |
action_result.data.*.hosts.*.device_id | string | crowdstrike device id |
c9vnt7jbugw32626p9qsq3f9dx13sdnn |
action_result.data.*.hosts.*.external_ip | string | 1.1.1.1 | |
action_result.data.*.hosts.*.first_seen | string | 2020-03-04T10:00:00Z | |
action_result.data.*.hosts.*.hostname | string | Sever01 | |
action_result.data.*.hosts.*.last_seen | string | 2020-03-04T10:00:00Z | |
action_result.data.*.hosts.*.local_ip | string | 192.168.0.0 | |
action_result.data.*.hosts.*.mac_address | string | 00-00-00-00-00-00 | |
action_result.data.*.hosts.*.machine_domain | string | domain.local | |
action_result.data.*.hosts.*.major_version | string | 10 | |
action_result.data.*.hosts.*.minor_version | string | 0 | |
action_result.data.*.hosts.*.modified_timestamp | string | 2020-03-04T10:00:00Z | |
action_result.data.*.hosts.*.os_version | string | Windows 7 | |
action_result.data.*.hosts.*.ou | string | DOMAIN LOCAL | |
action_result.data.*.hosts.*.platform_id | string | 0 | |
action_result.data.*.hosts.*.platform_name | string | Windows | |
action_result.data.*.hosts.*.product_type | string | 1 | |
action_result.data.*.hosts.*.product_type_desc | string | Workstation | |
action_result.data.*.hosts.*.site_name | string | ||
action_result.data.*.hosts.*.status | string | noraml | |
action_result.data.*.hosts.*.system_manufacturer | string | VMware, Inc. | |
action_result.data.*.hosts.*.system_product_name | string | VMware Virtual Platform | |
action_result.data.*.incident_id | string | crowdstrike incident id |
inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d |
action_result.data.*.incident_type | numeric | 1 | |
action_result.data.*.meta.powered_by | string | incident-api | |
action_result.data.*.meta.query_time | numeric | 0.000258709 | |
action_result.data.*.meta.trace_id | string | b991aeb7-912f-45b2-abce-3759217a690c | |
action_result.data.*.modified_timestamp | string | 2020-08-17T09:35:50.888512834Z | |
action_result.data.*.name | string | ||
action_result.data.*.start | string | 2020-03-04T10:00:00Z | |
action_result.data.*.state | string | open closed | |
action_result.data.*.status | numeric | 20 | |
action_result.data.*.tags | string | ||
action_result.data.*.users | string | ||
action_result.summary.total_incidents | numeric | 1 | |
action_result.message | string | Incident fetched: 1 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Search for behaviors by providing an FQL filter, sorting, and paging details
Type: investigate
Read only: True
This action fetches incident behaviors using pagination logic.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
filter | optional | Optional filter and sort criteria in the form of an FQL query | string | |
sort | optional | Sort the results by a specific field and direction. (Example: assigned_to.asc) | string | |
offset | optional | Starting index of overall result set from which to return ids. (Defaults to 0) | numeric | |
limit | optional | Limit the number of results to return. (Defaults to 50, Max 500) | numeric |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.filter | string | incident_ids:['inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d'] | |
action_result.parameter.limit | numeric | 5 | |
action_result.parameter.offset | numeric | 100 | |
action_result.parameter.sort | string | assigned_to.asc | |
action_result.data.* | string | crowdstrike incidentbehavior id |
ind:9e262c70027a46916beeaef04e45bc6a:45890386125841-10264-352683776 |
action_result.data.*.errors.*.code | numeric | 400 | |
action_result.data.*.errors.*.message | string | test is an invalid behavior sort parameter | |
action_result.data.*.meta.pagination.limit | numeric | 50 | |
action_result.data.*.meta.pagination.offset | numeric | 0 | |
action_result.data.*.meta.pagination.total | numeric | 0 | |
action_result.data.*.meta.powered_by | string | incident-api | |
action_result.data.*.meta.query_time | numeric | 0.002429479 | |
action_result.data.*.meta.trace_id | string | 202a0a0c-bcc1-4919-8932-2097213f903a | |
action_result.data.*.pagination.*.limit | numeric | ||
action_result.data.*.pagination.*.offset | numeric | ||
action_result.data.*.pagination.*.total | numeric | ||
action_result.summary.total_incident_behaviors | numeric | 2 | |
action_result.message | string | Total incident behaviors: 2 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Search for incidents by providing an FQL filter, sorting, and paging details
Type: investigate
Read only: True
This action fetches incidents using pagination logic.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
filter | optional | Optional filter and sort criteria in the form of an FQL query | string | |
sort | optional | Sort the results by a specific field and direction. (Example: assigned_to.asc) | string | |
offset | optional | Starting index of overall result set from which to return ids. (Defaults to 0) | numeric | |
limit | optional | Limit the number of results to return. (Defaults to 50, Max 500) | numeric |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.filter | string | incident_ids:['inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d'] | |
action_result.parameter.limit | numeric | 5 | |
action_result.parameter.offset | numeric | 100 | |
action_result.parameter.sort | string | assigned_to.asc | |
action_result.data.* | string | crowdstrike incident id |
incident_ids:['inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d'] |
action_result.data.* | string | crowdstrike incident id |
incident_ids:['inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d'] |
action_result.data.*.errors.*.code | numeric | 400 | |
action_result.data.*.errors.*.message | string | test is an invalid incident sort parameter | |
action_result.data.*.meta.pagination.limit | numeric | 50 | |
action_result.data.*.meta.pagination.offset | numeric | 0 | |
action_result.data.*.meta.pagination.total | numeric | 0 | |
action_result.data.*.meta.powered_by | string | incident-api | |
action_result.data.*.meta.query_time | numeric | 0.003846595 | |
action_result.data.*.meta.trace_id | string | bb02d451-d3a9-432c-b402-c08faa066264 | |
action_result.data.*.pagination.*.limit | numeric | ||
action_result.data.*.pagination.*.offset | numeric | ||
action_result.data.*.pagination.*.total | numeric | ||
action_result.summary.total_incidents | numeric | 2 | |
action_result.message | string | Total incidents: 2 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get RTR extracted file contents for the specified session and sha256 and add it to the vault
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
session_id | required | RTR Session ID | string | crowdstrike rtr session id |
file_hash | required | SHA256 hash to retrieve | string | sha256 |
file_name | optional | Filename to use for the archive name and the file within the archive | string | filename |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.file_hash | string | sha256 |
53d84902e0a25be8706df19506f78799deab0082149b926b4117270f9c8673ad |
action_result.parameter.file_name | string | filename |
test |
action_result.parameter.session_id | string | crowdstrike rtr session id |
b2403653-1294-488e-be81-7aadb69b52f1 |
action_result.data.*.container | string | test_crowdstrike | |
action_result.data.*.container_id | numeric | 2840 | |
action_result.data.*.create_time | string | 0 minutes ago | |
action_result.data.*.created_via | string | automation | |
action_result.data.*.hash | string | sha1 |
30c5e524e975816fbce1d958150e394efc219772 |
action_result.data.*.id | numeric | 2 | |
action_result.data.*.metadata.md5 | string | 16723c3d039bc94e1636c0bf0c23ec26 | |
action_result.data.*.metadata.sha1 | string | d43b1c57023fab4e3040dd6f2970053d690b0fab | |
action_result.data.*.metadata.sha256 | string | 8a050bf93fe354d6ad03c6ba2b286f2649fb1420ae80eefac773208e5a0b7c0d | |
action_result.data.*.mime_type | string | application/x-7z-compressed | |
action_result.data.*.name | string | test.7z | |
action_result.data.*.path | string | ||
action_result.data.*.size | numeric | 5122 | |
action_result.data.*.task | string | ||
action_result.data.*.user | string | admin | |
action_result.data.*.vault_document | numeric | 556 | |
action_result.data.*.vault_id | string | sha1 vault id |
30c5e524e975816fbce1d958150e394efc219772 |
action_result.summary.vault_id | string | sha1 vault id |
30c5e524e975816fbce1d958150e394efc219772 |
action_result.message | string | Session file fetched successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Set the state of a detection in Crowdstrike Host *The action uses legacy Detects API being deprecated. Please use the 'resolve epp alerts' action instead*
Type: generic
Read only: False
The detection id can be obtained from the Crowdstrike UI and its state can be set.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
id | required | Detection ID to set the state of | string | crowdstrike detection id |
state | required | State to set | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.id | string | crowdstrike detection id |
ldt:07c312fabcb8473454d0a16f118928fg:10548439893999 |
action_result.parameter.state | string | in_progress | |
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | Status set successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Update the status of an EPP alert in CrowdStrike, replaces legacy Detects API
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
alert_ids | required | List of alert composite_ids to update, Comma-separated list allowed | string | crowdstrike alert id |
status | required | Status to set | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.alert_ids | string | crowdstrike alert id |
|
action_result.parameter.status | string | ||
action_result.data.*.errors.* | string | [] | |
action_result.data.*.meta.pagination.limit | numeric | 5 | |
action_result.data.*.meta.pagination.offset | numeric | 0 | |
action_result.data.*.meta.pagination.total | numeric | 10000 | |
action_result.data.*.meta.powered_by | string | detectsapi | |
action_result.data.*.meta.query_time | numeric | 0.044395707 | |
action_result.data.*.meta.trace_id | string | f755297a-e287-4012-b5e3-ff88691e95e9 | |
action_result.data.*.meta.writes.resources_affected | numeric | 0 | |
action_result.data.*.resources.* | string | d615xxxxxxxx2158:ind:9a8dxxxxxxxxc74c:1336xxxxxxxx1294-32-7878xxxxxxxx1122 | |
action_result.message | string | Success | |
action_result.status | string | success | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get details of a device, given the device ID
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
id | required | Device ID from previous Crowdstrike IOC search | string | crowdstrike device id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.id | string | crowdstrike device id |
0498d1102b23481162ff846d0633e14c |
action_result.data.*.agent_load_flags | string | 3 | |
action_result.data.*.agent_local_time | string | 2015-07-31T14:07:42.816Z | |
action_result.data.*.agent_version | string | 2.0.0010.3005 | |
action_result.data.*.bios_manufacturer | string | Phoenix Technologies LTD | |
action_result.data.*.bios_version | string | 6.00 | |
action_result.data.*.build_number | string | 17134 | |
action_result.data.*.cid | string | md5 |
3f40c380adc74a3187c27252c0227cff |
action_result.data.*.config_id_base | string | 65994752 | |
action_result.data.*.config_id_build | string | 3005 | |
action_result.data.*.config_id_platform | string | 3 | |
action_result.data.*.connection_ip | string | ip |
10.1.18.205 |
action_result.data.*.connection_mac_address | string | 00-50-56-12-34-56 | |
action_result.data.*.cpu_signature | string | 329455 | |
action_result.data.*.default_gateway_ip | string | ip |
10.1.16.1 |
action_result.data.*.device_id | string | crowdstrike device id |
0498d1102b23481162ff846d0633e14c |
action_result.data.*.device_policies.device_control.applied | boolean | True False | |
action_result.data.*.device_policies.device_control.applied_date | string | 2020-05-12T17:24:23.856260169Z | |
action_result.data.*.device_policies.device_control.assigned_date | string | 2020-05-12T17:24:12.52970392Z | |
action_result.data.*.device_policies.device_control.policy_id | string | cb4babb273274f79a91e8a0e84164916 | |
action_result.data.*.device_policies.device_control.policy_type | string | device-control | |
action_result.data.*.device_policies.firewall.applied | boolean | True False | |
action_result.data.*.device_policies.firewall.applied_date | string | 2020-07-08T03:12:30.212194872Z | |
action_result.data.*.device_policies.firewall.assigned_date | string | 2020-07-08T03:07:38.48127371Z | |
action_result.data.*.device_policies.firewall.policy_id | string | 2018f9894359493cb756bfa7dd3357a6 | |
action_result.data.*.device_policies.firewall.policy_type | string | firewall | |
action_result.data.*.device_policies.firewall.rule_set_id | string | 2018f9894359493cb756bfa7dd3357a6 | |
action_result.data.*.device_policies.global_config.applied | boolean | True False | |
action_result.data.*.device_policies.global_config.applied_date | string | 2020-04-16T02:44:27.694202488Z | |
action_result.data.*.device_policies.global_config.assigned_date | string | 2020-04-16T02:42:41.826629904Z | |
action_result.data.*.device_policies.global_config.policy_id | string | 49ee9efc99164562ad89640955f372ce | |
action_result.data.*.device_policies.global_config.policy_type | string | globalconfig | |
action_result.data.*.device_policies.global_config.settings_hash | string | f48b1bd1 | |
action_result.data.*.device_policies.jumpcloud.applied | numeric | True | |
action_result.data.*.device_policies.jumpcloud.applied_date | string | 2022-07-13T17:41:16.271074445Z | |
action_result.data.*.device_policies.jumpcloud.assigned_date | string | 2022-07-13T17:40:53.552991354Z | |
action_result.data.*.device_policies.jumpcloud.policy_id | string | md5 |
234766dcce654217babcbaa247ca31f0 |
action_result.data.*.device_policies.jumpcloud.policy_type | string | jumpcloud | |
action_result.data.*.device_policies.jumpcloud.settings_hash | string | sha256 |
0aec295a677907c6e4de672edf1f172d2cefcc5ca96ed2b5e56f4d6745289694 |
action_result.data.*.device_policies.prevention.applied | boolean | True | |
action_result.data.*.device_policies.prevention.applied_date | string | 2021-12-02T07:35:26.551598833Z | |
action_result.data.*.device_policies.prevention.assigned_date | string | 2018-03-10T15:39:31.220730539Z | |
action_result.data.*.device_policies.prevention.policy_id | string | md5 |
f81459e0d85b4bc7b3ad14ad40889042 |
action_result.data.*.device_policies.prevention.policy_type | string | prevention | |
action_result.data.*.device_policies.prevention.settings_hash | string | 87cb8b2e | |
action_result.data.*.device_policies.remote_response.applied | boolean | True False | |
action_result.data.*.device_policies.remote_response.applied_date | string | 2019-02-08T02:39:21.726331953Z | |
action_result.data.*.device_policies.remote_response.assigned_date | string | 2019-02-08T02:36:05.073298048Z | |
action_result.data.*.device_policies.remote_response.policy_id | string | 6c74313d6c864180bd759c3235dbd550 | |
action_result.data.*.device_policies.remote_response.policy_type | string | remote-response | |
action_result.data.*.device_policies.remote_response.settings_hash | string | f472bd8e | |
action_result.data.*.device_policies.sensor_update.applied | boolean | True False | |
action_result.data.*.device_policies.sensor_update.applied_date | string | 2023-01-10T23:39:59.53209856Z | |
action_result.data.*.device_policies.sensor_update.assigned_date | string | 2018-03-10T15:39:31.220769757Z | |
action_result.data.*.device_policies.sensor_update.policy_id | string | md5 |
62a3908297584c52bdafaa7fdf3c3bdd |
action_result.data.*.device_policies.sensor_update.policy_type | string | sensor-update | |
action_result.data.*.device_policies.sensor_update.settings_hash | string | 65994753 | |
action_result.data.*.device_policies.sensor_update.uninstall_protection | string | ENABLED | |
action_result.data.*.external_ip | string | ip |
50.18.218.205 |
action_result.data.*.first_seen | string | 2018-03-10T15:38:09Z | |
action_result.data.*.group_hash | string | sha256 |
e2a8b394c0e62960747ff5d64a335162b36ba4c5a54ee6499b438b94e5269ae8 |
action_result.data.*.groups | string | md5 |
873560309d1b4686a6cee666575e7a93 |
action_result.data.*.hostname | string | host name |
TheNarrowSea CentOS70 |
action_result.data.*.instance_id | string | i-019d8b2cc8e20bb8d | |
action_result.data.*.kernel_version | string | 10.0.19044.1766 | |
action_result.data.*.last_seen | string | 2018-03-10T15:39:34Z | |
action_result.data.*.local_ip | string | ip |
10.1.18.49 |
action_result.data.*.mac_address | string | 00-0c-29-a0-10-27 | |
action_result.data.*.machine_domain | string | domain |
VICTIMNET.local |
action_result.data.*.major_version | string | 6 | |
action_result.data.*.meta.version | string | 6 | |
action_result.data.*.minor_version | string | 1 | |
action_result.data.*.modified_timestamp | string | 2018-03-10T15:40:09Z | |
action_result.data.*.os_build | string | 19044 | |
action_result.data.*.os_version | string | Windows Server 2008 R2 | |
action_result.data.*.ou | string | ||
action_result.data.*.platform_id | string | 0 | |
action_result.data.*.platform_name | string | Windows | |
action_result.data.*.pointer_size | string | 8 | |
action_result.data.*.policies.*.applied | boolean | True | |
action_result.data.*.policies.*.applied_date | string | 2021-12-02T07:35:26.551598833Z | |
action_result.data.*.policies.*.assigned_date | string | 2018-03-10T15:39:31.220730539Z | |
action_result.data.*.policies.*.policy_id | string | md5 |
f81459e0d85b4bc7b3ad14ad40889042 |
action_result.data.*.policies.*.policy_type | string | prevention | |
action_result.data.*.policies.*.settings_hash | string | 87cb8b2e | |
action_result.data.*.product_type | string | 3 | |
action_result.data.*.product_type_desc | string | Server | |
action_result.data.*.provision_status | string | Provisioned | |
action_result.data.*.reduced_functionality_mode | string | no | |
action_result.data.*.release_group | string | ||
action_result.data.*.serial_number | string | VMware-56 4d d8 11 42 ab 12 1a-b5 3d 4a e5 d1 a0 12 25 | |
action_result.data.*.service_pack_major | string | 0 | |
action_result.data.*.service_pack_minor | string | 0 | |
action_result.data.*.service_provider | string | Test provider | |
action_result.data.*.service_provider_account_id | string | 149665393462 | |
action_result.data.*.site_name | string | Default-First-Site-Name | |
action_result.data.*.slow_changing_modified_timestamp | string | 2018-04-23T22:52:27Z | |
action_result.data.*.status | string | normal | |
action_result.data.*.system_manufacturer | string | VMware, Inc. | |
action_result.data.*.system_product_name | string | VMware Virtual Platform | |
action_result.data.*.zone_group | string | us-east-1a | |
action_result.summary.hostname | string | host name |
TheNarrowSea |
action_result.message | string | Device details fetched successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Retrieve the details of a process that is running or that previously ran, given a process ID
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
falcon_process_id | required | Process ID from previous Falcon IOC search | string | falcon process id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.falcon_process_id | string | falcon process id |
pid:07c312fabcb8473454d0a16f118928fg:16716090292999 |
action_result.data.*.command_line | string | C: est est.exe | |
action_result.data.*.device_id | string | crowdstrike device id |
07c312fabcb8473454d0a16f118928fg |
action_result.data.*.file_name | string | file name |
estdata est est est.exe |
action_result.data.*.process_id | string | pid |
pid:07c312fabcb8473454d0a16f118928fg:16716090292999 |
action_result.data.*.process_id_local | string | pid |
16716090292999 |
action_result.data.*.start_timestamp | string | 2020-02-14T01:41:11Z | |
action_result.data.*.start_timestamp_raw | string | 132261180718697221 | |
action_result.data.*.stop_timestamp | string | ||
action_result.data.*.stop_timestamp_raw | string | ||
action_result.summary | string | ||
action_result.message | string | Process details fetched successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Hunt for a file on the network by querying for the hash
Type: investigate
Read only: True
In case of count_only set to true, keep the limit value larger to fetch count of all the devices.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | File hash to search | string | hash sha256 sha1 md5 |
count_only | optional | Get endpoint count only | boolean | |
limit | optional | Maximum device IDs to be fetched (defaults to 100) | numeric |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.count_only | boolean | True False | |
action_result.parameter.hash | string | hash sha256 sha1 md5 |
eeb27d04c5fb25f7459407c0e5394621f12100e301b22d04a6b8f78e2adbf44t |
action_result.parameter.limit | numeric | 100 | |
action_result.data.*.device_id | string | crowdstrike device id |
07c312fabcb8473454d0a16f118928fg |
action_result.summary.device_count | numeric | 1 | |
action_result.message | string | Device count: 1 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get a list of device IDs on which the domain was matched
Type: investigate
Read only: True
In case of count_only set to true, keep the limit value larger to fetch count of all the devices.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
domain | required | Domain to search | string | domain |
count_only | optional | Get endpoint count only | boolean | |
limit | optional | Maximum device IDs to be fetched (defaults to 100) | numeric |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.count_only | boolean | True False | |
action_result.parameter.domain | string | domain |
www.example.com |
action_result.parameter.limit | numeric | 100 | |
action_result.data.*.device_id | string | crowdstrike device id |
07c312fabcb8473454d0a16f118928fg |
action_result.summary.device_count | numeric | 3 | |
action_result.message | string | Device count: 3 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get a list of device IDs on which the ip was matched
Type: investigate
Read only: True
In case of count_only set to true, keep the limit value larger to fetch count of all the devices.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP address to search | string | ip ipv6 |
count_only | optional | Get endpoint count only | boolean | |
limit | optional | Maximum device IDs to be fetched (defaults to 100) | numeric |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.count_only | boolean | True False | |
action_result.parameter.ip | string | ip ipv6 |
8.8.8.8 2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b |
action_result.parameter.limit | numeric | 100 | |
action_result.data.*.device_id | string | crowdstrike device id |
07c312fabcb8473454d0a16f118928fg |
action_result.summary.device_count | numeric | 1 | |
action_result.message | string | Device count: 1 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Upload a new put-file to use for the RTR put
command
Type: generic
Read only: False
This action requires a token with RTR Admin permissions.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
vault_id | required | Vault ID of file to upload | string | vault id |
description | required | File description | string | |
file_name | optional | Filename to use (if different than actual file name) | string | filename |
comment | optional | Comment for the audit log | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.comment | string | Test comment | |
action_result.parameter.description | string | This is a test description | |
action_result.parameter.file_name | string | filename |
blank_file |
action_result.parameter.vault_id | string | vault id |
30c5e524e975816fbce1d958150e394efc219772 |
action_result.data.*.meta.powered_by | string | empower | |
action_result.data.*.meta.query_time | numeric | 0.869312959 | |
action_result.data.*.meta.trace_id | string | 1e30b813-04ce-4fa4-aca0-2802dfead2f9 | |
action_result.data.*.meta.writes.resources_affected | numeric | 1 | |
action_result.summary | string | ||
action_result.message | string | Put file uploaded successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get the full definition of one or more indicators that are being watched
Type: investigate
Read only: True
In this action, either 'indicator_value' and 'indicator_type' or 'resource_id' should be provided. The priority of 'resource_id' is higher. If all the parameters are provided then the indicator will be fetched based on the 'resource_id'.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
indicator_value | optional | String representation of the indicator | string | domain md5 sha256 ip ipv6 |
indicator_type | optional | The type of the indicator | string | crowdstrike indicator type |
resource_id | optional | The resource id of the indicator | string | crowdstrike indicator id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.indicator_type | string | crowdstrike indicator type |
domain |
action_result.parameter.indicator_value | string | domain md5 sha256 ip ipv6 |
xyz |
action_result.parameter.resource_id | string | crowdstrike indicator id |
feaefb786fc648861779b9f906b1426b3d670ffe4c22ec7b7ff3d3e03e88dc43 |
action_result.data.*.action | string | crowdstrike indicator action |
none |
action_result.data.*.applied_globally | boolean | True False | |
action_result.data.*.created_by | string | C16JJOUVVY125J3O50FF | |
action_result.data.*.created_on | string | date |
2021-09-09T08:51:04.131068458Z |
action_result.data.*.created_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.deleted | boolean | True False | |
action_result.data.*.description | string | test description | |
action_result.data.*.expiration | string | date |
2022-09-09T08:51:03Z |
action_result.data.*.expiration_timestamp | string | date |
2018-09-16T00:00:00Z |
action_result.data.*.expired | boolean | True False | |
action_result.data.*.from_parent | boolean | True False | |
action_result.data.*.host_groups.* | string | crowdstrike host group id |
0491ecd214614b5ab3bca1037a15390b |
action_result.data.*.id | string | crowdstrike indicator id |
99cd3772bf570aebea6e58059532ac902798583d6e75e6817364da70a062673a |
action_result.data.*.metadata.av_hits | numeric | -1 | |
action_result.data.*.metadata.company_name | string | Carbon Black, Inc | |
action_result.data.*.metadata.file_description | string | CarbonBlack Sensor | |
action_result.data.*.metadata.file_version | string | 6.0.2.70329 | |
action_result.data.*.metadata.filename | string | test_file_name | |
action_result.data.*.metadata.original_filename | string | cb.exe | |
action_result.data.*.metadata.product_name | string | CarbonBlack Sensor | |
action_result.data.*.metadata.product_version | string | 6.0.2.70329 | |
action_result.data.*.metadata.signed | boolean | False True | |
action_result.data.*.mobile_action | string | no_action | |
action_result.data.*.modified_by | string | ae2000074e144336ea1de4de9dc1bd39 | |
action_result.data.*.modified_on | string | 2021-09-09T08:51:04.131068458Z | |
action_result.data.*.modified_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.platforms.* | string | crowdstrike indicator platforms |
mac |
action_result.data.*.severity | string | severity |
medium |
action_result.data.*.source | string | test source | |
action_result.data.*.tags | string | tag1 | |
action_result.data.*.type | string | crowdstrike indicator type |
domain |
action_result.data.*.value | string | ip ipv6 md5 sha256 domain |
xyz |
action_result.summary | string | ||
action_result.message | string | Indicator fetched successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Queries for custom indicators in your customer account
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
indicator_value | optional | String representation of the indicator | string | ip ipv6 md5 sha256 domain |
indicator_type | optional | The type of the indicator | string | crowdstrike indicator type |
action | optional | Enforcement policy | string | crowdstrike indicator action |
source | optional | The source of indicators | string | |
from_expiration | optional | The earliest indicator expiration date (RFC3339) | string | date |
to_expiration | optional | The latest indicator expiration date (RFC3339) | string | date |
limit | optional | The limit of indicator to be fetched (defaults to 100) | numeric | |
sort | optional | Property to sort by | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.action | string | crowdstrike indicator action |
detect |
action_result.parameter.from_expiration | string | date |
2020-10-17T00:00:00Z |
action_result.parameter.indicator_type | string | crowdstrike indicator type |
domain |
action_result.parameter.indicator_value | string | ip ipv6 md5 sha256 domain |
test |
action_result.parameter.limit | numeric | 200 | |
action_result.parameter.ph | string | ||
action_result.parameter.sort | string | indicator_type | |
action_result.parameter.source | string | test | |
action_result.parameter.to_expiration | string | date |
2020-10-17T00:00:00Z |
action_result.data.*.domain | string | domain |
|
action_result.data.*.domain.*.action | string | crowdstrike indicator action |
no_action |
action_result.data.*.domain.*.applied_globally | boolean | False | |
action_result.data.*.domain.*.created_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.domain.*.created_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.domain.*.created_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.domain.*.deleted | boolean | False | |
action_result.data.*.domain.*.description | string | Test description | |
action_result.data.*.domain.*.expiration | string | date |
2021-09-25T09:52:27Z |
action_result.data.*.domain.*.expiration_timestamp | string | date |
2018-09-16T00:00:00Z |
action_result.data.*.domain.*.expired | boolean | False | |
action_result.data.*.domain.*.from_parent | boolean | False | |
action_result.data.*.domain.*.host_groups.* | string | crowdstrike host group id |
0491ecd214614b5ab3bca1037a15390b |
action_result.data.*.domain.*.id | string | crowdstrike indicator id |
010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb |
action_result.data.*.domain.*.metadata.filename | string | EXAMPLEMETADATAvftcdrxcftvgybhhubsdgvfyuegwwiqeqTESTuifgwieugfhiugybhugvftcdrxcftvgbhubsdgvfyuegwwiqeqpdiheuifgEXAMPLE | |
action_result.data.*.domain.*.mobile_action | string | no_action | |
action_result.data.*.domain.*.modified_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.domain.*.modified_on | string | 2021-09-15T09:52:27.651770437Z | |
action_result.data.*.domain.*.modified_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.domain.*.platforms.* | string | crowdstrike indicator platforms |
mac |
action_result.data.*.domain.*.severity | string | severity |
high |
action_result.data.*.domain.*.source | string | Test source | |
action_result.data.*.domain.*.tags | string | test_tag | |
action_result.data.*.domain.*.type | string | crowdstrike indicator type |
domain |
action_result.data.*.domain.*.value | string | domain |
test.domain |
action_result.data.*.ipv4 | string | ip |
|
action_result.data.*.ipv4.*.action | string | crowdstrike indicator action |
no_action |
action_result.data.*.ipv4.*.applied_globally | boolean | False | |
action_result.data.*.ipv4.*.created_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.ipv4.*.created_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.ipv4.*.created_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.ipv4.*.deleted | boolean | False | |
action_result.data.*.ipv4.*.description | string | Test description | |
action_result.data.*.ipv4.*.expiration | string | date |
2021-09-25T09:52:27Z |
action_result.data.*.ipv4.*.expiration_timestamp | string | date |
2018-09-16T00:00:00Z |
action_result.data.*.ipv4.*.expired | boolean | False | |
action_result.data.*.ipv4.*.from_parent | boolean | False | |
action_result.data.*.ipv4.*.host_groups.* | string | crowdstrike host group id |
0491ecd214614b5ab3bca1037a15390b |
action_result.data.*.ipv4.*.id | string | crowdstrike indicator id |
010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb |
action_result.data.*.ipv4.*.metadata.filename | string | test | |
action_result.data.*.ipv4.*.mobile_action | string | no_action | |
action_result.data.*.ipv4.*.modified_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.ipv4.*.modified_on | string | 2021-09-15T09:52:27.651770437Z | |
action_result.data.*.ipv4.*.modified_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.ipv4.*.platforms.* | string | crowdstrike indicator platforms |
mac |
action_result.data.*.ipv4.*.severity | string | severity |
high |
action_result.data.*.ipv4.*.source | string | Test source | |
action_result.data.*.ipv4.*.tags | string | test_tag | |
action_result.data.*.ipv4.*.type | string | crowdstrike indicator type |
ipv4 |
action_result.data.*.ipv4.*.value | string | ip |
8.8.8.8 |
action_result.data.*.ipv6 | string | ipv6 |
|
action_result.data.*.ipv6.*.action | string | crowdstrike indicator action |
no_action |
action_result.data.*.ipv6.*.applied_globally | boolean | False | |
action_result.data.*.ipv6.*.created_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.ipv6.*.created_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.ipv6.*.created_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.ipv6.*.deleted | boolean | False | |
action_result.data.*.ipv6.*.description | string | Test description | |
action_result.data.*.ipv6.*.expiration | string | date |
2021-09-25T09:52:27Z |
action_result.data.*.ipv6.*.expiration_timestamp | string | date |
2018-09-16T00:00:00Z |
action_result.data.*.ipv6.*.expired | boolean | False | |
action_result.data.*.ipv6.*.from_parent | boolean | False | |
action_result.data.*.ipv6.*.host_groups.* | string | crowdstrike host group id |
0491ecd214614b5ab3bca1037a15390b |
action_result.data.*.ipv6.*.id | string | crowdstrike indicator id |
010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb |
action_result.data.*.ipv6.*.metadata.filename | string | test_file_name | |
action_result.data.*.ipv6.*.modified_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.ipv6.*.modified_on | string | 2021-09-15T09:52:27.651770437Z | |
action_result.data.*.ipv6.*.modified_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.ipv6.*.platforms.* | string | crowdstrike indicator platforms |
mac |
action_result.data.*.ipv6.*.severity | string | severity |
high |
action_result.data.*.ipv6.*.source | string | Test source | |
action_result.data.*.ipv6.*.tags | string | test_tag | |
action_result.data.*.ipv6.*.type | string | crowdstrike indicator type |
ipv6 |
action_result.data.*.ipv6.*.value | string | ipv6 |
2001:db8:3333::6666:7777:8888 |
action_result.data.*.md5 | string | md5 |
|
action_result.data.*.md5.*.action | string | crowdstrike indicator action |
no_action |
action_result.data.*.md5.*.applied_globally | boolean | False | |
action_result.data.*.md5.*.created_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.md5.*.created_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.md5.*.created_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.md5.*.deleted | boolean | False | |
action_result.data.*.md5.*.description | string | Test description | |
action_result.data.*.md5.*.expiration | string | date |
2021-09-25T09:52:27Z |
action_result.data.*.md5.*.expiration_timestamp | string | date |
2018-09-16T00:00:00Z |
action_result.data.*.md5.*.expired | boolean | False | |
action_result.data.*.md5.*.from_parent | boolean | False | |
action_result.data.*.md5.*.host_groups.* | string | crowdstrike host group id |
0491ecd214614b5ab3bca1037a15390b |
action_result.data.*.md5.*.id | string | crowdstrike indicator id |
010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb |
action_result.data.*.md5.*.metadata.av_hits | numeric | -1 | |
action_result.data.*.md5.*.metadata.filename | string | test_file_name | |
action_result.data.*.md5.*.metadata.signed | boolean | False True | |
action_result.data.*.md5.*.mobile_action | string | no_action | |
action_result.data.*.md5.*.modified_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.md5.*.modified_on | string | 2021-09-15T09:52:27.651770437Z | |
action_result.data.*.md5.*.modified_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.md5.*.platforms.* | string | crowdstrike indicator platforms |
mac |
action_result.data.*.md5.*.severity | string | severity |
high |
action_result.data.*.md5.*.source | string | Test source | |
action_result.data.*.md5.*.tags | string | test_tag | |
action_result.data.*.md5.*.type | string | crowdstrike indicator type |
md5 |
action_result.data.*.md5.*.value | string | md5 |
098f6bcd4621d373cade4e832627b4f6 |
action_result.data.*.sha256 | string | sha256 |
|
action_result.data.*.sha256.*.action | string | crowdstrike indicator action |
no_action |
action_result.data.*.sha256.*.applied_globally | boolean | False | |
action_result.data.*.sha256.*.created_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.sha256.*.created_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.sha256.*.created_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.sha256.*.deleted | boolean | False | |
action_result.data.*.sha256.*.description | string | Test description | |
action_result.data.*.sha256.*.expiration | string | date |
2021-09-25T09:52:27Z |
action_result.data.*.sha256.*.expiration_timestamp | string | date |
2018-09-16T00:00:00Z |
action_result.data.*.sha256.*.expired | boolean | False | |
action_result.data.*.sha256.*.from_parent | boolean | False | |
action_result.data.*.sha256.*.host_groups.* | string | crowdstrike host group id |
0491ecd214614b5ab3bca1037a15390b |
action_result.data.*.sha256.*.id | string | crowdstrike indicator id |
010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb |
action_result.data.*.sha256.*.metadata.av_hits | numeric | -1 | |
action_result.data.*.sha256.*.metadata.company_name | string | Test Corporation | |
action_result.data.*.sha256.*.metadata.file_description | string | Runtime Broker | |
action_result.data.*.sha256.*.metadata.file_version | string | 10.0.19041.746 (WinBuild.160101.0800) | |
action_result.data.*.sha256.*.metadata.filename | string | test_file_name | |
action_result.data.*.sha256.*.metadata.original_filename | string | RuntimeBroker.exe | |
action_result.data.*.sha256.*.metadata.product_name | string | Test® Windows® Operating System | |
action_result.data.*.sha256.*.metadata.product_version | string | 10.0.19041.746 | |
action_result.data.*.sha256.*.metadata.signed | boolean | False True | |
action_result.data.*.sha256.*.mobile_action | string | no_action | |
action_result.data.*.sha256.*.modified_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.sha256.*.modified_on | string | 2021-09-15T09:52:27.651770437Z | |
action_result.data.*.sha256.*.modified_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.sha256.*.platforms.* | string | crowdstrike indicator platforms |
mac |
action_result.data.*.sha256.*.severity | string | severity |
high |
action_result.data.*.sha256.*.source | string | Test source | |
action_result.data.*.sha256.*.tags | string | test_tag | |
action_result.data.*.sha256.*.type | string | crowdstrike indicator type |
sha256 |
action_result.data.*.sha256.*.value | string | sha256 |
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 |
action_result.summary.alerts_found | numeric | ||
action_result.summary.total_domain | numeric | ||
action_result.summary.total_ipv4 | numeric | ||
action_result.summary.total_ipv6 | numeric | ||
action_result.summary.total_md5 | numeric | ||
action_result.summary.total_sha256 | numeric | ||
action_result.message | string | Total ip: 20, Total domain: 26, Total sha1: 0, Total md5: 0, Total sha256: 1, Alerts found: 47 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Queries for files uploaded to Crowdstrike for use with the RTR put
command
Type: investigate
Read only: True
For additional information on FQL syntax see: https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
filter | optional | FQL query to filter results | string | |
offset | optional | Starting index of overall result set | string | |
limit | optional | Number of files to return | numeric | |
sort | optional | Sort results | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.filter | string | size: 292 | |
action_result.parameter.limit | numeric | 50 | |
action_result.parameter.offset | string | 10 | |
action_result.parameter.sort | string | size | |
action_result.data.*.comments_for_audit_log | string | test | |
action_result.data.*.created_by | string | api-client-05dbdf165b474db597007c6f88780e39 | |
action_result.data.*.created_by_uuid | string | 05dbdf16-5b47-4db5-9700-7c6f88780e39 | |
action_result.data.*.created_timestamp | string | 2020-01-17T19:54:47.929163017Z | |
action_result.data.*.description | string | This is a test description | |
action_result.data.*.file_type | string | binary | |
action_result.data.*.id | string | 37420b00396311eaa57e0662caec3daa_05dbdf165b474db597007c6f88780e39 | |
action_result.data.*.modified_by | string | api-client-05d12ffasd65d12b597007c6f88780e39 | |
action_result.data.*.modified_timestamp | string | 2020-01-17T19:54:47.929163507Z | |
action_result.data.*.name | string | blank_file | |
action_result.data.*.permission_type | string | none | |
action_result.data.*.run_attempt_count | numeric | 0 | |
action_result.data.*.run_success_count | numeric | 0 | |
action_result.data.*.sha256 | string | sha256 |
9a9eaa1e83dbb19252ae1c0158eeefe8e4ce78736535d4e6d6a6bb5b039ff9a2 |
action_result.data.*.size | numeric | 88 | |
action_result.summary.total_files | numeric | 2 | |
action_result.message | string | Total files: 2 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Callback action for the on_poll ingest functionality
Type: ingest
Read only: True
This action remembers the last event ID that was queried for. The next ingestion carried out will query for later event IDs. This way, the same events are not queried for in every run. However, in the case of 'POLL NOW' queried event IDs will not be remembered.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
start_time | optional | Parameter ignored in this app | numeric | |
end_time | optional | Parameter ignored in this app | numeric | |
container_count | optional | Parameter ignored in this app | numeric | |
artifact_count | optional | Parameter ignored in this app | numeric |
No Output
List processes that have recently used the IOC on a particular device
Type: investigate
Read only: True
Given a file hash or domain, the action will list all the processes that have either recently connected to the domain or interacted with the file that matches the supplied hash. Use the query device actions to get the device id to run the action on.In case of count_only set to true, keep the limit value larger to fetch count of all the devices.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ioc | required | File Hash or Domain to use for searching | string | hash sha256 sha1 md5 domain |
id | required | Crowdstrike Device ID to search on | string | crowdstrike device id |
limit | optional | Maximum processes to be fetched (defaults to 100) | numeric |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.id | string | crowdstrike device id |
07c312fabcb8473454d0a16f118928ab |
action_result.parameter.ioc | string | hash sha256 sha1 md5 domain |
eeb27d04c5fb25f7459407c0e5394621f12100e301b22d04a6b8f78e2adbf33d |
action_result.parameter.limit | numeric | 100 | |
action_result.data.*.falcon_process_id | string | falcon process id |
pid:07c312fabcb8473454d0a16f118928fg:16716090292999 |
action_result.summary.process_count | numeric | 1 | |
action_result.message | string | Process count: 1 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Upload indicator that you want CrowdStrike to watch
Type: contain
Read only: False
Valid values for the action parameter are:
- no_action
Save the indicator for future use, but take no action. No severity required. - allow
Applies to hashes only. Allow the indicator and do not detect it. Severity does not apply and should not be provided. - prevent_no_ui
Applies to hashes only. Block and detect the indicator, but hide it from Activity > Detections. Has a default severity value. - prevent
Applies to hashes only. Block the indicator and show it as a detection at the selected severity. - detect
Enable detections for the indicator at the selected severity.
- Comma separated host group IDs for specific groups
- Leave it blank for all the host groups
The CrowdStrike API accepts the standard timestamp format in the expiration parameter. In this action, the number of days provided in the expiration parameter is internally converted into the timestamp format to match the API format.
If the indicator with the same type and value is created again, the action will fail as duplicate type-value combination is not allowed.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ioc | required | Input domain, ip, or hash ioc | string | sha256 md5 domain ip ipv6 |
action | required | Action to take when a host observes the custom IOC | string | crowdstrike indicator action |
platforms | required | Comma separated list of platforms | string | crowdstrike indicator platforms |
expiration | optional | Alert lifetime in days | numeric | |
source | optional | Indicator originating source | string | |
description | optional | Indicator description | string | |
tags | optional | Comma separated list of tags | string | |
severity | optional | Severity level | string | severity |
host_groups | optional | Comma separated list of host group IDs | string | crowdstrike host group id |
filename | optional | Metadata filename | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.action | string | crowdstrike indicator action |
detect |
action_result.parameter.description | string | test description | |
action_result.parameter.expiration | numeric | 10 | |
action_result.parameter.filename | string | filename | |
action_result.parameter.host_groups | string | crowdstrike host group id |
7f0d05b7b2fd4ddfb34069ab6e99db34 |
action_result.parameter.ioc | string | sha256 md5 domain ip ipv6 |
8.8.8.8 |
action_result.parameter.platforms | string | crowdstrike indicator platforms |
linux |
action_result.parameter.severity | string | severity |
low |
action_result.parameter.source | string | test source | |
action_result.parameter.tags | string | test_tag | |
action_result.data.*.action | string | crowdstrike indicator action |
no_action |
action_result.data.*.applied_globally | boolean | False | |
action_result.data.*.created_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.created_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.created_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.deleted | boolean | False | |
action_result.data.*.description | string | Test description | |
action_result.data.*.expiration | string | date |
2021-09-25T09:52:27Z |
action_result.data.*.expiration_timestamp | string | date |
2018-09-16T00:00:00Z |
action_result.data.*.expired | boolean | False | |
action_result.data.*.from_parent | boolean | False | |
action_result.data.*.host_groups.* | string | crowdstrike host group id |
0491ecd214614b5ab3bca1037a15390b |
action_result.data.*.id | string | crowdstrike indicator id |
010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb |
action_result.data.*.metadata.av_hits | numeric | -1 | |
action_result.data.*.metadata.filename | string | test_file_name | |
action_result.data.*.metadata.signed | boolean | False True | |
action_result.data.*.modified_by | string | md5 |
ae1690074e144356ae2de5de8dc1bd93 |
action_result.data.*.modified_on | string | 2021-09-15T09:52:27.651770437Z | |
action_result.data.*.modified_timestamp | string | date |
2018-08-17T15:19:31Z |
action_result.data.*.platforms.* | string | crowdstrike indicator platforms |
mac |
action_result.data.*.severity | string | severity |
high |
action_result.data.*.source | string | Test source | |
action_result.data.*.tags | string | test_tag | |
action_result.data.*.type | string | crowdstrike indicator type |
ipv4 |
action_result.data.*.value | string | ip ipv6 md5 sha256 domain |
8.8.8.8 |
action_result.summary | string | ||
action_result.message | string | Indicator uploaded successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Delete an indicator that is being watched
Type: correct
Read only: False
In this action, either 'ioc' or 'resource_id' should be provided. The priority of 'resource_id' is higher. If both the parameters are provided then the indicator will be deleted based on the 'resource_id'. The CrowdStrike API returns success for the 'resource_id' of the already deleted indicator.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ioc | optional | Hash, ip or domain IOC from previous upload | string | ip ipv6 md5 sha256 domain |
resource_id | optional | The resource id of the indicator | string | crowdstrike indicator id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.ioc | string | ip ipv6 md5 sha256 domain |
test |
action_result.parameter.resource_id | string | crowdstrike indicator id |
feaefb786fc648861779b9f906b1426b3d670ffe4c22ec7b7ff3d3e03e88dc43 |
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | Indicator deleted successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Update an indicator that has been uploaded
Type: generic
Read only: False
Valid values for the host groups parameter are:
- Comma separated host group IDs for specific groups
- The value 'all' for all the host groups
- Leave it blank if there is no change
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ioc | required | Hash, ip or domain IOC to update | string | ip md5 sha256 domain |
action | optional | Action to take when a host observes the custom IOC | string | crowdstrike indicator action |
platforms | optional | Comma separated list of platforms | string | crowdstrike indicator platforms |
expiration | optional | Alert lifetime in days | numeric | |
source | optional | Indicator originating source | string | |
description | optional | Indicator description | string | |
tags | optional | Comma separated list of tags | string | |
severity | optional | Severity level | string | severity |
host_groups | optional | Comma separated list of host group IDs | string | crowdstrike host group id |
filename | optional | Metadata filename | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.action | string | crowdstrike indicator action |
detect |
action_result.parameter.description | string | test description | |
action_result.parameter.expiration | numeric | 10 | |
action_result.parameter.filename | string | filename | |
action_result.parameter.host_groups | string | crowdstrike host group id |
7f0d05b7b2fd4ddfb34069ab6e99db34 |
action_result.parameter.ioc | string | ip md5 sha256 domain |
8.8.8.8 |
action_result.parameter.platforms | string | crowdstrike indicator platforms |
linux |
action_result.parameter.severity | string | severity |
low |
action_result.parameter.source | string | test source | |
action_result.parameter.tags | string | test_tag | |
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | Indicator updated successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Queries CrowdStrike for the file info given a vault ID or a SHA256 hash, vault ID has higher priority than SHA256 hash if both are provided
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
vault_id | optional | Vault ID of file | string | vault id |
sha256 | optional | SHA256 hash of the file | string | sha256 |
limit | optional | Maximum reports to be fetched | numeric | |
sort | optional | Property to sort by | string | |
offset | optional | Starting index of overall result set from which to return ids (defaults to 0) | numeric | |
detail_report | optional | Get the detailed report | boolean |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.detail_report | boolean | True False | |
action_result.parameter.limit | numeric | 120 | |
action_result.parameter.offset | numeric | 100 | |
action_result.parameter.sha256 | string | sha256 |
3460eb8087523e19ac486f37fc68192c2dcd087814a2a9c9ad6b668fee3e0134 |
action_result.parameter.sort | string | created_timestamp.asc | |
action_result.parameter.vault_id | string | vault id |
30c5e524e975816fbce1d958150e394efc219772 |
action_result.data.*.cid | string | 3061c7ff3b634e22b38274d4b586558e | |
action_result.data.*.created_timestamp | string | 2020-10-26T09:26:12Z | |
action_result.data.*.id | string | crowdstrike resource id |
3061c7ff3b634e22b38274d4b586558e_5cbc78f5cd4845fd8652896dde973397 |
action_result.data.*.ioc_report_broad_csv_artifact_id | string | crowdstrike artifact id |
b735c285c7d4119254d7a4eac9734321cf2dee0a8925f0395df6592cce97f848 |
action_result.data.*.ioc_report_broad_json_artifact_id | string | crowdstrike artifact id |
c4a90ac33e499f69fbccf4ca20cd8938a0e3a10055eececfefa99000a475dd7a |
action_result.data.*.ioc_report_broad_maec_artifact_id | string | crowdstrike artifact id |
5a9703fb4d31b4fab70948332af17711b41d06f2fe46406f8abcd810eea8ca2b |
action_result.data.*.ioc_report_broad_stix_artifact_id | string | crowdstrike artifact id |
2433d561ad70b9a30753bc3345bf1d9e986340e40dc59177f91e979d59b4f0f0 |
action_result.data.*.ioc_report_strict_csv_artifact_id | string | crowdstrike artifact id |
f54d63e91cafc2aa131d90bab6a60d7dfd0db05f984ebcf9394e4a1d7934c913 |
action_result.data.*.ioc_report_strict_json_artifact_id | string | crowdstrike artifact id |
7d80482e25d2e86867ea6b4b8c0bc9c1235f9e70dbd2a1754ffb86c950994532 |
action_result.data.*.ioc_report_strict_maec_artifact_id | string | crowdstrike artifact id |
bf73276e6e07f6c02a242254e846f4ef8e6d12a3114ee8de0e144ee608491457 |
action_result.data.*.ioc_report_strict_stix_artifact_id | string | crowdstrike artifact id |
1f129239876f7eb8287bf112763dada414ee8792ce1ab81eda6adcf322327696 |
action_result.data.*.malquery.*.input | string | c619f87556667f2c1799672d36d55172597f4fed158800d5622edc8abee930e8 | |
action_result.data.*.malquery.*.resources.*.file_size | numeric | 100144 | |
action_result.data.*.malquery.*.resources.*.file_type | string | PE32 | |
action_result.data.*.malquery.*.resources.*.first_seen_timestamp | string | 2020-01-29T00:00:00Z | |
action_result.data.*.malquery.*.resources.*.label | string | clean | |
action_result.data.*.malquery.*.resources.*.md5 | string | md5 |
b029f63374652c76e09b6443dd931774 |
action_result.data.*.malquery.*.resources.*.sha1 | string | sha1 |
8b50322f86d4bd5a7a5bc1d54d16ecfae8d4e693 |
action_result.data.*.malquery.*.resources.*.sha256 | string | sha256 |
7b982b66433e1c89d094461d3d461eab90c93f72fbe676fcfc17c3c340c9a8b4 |
action_result.data.*.malquery.*.type | string | sha256 | |
action_result.data.*.malquery.*.verdict | string | clean | |
action_result.data.*.origin | string | quarantine | |
action_result.data.*.sandbox.*.architecture | string | 32 Bit | |
action_result.data.*.sandbox.*.contacted_hosts.*.address | string | ip |
1XX.2XX.1X.6X |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name | string | iexplore.exe | |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid | numeric | 7284 | |
action_result.data.*.sandbox.*.contacted_hosts.*.country | string | Test Name | |
action_result.data.*.sandbox.*.contacted_hosts.*.port | numeric | port |
80 |
action_result.data.*.sandbox.*.contacted_hosts.*.protocol | string | TCP | |
action_result.data.*.sandbox.*.dns_requests.*.address | string | ip |
2X.7X.1XX.1XX |
action_result.data.*.sandbox.*.dns_requests.*.country | string | Test Name | |
action_result.data.*.sandbox.*.dns_requests.*.domain | string | domain ip |
clientconfig.passport.net |
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp | string | date |
1994-08-01T00:00:00+00:00 |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name | string | MarkMonitor, Inc. | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers | string | NS1.MSFT.NET | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization | string | Test Corporation | |
action_result.data.*.sandbox.*.environment | numeric | 100 | |
action_result.data.*.sandbox.*.environment_description | string | crowdstrike environment |
Windows 7 32 bit |
action_result.data.*.sandbox.*.environment_id | numeric | 100 | |
action_result.data.*.sandbox.*.error_message | string | The requested environment ID "160" and file type "python" have no available execution environment | |
action_result.data.*.sandbox.*.error_origin | string | CLIENT | |
action_result.data.*.sandbox.*.error_type | string | FILE_TYPE_BAD_ERROR | |
action_result.data.*.sandbox.*.exact_deep_hash | string | 026f0c002c06028e00010212000320000000fffffe06030065732078000000e0161f3a9d4755494400ffff0000e804000100e000ff0000b800c900c06f110b7b00706f0e00040d01000000120200e20033303331ffff00000011030400050001000a6f106765745f000000122c06028e0000ffff00ffff00f002a90009000000800000001109142000ffff000a280100088e69fe00ffff000bfe060750000080ffff00000080000000f002a900e000000000000007000000000011000000e80400e80400006f705f0100010000120000561934e00f1a1f6fdf007100100102150000ff2510000000302e302ee80400002e302e30000200e220696e20cf0072370106002affff0000007200460001130f49ae61f1616773000043756c7065730000e8010004effe000070007900f701b700020080fe01130e00ffff00000000000031000b720073001d08050501060a0200ffff0000ff25007e0000ec0011004366006f00446f6d6101130d114d01048000012805012571180100000165006f7003090151fe0000010000a040fe010d010000de00020e0e0300000001029f008100efbbbf002b8c1600f701b78e69fe040a110bfe666f2078150c20050000002b0000ffff006c006100008000110020f400fe010d6f6e732e00e804006be57549ffff00001e01060ade0000000100953b31007400091afe0420001d120000e000 | |
action_result.data.*.sandbox.*.extracted_files.*.description | string | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | |
action_result.data.*.sandbox.*.extracted_files.*.file_path | string | %TEMP%\329babfa-d618-4d17-a6b0-79fe02a2d94d\AgileDotNetRT.dll | |
action_result.data.*.sandbox.*.extracted_files.*.file_size | numeric | 137741 | |
action_result.data.*.sandbox.*.extracted_files.*.md5 | string | md5 |
5ce220e1334193b403e937ecca0b406f |
action_result.data.*.sandbox.*.extracted_files.*.name | string | AgileDotNetRT.dll | |
action_result.data.*.sandbox.*.extracted_files.*.runtime_process | string | 789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24.exe | |
action_result.data.*.sandbox.*.extracted_files.*.sha1 | string | sha1 |
48c1d47e4a23ebfd739aa86830842d1ead7ced59 |
action_result.data.*.sandbox.*.extracted_files.*.sha256 | string | sha256 |
c619f87556667f2c1799672d36d55172597f4fed158800d5622edc8abee930e8 |
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable | string | no specific threat | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename | string | EXAMPLEd6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2aTEST.bin | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process | string | EXAMPLEd6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2aTEST.exe | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source | string | Memory/File Scan | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type | string | Ansi | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value | string | .http://www.digicert.com/ssl-cps-repository.htm0 | |
action_result.data.*.sandbox.*.file_imports.*.module | string | mscoree.dll | |
action_result.data.*.sandbox.*.file_size | numeric | 224888 | |
action_result.data.*.sandbox.*.file_type | string | PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows | |
action_result.data.*.sandbox.*.http_requests.*.header | string | GET /gsr2/TESTgwRjAJBgUrDgMCTESTBBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtEXAMPLEhi4CDQHjtJqhjYqpgSVpULg%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Test-CryptoAPI/10.0 Host: ocsp.pki.goog |
|
action_result.data.*.sandbox.*.http_requests.*.host | string | domain ip |
ocsp.pki.goog |
action_result.data.*.sandbox.*.http_requests.*.host_ip | string | ip |
1XX.2XX.1X.6X |
action_result.data.*.sandbox.*.http_requests.*.host_port | numeric | port |
80 |
action_result.data.*.sandbox.*.http_requests.*.method | string | GET | |
action_result.data.*.sandbox.*.http_requests.*.url | string | /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | |
action_result.data.*.sandbox.*.incidents.*.name | string | Fingerprint | |
action_result.data.*.sandbox.*.memory_strings_artifact_id | string | crowdstrike artifact id |
9e5ebb7847a684fe6b9f36bb6bfb36e03b4e2f71b010c67e131652b968695a30 |
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id | string | T1215 | |
action_result.data.*.sandbox.*.mitre_attacks.*.parent.attack_id | string | T1027 | |
action_result.data.*.sandbox.*.mitre_attacks.*.parent.attack_id_wiki | string | https://attack.mitre.org/techniques/T1027 | |
action_result.data.*.sandbox.*.mitre_attacks.*.parent.technique | string | Obfuscated Files or Information | |
action_result.data.*.sandbox.*.mitre_attacks.*.tactic | string | Persistence | |
action_result.data.*.sandbox.*.mitre_attacks.*.technique | string | Kernel Modules and Extensions | |
action_result.data.*.sandbox.*.network_settings | string | default | |
action_result.data.*.sandbox.*.packer | string | Test visual C# v7.0 / Basic .NET | |
action_result.data.*.sandbox.*.pcap_report_artifact_id | string | crowdstrike artifact id |
e5521d8c988e4fd8f4bff8d90e231ac71d5bde9710382a1a2ac14e9d004eabd8 |
action_result.data.*.sandbox.*.processes.*.command_line | string | "C:\dummy-pdf_2.pdf" | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask | string | FILE_READ_DATA | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path | string | %WINDIR%\SYSTEM32\MSCOREE.DLL | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type | string | OPEN | |
action_result.data.*.sandbox.*.processes.*.handles.*.id | numeric | 4 | |
action_result.data.*.sandbox.*.processes.*.handles.*.path | string | HKLM\SYSTEM\ControlSet001\Control\Session Manager | |
action_result.data.*.sandbox.*.processes.*.handles.*.type | string | KeyHandle | |
action_result.data.*.sandbox.*.processes.*.icon_artifact_id | string | crowdstrike artifact id |
6fc9590b42ff8dcbd51c4cddf7ec83bad13f08dcfc882dfbfae326a4c4d68e8d |
action_result.data.*.sandbox.*.processes.*.name | string | 789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24.exe | |
action_result.data.*.sandbox.*.processes.*.normalized_path | string | C:\789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24.exe | |
action_result.data.*.sandbox.*.processes.*.parent_uid | string | 00079399-00003508 | |
action_result.data.*.sandbox.*.processes.*.pid | numeric | 3788 | |
action_result.data.*.sandbox.*.processes.*.process_flags.*.name | string | Reduced Monitoring | |
action_result.data.*.sandbox.*.processes.*.registry.*.key | string | COMPUTERNAME | |
action_result.data.*.sandbox.*.processes.*.registry.*.operation | string | Open | |
action_result.data.*.sandbox.*.processes.*.registry.*.path | string | HKLM\SOFTWARE\Test\RPC\ | |
action_result.data.*.sandbox.*.processes.*.registry.*.status | string | c0000034 | |
action_result.data.*.sandbox.*.processes.*.registry.*.status_human_readable | string | STATUS_OBJECT_NAME_NOT_FOUND | |
action_result.data.*.sandbox.*.processes.*.registry.*.value | string | 00000000010000002C000000160000001800000043006F006D00700075007400650072004E0061006D00650048004100500055004200570053002D00500043000000 | |
action_result.data.*.sandbox.*.processes.*.sha256 | string | sha256 |
789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24 |
action_result.data.*.sandbox.*.processes.*.streams.*.file_name | string | dc829f01c99e0cc1c3bdbcf626bc87a88c9d9d82b965545d9747b2d2292c3716.bin | |
action_result.data.*.sandbox.*.processes.*.streams.*.human_keywords | string | {0},11:{0},varsim | |
action_result.data.*.sandbox.*.processes.*.streams.*.instructions_artifact_id | string | ca39fdd4ec789ac3996014bb6edd4989f3b4988da13dfb69bbdd5299185e50c7 | |
action_result.data.*.sandbox.*.processes.*.streams.*.uid | string | 272dfd975214d0f4abb93b32797f8605-6000001-Program~Main | |
action_result.data.*.sandbox.*.processes.*.uid | string | 00064737-00003788 | |
action_result.data.*.sandbox.*.sha256 | string | sha256 |
789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24 |
action_result.data.*.sandbox.*.signatures.*.attack_id | string | T1116 | |
action_result.data.*.sandbox.*.signatures.*.category | string | General | |
action_result.data.*.sandbox.*.signatures.*.description | string | "example_input.exe" created file "%TEMP%\329babfa-d618-4d17-a6b0-79fe02a2d94d\AgileDotNetRT.dll" | |
action_result.data.*.sandbox.*.signatures.*.identifier | string | api-4 | |
action_result.data.*.sandbox.*.signatures.*.name | string | Creates a writable file in a temporary directory | |
action_result.data.*.sandbox.*.signatures.*.origin | string | API Call | |
action_result.data.*.sandbox.*.signatures.*.relevance | numeric | 1 | |
action_result.data.*.sandbox.*.signatures.*.threat_level | numeric | 1 | |
action_result.data.*.sandbox.*.signatures.*.threat_level_human | string | informative | |
action_result.data.*.sandbox.*.signatures.*.type | numeric | 6 | |
action_result.data.*.sandbox.*.submission_type | string | file | |
action_result.data.*.sandbox.*.submit_name | string | 789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24 | |
action_result.data.*.sandbox.*.threat_score | numeric | 41 | |
action_result.data.*.sandbox.*.verdict | string | suspicious | |
action_result.data.*.sandbox.*.version_info.*.id | string | Translation | |
action_result.data.*.sandbox.*.version_info.*.value | string | 0x0000 0x04b0 | |
action_result.data.*.sandbox.*.windows_version_bitness | numeric | 32 | |
action_result.data.*.sandbox.*.windows_version_edition | string | Professional | |
action_result.data.*.sandbox.*.windows_version_name | string | Windows 7 | |
action_result.data.*.sandbox.*.windows_version_service_pack | string | Service Pack 1 | |
action_result.data.*.sandbox.*.windows_version_version | string | 6.1 (build 7601) | |
action_result.data.*.threat_graph.indicators.*.customer_prevalence | string | low | |
action_result.data.*.threat_graph.indicators.*.global_prevalence | string | common | |
action_result.data.*.threat_graph.indicators.*.type | string | sha256 | |
action_result.data.*.threat_graph.indicators.*.value | string | c619f87556667f2c1799672d36d55172597f4fed158800d5622edc8abee930e8 | |
action_result.data.*.user_id | string | b1cab7e2bda14722aca74b8353f5f6d9 | |
action_result.data.*.user_name | string | testuser@soar.us | |
action_result.data.*.user_uuid | string | b6330292-28e6-4198-994d-96f327c5b5bd | |
action_result.data.*.verdict | string | suspicious | |
action_result.summary.total_reports | numeric | 1 | |
action_result.summary.verdict | string | suspicious | |
action_result.message | string | Verdict: suspicious, Total reports: 1 Total reports: 6 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Queries CrowdStrike for the url info
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to query | string | url |
limit | optional | Maximum reports to be fetched | numeric | |
sort | optional | Property to sort by | string | |
offset | optional | Starting index of overall result set from which to return ids (defaults to 0) | numeric | |
detail_report | optional | Get the detailed report | boolean |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.detail_report | boolean | True False | |
action_result.parameter.limit | numeric | 5 | |
action_result.parameter.offset | numeric | 5 | |
action_result.parameter.sort | string | created_timestamp.asc | |
action_result.parameter.url | string | url |
https://www.test.com |
action_result.data.*.cid | string | 3061c7ff3b634e22b38274d4b586558e | |
action_result.data.*.created_timestamp | string | 2021-04-29T02:49:16Z | |
action_result.data.*.id | string | crowdstrike resource id |
3061c7ff3b634e22b38274d4b586558e_3ab68d2aa2774ba3a35d6f17ae1a7c0b |
action_result.data.*.ioc_report_broad_csv_artifact_id | string | crowdstrike artifact id |
6ba1a1ab22f1c1fdea253934fd96364513f897a4f697df2058dd8a456dee2cc0 |
action_result.data.*.ioc_report_broad_json_artifact_id | string | crowdstrike artifact id |
3ccac07c025cc4aa4ce900530fb982371d878cf8c80ceeb9247024420b540fa4 |
action_result.data.*.ioc_report_broad_maec_artifact_id | string | crowdstrike artifact id |
0ee0e99a5a032a3c42799d01941938e5b10ed8f13e7452d930648d481af5d51e |
action_result.data.*.ioc_report_broad_stix_artifact_id | string | crowdstrike artifact id |
653ebf60312387e4d519dba01da938294ac607f859b671f5d55980c02732f474 |
action_result.data.*.ioc_report_strict_csv_artifact_id | string | crowdstrike artifact id |
6ba1a1ab22f1c1fdea253934fd96364513f897a4f697df2058dd8a456dee2cc0 |
action_result.data.*.ioc_report_strict_json_artifact_id | string | crowdstrike artifact id |
3ccac07c025cc4aa4ce900530fb982371d878cf8c80ceeb9247024420b540fa4 |
action_result.data.*.ioc_report_strict_maec_artifact_id | string | crowdstrike artifact id |
0ee0e99a5a032a3c42799d01941938e5b10ed8f13e7452d930648d481af5d51e |
action_result.data.*.ioc_report_strict_stix_artifact_id | string | crowdstrike artifact id |
653ebf60312387e4d519dba01da938294ac607f859b671f5d55980c02732f474 |
action_result.data.*.malquery.*.input | string | http://accounts.test.com | |
action_result.data.*.malquery.*.resources.*.file_size | numeric | 466 | |
action_result.data.*.malquery.*.resources.*.file_type | string | HTML | |
action_result.data.*.malquery.*.resources.*.first_seen_timestamp | string | date |
2021-05-05T00:00:00Z |
action_result.data.*.malquery.*.resources.*.label | string | unknown | |
action_result.data.*.malquery.*.resources.*.md5 | string | md5 |
cf83a54faef91aa5c3f9d89dba8a8b14 |
action_result.data.*.malquery.*.resources.*.sha1 | string | sha1 |
7fe4176691ffaf6df16090e19cbc36dc3f7ed041 |
action_result.data.*.malquery.*.resources.*.sha256 | string | sha256 |
80c4f85980efc903c8ae376cd6d88025465d49aec6f84901d41abcc384b99738 |
action_result.data.*.malquery.*.type | string | url | |
action_result.data.*.malquery.*.verdict | string | whitelisted | |
action_result.data.*.origin | string | uiproxy | |
action_result.data.*.sandbox.*.architecture | string | WINDOWS | |
action_result.data.*.sandbox.*.contacted_hosts.*.address | string | ip |
2XX.5X.1XX.6X |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name | string | iexplore.exe | |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid | numeric | 3808 | |
action_result.data.*.sandbox.*.contacted_hosts.*.country | string | Test Name | |
action_result.data.*.sandbox.*.contacted_hosts.*.port | numeric | port |
443 |
action_result.data.*.sandbox.*.contacted_hosts.*.protocol | string | TCP | |
action_result.data.*.sandbox.*.dns_requests.*.address | string | 2XX.5X.1XX.2XX | |
action_result.data.*.sandbox.*.dns_requests.*.country | string | Test Name | |
action_result.data.*.sandbox.*.dns_requests.*.domain | string | domain ip |
accounts.test.com |
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp | string | date |
2005-02-15T00:00:00+00:00 |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name | string | MarkMonitor, Inc. | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers | string | NS1.TEST.COM | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization | string | Test Inc. | |
action_result.data.*.sandbox.*.environment | numeric | 100 | |
action_result.data.*.sandbox.*.environment_description | string | crowdstrike environment |
Windows 7 32 bit |
action_result.data.*.sandbox.*.environment_id | numeric | 160 | |
action_result.data.*.sandbox.*.error_message | string | The requested environment ID "300" and file type "url" have no available execution environment | |
action_result.data.*.sandbox.*.error_origin | string | CLIENT | |
action_result.data.*.sandbox.*.error_type | string | FILE_TYPE_BAD_ERROR | |
action_result.data.*.sandbox.*.extracted_files.*.description | string | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
action_result.data.*.sandbox.*.extracted_files.*.file_path | string | %LOCALAPPDATA%\Test\Internet Explorer\VersionManager\ver2963.tmp | |
action_result.data.*.sandbox.*.extracted_files.*.file_size | numeric | 16339 | |
action_result.data.*.sandbox.*.extracted_files.*.md5 | string | md5 |
cbd0581678fa40f0edcbc7c59e0cad10 |
action_result.data.*.sandbox.*.extracted_files.*.name | string | ver2963.tmp | |
action_result.data.*.sandbox.*.extracted_files.*.runtime_process | string | iexplore.exe (PID: 3808) | |
action_result.data.*.sandbox.*.extracted_files.*.sha1 | string | sha1 |
a1463fbcc9b96a8929f8a335f75a89147b300715 |
action_result.data.*.sandbox.*.extracted_files.*.sha256 | string | sha256 |
159bd4343f344a08f6af3b716b6fa679859c1bd1d7030d26ff5ef0255b86e1d9 |
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable | string | no specific threat | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename | string | SSL | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process | string | iexplore.exe | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source | string | Decrypted SSL Data | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type | string | Ansi | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value | string | .http://www.digicert.com/ssl-cps-repository.htm0 | |
action_result.data.*.sandbox.*.file_type | string | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | |
action_result.data.*.sandbox.*.http_requests.*.header | string | GET /gsr2/EXAMPLEDBKMEgwRjAJBgUrDgMCGgTESTXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJoEXAMPLEQHjtJqhjYqpgSVpULg%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Test-CryptoAPI/6.1 Host: ocsp.pki.goog |
|
action_result.data.*.sandbox.*.http_requests.*.host | string | ocsp.pki.goog | |
action_result.data.*.sandbox.*.http_requests.*.host_ip | string | ip |
2XX.5X.1XX.1XX |
action_result.data.*.sandbox.*.http_requests.*.host_port | numeric | port |
80 |
action_result.data.*.sandbox.*.http_requests.*.method | string | GET | |
action_result.data.*.sandbox.*.http_requests.*.url | string | /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | |
action_result.data.*.sandbox.*.incidents.*.name | string | Network Behavior | |
action_result.data.*.sandbox.*.memory_strings_artifact_id | string | crowdstrike artifact id |
4300381ecd2f3d62648cdc01d862f4765032f071bad272164c3580b7b6fb8840 |
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id | string | T1085 | |
action_result.data.*.sandbox.*.mitre_attacks.*.tactic | string | Execution | |
action_result.data.*.sandbox.*.mitre_attacks.*.technique | string | Rundll32 | |
action_result.data.*.sandbox.*.network_settings | string | default | |
action_result.data.*.sandbox.*.pcap_report_artifact_id | string | crowdstrike artifact id |
04a091843e91c36357b2ec63a2a7ac8ad7d142d861759062520b0a925e9b875d |
action_result.data.*.sandbox.*.processes.*.command_line | string | "%WINDIR%\System32\ieframe.dll",OpenURL C:\3cfc7f2806efb5b01deb01164fa00adb46eb73a0d24871a566051fb2204094af.url | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask | string | FILE_READ_ATTRIBUTES | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path | string | C: | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type | string | CREATE | |
action_result.data.*.sandbox.*.processes.*.handles.*.id | numeric | 80 | |
action_result.data.*.sandbox.*.processes.*.handles.*.path | string | HKCU\Software\Test\Internet Explorer\Main\WindowsSearch | |
action_result.data.*.sandbox.*.processes.*.handles.*.type | string | KeyHandle | |
action_result.data.*.sandbox.*.processes.*.icon_artifact_id | string | crowdstrike artifact id |
aa6f1a14d219555f2818f89dee06821824c872ae18279027baa0e160f61f049a |
action_result.data.*.sandbox.*.processes.*.name | string | rundll32.exe | |
action_result.data.*.sandbox.*.processes.*.normalized_path | string | %WINDIR%\System32\rundll32.exe | |
action_result.data.*.sandbox.*.processes.*.parent_uid | string | 00065605-00002148 | |
action_result.data.*.sandbox.*.processes.*.pid | numeric | 2148 | |
action_result.data.*.sandbox.*.processes.*.process_flags.*.name | string | Reduced Monitoring | |
action_result.data.*.sandbox.*.processes.*.registry.*.key | string | WPADDECISIONREASON | |
action_result.data.*.sandbox.*.processes.*.registry.*.operation | string | Write | |
action_result.data.*.sandbox.*.processes.*.registry.*.path | string | HKCU\SOFTWARE\Test\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{0C70BB6D-CFA8-4734-A158-28619E142726}\WPADDECISIONREASON | |
action_result.data.*.sandbox.*.processes.*.registry.*.value | string | 01000000 | |
action_result.data.*.sandbox.*.processes.*.sha256 | string | sha256 |
3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670 |
action_result.data.*.sandbox.*.processes.*.uid | string | 00065605-00002148 | |
action_result.data.*.sandbox.*.sha256 | string | sha256 |
3cfc7f2806efb5b01deb01164fa00adb46eb73a0d24871a566051fb2204094af |
action_result.data.*.sandbox.*.signatures.*.attack_id | string | T1085 | |
action_result.data.*.sandbox.*.signatures.*.category | string | General | |
action_result.data.*.sandbox.*.signatures.*.description | string | "21X.5X.1XX.6X:4XX" "21X.5X.1XX.1XX:8X" |
|
action_result.data.*.sandbox.*.signatures.*.identifier | string | network-1 | |
action_result.data.*.sandbox.*.signatures.*.name | string | Contacts server | |
action_result.data.*.sandbox.*.signatures.*.origin | string | Network Traffic | |
action_result.data.*.sandbox.*.signatures.*.relevance | numeric | 1 | |
action_result.data.*.sandbox.*.signatures.*.threat_level | numeric | 1 | |
action_result.data.*.sandbox.*.signatures.*.threat_level_human | string | informative | |
action_result.data.*.sandbox.*.signatures.*.type | numeric | 7 | |
action_result.data.*.sandbox.*.submission_type | string | page_url | |
action_result.data.*.sandbox.*.submit_name | string | http://ko.wikipedia.org/wiki/%EC%9C%84%ED%82%A4%EB%B0%B1%EA%B3%BC:%EB%8C%80%EB%AC%B8 | |
action_result.data.*.sandbox.*.submit_url | string | hxxps://www.test.com | |
action_result.data.*.sandbox.*.suricata_alerts.*.category | string | Unknown Traffic | |
action_result.data.*.sandbox.*.suricata_alerts.*.description | string | ET USER_AGENTS Test Device Metadata Retrieval Client User-Agent | |
action_result.data.*.sandbox.*.suricata_alerts.*.destination_ip | string | 1XX.XX0.7X.X2 | |
action_result.data.*.sandbox.*.suricata_alerts.*.destination_port | numeric | port |
80 |
action_result.data.*.sandbox.*.suricata_alerts.*.protocol | string | TCP | |
action_result.data.*.sandbox.*.suricata_alerts.*.sid | string | 2027390 | |
action_result.data.*.sandbox.*.threat_score | numeric | 35 | |
action_result.data.*.sandbox.*.verdict | string | no specific threat | |
action_result.data.*.sandbox.*.windows_version_bitness | numeric | 32 | |
action_result.data.*.sandbox.*.windows_version_edition | string | Professional | |
action_result.data.*.sandbox.*.windows_version_name | string | Windows 7 | |
action_result.data.*.sandbox.*.windows_version_service_pack | string | Service Pack 1 | |
action_result.data.*.sandbox.*.windows_version_version | string | 6.1 (build 7601) | |
action_result.data.*.user_id | string | 2b32e6795b344abba8925cce6782d128 | |
action_result.data.*.user_name | string | testuser@soar.us | |
action_result.data.*.user_uuid | string | b6330292-28e6-4198-994d-96f327c5b5bd | |
action_result.data.*.verdict | string | no specific threat | |
action_result.summary.total_reports | numeric | 1 | |
action_result.summary.verdict | string | no specific threat | |
action_result.message | string | Verdict: no specific threat, Total reports: 1 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
To download the report of the provided artifact id
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
artifact_id | required | Artifact id to be downloaded | string | crowdstrike artifact id |
file_name | optional | Filename to use for the file added to vault | string | filename |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.artifact_id | string | crowdstrike artifact id |
6fc9590b42ff8dcbd51c4cddf7ec83bad13f08dcfc882dfbfae326a4c4d68e8d |
action_result.parameter.file_name | string | filename |
test_file |
action_result.data | string | ||
action_result.summary | string | ||
action_result.message | string | Report downloaded successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Upload a file to CrowdStrike and retrieve the analysis results
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
vault_id | required | Vault ID of file | string | vault id |
environment | required | Sandbox environment to be used for analysis | string | crowdstrike environment |
comment | optional | A descriptive comment to identify the file | string | |
limit | optional | Maximum reports to be fetched | numeric | |
offset | optional | Starting index of overall result set from which to return ids (Defaults to 0) | numeric | |
command_line | optional | Command line script passed to the submitted file at runtime (Max length: 2048 characters) | string | |
document_password | optional | Password of the document if password protected (Max length: 32 characters) | string | |
submit_name | optional | Name of the malware sample that's used for file type detection and analysis | string | |
user_tags | optional | Comma seperated list of user tags (Max length: 100 characters per tag) | string | |
sort | optional | Property to sort by | string | |
action_script | optional | Runtime script for sandbox analysis | string | |
detail_report | optional | Get the detailed report | boolean | |
enable_tor | optional | To route the sandbox network traffic via TOR | boolean | |
is_confidential | optional | Defines visibility of the file in Falcon MalQuery (defaults to True) | boolean |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.action_script | string | default | |
action_result.parameter.command_line | string | ||
action_result.parameter.comment | string | This is a test comment | |
action_result.parameter.detail_report | boolean | True False | |
action_result.parameter.document_password | string | test_password | |
action_result.parameter.enable_tor | boolean | True False | |
action_result.parameter.environment | string | crowdstrike environment |
Windows 10, 64-bit |
action_result.parameter.is_confidential | boolean | True False | |
action_result.parameter.limit | numeric | 5 | |
action_result.parameter.offset | numeric | 5 | |
action_result.parameter.sort | string | created_timestamp.asc | |
action_result.parameter.submit_name | string | test_file_name | |
action_result.parameter.user_tags | string | test_tag1 | |
action_result.parameter.vault_id | string | vault id |
30c5e524e975816fbce1d958150e394efc219772 |
action_result.data.*.cid | string | 3061c7ff3b634e22b38274d4b586558e | |
action_result.data.*.created_timestamp | string | date |
2021-05-09T05:58:47Z |
action_result.data.*.id | string | crowdstrike resource id |
3061c7ff3b634e22b38274d4b586558e_ca27f64601b74c1f8a25577007987606 |
action_result.data.*.ioc_report_broad_csv_artifact_id | string | crowdstrike artifact id |
8a06e0e6a04696b16d8bcbe3b7952c6b0b48458f1168bf70ffa97b0993b9d115 |
action_result.data.*.ioc_report_broad_json_artifact_id | string | crowdstrike artifact id |
76dba8304fb398f192202a9dbbb39e259882ee7d9460afb4a07b8f2b8db8679a |
action_result.data.*.ioc_report_broad_maec_artifact_id | string | crowdstrike artifact id |
5391d132d841fe391d3132d2cab43cdf0d5a45c4f146e31cd65f51917dbf6820 |
action_result.data.*.ioc_report_broad_stix_artifact_id | string | crowdstrike artifact id |
aaab7615a82190cabdf6086fd818a5a3a5f65072363a7fa89c73e12bf115befd |
action_result.data.*.ioc_report_strict_csv_artifact_id | string | crowdstrike artifact id |
3ebe2620f871109e7048bfb0c1638b8e011b5fb779d6229db7135668fc558208 |
action_result.data.*.ioc_report_strict_json_artifact_id | string | crowdstrike artifact id |
097dc42503083de24bfb80b8964433348dfcb8b769f9abb491f5a97599666279 |
action_result.data.*.ioc_report_strict_maec_artifact_id | string | crowdstrike artifact id |
ccbc852e586f1348d83025a98a78398ba97c78d21fd8296676ef7da40852dc9a |
action_result.data.*.ioc_report_strict_stix_artifact_id | string | crowdstrike artifact id |
0967fd13eea5335645e8b2be13f2da7254a8401f1536bd2b939002d69a1af7f6 |
action_result.data.*.malquery.*.input | string | X.X.0.0 | |
action_result.data.*.malquery.*.resources.*.file_size | numeric | 25970 | |
action_result.data.*.malquery.*.resources.*.file_type | string | TEXT | |
action_result.data.*.malquery.*.resources.*.first_seen_timestamp | string | date |
2017-08-10T00:00:00Z |
action_result.data.*.malquery.*.resources.*.label | string | unknown | |
action_result.data.*.malquery.*.resources.*.md5 | string | md5 |
c7c4bf6fc4e73a85e6ab36711bdd8a7f |
action_result.data.*.malquery.*.resources.*.sha1 | string | sha1 |
a21c5fbfa596efb30180f75062794f01952cf18e |
action_result.data.*.malquery.*.resources.*.sha256 | string | sha256 |
07c522146bddc664d077c2184e88e5cb17547f2501785506ce2f7b05eaf93af0 |
action_result.data.*.malquery.*.type | string | ip | |
action_result.data.*.malquery.*.verdict | string | whitelisted | |
action_result.data.*.origin | string | apigateway | |
action_result.data.*.sandbox.*.architecture | string | Unknown | |
action_result.data.*.sandbox.*.contacted_hosts.*.address | string | ip |
2X.3X.1XX.X1 |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name | string | svchost.exe | |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid | numeric | 7884 | |
action_result.data.*.sandbox.*.contacted_hosts.*.country | string | Test Name | |
action_result.data.*.sandbox.*.contacted_hosts.*.port | numeric | 443 | |
action_result.data.*.sandbox.*.contacted_hosts.*.protocol | string | TCP | |
action_result.data.*.sandbox.*.dns_requests.*.address | string | ip |
1X2.XX7.164.XX |
action_result.data.*.sandbox.*.dns_requests.*.country | string | Test Name | |
action_result.data.*.sandbox.*.dns_requests.*.domain | string | domain url |
fonts.gstatic.com |
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp | string | date |
2008-02-11T00:00:00+00:00 |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name | string | MarkMonitor, Inc. | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers | string | NS1.TEST.COM | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization | string | Test Inc. | |
action_result.data.*.sandbox.*.environment | numeric | 160 | |
action_result.data.*.sandbox.*.environment_description | string | crowdstrike environment |
Windows 10 64 bit |
action_result.data.*.sandbox.*.environment_id | numeric | 160 | |
action_result.data.*.sandbox.*.error_message | string | The requested environment ID "300" and file type "html" have no available execution environment | |
action_result.data.*.sandbox.*.error_origin | string | CLIENT | |
action_result.data.*.sandbox.*.error_type | string | FILE_TYPE_BAD_ERROR | |
action_result.data.*.sandbox.*.extracted_files.*.description | string | MS Windows icon resource - 1 icon, 32x32 | |
action_result.data.*.sandbox.*.extracted_files.*.file_path | string | %APPDATA%\Test\Windows\Recent\CustomDestinations\RB7520AO5Z28DRA0CR4G.temp | |
action_result.data.*.sandbox.*.extracted_files.*.file_size | numeric | 4286 | |
action_result.data.*.sandbox.*.extracted_files.*.md5 | string | md5 |
da597791be3b6e732f0bc8b20e38ee62 |
action_result.data.*.sandbox.*.extracted_files.*.name | string | search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico | |
action_result.data.*.sandbox.*.extracted_files.*.runtime_process | string | iexplore.exe (PID: 3508) | |
action_result.data.*.sandbox.*.extracted_files.*.sha1 | string | sha1 |
1125c45d285c360542027d7554a5c442288974de |
action_result.data.*.sandbox.*.extracted_files.*.sha256 | string | sha256 |
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable | string | no specific threat | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename | string | ver718B.tmp | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process | string | iexplore.exe | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source | string | Runtime Data | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type | string | Unicode | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value | string | %LOCALAPPDATA%\Test\Internet Explorer\Recovery\High\Active\{EAD6EFB1-2090-11E8-9BD7-0A00274B5076}.dat | |
action_result.data.*.sandbox.*.file_imports.*.module | string | KERNEL32.dll | |
action_result.data.*.sandbox.*.file_size | numeric | 70595 | |
action_result.data.*.sandbox.*.file_type | string | SVG Scalable Vector Graphics image | |
action_result.data.*.sandbox.*.http_requests.*.header | string | GET /gsr2/TESTMEgwRjAJBgUrDgMCGgUABBTgXIsxbvEXAMPLEkIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqTESTULg%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Test-CryptoAPI/10.0 Host: ocsp.pki.goog |
|
action_result.data.*.sandbox.*.http_requests.*.host | string | hostname |
ocsp.pki.goog |
action_result.data.*.sandbox.*.http_requests.*.host_ip | string | ip |
1X2.2X7.13.67 |
action_result.data.*.sandbox.*.http_requests.*.host_port | numeric | port |
80 |
action_result.data.*.sandbox.*.http_requests.*.method | string | GET | |
action_result.data.*.sandbox.*.http_requests.*.url | string | /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | |
action_result.data.*.sandbox.*.incidents.*.name | string | Network Behavior | |
action_result.data.*.sandbox.*.memory_strings_artifact_id | string | crowdstrike artifact id |
ba1b505d2495d9258817ae235fd12331ec1d6805543df5ff99c98168ff003af5 |
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id | string | T1179 | |
action_result.data.*.sandbox.*.mitre_attacks.*.tactic | string | Persistence | |
action_result.data.*.sandbox.*.mitre_attacks.*.technique | string | Hooking | |
action_result.data.*.sandbox.*.network_settings | string | tor | |
action_result.data.*.sandbox.*.pcap_report_artifact_id | string | crowdstrike artifact id |
cce20f960ed692d8cd1e82418d98133c54eeb0e989941545a25e17c13629c9a6 |
action_result.data.*.sandbox.*.processes.*.command_line | string | C:\TestName.svg | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask | string | GENERIC_READ | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path | string | %WINDIR%\apppatch\sysmain.sdb | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type | string | CREATE | |
action_result.data.*.sandbox.*.processes.*.handles.*.id | numeric | 152 | |
action_result.data.*.sandbox.*.processes.*.handles.*.path | string | \Device\CNG | |
action_result.data.*.sandbox.*.processes.*.handles.*.type | string | FileHandle | |
action_result.data.*.sandbox.*.processes.*.icon_artifact_id | string | crowdstrike artifact id |
eed07c63db692d7cb4af1daa44bdc5b03a63050290277d1e383601de95c05775 |
action_result.data.*.sandbox.*.processes.*.name | string | iexplore.exe | |
action_result.data.*.sandbox.*.processes.*.normalized_path | string | %PROGRAMFILES%\internet explorer\iexplore.exe | |
action_result.data.*.sandbox.*.processes.*.parent_uid | string | 00079399-00003508 | |
action_result.data.*.sandbox.*.processes.*.pid | numeric | 3508 | |
action_result.data.*.sandbox.*.processes.*.process_flags.*.name | string | Reduced Monitoring | |
action_result.data.*.sandbox.*.processes.*.registry.*.key | string | TYPE | |
action_result.data.*.sandbox.*.processes.*.registry.*.operation | string | Write | |
action_result.data.*.sandbox.*.processes.*.registry.*.path | string | HKCU\SOFTWARE\Test\INTERNET EXPLORER\VERSIONMANAGER\LASTUPDATELOWDATETIME | |
action_result.data.*.sandbox.*.processes.*.registry.*.status | string | c0000022 | |
action_result.data.*.sandbox.*.processes.*.registry.*.status_human_readable | string | STATUS_ACCESS_DENIED | |
action_result.data.*.sandbox.*.processes.*.registry.*.value | string | C4110129 | |
action_result.data.*.sandbox.*.processes.*.sha256 | string | sha256 |
8dea16e513f70e1a98be6ec48439b5499d2c740247716f6bcb990b7c305ec0a0 |
action_result.data.*.sandbox.*.processes.*.uid | string | 00079399-00003508 | |
action_result.data.*.sandbox.*.sha256 | string | sha256 |
43e6a1253ebd103b93d50531ee05ba9cf7d87f043b6bca96a0edec311494d875 |
action_result.data.*.sandbox.*.signatures.*.attack_id | string | T1010 | |
action_result.data.*.sandbox.*.signatures.*.category | string | General | |
action_result.data.*.sandbox.*.signatures.*.description | string | "2XX.1XX.2XX.1X:8X" | |
action_result.data.*.sandbox.*.signatures.*.identifier | string | mutant-0 | |
action_result.data.*.sandbox.*.signatures.*.name | string | Creates mutants | |
action_result.data.*.sandbox.*.signatures.*.origin | string | Created Mutant | |
action_result.data.*.sandbox.*.signatures.*.relevance | numeric | 3 | |
action_result.data.*.sandbox.*.signatures.*.threat_level | numeric | 1 | |
action_result.data.*.sandbox.*.signatures.*.threat_level_human | string | informative | |
action_result.data.*.sandbox.*.signatures.*.type | numeric | 4 | |
action_result.data.*.sandbox.*.submission_type | string | file | |
action_result.data.*.sandbox.*.submit_name | string | Test Name | |
action_result.data.*.sandbox.*.suricata_alerts.*.category | string | Unknown Traffic | |
action_result.data.*.sandbox.*.suricata_alerts.*.description | string | ET USER_AGENTS Test Device Metadata Retrieval Client User-Agent | |
action_result.data.*.sandbox.*.suricata_alerts.*.destination_ip | string | ip |
1X4.1XX.8X.21 |
action_result.data.*.sandbox.*.suricata_alerts.*.destination_port | numeric | port |
80 |
action_result.data.*.sandbox.*.suricata_alerts.*.protocol | string | TCP | |
action_result.data.*.sandbox.*.suricata_alerts.*.sid | string | 2027390 | |
action_result.data.*.sandbox.*.threat_score | numeric | 35 | |
action_result.data.*.sandbox.*.verdict | string | no specific threat | |
action_result.data.*.sandbox.*.version_info.*.id | string | LegalCopyright | |
action_result.data.*.sandbox.*.version_info.*.value | string | Copyright (C) Test Corp. 1981-1998 | |
action_result.data.*.sandbox.*.windows_version_bitness | numeric | 64 | |
action_result.data.*.sandbox.*.windows_version_edition | string | Professional | |
action_result.data.*.sandbox.*.windows_version_name | string | Windows 10 | |
action_result.data.*.sandbox.*.windows_version_service_pack | string | Service Pack 1 | |
action_result.data.*.sandbox.*.windows_version_version | string | 10.0 (build 16299) | |
action_result.data.*.threat_graph.indicators.*.global_prevalence | string | common | |
action_result.data.*.threat_graph.indicators.*.type | string | sha256 | |
action_result.data.*.threat_graph.indicators.*.value | string | 7ef166e82439ea3cafcb28754245325bfbf73e4eb94041bd77fd5c961924709c | |
action_result.data.*.user_id | string | b1cab7e2bda14722aca74b8353f5f6d9 | |
action_result.data.*.user_name | string | testuser@soar.us | |
action_result.data.*.user_tags | string | test_tag1 | |
action_result.data.*.user_uuid | string | b6330292-28e6-4198-994d-96f327c5b5bd | |
action_result.data.*.verdict | string | no specific threat | |
action_result.summary.total_reports | numeric | 1 | |
action_result.summary.verdict | string | suspicious | |
action_result.message | string | Verdict: no specific threat, Total reports: 1 Total reports: 6 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Upload an url to CrowdStrike and retrieve the analysis results
Type: generic
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
url | required | URL to query | string | url |
environment | required | Sandbox environment to be used for analysis | string | crowdstrike environment |
limit | optional | Maximum reports to be fetched | numeric | |
offset | optional | Starting index of overall result set from which to return ids (Defaults to 0) | numeric | |
document_password | optional | Password of the document if password protected (Max length: 32 characters) | string | |
command_line | optional | Command line script passed to the submitted file at runtime (Max length: 2048 characters) | string | |
user_tags | optional | Comma seperated list of user tags (Max length: 100 characters per tag) | string | |
sort | optional | Property to sort by | string | |
action_script | optional | Runtime script for sandbox analysis | string | |
detail_report | optional | Get the detailed report | boolean | |
enable_tor | optional | To route the sandbox network traffic via TOR | boolean |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.action_script | string | default | |
action_result.parameter.command_line | string | ||
action_result.parameter.detail_report | boolean | True False | |
action_result.parameter.document_password | string | test_password | |
action_result.parameter.enable_tor | boolean | True False | |
action_result.parameter.environment | string | crowdstrike environment |
Windows 10, 64-bit |
action_result.parameter.limit | numeric | 5 | |
action_result.parameter.offset | numeric | 5 | |
action_result.parameter.sort | string | created_timestamp.asc | |
action_result.parameter.url | string | url |
https://www.test.com |
action_result.parameter.user_tags | string | test_tag1 | |
action_result.data.*.cid | string | 3061c7ff3b634e22b38274d4b586558e | |
action_result.data.*.created_timestamp | string | date |
2021-05-14T10:03:35Z |
action_result.data.*.id | string | crowdstrike resource id |
3061c7ff3b634e22b38274d4b586558e_5e2ec86aa5e444ac93d298df547e4d40 |
action_result.data.*.ioc_report_broad_csv_artifact_id | string | crowdstrike artifact id |
3b4ca1c6dd800fa60aaa4eb7154da76da7604067bcb3df160caa984ed7eabf3e |
action_result.data.*.ioc_report_broad_json_artifact_id | string | crowdstrike artifact id |
5b7554048df30cb234d11a9d4d77a64e9f033dbe53265ee9a0e74fd7f803cf59 |
action_result.data.*.ioc_report_broad_maec_artifact_id | string | crowdstrike artifact id |
eefd76de04f16b6187d0f2b728dafec578e47cbfec140e7a6735f2f173d0cbcf |
action_result.data.*.ioc_report_broad_stix_artifact_id | string | crowdstrike artifact id |
bb6089f7c2da27e70eb93447a724287572d3b4cac1c91e78edc264ee30dc401d |
action_result.data.*.ioc_report_strict_csv_artifact_id | string | crowdstrike artifact id |
3b4ca1c6dd800fa60aaa4eb7154da76da7604067bcb3df160caa984ed7eabf3e |
action_result.data.*.ioc_report_strict_json_artifact_id | string | crowdstrike artifact id |
5b7554048df30cb234d11a9d4d77a64e9f033dbe53265ee9a0e74fd7f803cf59 |
action_result.data.*.ioc_report_strict_maec_artifact_id | string | crowdstrike artifact id |
eefd76de04f16b6187d0f2b728dafec578e47cbfec140e7a6735f2f173d0cbcf |
action_result.data.*.ioc_report_strict_stix_artifact_id | string | crowdstrike artifact id |
bb6089f7c2da27e70eb93447a724287572d3b4cac1c91e78edc264ee30dc401d |
action_result.data.*.malquery.*.input | string | http://mm.test.com | |
action_result.data.*.malquery.*.resources.*.family | string | Coinminer | |
action_result.data.*.malquery.*.resources.*.file_size | numeric | 2313692 | |
action_result.data.*.malquery.*.resources.*.file_type | string | PCAP | |
action_result.data.*.malquery.*.resources.*.first_seen_timestamp | string | date |
2021-05-26T00:00:00Z |
action_result.data.*.malquery.*.resources.*.label | string | unknown | |
action_result.data.*.malquery.*.resources.*.md5 | string | md5 |
4446a961902d0094397a071d75e4abf8 |
action_result.data.*.malquery.*.resources.*.sha1 | string | sha1 |
cb1c5bb0d84e3efb978efede256ebec5308873c0 |
action_result.data.*.malquery.*.resources.*.sha256 | string | sha256 |
0091a4c5bc7bea90faadeee2ae71bd29e131d3f59f8ffb9f58ec7276953fafe5 |
action_result.data.*.malquery.*.type | string | url | |
action_result.data.*.malquery.*.verdict | string | unknown | |
action_result.data.*.origin | string | apigateway | |
action_result.data.*.sandbox.*.architecture | string | WINDOWS | |
action_result.data.*.sandbox.*.contacted_hosts.*.address | string | ip |
1XX.2XX.7X.1XX |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name | string | Testedgecp.exe | |
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid | numeric | 1600 | |
action_result.data.*.sandbox.*.contacted_hosts.*.country | string | Test Name | |
action_result.data.*.sandbox.*.contacted_hosts.*.port | numeric | 443 | |
action_result.data.*.sandbox.*.contacted_hosts.*.protocol | string | TCP | |
action_result.data.*.sandbox.*.dns_requests.*.address | string | ip |
1XX.2X.X.X |
action_result.data.*.sandbox.*.dns_requests.*.country | string | Test Name | |
action_result.data.*.sandbox.*.dns_requests.*.domain | string | domain url |
www.test.com |
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp | string | date |
2007-11-13T00:00:00+00:00 |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name | string | RegistryGate GmbH | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers | string | NS-1109.AWSDNS-10.ORG | |
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization | string | Creationes Virtuales CV GmbH | |
action_result.data.*.sandbox.*.environment | numeric | 160 | |
action_result.data.*.sandbox.*.environment_description | string | crowdstrike environment |
Windows 10 64 bit |
action_result.data.*.sandbox.*.environment_id | numeric | 100 | |
action_result.data.*.sandbox.*.error_message | string | The requested environment ID "300" and file type "url" have no available execution environment | |
action_result.data.*.sandbox.*.error_origin | string | CLIENT | |
action_result.data.*.sandbox.*.error_type | string | FILE_TYPE_BAD_ERROR | |
action_result.data.*.sandbox.*.extracted_files.*.description | string | data | |
action_result.data.*.sandbox.*.extracted_files.*.file_path | string | %APPDATA%\Adobe\Acrobat\11.0\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl | |
action_result.data.*.sandbox.*.extracted_files.*.file_size | numeric | 637 | |
action_result.data.*.sandbox.*.extracted_files.*.md5 | string | md5 |
974e8536b8767ac5be204f35d16f73e8 |
action_result.data.*.sandbox.*.extracted_files.*.name | string | 0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl | |
action_result.data.*.sandbox.*.extracted_files.*.runtime_process | string | AcroRd32.exe (PID: 4084) | |
action_result.data.*.sandbox.*.extracted_files.*.sha1 | string | sha1 |
e847897947a3db26e35cb7d490c688e8c410dfb7 |
action_result.data.*.sandbox.*.extracted_files.*.sha256 | string | sha256 |
d1bb4b163fe01acc368a92b385bb0bd3a9fc2340b6d485b77a20553a713166d3 |
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable | string | no specific threat | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename | string | rundll32.exe | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process | string | AcroRd32.exe | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source | string | Process Commandline | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type | string | Ansi | |
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value | string | "%WINDIR%\system32\ieframe.dll",OpenURL C:\a3d7be9b5d8f9070d96789cdf7ee5ce2f1ee827f261faa0d43d4de605ad3194c.url | |
action_result.data.*.sandbox.*.file_size | numeric | 690028 | |
action_result.data.*.sandbox.*.file_type | string | PDF document, version 1.6 | |
action_result.data.*.sandbox.*.http_requests.*.header | string | GET /gsr2/EXAMPLEMEgwRjAJBgUrDgMCGgUABBTgXTEST2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBtTESTt39wZhi4CDQHjtJqhjYqpgSVpULg%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Test-CryptoAPI/10.0 Host: ocsp.pki.goog |
|
action_result.data.*.sandbox.*.http_requests.*.host | string | hostname |
ocsp.pki.goog |
action_result.data.*.sandbox.*.http_requests.*.host_ip | string | ip |
1XX.2XX.X.6X |
action_result.data.*.sandbox.*.http_requests.*.host_port | numeric | 80 | |
action_result.data.*.sandbox.*.http_requests.*.method | string | GET | |
action_result.data.*.sandbox.*.http_requests.*.url | string | url |
/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D |
action_result.data.*.sandbox.*.incidents.*.name | string | Network Behavior | |
action_result.data.*.sandbox.*.memory_strings_artifact_id | string | crowdstrike artifact id |
84626f942fc9dffdeb6facc2fb4a337bc8f52323a6a8be3e16d0c2ea57d30820 |
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id | string | T1085 | |
action_result.data.*.sandbox.*.mitre_attacks.*.tactic | string | Execution | |
action_result.data.*.sandbox.*.mitre_attacks.*.technique | string | Rundll32 | |
action_result.data.*.sandbox.*.network_settings | string | tor | |
action_result.data.*.sandbox.*.pcap_report_artifact_id | string | crowdstrike artifact id |
506bc12accb770cdb032ad567ee478842a8cf1506ce9658f78f46d6b6cc65099 |
action_result.data.*.sandbox.*.processes.*.command_line | string | "%WINDIR%\system32\ieframe.dll",OpenURL C:\a3d7be9b5d8f9070d96789cdf7ee5ce2f1ee827f261faa0d43d4de605ad3194c.url | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask | string | GENERIC_READ | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path | string | %WINDIR%\apppatch\sysmain.sdb | |
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type | string | CREATE | |
action_result.data.*.sandbox.*.processes.*.handles.*.id | numeric | 176 | |
action_result.data.*.sandbox.*.processes.*.handles.*.path | string | \Device\CNG | |
action_result.data.*.sandbox.*.processes.*.handles.*.type | string | FileHandle | |
action_result.data.*.sandbox.*.processes.*.icon_artifact_id | string | crowdstrike artifact id |
25f2b36dff5226562d05a905dae09c7e4ef627528e74dd5b95cc3575da3697dd |
action_result.data.*.sandbox.*.processes.*.name | string | rundll32.exe | |
action_result.data.*.sandbox.*.processes.*.normalized_path | string | %WINDIR%\System32\rundll32.exe | |
action_result.data.*.sandbox.*.processes.*.pid | numeric | 4340 | |
action_result.data.*.sandbox.*.processes.*.process_flags.*.name | string | Reduced Monitoring | |
action_result.data.*.sandbox.*.processes.*.registry.*.key | string | BLASTEXITNORMAL | |
action_result.data.*.sandbox.*.processes.*.registry.*.operation | string | Delete | |
action_result.data.*.sandbox.*.processes.*.registry.*.path | string | HKLM\SYSTEM\ACROBATVIEWERCPP473\ | |
action_result.data.*.sandbox.*.processes.*.registry.*.value | string | 00000000 | |
action_result.data.*.sandbox.*.processes.*.sha256 | string | sha256 |
b1e6a7a3e2597e51836277a32b2bc61aa781c8f681d44dfddea618b32e2bf2a6 |
action_result.data.*.sandbox.*.processes.*.uid | string | 00177892-00004340 | |
action_result.data.*.sandbox.*.sha256 | string | sha256 |
a3d7be9b5d8f9070d96789cdf7ee5ce2f1ee827f261faa0d43d4de605ad3194c |
action_result.data.*.sandbox.*.signatures.*.attack_id | string | T1085 | |
action_result.data.*.sandbox.*.signatures.*.category | string | General | |
action_result.data.*.sandbox.*.signatures.*.description | string | "www.test.com" | |
action_result.data.*.sandbox.*.signatures.*.identifier | string | network-0 | |
action_result.data.*.sandbox.*.signatures.*.name | string | Contacts domains | |
action_result.data.*.sandbox.*.signatures.*.origin | string | Network Traffic | |
action_result.data.*.sandbox.*.signatures.*.relevance | numeric | 1 | |
action_result.data.*.sandbox.*.signatures.*.threat_level | numeric | 1 | |
action_result.data.*.sandbox.*.signatures.*.threat_level_human | string | informative | |
action_result.data.*.sandbox.*.signatures.*.type | numeric | 7 | |
action_result.data.*.sandbox.*.submission_type | string | page_url | |
action_result.data.*.sandbox.*.submit_name | string | whatami | |
action_result.data.*.sandbox.*.submit_url | string | url |
hxxps://test.com |
action_result.data.*.sandbox.*.threat_score | numeric | 35 | |
action_result.data.*.sandbox.*.verdict | string | no specific threat | |
action_result.data.*.sandbox.*.windows_version_bitness | numeric | 64 | |
action_result.data.*.sandbox.*.windows_version_edition | string | Professional | |
action_result.data.*.sandbox.*.windows_version_name | string | Windows 10 | |
action_result.data.*.sandbox.*.windows_version_version | string | 10.0 (build 16299) | |
action_result.data.*.user_id | string | 225bf5b4490348d9a1eacddc61501c09 | |
action_result.data.*.user_name | string | Test user | |
action_result.data.*.user_tags | string | test_tag1 | |
action_result.data.*.user_uuid | string | b6330292-28e6-4198-994d-96f327c5b5bd | |
action_result.data.*.verdict | string | no specific threat | |
action_result.summary.total_reports | numeric | 5 | |
action_result.summary.verdict | string | suspicious | |
action_result.message | string | Verdict: no specific threat, Total reports: 1 Total reports: 6 | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
To check detonation status of the provided resource id
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
resource_id | required | Id of the resource | string | crowdstrike resource id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.resource_id | string | crowdstrike resource id |
3061c7ff3b634e22b38274d4b586558e_48004b5623af49ce9442d4bafd8e7b3d |
action_result.data | string | ||
action_result.data.*.cid | string | 3061c7ff3b634e22b38274d4b586558e | |
action_result.data.*.created_timestamp | string | date |
2021-05-15T13:12:02Z |
action_result.data.*.id | string | crowdstrike resource id |
3061c7ff3b634e22b38274d4b586558e_48004b5623af49ce9442d4bafd8e7b3d |
action_result.data.*.origin | string | uiproxy | |
action_result.data.*.sandbox.*.action_script | string | default | |
action_result.data.*.sandbox.*.command_line | string | taskkill /IM * | |
action_result.data.*.sandbox.*.enable_tor | boolean | True | |
action_result.data.*.sandbox.*.environment_id | numeric | 160 | |
action_result.data.*.sandbox.*.network_settings | string | default | |
action_result.data.*.sandbox.*.sha256 | string | sha256 |
70641a2ef9a116fa7f5b1376654657926a91a2bed913837c62f5598c77a3e191 |
action_result.data.*.sandbox.*.submit_name | string | example.csv | |
action_result.data.*.sandbox.*.url | string | url |
hxxps://www.test.com |
action_result.data.*.state | string | success | |
action_result.data.*.user_id | string | 225bf5b4490348d9a1eacddc61501c09 | |
action_result.data.*.user_name | string | test_user | |
action_result.data.*.user_uuid | string | b6330292-28e6-4198-994d-96f327c5b5bd | |
action_result.summary.state | string | success | |
action_result.message | string | State: success | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
Type: investigate
Read only: True
More info can be found at here.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
offset | optional | The offset to page from, for the next result set | string | |
limit | optional | The maximum records to return. [1-5000] | numeric | |
sort | optional | The property to sort by (e.g. status.desc or hostname.asc) | string | |
filter | optional | The offset to page from, for the next result set | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.filter | string | platform_name:'windows' | |
action_result.parameter.limit | numeric | 120 | |
action_result.parameter.offset | string | ||
action_result.parameter.sort | string | status.desc | |
action_result.data.*.errors.*.code | string | ||
action_result.data.*.errors.*.id | string | ||
action_result.data.*.errors.*.message | string | ||
action_result.data.*.meta.pagination.expires_at | numeric | 1632462683095273200 | |
action_result.data.*.meta.pagination.limit | string | ||
action_result.data.*.meta.pagination.offset | string | ||
action_result.data.*.meta.pagination.total | numeric | 2 | |
action_result.data.*.meta.powered_by | string | device-api | |
action_result.data.*.meta.query_time | numeric | 0.004875208 | |
action_result.data.*.meta.trace_id | string | 008a2081-1ad7-4e80-a2cc-0acc1562302b | |
action_result.data.*.resources | string | crowdstrike device id |
12e75112bdc44ac7a60b5ad1d2765303 |
action_result.summary | string | ||
action_result.message | string | Device scroll fetched successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID)
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
agent_id | required | Agent ID to get zero trust assessment data about. Comma-separated list allowed | string | crowdstrike device id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.agent_id | string | crowdstrike device id |
95969e1abbea43bdaf6cc50c9b4aec2e,46592f3d661a469eb2503d72a29afd3a |
action_result.data.*.aid | string | crowdstrike device id |
95969e1abbea43bdaf6cc50c9b4aec2e |
action_result.data.*.assessment.os | numeric | 38 | |
action_result.data.*.assessment.overall | numeric | 32 | |
action_result.data.*.assessment.sensor_config | numeric | 29 | |
action_result.data.*.assessment.version | string | 3.3.0 | |
action_result.data.*.assessment_items.os_signals.*.criteria | string | Kernel Mode Code Integrity: enabled | |
action_result.data.*.assessment_items.os_signals.*.group_name | string | Windows 10 | |
action_result.data.*.assessment_items.os_signals.*.meets_criteria | string | no | |
action_result.data.*.assessment_items.os_signals.*.signal_id | string | windows_os_build | |
action_result.data.*.assessment_items.os_signals.*.signal_name | string | Windows OS Build | |
action_result.data.*.assessment_items.sensor_signals.*.criteria | string | Spotlight: enabled | |
action_result.data.*.assessment_items.sensor_signals.*.group_name | string | Sensor | |
action_result.data.*.assessment_items.sensor_signals.*.meets_criteria | string | no | |
action_result.data.*.assessment_items.sensor_signals.*.signal_id | string | spotlight_enabled | |
action_result.data.*.assessment_items.sensor_signals.*.signal_name | string | Spotlight | |
action_result.data.*.cid | string | crowdstrike customer id |
3061c7ff3b634e22b38274d4b586558e |
action_result.data.*.event_platform | string | Win | |
action_result.data.*.modified_time | string | 2022-03-21T23:07:13Z | |
action_result.data.*.product_type_desc | string | Server | |
action_result.data.*.sensor_file_status | string | not deployed | |
action_result.data.*.system_serial_number | string | VMware-42 2a 23 c9 7f 05 df a5-23 51 df 2c 02 ce 36 fb | |
action_result.summary | string | ||
action_result.message | string | Zero Trust Assessment data fetched successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Create an empty IOA Rule Group
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
name | required | Name of the new Rule Group | string | |
description | required | Longer description for the new Rule Group | string | |
platform | required | Platform that this Rule Group applies to | string | |
enabled | optional | Enable the new Rule Group immediately upon creation | boolean | |
policy_id | optional | Prevention Policy ID to assign the new Rule Group to | string | crowdstrike prevention policy id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.name | string | my_rule_group | |
action_result.parameter.description | string | Custom rule group | |
action_result.parameter.platform | string | windows mac linux | |
action_result.parameter.enabled | boolean | True False | |
action_result.parameter.policy_id | string | crowdstrike prevention policy id |
2018f9894359493cb756bfa7dd3357a6 |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.data.*.resources.*.id | string | crowdstrike ioa rule group id |
3263801f7612424ba923f4e6e4bfe2f2 |
action_result.data.*.resources.*.customer_id | string | crowdstrike customer id |
4061c7ff3b634e22b38274d4b586554r |
action_result.data.*.resources.*.enabled | boolean | True False | |
action_result.data.*.resources.*.name | string | my_rule_group | |
action_result.data.*.resources.*.description | string | Custom rule group | |
action_result.data.*.resources.*.platform | string | windows mac linux | |
action_result.data.*.resources.*.deleted | boolean | True False | |
action_result.data.*.resources.*.rule_ids.* | string | crowdstrike ioa rule id |
6 |
action_result.data.*.resources.*.comment | string | Updated description | |
action_result.data.*.resources.*.version | numeric | 1 | |
action_result.data.*.resources.*.created_by | string | crowdstrike user id |
65f616497d0d40d4b6e7a68389323605 |
action_result.data.*.resources.*.created_on | string | 2024-01-25T19:17:02.117884262Z | |
action_result.data.*.resources.*.modified_by | string | crowdstrike user id |
65f616497d0d40d4b6e7a68389323605 |
action_result.data.*.resources.*.modified_on | string | 2024-01-25T19:17:02.117884262Z | |
action_result.data.*.resources.*.committed_on | string | 0001-01-01T00:00:00Z | |
action_result.data.*.resources.*.assigned_policy_ids.* | string | crowdstrike prevention policy id |
2018f9894359493cb756bfa7dd3357a6 |
action_result.summary.rule_group_id | string | ||
action_result.message | string | Rule Group created successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Modify an existing IOA Rule Group
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
id | required | Rule Group ID | string | crowdstrike ioa rule group id |
version | required | Latest version of this Rule Group | numeric | |
name | required | Name of the Rule Group | string | |
description | required | Longer description for the Rule Group | string | |
enabled | optional | Enable or disable the Rule Group | boolean | |
comment | required | Comment for the audit log | string | |
assign_policy_id | optional | Prevention Policy ID to assign the Rule Group to | string | crowdstrike prevention policy id |
remove_policy_id | optional | Prevention Policy ID to remove the Rule Group from | string | crowdstrike prevention policy id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.id | string | crowdstrike ioa rule group id |
3263801f7612424ba923f4e6e4bfe2f2 |
action_result.parameter.version | numeric | 1 | |
action_result.parameter.name | string | my_rule_group | |
action_result.parameter.description | string | Custom rule group | |
action_result.parameter.enabled | boolean | True False | |
action_result.parameter.comment | boolean | Updated rule description | |
action_result.parameter.assign_policy_id | string | crowdstrike prevention policy id |
2018f9894359493cb756bfa7dd3357a6 |
action_result.parameter.remove_policy_id | string | crowdstrike prevention policy id |
2018f9894359493cb756bfa7dd3357a6 |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.data.*.resources.*.id | string | crowdstrike ioa rule group id |
3263801f7612424ba923f4e6e4bfe2f2 |
action_result.data.*.resources.*.customer_id | string | crowdstrike customer id |
4061c7ff3b634e22b38274d4b586554r |
action_result.data.*.resources.*.enabled | boolean | True False | |
action_result.data.*.resources.*.name | string | my_rule_group | |
action_result.data.*.resources.*.description | string | Custom rule group | |
action_result.data.*.resources.*.platform | string | windows mac linux | |
action_result.data.*.resources.*.deleted | boolean | True False | |
action_result.data.*.resources.*.rule_ids.* | string | crowdstrike ioa rule id |
6 |
action_result.data.*.resources.*.comment | string | Updated description | |
action_result.data.*.resources.*.version | numeric | 1 | |
action_result.data.*.resources.*.created_by | string | crowdstrike user id |
65f616497d0d40d4b6e7a68389323605 |
action_result.data.*.resources.*.created_on | string | 2024-01-25T19:17:02.117884262Z | |
action_result.data.*.resources.*.modified_by | string | crowdstrike user id |
65f616497d0d40d4b6e7a68389323605 |
action_result.data.*.resources.*.modified_on | string | 2024-01-25T19:17:02.117884262Z | |
action_result.data.*.resources.*.committed_on | string | 0001-01-01T00:00:00Z | |
action_result.data.*.resources.*.assigned_policy_ids.* | string | crowdstrike prevention policy id |
2018f9894359493cb756bfa7dd3357a6 |
action_result.data.*.resources.*.removed_policy_ids.* | string | crowdstrike prevention policy id |
2018f9894359493cb756bfa7dd3357a6 |
action_result.summary.rule_group_id | string | ||
action_result.message | string | Rule Group updated successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Delete an existing IOA Rule Group
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
id | required | Rule Group ID | string | crowdstrike ioa rule group id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.id | string | crowdstrike ioa rule group id |
3263801f7612424ba923f4e6e4bfe2f2 |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.data.*.meta.writes.resources_affected | numeric | 1 | |
action_result.summary.resources_affected | string | ||
action_result.message | string | Deleted 1 rule groups | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
List valid platforms for IOA Rule Groups
Type: investigate
Read only: True
No parameters are required for this action
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.data.*.resources.* | string | windows mac linux | |
action_result.summary.result_count | numeric | ||
action_result.message | string | Found 3 rule groups | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
List IOA Rule Groups
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
fql_query | optional | FQL query to filter rule groups | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.fql_query | string | enabled: true + platform: 'mac' | |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.data.*.resources.*.instance_id | string | crowdstrike ioa rule id |
1 |
action_result.data.*.resources.*.customer_id | string | crowdstrike customer id |
4061c7ff3b634e22b38274d4b586554r |
action_result.data.*.resources.*.ruletype_id | string | 5 | |
action_result.data.*.resources.*.ruletype_name | string | Process Creation | |
action_result.data.*.resources.*.comment | string | Created rule | |
action_result.data.*.resources.*.enabled | boolean | True False | |
action_result.data.*.resources.*.deleted | boolean | True False | |
action_result.data.*.resources.*.magic_cookie | numeric | 2 | |
action_result.data.*.resources.*.rulegroup_id | string | crowdstrike ioa rule group id |
83f596d2f8c04f36ad39182311e90e3a |
action_result.data.*.resources.*.version_ids.* | string | 1 | |
action_result.data.*.resources.*.instance_version | numeric | 1 | |
action_result.data.*.resources.*.name | string | BugRule | |
action_result.data.*.resources.*.description | string | Stops the bug | |
action_result.data.*.resources.*.pattern_id | string | 41005 | |
action_result.data.*.resources.*.pattern_severity | string | critical | |
action_result.data.*.resources.*.action_label | string | Block Execution | |
action_result.data.*.resources.*.disposition_id | numeric | 30 | |
action_result.data.*.resources.*.field_values.*.name | string | GrandparentImageFilename | |
action_result.data.*.resources.*.field_values.*.value | string | (?i).+bug.exe | |
action_result.data.*.resources.*.field_values.*.label | string | Grandparent Image Filename | |
action_result.data.*.resources.*.field_values.*.type | string | excludable | |
action_result.data.*.resources.*.field_values.*.values.*.label | string | include | |
action_result.data.*.resources.*.field_values.*.values.*.value | string | .+bug.exe | |
action_result.data.*.resources.*.field_values.*.final_value | string | (?i).+bug.exe | |
action_result.summary.result_count | numeric | ||
action_result.message | string | Found 3 rule groups | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
List valid severity values for IOA rules
Type: investigate
Read only: True
No parameters are required for this action
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.data.*.resources.* | string | informational low medium high critical | |
action_result.summary.result_count | numeric | ||
action_result.message | string | Found 3 supported platforms | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
List valid types of IOA rules
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
platform | optional | Show only IOA types supported by the given platform | string |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.platform | string | mac linux windows | |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.data.*.resources.*.id | string | 1 | |
action_result.data.*.resources.*.name | string | Process Creation | |
action_result.data.*.resources.*.channel | numeric | 501 | |
action_result.data.*.resources.*.long_desc | string | Mac basic process custom template. Triggered off of CreateProcessPreventionQueryMac. | |
action_result.data.*.resources.*.released | boolean | True False | |
action_result.data.*.resources.*.fields.*.name | string | GrandparentImageFilename | |
action_result.data.*.resources.*.fields.*.label | string | Grandparent Image Filename | |
action_result.data.*.resources.*.fields.*.type | string | excludable | |
action_result.data.*.resources.*.fields.*.type.*.label | string | include | |
action_result.data.*.resources.*.fields.*.type.*.value | string | ||
action_result.data.*.resources.*.disposition_map.*.id | numeric | 10 | |
action_result.data.*.resources.*.disposition_map.*.label | string | Monitor | |
action_result.data.*.resources.*.fields_pretty | string | {} | |
action_result.summary.result_count | numeric | ||
action_result.message | string | Found 3 rule types | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Create a new IOA Rule
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
rule_group_id | required | Rule Group ID in which to create this rule | string | crowdstrike ioa rule group id |
name | required | Rule name | string | |
description | required | Rule description | string | |
severity | required | Rule severity (run the "list ioa severities" action to find valid severities) | string | |
rule_type_id | required | Rule type to create (run the "list ioa types" action to find valid types of rules and their IDs and parameters) | numeric | |
disposition_id | required | The action that the rule should take when triggered (valid dispositions can be found in the "list ioa types" output) | numeric | |
field_values | required | JSON list of parameters to pass to the new rule (valid fields can be found in the "list ioa types" output) | string | |
comment | optional | Comment for the audit log (optional) | string | |
enabled | optional | Enable this rule immediately | boolean |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.rule_group_id | string | crowdstrike ioa rule group id |
83f596d2f8c04f36ad39182311e90e3a |
action_result.parameter.name | string | BugRule | |
action_result.parameter.description | string | Stops the bug | |
action_result.parameter.severity | string | critical | |
action_result.parameter.rule_type_id | numeric | 5 | |
action_result.parameter.disposition_id | numeric | 30 | |
action_result.parameter.field_values | string | {"label":"Grandparent Image Filename","name":"GrandparentImageFilename","type":"excludable","values":[{"label":"include","value":".+bug.exe"}]}] | |
action_result.parameter.comment | string | Example comment | |
action_result.parameter.enabled | boolean | True False | |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.data.*.resources.*.instance_id | string | crowdstrike ioa rule id |
1 |
action_result.data.*.resources.*.customer_id | string | crowdstrike customer id |
4061c7ff3b634e22b38274d4b586554r |
action_result.data.*.resources.*.ruletype_id | string | 5 | |
action_result.data.*.resources.*.ruletype_name | string | Process Creation | |
action_result.data.*.resources.*.comment | string | Created rule | |
action_result.data.*.resources.*.enabled | boolean | True False | |
action_result.data.*.resources.*.deleted | boolean | True False | |
action_result.data.*.resources.*.magic_cookie | numeric | 2 | |
action_result.data.*.resources.*.rulegroup_id | string | crowdstrike ioa rule group id |
83f596d2f8c04f36ad39182311e90e3a |
action_result.data.*.resources.*.version_ids.* | string | 1 | |
action_result.data.*.resources.*.instance_version | numeric | 1 | |
action_result.data.*.resources.*.name | string | BugRule | |
action_result.data.*.resources.*.description | string | Stops the bug | |
action_result.data.*.resources.*.pattern_id | string | 41005 | |
action_result.data.*.resources.*.pattern_severity | string | critical | |
action_result.data.*.resources.*.action_label | string | Block Execution | |
action_result.data.*.resources.*.disposition_id | numeric | 30 | |
action_result.data.*.resources.*.field_values.*.name | string | GrandparentImageFilename | |
action_result.data.*.resources.*.field_values.*.value | string | (?i).+bug.exe | |
action_result.data.*.resources.*.field_values.*.label | string | Grandparent Image Filename | |
action_result.data.*.resources.*.field_values.*.type | string | excludable | |
action_result.data.*.resources.*.field_values.*.values.*.label | string | include | |
action_result.data.*.resources.*.field_values.*.values.*.value | string | .+bug.exe | |
action_result.data.*.resources.*.field_values.*.final_value | string | (?i).+bug.exe | |
action_result.summary.rule_group_id | string | crowdstrike ioa rule group id |
83f596d2f8c04f36ad39182311e90e3a |
action_result.summary.rule_id | string | crowdstrike ioa rule id |
1 |
action_result.message | string | Rule created successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Update an existing IOA Rule
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
rule_group_id | required | Rule Group ID containing the rule | string | crowdstrike ioa rule group id |
rule_group_version | required | Latest version of Rule Group | numeric | |
rule_id | required | Rule ID to update | string | crowdstrike ioa rule id |
rule_version | required | Latest version of Rule | numeric | |
name | required | Rule name | string | |
description | required | Rule description | string | |
severity | required | Rule severity (run the "list ioa severities" action to find valid severities) | string | |
disposition_id | required | The action that the rule should take when triggered (valid dispositions can be found in the "list ioa types" output) | numeric | |
field_values | required | JSON list of parameters to pass to the new rule (valid fields can be found in the "list ioa types" output) | string | |
comment | optional | Comment for the audit log (optional) | string | |
enabled | optional | Enable this rule | boolean |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.rule_group_id | string | crowdstrike ioa rule group id |
83f596d2f8c04f36ad39182311e90e3a |
action_result.parameter.rule_group_version | numeric | 2 | |
action_result.parameter.rule_id | string | crowdstrike ioa rule id |
1 |
action_result.parameter.rule_version | numeric | 1 | |
action_result.parameter.name | string | BugRule | |
action_result.parameter.description | string | Stops the bug | |
action_result.parameter.severity | string | critical | |
action_result.parameter.disposition_id | numeric | 30 | |
action_result.parameter.field_values | string | {"label":"Grandparent Image Filename","name":"GrandparentImageFilename","type":"excludable","values":[{"label":"include","value":".+bug.exe"}]}] | |
action_result.parameter.comment | string | Example comment | |
action_result.parameter.enabled | boolean | True False | |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.data.*.resources.*.id | string | crowdstrike ioa rule group id |
83f596d2f8c04f36ad39182311e90e3a |
action_result.data.*.resources.*.name | string | Bug Rule Group | |
action_result.data.*.resources.*.rules.*.name | string | BugRule | |
action_result.data.*.resources.*.rules.*.comment | string | Updated the thing | |
action_result.data.*.resources.*.rules.*.deleted | boolean | True False | |
action_result.data.*.resources.*.rules.*.enabled | boolean | True False | |
action_result.data.*.resources.*.rules.*.created_by | string | crowdstrike unique user id |
bb777249-c782-4434-b57a-f15ac742926c |
action_result.data.*.resources.*.rules.*.created_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.resources.*.rules.*.pattern_id | string | 41007 | |
action_result.data.*.resources.*.rules.*.customer_id | string | crowdstrike customer id |
4061c7ff3b634e22b38274d4b586554r |
action_result.data.*.resources.*.rules.*.description | string | Stops the bug | |
action_result.data.*.resources.*.rules.*.modified_by | string | crowdstrike unique user id |
bb777249-c782-4434-b57a-f15ac742926c |
action_result.data.*.resources.*.rules.*.modified_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.resources.*.rules.*.ruletype_id | string | ||
action_result.data.*.resource.*.rules.*.version_ids.* | string | ||
action_result.data.*.resource.*.rules.*.action_label | string | ||
action_result.data.*.resources.*.rules.*.committed_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.resources.*.rules.*.field_values.*.name | string | GrandparentImageFilename | |
action_result.data.*.resources.*.rules.*.field_values.*.value | string | (?i).+bug.exe | |
action_result.data.*.resources.*.rules.*.field_values.*.label | string | Grandparent Image Filename | |
action_result.data.*.resources.*.rules.*.field_values.*.type | string | excludable | |
action_result.data.*.resources.*.rules.*.field_values.*.values.*.label | string | include | |
action_result.data.*.resources.*.rules.*.field_values.*.values.*.value | string | .+bug.exe | |
action_result.data.*.resources.*.rules.*.field_values.*.final_value | string | (?i).+bug.exe | |
action_result.data.*.resources.*.rules.*.magic_cookie | numeric | 6 | |
action_result.data.*.resources.*.rules.*.rulegroup_id | string | crowdstrike ioa rule group id |
|
action_result.data.*.resources.*.rules.*.ruletype_name | string | Process Creation | |
action_result.data.*.resources.*.rules.*.disposition_id | numeric | 10 | |
action_result.data.*.resources.*.rules.*.instance_version | numeric | 3 | |
action_result.data.*.resources.*.rules.*.pattern_severity | string | medium | |
action_result.data.*.resources.*.comment | string | Created rule | |
action_result.data.*.resources.*.enabled | boolean | True False | |
action_result.data.*.resources.*.deleted | boolean | True False | |
action_result.data.*.resources.*.version | numeric | 2 | |
action_result.data.*.resources.*.platform | string | mac windows linux | |
action_result.data.*.resources.*.rule_ids.* | string | crowdstrike ioa rule id |
1 |
action_result.data.*.resources.*.created_by | string | crowdstrike unique user id |
bb777249-c782-4434-b57a-f15ac742926c |
action_result.data.*.resources.*.created_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.resources.*.customer_id | string | crowdstrike customer id |
4061c7ff3b634e22b38274d4b586554r |
action_result.data.*.resources.*.description | string | Stops the bug | |
action_result.data.*.resources.*.modified_by | string | crowdstrike unique user id |
bb777249-c782-4434-b57a-f15ac742926c |
action_result.data.*.resources.*.modified_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.data.*.resources.*.committed_on | string | date |
2021-09-15T09:52:27.651770437Z |
action_result.summary.rule_group_id | string | crowdstrike ioa rule group id |
83f596d2f8c04f36ad39182311e90e3a |
action_result.summary.rule_group_version | numeric | 1 | |
action_result.summary.rule_id | string | crowdstrike ioa rule id |
1 |
action_result.summary.rule_version | numeric | 1 | |
action_result.message | string | Rule updated successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |
Delete an existing IOA Rule
Type: contain
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
rule_group_id | required | Rule Group ID containing the rule | string | crowdstrike ioa rule group id |
rule_id | required | Rule ID to delete | string | crowdstrike ioa rule id |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.status | string | success failed | |
action_result.parameter.rule_group_id | string | crowdstrike ioa rule group id |
83f596d2f8c04f36ad39182311e90e3a |
action_result.parameter.rule_id | string | crowdstrike ioa rule id |
1 |
action_result.data.*.errors | string | ||
action_result.data.*.meta.powered_by | string | empower-api | |
action_result.data.*.meta.query_time | numeric | 5.917429897 | |
action_result.data.*.meta.trace_id | string | 6b7c63e1-0ebd-4121-90f3-cd53451be245 | |
action_result.summary.resources_affected | string | ||
action_result.message | string | Rule deleted successfully | |
summary.total_objects | numeric | 1 | |
summary.total_objects_successful | numeric | 1 |