CrowdStrike OAuth API

Publisher: Splunk
Connector Version: 4.3.0
Product Vendor: CrowdStrike
Product Name: CrowdStrike
Product Version Supported (regex): ".*"
Minimum Product Version: 6.2.1

This app integrates with CrowdStrike OAuth2 authentication standard to implement querying of endpoint security data

Steps to create API clients and key

• In Falcon UI, Go to menubar on the left, From Support and resources section, Select API clients and keys.
• Click on Create API client.
• Add Client name, Description(optional) and Scopes (defined below).
• Click on Create to obtain the Client ID and Client secret.

Minimal required scope(s) (Action wise)

Action	Required Scope(s)	Read	Write
test connectivity	Hosts	✓	✗
query device	Hosts	✓	✗
list groups	Host Groups	✓	✗
quarantine device	Hosts	✓	✓
unquarantine device	Hosts	✓	✓
assign hosts	Hosts Hosts Group	✓ ✗	✗ ✓
remove hosts	Hosts Hosts Group	✓ ✗	✗ ✓
create session	Real time response(RTR)	✓	✗
delete session	Real time response(RTR)	✓	✗
list detections	Detections	✓	✗
get detections details	Detections	✓	✗
update detections	Detections	✗	✓
list alerts	Alerts	✓	✗
list sessions	Real time response(RTR)	✓	✗
run command	Real time response(RTR)	✓	✗
run admin command	Real time response(admin)	✗	✓
get command details	Real time response(RTR)	✗	✓
list session files	Real time response(RTR)	✗	✓
get incident behaviors	Incidents	✓	✗
update incident	Incidents	✗	✓
list users	User Management	✓	✗
get user roles	User Management	✓	✗
list roles	User Management	✓	✗
get role	User Management	✓	✗
list crowdscores	Incidents	✓	✗
get incident details	Incidents	✓	✗
list incident behaviors	Incidents	✓	✗
list incidents	Incidents	✓	✗
get session file	Real time response(RTR)	✗	✓
set status	Detections	✗	✓
get system info	Hosts	✓	✗
get process detail	IOCs(Indicators of Compromise)	✓	✗
hunt file	IOCs(Indicators of Compromise)	✓	✗
hunt domain	IOCs(Indicators of Compromise)	✓	✗
hunt ip	IOCs(Indicators of Compromise)	✓	✗
upload put file	Real time response	✗	✓
get indicator	IOC Management	✓	✗
list custom indicators	IOC Management	✓	✗
list put files	Real time response(admin)	✗	✓
on poll	Event Stream	✓	✗
list processes	IOCs	✓	✗
upload indicator	IOC Management	✗	✓
delete indicator	IOC Management	✓	✓
update indicator	IOC Management	✗	✓
file reputation	Sandbox(Falcon Intelligence)	✓	✗
url reputation	Sandbox(Falcon Intelligence)	✓	✗
download report	Sandbox(Falcon Intelligence)	✓	✗
detonate file	Sandbox(Falcon Intelligence)	✓	✗
detonate url	Sandbox(Falcon Intelligence)	✓	✗
check status	Sandbox(Falcon Intelligence)	✓	✗
get device scroll	Hosts	✓	✗
get zta data	Zero Trust Assessment	✓	✗

Preprocess Script

The user can add a script file in the configuration parameter [ Script with functions to preprocess containers and artifacts ]. The script must contain a function with the name preprocess_container (to pre-process the containers and the artifacts) or else, it will throw an error.

App ID

• Optionally, you can specify an App ID to be used with the Crowdstrike OAuth API used in the on poll action. If one isn't set, it will default to the asset ID.
• It is recommended to have a unique App ID for each connection to the Crowdstrike OAuth API. That is to say, if you are planning on having multiple assets using the Crowdstrike OAuth API at once, you should give them unique App IDs.

On Poll

• Common points for both manual and scheduled interval polling
  • Default parameters of the On Poll action are ignored in the app. i.e. start_time, end_time, container_count, artifact_count
  • The app will fetch all the events based on the value specified in the configuration parameters [Maximum events to get while POLL NOW] (default 2000 if not specified) and [Maximum events to get while scheduled and interval polling] (default 10,000 if not specified). For ingestion, the events are fetched after filtering them based on the event type - DetectionSummaryEvent . The app will exit from the polling cycle in the below-mentioned 2 cases whichever is earlier.
    • If the total DetectionSummaryEvents fetched equals the value provided in the [Maximum events to get while POLL NOW] (for manual polling) or [Maximum events to get while scheduled and interval polling] (for scheduled | interval polling) parameters
    • If the total number of continuous blank lines encountered while streaming the data equals the value provided in the [Maximum allowed continuous blank lines] (default 50 if not specified) asset configuration parameter
  • The default behavior of the app is that each event will be placed in its container. By checking the configuration parameter [Merge containers for Hostname and Eventname] as well as specifying an interval in the configuration parameter [Merge same containers within specified seconds], all events which are of the same type and on the same host will be put into one container, as long as the time between those two events is less than the interval.
  • The [Maximum allowed continuous blank lines] asset configuration parameter will be used to indicate the allowed number of continuous blank lines while fetching DetectionSummaryEvents . For example, of the entire data of the DetectionSummaryEvents, some of the 'DetectionSummaryEvents' exists after 100 continuous blank lines and if you've set the [Maximum allowed continues blank lines] parameter value to 500, it will keep on ingesting all the 'DetectionSummaryEvents' until the code gets 500 continuous blank lines and hence, it will be able to cover the DetectionSummaryEvents successfully even after the 100 blank lines. If you set it to 50, it will break after the 50th blank line is encountered. Hence, it won't be able to ingest the events which exist after the 100 continuous blank lines because the code considers that after the configured value in the [Maximum allowed continuous blank lines] configuration parameter (here 50), there is no data available for the 'DetectionSummaryEvents'.
• Manual Polling
  • During manual poll now, the app starts from the first event that it can query up to the value configured in the configuration parameter [Maximum events to get while POLL NOW] and creates artifacts for all the fetched DetectionSummaryEvents. The last queried event's offset ID will not be remembered in Manual POLL NOW and it fetches everything every time from the beginning.
• Scheduled | Interval Polling
  • During scheduled | interval polling, the app starts from the first event that it can query up to the value configured in the configuration parameter [Maximum events to get while scheduled and interval polling] and creates artifacts for all the fetched DetectionSummaryEvents. Then, it remembers the last event's offset ID and stores it in the state file against the key [last_offset_id]. In the next scheduled poll run, it will start from the stored offset ID in the state file and will fetch the maximum events as configured in the [Maximum events to get while scheduled and interval polling] parameter.

The DetectionSummaryEvent is parsed to extract the following values into an Artifact.

Artifact Field	Event Field
cef.sourceUserName	UserName
cef.fileName	FileName
cef.filePath	FilePath
cef.sourceHostName	ComputerName
cef.sourceNtDomain	MachineDomain
cef.hash	MD5String
cef.hash	SHA1String
cef.hash	SHA256STring
cef.cs1	cmdLine

The app also parses the following sub-events into their own artifacts.

• Documents Accessed
• Executables Written
• Network Access
• Scan Result
• Quarantine Files
• DNS Requests

Each of the sub-events has a CEF key called parentSdi which stands for Parent Source Data Identifier. This is the value of the SDI of the main event that the sub-events were generated from.

Falcon X Sandbox Actions

This is different from Falcon Sandbox.

• Action - File Reputation, Url reputation

• Report of the resource will be fetched if it has been detonated previously on the CrowdStrike Server otherwise no data found message will be displayed to the user.

• Action - Download Report

• This action will download the resource report based on the provided artifact ID. Currently, we support the following Strict IOC CSV, Strict IOC JSON, Strict IOC STIX2.1, Strict IOC MAEC5.0, Broad IOC CSV, Broad IOC JSON, Broad IOC STIX2.1, Broad IOC MAEC5.0, Memory Strings, Icon, Screenshot artifact IDs.

• Action - Detonate File

• This action will upload the given file to the CrowdStrike sandbox and will submit it for analysis with the entered environment details. If the report of the given file is already present with the same environment, it will fetch the result and the file won't be submitted again.
• If the analysis is in progress and reaches the time entered in the detonate_timeout parameter, then this action will return the resource_id of the submitted file using which the submission status can be checked.
• If the submitted file will be analyzed within the entered time in the detonate_timeout parameter, its report will be fetched. Currently, these file types are supported .exe, .scr, .pif, .dll, .com, .cpl, etc., .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub, .pdf, Executable JAR, .sct, .lnk, .chm, .hta, .wsf, .js, .vbs, .vbe, .swf, pl, .ps1, .psd1, .psm1, .svg, .py, Linux ELF executables, .eml, .msg.

• Action - Detonate Url

• This action will submit the given URL for analysis with the entered environment details. If the report of the given URL is already present with the same environment, it will fetch the result and the url won't be submitted again.
• If the analysis is in progress and it reaches the time entered in the detonate_timeout parameter, then this action will return the resource_id of the submitted URL using which the status of the submission can be checked. If the analysis status is running then do not re-run the detonate URL action, otherwise, the URL will be again submitted for the analysis.
• If the submitted URL will be analyzed within the entered time in the detonate_timeout parameter, its report will be fetched. Currently, 3 domains of URL are supported http, https, and ftp.

• Action - Check Status

• This action will return the status of the given resource_id in case of timeout in detonate file and detonate URL actions.

Notes

• Action - List Alerts

• The filter parameter values follow the FQL Syntax .

• The sort parameter value has to be provided in the format property_name.asc for ascending and property_name.desc for descending order.

• The include_hidden parameter has been added to the action as it's behavior in the API has changed. In the prior API version, the default behavior of the include_hidden parameter was either not supported or defaulted to false. The latest version of the API now defaults include_hidden to true if it is not included in the API call. Therefore, we have included this parameter in the action configuration and set it to false by default in order to keep the action behavior consistent with the previous app version. Hidden alerts can be identified by the show_in_ui field of an alert object.

  If you experience any list alerts action failures in an existing playbook that passed in the previous version of the app, you may need to edit the action in the playbook and then save. This will then add the include_hidden field to the playbook action.

• Action - List Groups

• The filter parameter values follow the FQL Syntax .

• The sort parameter value has to be provided in the format property_name.asc for ascending and property_name.desc for descending order.

• Action - Query Device

• Both the filter and sort parameters follow the same concepts as mentioned above for the list groups action.

• Action - Assign Hosts, Remove Hosts, Quarantine Device, and Unquarantine Device

• The devices will be fetched based on the values provided in both the device_id and hostname parameters.
• If an incorrect value is provided in both the device_id and hostname parameters each, then, the action will fail with an appropriate error message.

• Action - List Session Files, Get Session File

• To add [session id] to the action parameters of these actions, a session with the Create Session action needs to be created. Also, the user can delete the session using the Delete Session action.

• Action - Run Command

• This action can run the below-mentioned RTR commands on the host:
  • cat
  • cd
  • env
  • eventlog
  • filehash
  • getsid
  • ipconfig
  • ls
  • mount
  • netstat
  • ps
  • reg query
• To add [session id] to the action parameters of these actions, a session with the Create Session action needs to be created. Also, the user can delete the session using the Delete Session action.
• Example action run: If "cd C:\some_directory" command needs to be run using this action, valid [device_id] and [session_id] parameters should be provided by the user. The user should select "cd" from the [command] dropdown parameter and provide "C:\some_directory" input in the [data] parameter.

• Action - Run Admin Command

• This action can run the below-mentioned RTR administrator commands on the host:
  • cat
  • cd
  • cp
  • encrypt
  • env
  • eventlog
  • filehash
  • get
  • getsid
  • ipconfig
  • kill
  • ls
  • map
  • memdump
  • mkdir
  • mount
  • mv
  • netstat
  • ps
  • put
  • reg query
  • reg set
  • reg delete
  • reg load
  • reg unload
  • restart
  • rm
  • run
  • runscript
  • shutdown
  • unmap
  • xmemdump
  • zip
• To add [session id] to the action parameters of these actions, a session with the Create Session action needs to be created. Also, the user can delete the session using the Delete Session action.
• Example action run: If "cd C:\some_directory" command needs to be run using this action, valid [device_id] and [session_id] parameters should be provided by the user. The user should select "cd" from the [command] dropdown parameter and provide "C:\some_directory" input in the [data] parameter.

Port Information

The app uses HTTP/HTTPS protocol for communicating with the Crowdstrike Server. Below are the default ports used by Splunk SOAR.

Service Name	Transport Protocol	Port
http	tcp	80
https	tcp	443

Playbook Backward Compatibility

• The output data-paths have been updated in the below-existing action. Hence, it is requested to update existing playbooks created in the earlier versions of the app by re-inserting | modifying | deleting the corresponding action blocks.

  • list users - Below output data-paths have been updated.

    • Updated name from 'customer' to 'cid'
    • Updated name from 'firstName' to 'first_name'
    • Updated name from 'lastName' to 'last_name'

Configuration Variables

The below configuration variables are required for this Connector to operate. These variables are specified when configuring a CrowdStrike asset in SOAR.

VARIABLE	REQUIRED	TYPE	DESCRIPTION
url	required	string	Base URL
place_holder	optional	ph	Placeholder
client_id	required	password	Client ID
client_secret	required	password	Client Secret
app_id	optional	string	App ID
max_events	optional	numeric	Maximum events to get for scheduled and interval polling
max_events_poll_now	optional	numeric	Maximum events to get while POLL NOW
collate	optional	boolean	Merge containers for hostname and eventname
merge_time_interval	optional	numeric	Merge same containers within specified seconds
max_crlf	optional	numeric	Maximum allowed continuous blank lines
preprocess_script	optional	file	Script with functions to preprocess containers and artifacts
detonate_timeout	optional	numeric	Timeout for detonation result in minutes (Default: 15 minutes)

Supported Actions

test connectivity - Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
query device - Fetch the device details based on the provided query
list groups - Fetch the details of the host groups
quarantine device - Block the device
unquarantine device - Unblock the device
assign hosts - Assign one or more hosts to the static host group
remove hosts - Remove one or more hosts from the static host group
create session - Initialize a new session with the Real Time Response cloud
delete session - Deletes a Real Time Response session
list detections - Get a list of detections
get detections details - Get a list of detections details by providing detection IDs
update detections - Update detections in crowdstrike host
list alerts - Get a list of alerts
list sessions - Lists Real Time Response sessions
run command - Execute an active responder command on a single host
run admin command - Execute an RTR Admin command on a single host
get command details - Retrieve results of an active responder command executed on a single host
list session files - Get a list of files for the specified RTR session
get incident behaviors - Get details on behaviors by providing behavior IDs
update incident - Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
list users - Get information about all users in your Customer ID
get user roles - Gets the roles that are assigned to the user
list roles - Get information about all user roles from your Customer ID
get role - Get information about all user roles from your Customer ID
list crowdscores - Query environment wide CrowdScore and return the entity data
get incident details - Get details on incidents by providing incident IDs
list incident behaviors - Search for behaviors by providing an FQL filter, sorting, and paging details
list incidents - Search for incidents by providing an FQL filter, sorting, and paging details
get session file - Get RTR extracted file contents for the specified session and sha256 and add it to the vault
set status - Set the state of a detection in Crowdstrike Host
get system info - Get details of a device, given the device ID
get process detail - Retrieve the details of a process that is running or that previously ran, given a process ID
hunt file - Hunt for a file on the network by querying for the hash
hunt domain - Get a list of device IDs on which the domain was matched
hunt ip - Get a list of device IDs on which the ip was matched
upload put file - Upload a new put-file to use for the RTR put command
get indicator - Get the full definition of one or more indicators that are being watched
list custom indicators - Queries for custom indicators in your customer account
list put files - Queries for files uploaded to Crowdstrike for use with the RTR put command
on poll - Callback action for the on_poll ingest functionality
list processes - List processes that have recently used the IOC on a particular device
upload indicator - Upload indicator that you want CrowdStrike to watch
delete indicator - Delete an indicator that is being watched
update indicator - Update an indicator that has been uploaded
file reputation - Queries CrowdStrike for the file info given a vault ID or a SHA256 hash, vault ID has higher priority than SHA256 hash if both are provided
url reputation - Queries CrowdStrike for the url info
download report - To download the report of the provided artifact id
detonate file - Upload a file to CrowdStrike and retrieve the analysis results
detonate url - Upload an url to CrowdStrike and retrieve the analysis results
check status - To check detonation status of the provided resource id
get device scroll - Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
get zta data - Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID)
create ioa rule group - Create an empty IOA Rule Group
update ioa rule group - Modify an existing IOA Rule Group
delete ioa rule group - Delete an existing IOA Rule Group
list ioa platforms - List valid platforms for IOA Rule Groups
list ioa rule groups - List IOA Rule Groups
list ioa severities - List valid severity values for IOA rules
list ioa types - List valid types of IOA rules
create ioa rule - Create a new IOA Rule
update ioa rule - Update an existing IOA Rule
delete ioa rule - Delete an existing IOA Rule

action: 'test connectivity'

Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials

Type: test
Read only: True

Action Parameters

No parameters are required for this action

Action Output

No Output

action: 'query device'

Fetch the device details based on the provided query

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
limit	optional	Maximum devices to be fetched	numeric
offset	optional	Starting index of overall result set from which to return ids. (Defaults to 0)	numeric
filter	optional	Filter expression used to limit the fetched devices (FQL Syntax)	string
sort	optional	Property to sort by	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.filter	string		hostname: 'E*' platform_name:'Windows'
action_result.parameter.limit	numeric		120
action_result.parameter.offset	numeric		10
action_result.parameter.sort	string		hostname.desc
action_result.data.*.agent_load_flags	string		1
action_result.data.*.agent_local_time	string		2019-06-13T10:46:11.024Z
action_result.data.*.agent_version	string		5.10.9106.0
action_result.data.*.bios_manufacturer	string		XYZ Technologies LTD
action_result.data.*.bios_version	string		6.00
action_result.data.*.build_number	string		17134
action_result.data.*.cid	string	md5	3061c7ff3b634e22b38274d4b586558e
action_result.data.*.config_id_base	string		65994753
action_result.data.*.config_id_build	string		9106
action_result.data.*.config_id_platform	string		3
action_result.data.*.connection_ip	string	ip	10.1.18.205
action_result.data.*.connection_mac_address	string		00-50-56-12-34-56
action_result.data.*.cpu_signature	string		329300
action_result.data.*.default_gateway_ip	string	ip	10.1.16.1
action_result.data.*.device_id	string	crowdstrike device id	07c312fabcb8473454d0a16f118928ab
action_result.data.*.device_policies.device_control.applied	boolean		True False
action_result.data.*.device_policies.device_control.applied_date	string		2019-04-18T13:16:17.246147089Z
action_result.data.*.device_policies.device_control.assigned_date	string		2019-04-18T13:09:53.221767635Z
action_result.data.*.device_policies.device_control.policy_id	string	md5	cb4babb273274f79a91e8a0e84164916
action_result.data.*.device_policies.device_control.policy_type	string		device-control
action_result.data.*.device_policies.firewall.applied	boolean		True False
action_result.data.*.device_policies.firewall.applied_date	string		2020-07-08T03:12:30.212194872Z
action_result.data.*.device_policies.firewall.assigned_date	string		2020-07-08T03:07:38.48127371Z
action_result.data.*.device_policies.firewall.policy_id	string		2018f9894359493cb756bfa7dd3357a6
action_result.data.*.device_policies.firewall.policy_type	string		firewall
action_result.data.*.device_policies.firewall.rule_set_id	string		2018f9894359493cb756bfa7dd3357a6
action_result.data.*.device_policies.global_config.applied	boolean		True False
action_result.data.*.device_policies.global_config.applied_date	string		2019-06-03T23:31:25.402021685Z
action_result.data.*.device_policies.global_config.assigned_date	string		2019-06-03T23:27:22.325516295Z
action_result.data.*.device_policies.global_config.policy_id	string	md5	49ee9efc99164562ad89640955f372ce
action_result.data.*.device_policies.global_config.policy_type	string		globalconfig
action_result.data.*.device_policies.global_config.settings_hash	string		a75911b0
action_result.data.*.device_policies.jumpcloud.applied	numeric		True
action_result.data.*.device_policies.jumpcloud.applied_date	string		2022-07-13T17:41:16.271074445Z
action_result.data.*.device_policies.jumpcloud.assigned_date	string		2022-07-13T17:40:53.552991354Z
action_result.data.*.device_policies.jumpcloud.policy_id	string	md5	234766dcce654217babcbaa247ca31f0
action_result.data.*.device_policies.jumpcloud.policy_type	string		jumpcloud
action_result.data.*.device_policies.jumpcloud.settings_hash	string	sha256	0aec295a677907c6e4de672edf1f172d2cefcc5ca96ed2b5e56f4d6745289694
action_result.data.*.device_policies.prevention.applied	boolean		True False
action_result.data.*.device_policies.prevention.applied_date	string		2019-04-03T23:57:05.493184498Z
action_result.data.*.device_policies.prevention.assigned_date	string		2019-04-03T23:53:41.614339193Z
action_result.data.*.device_policies.prevention.policy_id	string	md5	ad0dad6639454b4d8bbfc963bf9510c9
action_result.data.*.device_policies.prevention.policy_type	string		prevention
action_result.data.*.device_policies.prevention.settings_hash	string		4aa96e52
action_result.data.*.device_policies.remote_response.applied	boolean		True False
action_result.data.*.device_policies.remote_response.applied_date	string		2019-02-08T02:39:21.726331953Z
action_result.data.*.device_policies.remote_response.assigned_date	string		2019-02-08T02:36:05.073298048Z
action_result.data.*.device_policies.remote_response.policy_id	string	md5	6c74313d6c864180bd759c3235dbd550
action_result.data.*.device_policies.remote_response.policy_type	string		remote-response
action_result.data.*.device_policies.remote_response.settings_hash	string		f472bd8e
action_result.data.*.device_policies.sensor_update.applied	boolean		True False
action_result.data.*.device_policies.sensor_update.applied_date	string		2019-05-30T23:21:58.956282211Z
action_result.data.*.device_policies.sensor_update.assigned_date	string		2019-05-30T23:02:19.540591355Z
action_result.data.*.device_policies.sensor_update.policy_id	string	md5	226d7067a47b4ea7a3369f7e9114b180
action_result.data.*.device_policies.sensor_update.policy_type	string		sensor-update
action_result.data.*.device_policies.sensor_update.settings_hash	string		65994753
action_result.data.*.device_policies.sensor_update.uninstall_protection	string		ENABLED
action_result.data.*.external_ip	string	ip	204.107.141.240
action_result.data.*.first_seen	string		2018-04-19T19:10:14Z
action_result.data.*.group_hash	string	sha256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
action_result.data.*.groups	string	md5	4493ec18e3c942078b7c0bd4248d3f5e
action_result.data.*.hostname	string	host name	CB-TEST-01
action_result.data.*.instance_id	string		i-058fca45cda978e00
action_result.data.*.kernel_version	string		10.0.19044.1766
action_result.data.*.last_seen	string		2019-06-20T14:01:26Z
action_result.data.*.local_ip	string	ip	10.1.18.49
action_result.data.*.mac_address	string		00-0c-29-a0-10-27
action_result.data.*.machine_domain	string	domain	corp.xyz.com
action_result.data.*.major_version	string		10
action_result.data.*.meta.version	string		59509
action_result.data.*.minor_version	string		0
action_result.data.*.modified_timestamp	string		2019-06-20T14:04:12Z
action_result.data.*.os_build	string		19044
action_result.data.*.os_version	string		Windows 10
action_result.data.*.ou	string		Domain Controllers
action_result.data.*.platform_id	string		0
action_result.data.*.platform_name	string		Windows
action_result.data.*.pointer_size	string		8
action_result.data.*.policies.*.applied	boolean		True False
action_result.data.*.policies.*.applied_date	string		2019-04-03T23:57:05.493184498Z
action_result.data.*.policies.*.assigned_date	string		2019-04-03T23:53:41.614339193Z
action_result.data.*.policies.*.policy_id	string	md5	ad0dad6639454b4d8bbfc963bf9510c9
action_result.data.*.policies.*.policy_type	string		prevention
action_result.data.*.policies.*.settings_hash	string		4aa96e52
action_result.data.*.product_type	string		1
action_result.data.*.product_type_desc	string		Server
action_result.data.*.provision_status	string		Provisioned
action_result.data.*.reduced_functionality_mode	string		no
action_result.data.*.serial_number	string		VMware-56 4d c8 00 40 ed 10 1a-e5 4d 5b d5 e1 a0 10 27
action_result.data.*.service_pack_major	string		0
action_result.data.*.service_pack_minor	string		0
action_result.data.*.service_provider	string		test
action_result.data.*.service_provider_account_id	string		427749959855
action_result.data.*.site_name	string		Default-First-Site-Name
action_result.data.*.slow_changing_modified_timestamp	string		2019-06-17T16:08:07Z
action_result.data.*.status	string		contained
action_result.data.*.system_manufacturer	string		XYZ, Inc.
action_result.data.*.system_product_name	string		VM Platform
action_result.data.*.zone_group	string		us-east-1a
action_result.summary.total_devices	numeric		2
action_result.message	string		Total devices: 2
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list groups'

Fetch the details of the host groups

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
limit	optional	Maximum host groups to be fetched	numeric
filter	optional	Filter expression used to limit the fetched host groups (FQL Syntax)	string
sort	optional	Property to sort by	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.filter	string		modified_timestamp:<='2019-06-14T10:22:02.02236652Z'
action_result.parameter.limit	numeric		120
action_result.parameter.sort	string		created_timestamp.asc
action_result.data.*.assignment_rule	string		device_id:[''],hostname:['','EC2AMAZ-K5LEL73']
action_result.data.*.created_by	string	email	[email protected]
action_result.data.*.created_timestamp	string		2019-05-28T22:51:01.124782712Z
action_result.data.*.description	string		This is a sample test group
action_result.data.*.group_type	string		static
action_result.data.*.id	string	crowdstrike host group id	b5098f79716c4beb8f9c2aebff609075
action_result.data.*.modified_by	string	email	[email protected]
action_result.data.*.modified_timestamp	string		2019-05-28T22:51:01.124782712Z
action_result.data.*.name	string		super secure group
action_result.summary.total_host_group	numeric		529
action_result.summary.total_host_groups	numeric		1
action_result.message	string		Total host groups: 2
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'quarantine device'

Block the device

Type: contain
Read only: False

This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in the user's containment policy.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
device_id	optional	Comma-separated list of device IDs	string	crowdstrike device id
hostname	optional	Comma-separated list of hostnames	string	host name

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.device_id	string	crowdstrike device id	c70bbe8334aa47bd61046603eb27b15a
action_result.parameter.hostname	string	host name	CB-TEST-01
action_result.data.*.id	string	crowdstrike device id	c70bbe8334aa47bd61046603eb27b15a
action_result.data.*.path	string		/devices/entities/devices/v1
action_result.summary.total_quarantined_device	numeric		1
action_result.message	string		Device quarantined successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'unquarantine device'

Unblock the device

Type: correct
Read only: False

This action lifts containment on the host, which returns its network communications to normal.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
device_id	optional	Comma-separated list of device IDs	string	crowdstrike device id
hostname	optional	Comma-separated list of hostnames	string	host name

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.device_id	string	crowdstrike device id	c70bbe8334aa47bd61046603eb27b15a
action_result.parameter.hostname	string	host name	CB-TEST-01
action_result.data.*.id	string	crowdstrike device id	c70bbe8334aa47bd61046603eb27b15a
action_result.data.*.path	string		/devices/entities/devices/v1
action_result.summary.total_unquarantined_device	numeric		1
action_result.message	string		Device unquarantined successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'assign hosts'

Assign one or more hosts to the static host group

Type: correct
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
device_id	optional	Comma-separated list of device IDs	string	crowdstrike device id
hostname	optional	Comma separated list of hostnames	string	host name
host_group_id	required	Static host group ID	string	crowdstrike host group id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.device_id	string	crowdstrike device id	07c312fabcb8473454d0a16f118928ab
action_result.parameter.host_group_id	string	crowdstrike host group id	5c3203cee6934edd894c0c02d5a7d2ad
action_result.parameter.hostname	string	host name	CB-TEST-01
action_result.data.*.assignment_rule	string		device_id:[''],hostname:['CB-TEST-01']
action_result.data.*.created_by	string		api-client-id:ae1690074e144336ae1de4de9dc1bd93
action_result.data.*.created_timestamp	string		2019-06-18T06:43:48.348572725Z
action_result.data.*.description	string		test 6
action_result.data.*.group_type	string		static
action_result.data.*.id	string	crowdstrike host group id	5c3203cee6934edd894c0c02d5a7d2ad
action_result.data.*.modified_by	string		api-client-id:ae1690074e144336ae1de4de9dc1bd93
action_result.data.*.modified_timestamp	string		2019-06-18T06:43:48.348572725Z
action_result.data.*.name	string		test 7
action_result.summary.total_assigned_device	numeric		1
action_result.message	string		Host added successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'remove hosts'

Remove one or more hosts from the static host group

Type: contain
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
device_id	optional	Comma-separated list of device IDs	string	crowdstrike device id
hostname	optional	Comma-separated list of hostnames	string	host name
host_group_id	required	Static host group ID	string	crowdstrike host group id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.device_id	string	crowdstrike device id	07c312fabcb8473454d0a16f118928ab
action_result.parameter.host_group_id	string	crowdstrike host group id	5c3203cee6934edd894c0c02d5a7d2ad
action_result.parameter.hostname	string	host name	CB-TEST-01
action_result.data.*.assignment_rule	string		device_id:[''],hostname:['']
action_result.data.*.created_by	string		api-client-id:ae1690074e144336ae1de4de9dc1bd93
action_result.data.*.created_timestamp	string		2019-06-18T06:43:48.348572725Z
action_result.data.*.description	string		test 6
action_result.data.*.group_type	string		static
action_result.data.*.id	string	crowdstrike host group id	5c3203cee6934edd894c0c02d5a7d2ad
action_result.data.*.modified_by	string		api-client-id:ae1690074e144336ae1de4de9dc1bd93
action_result.data.*.modified_timestamp	string		2019-06-18T06:43:48.348572725Z
action_result.data.*.name	string		test 7
action_result.summary.total_removed_device	numeric		1
action_result.message	string		Host removed successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'create session'

Initialize a new session with the Real Time Response cloud

Type: generic
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
device_id	required	Device ID for session to be created	string	crowdstrike device id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.device_id	string	crowdstrike device id	07c312fabcb8473454d0a16f118928ab
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.data.*.resources.*.created_at	string		2019-09-24T20:52:08.595772499Z
action_result.data.*.resources.*.existing_aid_sessions	numeric		1
action_result.data.*.resources.*.offline_queued	boolean		True False
action_result.data.*.resources.*.pwd	string	file path	C:\
action_result.data.*.resources.*.scripts.*.args.*.arg_name	string		Path
action_result.data.*.resources.*.scripts.*.args.*.arg_type	string		arg
action_result.data.*.resources.*.scripts.*.args.*.command_level	string		non-destructive
action_result.data.*.resources.*.scripts.*.args.*.created_at	string		2019-06-25T23:48:59Z
action_result.data.*.resources.*.scripts.*.args.*.data_type	string		string
action_result.data.*.resources.*.scripts.*.args.*.default_value	string
action_result.data.*.resources.*.scripts.*.args.*.description	string		File to concatenate
action_result.data.*.resources.*.scripts.*.args.*.encoding	string
action_result.data.*.resources.*.scripts.*.args.*.id	numeric		7
action_result.data.*.resources.*.scripts.*.args.*.options	string
action_result.data.*.resources.*.scripts.*.args.*.required	boolean		True False
action_result.data.*.resources.*.scripts.*.args.*.requires_value	boolean		True False
action_result.data.*.resources.*.scripts.*.args.*.script_id	numeric		6
action_result.data.*.resources.*.scripts.*.args.*.sequence	numeric		1
action_result.data.*.resources.*.scripts.*.args.*.updated_at	string		2019-06-25T23:48:59Z
action_result.data.*.resources.*.scripts.*.command	string		cat
action_result.data.*.resources.*.scripts.*.description	string		Read a file from disk and display as ASCII or hex
action_result.data.*.resources.*.scripts.*.examples	string	file path	C:\> cat c:\mytextfile.txt Display the contents of the text file (ASCII encoding) C:\> cat c:\windows\system32\cmd.exe 100 -ShowHex Display the first 100 hexadecimal characters for cmd.exe
action_result.data.*.resources.*.scripts.*.internal_only	boolean		True False
action_result.data.*.resources.*.scripts.*.runnable	boolean		True False
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.arg_name	string		Name
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.arg_type	string		arg
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.command_level	string		non-destructive
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.created_at	string		2018-05-01T19:38:30Z
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.data_type	string		string
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.default_value	string
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.description	string		Name of the event log, for example "Application", "System"
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.encoding	string
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.id	numeric		35
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.options	string
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.required	boolean		True False
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.requires_value	boolean		True False
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.script_id	numeric		25
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.sequence	numeric		1
action_result.data.*.resources.*.scripts.*.sub_commands.*.args.*.updated_at	string		2018-05-01T19:38:30Z
action_result.data.*.resources.*.scripts.*.sub_commands.*.command	string		view
action_result.data.*.resources.*.scripts.*.sub_commands.*.description	string		View most recent N events in a given event log
action_result.data.*.resources.*.scripts.*.sub_commands.*.examples	string		C:\> eventlog view Application 5 Displays the 5 most recent event log entries in the "Application" event source log
action_result.data.*.resources.*.scripts.*.sub_commands.*.internal_only	boolean		True False
action_result.data.*.resources.*.scripts.*.sub_commands.*.runnable	boolean		True False
action_result.data.*.resources.*.session_id	string	crowdstrike rtr session id	c0ab8e89-edb0-485f-a8ee-b52d73453a4b
action_result.summary.session_id	string	crowdstrike rtr session id	b2403653-1294-488e-be81-7aadb69b52f1
action_result.message	string		Session created successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'delete session'

Deletes a Real Time Response session

Type: generic
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
session_id	required	RTR Session ID	string	crowdstrike rtr session id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.session_id	string	crowdstrike rtr session id	cdc3b485-6d71-4417-b091-939336154e83
action_result.data	string
action_result.summary.results	string		Successfully removed session: b2403653-1294-488e-be81-7aadb69b52f1
action_result.message	string		Session ended successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list detections'

Get a list of detections

Type: investigate
Read only: True

This action supports filtering in order to retrieve a particular set of detections.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
limit	optional	Maximum detections to be fetched	numeric
filter	optional	Filter expression used to limit the fetched detections (FQL Syntax)	string
sort	optional	Property to sort by	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.filter	string		modified_timestamp:<='2019-06-14T10:22:02.02236652Z'
action_result.parameter.limit	numeric		120
action_result.parameter.sort	string		created_timestamp.asc
action_result.data	string
action_result.data.*.behaviors.*.alleged_filetype	string		exe
action_result.data.*.behaviors.*.behavior_id	string		10354
action_result.data.*.behaviors.*.cmdline	string
action_result.data.*.behaviors.*.confidence	numeric		80
action_result.data.*.behaviors.*.control_graph_id	string		ctg:46592f3d661a469eb2503d72a29afd3a:309255693652
action_result.data.*.behaviors.*.description	string
action_result.data.*.behaviors.*.device_id	string	md5 crowdstrike device id	46592f3d661a469eb2503d72a29afd3a
action_result.data.*.behaviors.*.display_name	string		CredentialsInFilesCredentialAccess
action_result.data.*.behaviors.*.filename	string		powershell.exe
action_result.data.*.behaviors.*.filepath	string		\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
action_result.data.*.behaviors.*.ioc_description	string		\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
action_result.data.*.behaviors.*.ioc_source	string		library_load
action_result.data.*.behaviors.*.ioc_type	string		hash_sha256
action_result.data.*.behaviors.*.ioc_value	string		9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
action_result.data.*.behaviors.*.md5	string		04029e121a0cfa5991749937dd22a1d9
action_result.data.*.behaviors.*.objective	string		Gain Access
action_result.data.*.behaviors.*.parent_details.parent_cmdline	string		"C:\WINDOWS\system32\cmd.exe"
action_result.data.*.behaviors.*.parent_details.parent_md5	string		8a2122e8162dbef04694b9c3e0b6cdee
action_result.data.*.behaviors.*.parent_details.parent_process_graph_id	string		pid:46592f3d661a469eb2503d72a29afd3a:740512001748
action_result.data.*.behaviors.*.parent_details.parent_sha256	string		b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
action_result.data.*.behaviors.*.pattern_disposition	numeric		2048
action_result.data.*.behaviors.*.pattern_disposition_details.blocking_unsupported_or_disabled	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.bootup_safeguard_enabled	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.critical_process_disabled	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.detect	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.fs_operation_blocked	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.handle_operation_downgraded	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.inddet_mask	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.indicator	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.kill_action_failed	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.kill_parent	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.kill_process	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.kill_subprocess	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.operation_blocked	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.policy_disabled	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.process_blocked	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.quarantine_file	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.quarantine_machine	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.registry_operation_blocked	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.rooting	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.sensor_only	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.suspend_parent	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.suspend_process	boolean		False True
action_result.data.*.behaviors.*.scenario	string		suspicious_activity
action_result.data.*.behaviors.*.severity	numeric		70
action_result.data.*.behaviors.*.sha256	string		9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
action_result.data.*.behaviors.*.tactic	string		Credential Access
action_result.data.*.behaviors.*.tactic_id	string		TA0006
action_result.data.*.behaviors.*.technique	string		Credentials In Files
action_result.data.*.behaviors.*.technique_id	string		T1552.001
action_result.data.*.behaviors.*.template_instance_id	string		2649
action_result.data.*.behaviors.*.timestamp	string		2022-09-26T11:30:26Z
action_result.data.*.behaviors.*.triggering_process_graph_id	string		pid:46592f3d661a469eb2503d72a29afd3a:743690872884
action_result.data.*.behaviors.*.user_id	string		S-1-5-21-3607613384-2395287924-1763154957-1001
action_result.data.*.behaviors.*.user_name	string		testuser
action_result.data.*.cid	string	md5	3061c7ff3b634e22b38274d4b586558e
action_result.data.*.created_timestamp	string		2022-09-26T11:30:42.246972793Z
action_result.data.*.date_updated	string		2022-09-26T11:45:46Z
action_result.data.*.detection_id	string	crowdstrike detection id	ldt:46592f3d661a469eb2503d72a29afd3a:309255693652
action_result.data.*.device.agent_load_flags	string		0
action_result.data.*.device.agent_local_time	string		2022-08-22T15:45:16.195Z
action_result.data.*.device.agent_version	string		6.44.15806.0
action_result.data.*.device.bios_manufacturer	string		Phoenix Technologies LTD
action_result.data.*.device.bios_version	string		6.00
action_result.data.*.device.cid	string		3061c7ff3b634e22b38274d4b586558e
action_result.data.*.device.config_id_base	string		65994753
action_result.data.*.device.config_id_build	string		15806
action_result.data.*.device.config_id_platform	string		3
action_result.data.*.device.device_id	string	md5 crowdstrike device id	46592f3d661a469eb2503d72a29afd3a
action_result.data.*.device.external_ip	string		204.107.141.240
action_result.data.*.device.first_seen	string		2020-08-13T23:45:59Z
action_result.data.*.device.hostname	string		CB-TEST-02
action_result.data.*.device.last_seen	string		2022-09-26T11:21:40Z
action_result.data.*.device.local_ip	string		10.1.18.205
action_result.data.*.device.mac_address	string		00-50-56-12-34-56
action_result.data.*.device.machine_domain	string		sql19.local
action_result.data.*.device.major_version	string		10
action_result.data.*.device.minor_version	string		0
action_result.data.*.device.modified_timestamp	string		2022-09-26T11:27:43Z
action_result.data.*.device.os_version	string		Windows 10
action_result.data.*.device.platform_id	string		0
action_result.data.*.device.platform_name	string		Windows
action_result.data.*.device.product_type	string		1
action_result.data.*.device.product_type_desc	string		Workstation
action_result.data.*.device.site_name	string		Default-First-Site-Name
action_result.data.*.device.status	string		normal
action_result.data.*.device.system_manufacturer	string		VMware, Inc.
action_result.data.*.device.system_product_name	string		VMware Virtual Platform
action_result.data.*.email_sent	boolean		False
action_result.data.*.first_behavior	string		2022-09-26T11:30:26Z
action_result.data.*.hostinfo.domain	string
action_result.data.*.last_behavior	string		2022-09-26T11:30:26Z
action_result.data.*.max_confidence	numeric		80
action_result.data.*.max_severity	numeric		70
action_result.data.*.max_severity_displayname	string		High
action_result.data.*.seconds_to_resolved	numeric		0
action_result.data.*.seconds_to_triaged	numeric		0
action_result.data.*.show_in_ui	boolean		True
action_result.data.*.status	string		new
action_result.summary.total_detections	numeric		44
action_result.message	string		Total detections: 44
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get detections details'

Get a list of detections details by providing detection IDs

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
detection_ids	required	List of detection IDs. Comma-separated list allowed	string	crowdstrike detection id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.detection_ids	string	crowdstrike detection id
action_result.data	string
action_result.data.*.assigned_to_name	string		test user
action_result.data.*.assigned_to_uid	string		[email protected]
action_result.data.*.behaviors.*.alleged_filetype	string		exe
action_result.data.*.behaviors.*.behavior_id	string		10354
action_result.data.*.behaviors.*.cmdline	string
action_result.data.*.behaviors.*.confidence	numeric		80
action_result.data.*.behaviors.*.control_graph_id	string		ctg:46592f3d661a469eb2503d72a29afd3a:309255693652
action_result.data.*.behaviors.*.description	string
action_result.data.*.behaviors.*.device_id	string	md5 crowdstrike device id	46592f3d661a469eb2503d72a29afd3a
action_result.data.*.behaviors.*.display_name	string		CredentialsInFilesCredentialAccess
action_result.data.*.behaviors.*.filename	string		powershell.exe
action_result.data.*.behaviors.*.filepath	string		\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
action_result.data.*.behaviors.*.ioc_description	string		\Device\HarddiskVolume2\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
action_result.data.*.behaviors.*.ioc_source	string		library_load
action_result.data.*.behaviors.*.ioc_type	string		hash_sha256
action_result.data.*.behaviors.*.ioc_value	string		9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
action_result.data.*.behaviors.*.md5	string		04029e121a0cfa5991749937dd22a1d9
action_result.data.*.behaviors.*.objective	string		Gain Access
action_result.data.*.behaviors.*.parent_details.parent_cmdline	string		"C:\WINDOWS\system32\cmd.exe"
action_result.data.*.behaviors.*.parent_details.parent_md5	string		8a2122e8162dbef04694b9c3e0b6cdee
action_result.data.*.behaviors.*.parent_details.parent_process_graph_id	string		pid:46592f3d661a469eb2503d72a29afd3a:740512001748
action_result.data.*.behaviors.*.parent_details.parent_sha256	string		b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
action_result.data.*.behaviors.*.pattern_disposition	numeric		2048
action_result.data.*.behaviors.*.pattern_disposition_details.blocking_unsupported_or_disabled	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.bootup_safeguard_enabled	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.critical_process_disabled	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.detect	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.fs_operation_blocked	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.handle_operation_downgraded	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.inddet_mask	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.indicator	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.kill_action_failed	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.kill_parent	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.kill_process	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.kill_subprocess	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.operation_blocked	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.policy_disabled	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.process_blocked	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.quarantine_file	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.quarantine_machine	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.registry_operation_blocked	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.rooting	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.sensor_only	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.suspend_parent	boolean		False True
action_result.data.*.behaviors.*.pattern_disposition_details.suspend_process	boolean		False True
action_result.data.*.behaviors.*.scenario	string		suspicious_activity
action_result.data.*.behaviors.*.severity	numeric		70
action_result.data.*.behaviors.*.sha256	string		9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
action_result.data.*.behaviors.*.tactic	string		Credential Access
action_result.data.*.behaviors.*.tactic_id	string		TA0006
action_result.data.*.behaviors.*.technique	string		Credentials In Files
action_result.data.*.behaviors.*.technique_id	string		T1552.001
action_result.data.*.behaviors.*.template_instance_id	string		2649
action_result.data.*.behaviors.*.timestamp	string		2022-09-26T11:30:26Z
action_result.data.*.behaviors.*.triggering_process_graph_id	string		pid:46592f3d661a469eb2503d72a29afd3a:743690872884
action_result.data.*.behaviors.*.user_id	string		S-1-5-21-3607613384-2395287924-1763154957-1001
action_result.data.*.behaviors.*.user_name	string		testuser
action_result.data.*.cid	string	md5	3061c7ff3b634e22b38274d4b586558e
action_result.data.*.created_timestamp	string		2022-09-26T11:30:42.246972793Z
action_result.data.*.date_updated	string		2022-09-26T11:45:46Z
action_result.data.*.detection_id	string	crowdstrike detection id	ldt:46592f3d661a469eb2503d72a29afd3a:309255693652
action_result.data.*.device.agent_load_flags	string		0
action_result.data.*.device.agent_local_time	string		2022-08-22T15:45:16.195Z
action_result.data.*.device.agent_version	string		6.44.15806.0
action_result.data.*.device.bios_manufacturer	string		Phoenix Technologies LTD
action_result.data.*.device.bios_version	string		6.00
action_result.data.*.device.cid	string		3061c7ff3b634e22b38274d4b586558e
action_result.data.*.device.config_id_base	string		65994753
action_result.data.*.device.config_id_build	string		15806
action_result.data.*.device.config_id_platform	string		3
action_result.data.*.device.device_id	string	md5 crowdstrike device id	46592f3d661a469eb2503d72a29afd3a
action_result.data.*.device.external_ip	string		204.107.141.240
action_result.data.*.device.first_seen	string		2020-08-13T23:45:59Z
action_result.data.*.device.hostname	string		CB-TEST-02
action_result.data.*.device.last_seen	string		2022-09-26T11:21:40Z
action_result.data.*.device.local_ip	string		10.1.18.205
action_result.data.*.device.mac_address	string		00-50-56-12-34-56
action_result.data.*.device.machine_domain	string		sql19.local
action_result.data.*.device.major_version	string		10
action_result.data.*.device.minor_version	string		0
action_result.data.*.device.modified_timestamp	string		2022-09-26T11:27:43Z
action_result.data.*.device.os_version	string		Windows 10
action_result.data.*.device.platform_id	string		0
action_result.data.*.device.platform_name	string		Windows
action_result.data.*.device.product_type	string		1
action_result.data.*.device.product_type_desc	string		Workstation
action_result.data.*.device.site_name	string		Default-First-Site-Name
action_result.data.*.device.status	string		normal
action_result.data.*.device.system_manufacturer	string		VMware, Inc.
action_result.data.*.device.system_product_name	string		VMware Virtual Platform
action_result.data.*.email_sent	boolean		False
action_result.data.*.first_behavior	string		2022-09-26T11:30:26Z
action_result.data.*.hostinfo.domain	string
action_result.data.*.last_behavior	string		2022-09-26T11:30:26Z
action_result.data.*.max_confidence	numeric		80
action_result.data.*.max_severity	numeric		70
action_result.data.*.max_severity_displayname	string		High
action_result.data.*.seconds_to_resolved	numeric		2
action_result.data.*.seconds_to_triaged	numeric		1
action_result.data.*.show_in_ui	boolean		True
action_result.data.*.status	string		new
action_result.summary.total_detections	numeric		44
action_result.message	string		Total detections: 44
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'update detections'

Update detections in crowdstrike host

Type: generic
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
detection_ids	required	List of Detection IDs to update, Comma-separated list allowed	string	crowdstrike detection id
comment	optional	Comment to add to the detection (Maximum 2048 bytes)	string
assigned_to_user	optional	User ID to assign	string	crowdstrike unique user id
show_in_ui	optional	This detection is displayed or not in falcon UI	boolean
status	optional	Status to set	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.assigned_to_user	string	crowdstrike unique user id
action_result.parameter.comment	string		update status of detection
action_result.parameter.detection_ids	string	crowdstrike detection id	ldt:07c312fabcb8473454d0a16f118928fg:10548439893999
action_result.parameter.show_in_ui	boolean		True False
action_result.parameter.status	string		in_progress
action_result.data.*.meta.powered_by	string		legacy-detects
action_result.data.*.meta.query_time	numeric		0
action_result.data.*.meta.trace_id	string		a30c7b54-ae00-4a87-8324-0a575ba7dcb4
action_result.data.*.meta.writes.resources_affected	numeric		2
action_result.summary	string
action_result.summary.detections_affected	numeric		1
action_result.message	string		Detections affected: 1
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list alerts'

Get a list of alerts

Type: investigate
Read only: True

This action supports filtering in order to retrieve a particular set of alerts.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
limit	optional	Maximum alerts to be fetched	numeric
filter	optional	Filter expression used to limit the fetched alerts (FQL Syntax)	string
sort	optional	Property to sort by	string
include_hidden	optional	Include hidden alerts	boolean

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.filter	string		modified_timestamp:<='2019-06-14T10:22:02.02236652Z'
action_result.parameter.limit	numeric		120
action_result.parameter.sort	string		created_timestamp.asc
action_result.data.*.aggregate_id	string		aggind:3061c7ff3b634e22b38274d4b586558e:3EC58D8F-599D-4CEC-8BB1-BFDE96477FB1
action_result.data.*.cid	string	md5	3061c7ff3b634e22b38274d4b586558e
action_result.data.*.composite_id	string		3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:3EC58D8F-599D-4CEC-8BB1-BFDE96477FB1
action_result.data.*.confidence	numeric		20
action_result.data.*.context_timestamp	string		2022-11-16T09:42:26.413Z
action_result.data.*.crawled_timestamp	string		2022-11-16T09:47:26.563805668Z
action_result.data.*.created_timestamp	string		2022-11-16T09:43:26.560807901Z
action_result.data.*.description	string		A user received new privileges
action_result.data.*.display_name	string		Privilege escalation (user)
action_result.data.*.end_time	string		2022-11-16T09:42:26.413Z
action_result.data.*.falcon_host_link	string		https://falcon.crowdstrike.com/identity-protection/detections/3061c7ff3b634e22b38274d4b586558e:ind:3061c7ff3b634e22b38274d4b586558e:3EC58D8F-599D-4CEC-8BB1-BFDE96477FB1?cid=3061c7ff3b634e22b38274d4b586558e
action_result.data.*.id	string		ind:3061c7ff3b634e22b38274d4b586558e:3EC58D8F-599D-4CEC-8BB1-BFDE96477FB1
action_result.data.*.name	string		IdpEntityPrivilegeEscalationUser
action_result.data.*.objective	string		Gain Access
action_result.data.*.pattern_id	numeric		51113
action_result.data.*.previous_privileges	string		0
action_result.data.*.privileges	string		8321
action_result.data.*.product	string		idp
action_result.data.*.scenario	string		privilege_escalation
action_result.data.*.severity	numeric		2
action_result.data.*.show_in_ui	boolean		True
action_result.data.*.source_account_domain	string		IDENTITY.TEST
action_result.data.*.source_account_name	string		test1
action_result.data.*.source_account_object_sid	string		S-1-5-21-14850137-2860523753-2226348357-1103
action_result.data.*.start_time	string		2022-11-16T09:42:26.413Z
action_result.data.*.status	string		new
action_result.data.*.tactic	string		Privilege Escalation
action_result.data.*.tactic_id	string		TA0004
action_result.data.*.technique	string		Valid Accounts
action_result.data.*.technique_id	string		T1078
action_result.data.*.timestamp	string		2022-11-16T09:42:26.56Z
action_result.data.*.type	string		idp-user-endpoint-app-info
action_result.data.*.updated_timestamp	string		2022-11-16T09:47:26.561192951Z
action_result.summary.total_alerts	numeric		50
action_result.message	string		Total alerts: 50
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1
action_result.parameter.include_hidden	numeric		True

action: 'list sessions'

Lists Real Time Response sessions

Type: investigate
Read only: True

This action supports filtering in order to retrieve a particular session.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
limit	optional	Maximum RTR sessions to be fetched	numeric
filter	optional	Filter expression used to limit the fetched RTR sessions (FQL Syntax)	string
sort	optional	Property to sort by	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.filter	string		modified_timestamp:<='2019-06-14T10:22:02.02236652Z'
action_result.parameter.limit	numeric		120
action_result.parameter.sort	string		created_timestamp.asc
action_result.data.*.cid	string	md5	3061c7ff3b634e22b38274d4b586558e
action_result.data.*.cloud_request_ids	string		06f052a0-d7a6-431b-987f-4afd92925a19
action_result.data.*.commands	string
action_result.data.*.commands_queued	boolean		True False
action_result.data.*.created_at	string		2019-09-24T20:52:08Z
action_result.data.*.deleted_at	string		2019-09-24T20:54:04Z
action_result.data.*.device_details	string
action_result.data.*.device_id	string	md5 crowdstrike device id	07c312fabcb8473454d0a16f118928ab
action_result.data.*.duration	numeric		0
action_result.data.*.hostname	string	host name	CB-TEST-01
action_result.data.*.id	string	crowdstrike rtr session id	c0ab8e89-edb0-485f-a8ee-b52d73453a4b
action_result.data.*.logs.*.base_command	string		pwd
action_result.data.*.logs.*.cloud_request_id	string		06f052a0-d7a6-431b-987f-4afd92925a19
action_result.data.*.logs.*.command_string	string		pwd
action_result.data.*.logs.*.created_at	string		2019-09-24T20:52:08Z
action_result.data.*.logs.*.current_directory	string		C:\
action_result.data.*.logs.*.id	numeric		2522218
action_result.data.*.logs.*.session_id	string		c0ab8e89-edb0-485f-a8ee-b52d73453a4b
action_result.data.*.logs.*.updated_at	string		2019-09-24T20:52:08Z
action_result.data.*.offline_queued	boolean		True False
action_result.data.*.origin	string		source:hosts,deviceId:07c312fabcb8473454d0a16f118928ab
action_result.data.*.platform_id	numeric		0
action_result.data.*.platform_name	string
action_result.data.*.pwd	string
action_result.data.*.updated_at	string		2019-09-24T20:52:14Z
action_result.data.*.user_id	string		api-client-05dbdf165b474db597007c6f88780e39
action_result.data.*.user_uuid	string		05dbdf16-5b47-4db5-9700-7c6f88780e39
action_result.summary.total_sessions	numeric		1
action_result.message	string		Total sessions: 2
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'run command'

Execute an active responder command on a single host

Type: generic
Read only: False

The API works by first creating a cloud request to execute the command, then the results need to be retrieved using a GET with the cloud_request_id. The action will attempt to retrieve the results, but in the event that a timeout occurs, execute a 'get command details' action.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
device_id	required	Device ID	string	md5 crowdstrike device id
session_id	required	RTR Session ID	string	crowdstrike rtr session id
command	required	RTR command to execute on host	string
data	optional	Data/Arguments for the command	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.command	string		get ls
action_result.parameter.data	string		C:\Users\testuser\go\src\simulate\DLL_KEYLOG.dll
action_result.parameter.device_id	string	md5 crowdstrike device id	07c312fabcb8473454d0a16f118928ab
action_result.parameter.session_id	string	crowdstrike rtr session id	90981f4c-f6c1-4437-b191-beae115c4929
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		0.038770347
action_result.data.*.meta.trace_id	string		f983d1ab-97d7-4af7-8bd7-1a6b8de0c05d
action_result.data.*.resources.*.base_command	string		ls
action_result.data.*.resources.*.complete	boolean		True False
action_result.data.*.resources.*.session_id	string		9705111a-9928-4c10-b385-eefda32f9575
action_result.data.*.resources.*.stderr	string		Check your filename. Couldn't find 'some_file.txt'
action_result.data.*.resources.*.stdout	string		Directory listing for C:\ - Name
action_result.data.*.resources.*.task_id	string		d901dbea-f556-4f32-921b-056bbc00b4e0
action_result.summary.cloud_request_id	string	crowdstrike cloud request id	4b185028-39a3-4452-8e96-6da3729095fa
action_result.message	string		Cloud request id: d901dbea-f556-4f32-921b-056bbc00b4e0
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'run admin command'

Execute an RTR Admin command on a single host

Type: generic
Read only: False

This action requires a token with RTR Admin permissions.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
device_id	required	Device ID	string	crowdstrike device id
session_id	required	RTR Session ID	string	crowdstrike rtr session id
command	required	RTR Admin command to execute on host	string
data	optional	Data/Arguments for the command	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.command	string		get ls
action_result.parameter.data	string		C:\Users\testuser\go\src\simulate\DLL_KEYLOG.dll
action_result.parameter.device_id	string	crowdstrike device id	07c312fabcb8473454d0a16f118928ab
action_result.parameter.session_id	string	crowdstrike rtr session id	90981f4c-f6c1-4437-b191-beae115c4929
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		0.038770347
action_result.data.*.meta.trace_id	string		f983d1ab-97d7-4af7-8bd7-1a6b8de0c05d
action_result.data.*.resources.*.base_command	string		ls
action_result.data.*.resources.*.complete	boolean		True False
action_result.data.*.resources.*.session_id	string		9705111a-9928-4c10-b385-eefda32f9575
action_result.data.*.resources.*.stderr	string		Check your filename. Couldn't find 'some_file.txt'
action_result.data.*.resources.*.stdout	string		Directory listing for C:\ - Name
action_result.data.*.resources.*.task_id	string		d901dbea-f556-4f32-921b-056bbc00b4e0
action_result.summary.cloud_request_id	string	crowdstrike cloud request id	4b185028-39a3-4452-8e96-6da3729095fa
action_result.message	string		Cloud request id: d901dbea-f556-4f32-921b-056bbc00b4e0
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get command details'

Retrieve results of an active responder command executed on a single host

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
cloud_request_id	required	Cloud Request ID for Command	string	crowdstrike cloud request id
timeout_seconds	optional	Time (in seconds; default is 60) to wait before timing out poll for results	numeric

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.cloud_request_id	string	crowdstrike cloud request id	4b185028-39a3-4452-8e96-6da3729095fa
action_result.parameter.timeout_seconds	numeric		60
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		0.038770347
action_result.data.*.meta.trace_id	string		f983d1ab-97d7-4af7-8bd7-1a6b8de0c05d
action_result.data.*.resources.*.base_command	string		ls
action_result.data.*.resources.*.complete	boolean		True False
action_result.data.*.resources.*.session_id	string		9705111a-9928-4c10-b385-eefda32f9575
action_result.data.*.resources.*.stderr	string		Check your filename. Couldn't find 'some_file.txt'
action_result.data.*.resources.*.stdout	string		Directory listing for C:\ - Name
action_result.data.*.resources.*.task_id	string		d901dbea-f556-4f32-921b-056bbc00b4e0
action_result.summary.results	string		Successfully executed command
action_result.message	string		Results: Successfully executed command
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list session files'

Get a list of files for the specified RTR session

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
session_id	required	RTR Session ID	string	crowdstrike rtr session id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.session_id	string	crowdstrike rtr session id	0bf3c91f-1267-4a6d-a694-d225aeac65eb
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		0.060876276
action_result.data.*.meta.trace_id	string		ccb8edf2-fd5b-4221-81c8-0e80de3e66a6
action_result.data.*.resources.*.cloud_request_id	string		292efe5f-a755-45f8-a95a-72138d21b8db
action_result.data.*.resources.*.created_at	string		2019-10-08T20:12:14Z
action_result.data.*.resources.*.deleted_at	string
action_result.data.*.resources.*.id	numeric		104874
action_result.data.*.resources.*.name	string	file name	\Device\HarddiskVolume2\Users\testuser\go\src\simulate\DLL_KEYLOG.dll
action_result.data.*.resources.*.session_id	string	crowdstrike rtr session id	0bf3c91f-1267-4a6d-a694-d225aeac65eb
action_result.data.*.resources.*.sha256	string	sha256	53d84902e0a25be8706df19506f78799deab0082149b926b4117270f9c8673ad
action_result.data.*.resources.*.size	numeric		0
action_result.data.*.resources.*.updated_at	string		2019-10-08T20:12:14Z
action_result.summary.total_files	numeric		1
action_result.message	string		Session files listed successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get incident behaviors'

Get details on behaviors by providing behavior IDs

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ids	required	List of behavior IDs. Comma separated list allowed	string	crowdstrike incidentbehavior id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.ids	string	crowdstrike incidentbehavior id	ind:9e262c00000a46916beeaef04e45bc6a:dc8e3b1300004da2a6e7b20656e3276d
action_result.data.*.aid	string		w6h79wgbzy4ofsa093dp2s808qe8gswr
action_result.data.*.behavior_id	string	crowdstrike incidentbehavior id	ind:9e262c00000a46916beeaef04e45bc6a:dc8e3b1300004da2a6e7b20656e3276d
action_result.data.*.cid	string		e6m35yiizlefbv6o4az6b46sgjipx6lg
action_result.data.*.cmdline	string
action_result.data.*.compound_tto	string
action_result.data.*.detection_ids	string	crowdstrike detection id	ldt:07c312fabcb8473454d0a16f118928ab:10548439893000
action_result.data.*.display_name	string		SampleTemplateDetection
action_result.data.*.domain	string		CB-TEST-02
action_result.data.*.errors.*.code	numeric		400
action_result.data.*.errors.*.message	string		invalid behavior id=test
action_result.data.*.filepath	string		C:\user\somefile.txt
action_result.data.*.incident_id	string	crowdstrike incident id	inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d
action_result.data.*.meta.powered_by	string		incident-api
action_result.data.*.meta.query_time	numeric		0.000305451
action_result.data.*.meta.trace_id	string		ebb97943-be70-4acc-a2dd-c663b59761fa
action_result.data.*.objective	string		Keep Access
action_result.data.*.pattern_disposition	numeric		2048
action_result.data.*.pattern_disposition_details.blocking_unsupported_or_disabled	boolean		False
action_result.data.*.pattern_disposition_details.bootup_safeguard_enabled	boolean		True False
action_result.data.*.pattern_disposition_details.critical_process_disabled	boolean		True False
action_result.data.*.pattern_disposition_details.detect	boolean		True False
action_result.data.*.pattern_disposition_details.fs_operation_blocked	boolean		True False
action_result.data.*.pattern_disposition_details.handle_operation_downgraded	boolean		True False
action_result.data.*.pattern_disposition_details.inddet_mask	boolean		True False
action_result.data.*.pattern_disposition_details.indicator	boolean		True False
action_result.data.*.pattern_disposition_details.kill_action_failed	boolean		False
action_result.data.*.pattern_disposition_details.kill_parent	boolean		True False
action_result.data.*.pattern_disposition_details.kill_process	boolean		True False
action_result.data.*.pattern_disposition_details.kill_subprocess	boolean		True False
action_result.data.*.pattern_disposition_details.operation_blocked	boolean		True False
action_result.data.*.pattern_disposition_details.policy_disabled	boolean		True False
action_result.data.*.pattern_disposition_details.process_blocked	boolean		True False
action_result.data.*.pattern_disposition_details.quarantine_file	boolean		True False
action_result.data.*.pattern_disposition_details.quarantine_machine	boolean		True False
action_result.data.*.pattern_disposition_details.registry_operation_blocked	boolean		True False
action_result.data.*.pattern_disposition_details.rooting	boolean		True False
action_result.data.*.pattern_disposition_details.sensor_only	boolean		True False
action_result.data.*.pattern_disposition_details.suspend_parent	boolean		False
action_result.data.*.pattern_disposition_details.suspend_process	boolean		False
action_result.data.*.pattern_id	numeric		1024
action_result.data.*.sha256	string		ln3g11yf8r40be90ups2q1435ybhzdopbkt103wce5ligiuhww2b4l1f7tmp1vhi
action_result.data.*.tactic	string		Persistance
action_result.data.*.tactic_id	string		CSTA0001
action_result.data.*.technique	string		Hidden Files and Directories
action_result.data.*.technique_id	string		CST0001
action_result.data.*.template_instance_id	numeric		102
action_result.data.*.timestamp	string		2020-03-04T10:00:00Z
action_result.data.*.user_name	string		testuser
action_result.summary	string
action_result.message	string		Incident behavior fetched successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'update incident'

Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description

Type: generic
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ids	required	List of incident IDs. Comma separated list allowed	string	crowdstrike incident id
add_tag	optional	Adds the associated tag to all the incident(s) of the ids list. See example values for the defined list	string
delete_tag	optional	Deletes the matching tag from all the incident(s) in the ids list. See example values for the defined list	string
update_name	optional	Updates the name of all the incident(s) in the ids list	string
update_description	optional	Updates the description of all the incident(s) listed in the ids	string
update_status	optional	Updates the status of all the incident(s) in the ids list	string
add_comment	optional	Adds a comment for all the incident(s) in the ids list	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.add_comment	string		Minor Incident
action_result.parameter.add_tag	string		test1
action_result.parameter.delete_tag	string		test2
action_result.parameter.ids	string	crowdstrike incident id	inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d
action_result.parameter.update_description	string		IOC found at 2020-07-22T23:54:41Z
action_result.parameter.update_name	string		IOC at 2020-07-22T23:54:41Z
action_result.parameter.update_status	string		New
action_result.data.*.meta.powered_by	string		incident-api
action_result.data.*.meta.query_time	numeric		0.026572641
action_result.data.*.meta.trace_id	string		50f7477e-587f-4175-ad0d-bdbbd8d3b1ec
action_result.summary	string
action_result.message	string		Incident updated successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list users'

Get information about all users in your Customer ID

Type: investigate
Read only: True

Action Parameters

No parameters are required for this action

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.data.*.meta.powered_by	string		csam
action_result.data.*.meta.query_time	numeric		0.267336826
action_result.data.*.meta.trace_id	string		b4e1392e-68ad-4738-93f9-d95cee1cfe9f
action_result.data.*.resources.*.cid	string	crowdstrike customer id	4061c7ff3b634e22b38274d4b586554r
action_result.data.*.resources.*.first_name	string		Test
action_result.data.*.resources.*.last_name	string		Name
action_result.data.*.resources.*.uid	string	crowdstrike user id	[email protected]
action_result.data.*.resources.*.uuid	string	crowdstrike unique user id	bb777249-c782-4434-b57a-f15ac742926c
action_result.summary	string
action_result.message	string		Users listed successfully
action_result.summary.total_users	numeric		1
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get user roles'

Gets the roles that are assigned to the user

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
user_uuid	required	Users Unqiue ID to get the roles for	string	crowdstrike unique user id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.user_uuid	string	crowdstrike unique user id	bb777249-c782-4434-b57a-f15ac742926c
action_result.data.*.cid	string		3061c7ff3b634e22b38274d4b586558e
action_result.data.*.grant_type	string		direct
action_result.data.*.role_id	string		custom_ioas_manager
action_result.data.*.role_name	string		Custom IOAs Manager
action_result.data.*.uuid	string		b6330292-28e6-4198-994d-96f327c5b5bd
action_result.summary	string
action_result.message	string		User roles fetched successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list roles'

Get information about all user roles from your Customer ID

Type: investigate
Read only: True

Action Parameters

No parameters are required for this action

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.data.*.meta.powered_by	string		csam
action_result.data.*.meta.query_time	numeric		0.011271861
action_result.data.*.meta.trace_id	string		48a46c11-ca36-4a1e-84f6-9a5b1137b7d3
action_result.data.*.resources.*.description	string		Custom IOAs Manager
action_result.data.*.resources.*.display_name	string		Custom IOAs Manager
action_result.data.*.resources.*.id	string	crowdstrike user role id	custom_ioas_manager
action_result.data.*.resources.*.is_global	boolean		True False
action_result.summary	string
action_result.message	string		Roles listed successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get role'

Get information about all user roles from your Customer ID

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
role_id	required	Role ID to get information about. Comma separated list allowed	string	crowdstrike user role id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.role_id	string	crowdstrike user role id	dashboard_admin
action_result.data.*.description	string		Can manage, create, update, and delete dashboards
action_result.data.*.display_name	string		Dashboard Admin
action_result.data.*.errors.*.code	numeric		404
action_result.data.*.errors.*.message	string		Role ID ' custom_ioas_manager' not found
action_result.data.*.id	string	crowdstrike user role id	dashboard_admin
action_result.data.*.is_global	boolean		True False
action_result.data.*.meta.powered_by	string		csam
action_result.data.*.meta.query_time	numeric		0.000467839
action_result.data.*.meta.trace_id	string		82983d79-59d2-49e1-a471-4f1833f80c46
action_result.summary	string
action_result.message	string		Role fetched successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list crowdscores'

Query environment wide CrowdScore and return the entity data

Type: investigate
Read only: True

This action fetches crowdscores using pagination logic.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
filter	optional	Optional filter and sort criteria in the form of an FQL query	string
sort	optional	Sort the results by a specific field and direction. (Example: assigned_to.asc)	string
offset	optional	Starting index of overall result set from which to return ids. (Defaults to 0)	numeric
limit	optional	Limit the number of results to return. (Defaults to 50, Max 500)	numeric

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.filter	string		score: 0
action_result.parameter.limit	numeric		5
action_result.parameter.offset	numeric		100
action_result.parameter.sort	string		assigned_to.asc
action_result.data.*.adjusted_score	numeric		3
action_result.data.*.cid	string		3061d7ff3b634e22b38274d64798
action_result.data.*.errors.*.code	numeric		400
action_result.data.*.errors.*.message	string		test is an invalid behavior sort parameter
action_result.data.*.id	string	crowdstrike crowdscore id	99ff72e8c9c14955ba33cbcbd4112345_2020-05-18 07:38:05.219 +0000 UTC
action_result.data.*.meta.pagination.limit	numeric		500
action_result.data.*.meta.pagination.offset	numeric		0
action_result.data.*.meta.pagination.total	numeric		12960
action_result.data.*.meta.powered_by	string		incident-api
action_result.data.*.meta.query_time	numeric		0.096319664
action_result.data.*.meta.trace_id	string		38f293ce-587e-4ff5-8231-4e738178468a
action_result.data.*.pagination.*.limit	numeric
action_result.data.*.pagination.*.offset	numeric
action_result.data.*.pagination.*.total	numeric
action_result.data.*.resources.*.cid	string		3061c7ff3b634e22b38274d4b5865500
action_result.data.*.score	numeric		0
action_result.data.*.timestamp	string		2020-03-04T10:00:00Z
action_result.summary.total_crowdscores	numeric		2
action_result.message	string		Total crowdscores: 2
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get incident details'

Get details on incidents by providing incident IDs

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ids	required	List of incident IDs. Comma separated list allowed	string	crowdstrike incident id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.ids	string	crowdstrike incident id	inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d
action_result.data.*.assigned_to	string		b6330292-28e6-4198-994d-96f327c5b5cc
action_result.data.*.assigned_to_name	string		Testname
action_result.data.*.cid	string		ctw6caruad3lkbnnt22qzeyoxgf38zap
action_result.data.*.created	string		2020-03-04T10:00:00Z
action_result.data.*.description	string
action_result.data.*.end	string		2020-03-04T10:00:00Z
action_result.data.*.errors.*.code	numeric		400
action_result.data.*.errors.*.message	string		invalid incident id=fyughg
action_result.data.*.fine_score	numeric		1
action_result.data.*.host_ids	string	crowdstrike device id	c9vnt7jbugw32626p9qsq3f9dx13sdnn
action_result.data.*.hosts.*.agent_load_flags	string		1
action_result.data.*.hosts.*.agent_local_time	string		2020-03-04T10:00:00Z
action_result.data.*.hosts.*.agent_version	string		5.23.10503.0
action_result.data.*.hosts.*.bios_manufacturer	string		Phoenix Technologies LTD
action_result.data.*.hosts.*.bios_version	string		6.00
action_result.data.*.hosts.*.cid	string		ctw6caruad3lkbnnt22qzeyoxgf38zap
action_result.data.*.hosts.*.config_id_base	string		65994753
action_result.data.*.hosts.*.config_id_build	string		10503
action_result.data.*.hosts.*.config_id_platform	string		3
action_result.data.*.hosts.*.device_id	string	crowdstrike device id	c9vnt7jbugw32626p9qsq3f9dx13sdnn
action_result.data.*.hosts.*.external_ip	string		1.1.1.1
action_result.data.*.hosts.*.first_seen	string		2020-03-04T10:00:00Z
action_result.data.*.hosts.*.hostname	string		Sever01
action_result.data.*.hosts.*.last_seen	string		2020-03-04T10:00:00Z
action_result.data.*.hosts.*.local_ip	string		192.168.0.0
action_result.data.*.hosts.*.mac_address	string		00-00-00-00-00-00
action_result.data.*.hosts.*.machine_domain	string		domain.local
action_result.data.*.hosts.*.major_version	string		10
action_result.data.*.hosts.*.minor_version	string		0
action_result.data.*.hosts.*.modified_timestamp	string		2020-03-04T10:00:00Z
action_result.data.*.hosts.*.os_version	string		Windows 7
action_result.data.*.hosts.*.ou	string		DOMAIN LOCAL
action_result.data.*.hosts.*.platform_id	string		0
action_result.data.*.hosts.*.platform_name	string		Windows
action_result.data.*.hosts.*.product_type	string		1
action_result.data.*.hosts.*.product_type_desc	string		Workstation
action_result.data.*.hosts.*.site_name	string
action_result.data.*.hosts.*.status	string		noraml
action_result.data.*.hosts.*.system_manufacturer	string		VMware, Inc.
action_result.data.*.hosts.*.system_product_name	string		VMware Virtual Platform
action_result.data.*.incident_id	string	crowdstrike incident id	inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d
action_result.data.*.incident_type	numeric		1
action_result.data.*.meta.powered_by	string		incident-api
action_result.data.*.meta.query_time	numeric		0.000258709
action_result.data.*.meta.trace_id	string		b991aeb7-912f-45b2-abce-3759217a690c
action_result.data.*.modified_timestamp	string		2020-08-17T09:35:50.888512834Z
action_result.data.*.name	string
action_result.data.*.start	string		2020-03-04T10:00:00Z
action_result.data.*.state	string		open closed
action_result.data.*.status	numeric		20
action_result.data.*.tags	string
action_result.data.*.users	string
action_result.summary.total_incidents	numeric		1
action_result.message	string		Incident fetched: 1
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list incident behaviors'

Search for behaviors by providing an FQL filter, sorting, and paging details

Type: investigate
Read only: True

This action fetches incident behaviors using pagination logic.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
filter	optional	Optional filter and sort criteria in the form of an FQL query	string
sort	optional	Sort the results by a specific field and direction. (Example: assigned_to.asc)	string
offset	optional	Starting index of overall result set from which to return ids. (Defaults to 0)	numeric
limit	optional	Limit the number of results to return. (Defaults to 50, Max 500)	numeric

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.filter	string		incident_ids:['inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d']
action_result.parameter.limit	numeric		5
action_result.parameter.offset	numeric		100
action_result.parameter.sort	string		assigned_to.asc
action_result.data.*	string	crowdstrike incidentbehavior id	ind:9e262c70027a46916beeaef04e45bc6a:45890386125841-10264-352683776
action_result.data.*.errors.*.code	numeric		400
action_result.data.*.errors.*.message	string		test is an invalid behavior sort parameter
action_result.data.*.meta.pagination.limit	numeric		50
action_result.data.*.meta.pagination.offset	numeric		0
action_result.data.*.meta.pagination.total	numeric		0
action_result.data.*.meta.powered_by	string		incident-api
action_result.data.*.meta.query_time	numeric		0.002429479
action_result.data.*.meta.trace_id	string		202a0a0c-bcc1-4919-8932-2097213f903a
action_result.data.*.pagination.*.limit	numeric
action_result.data.*.pagination.*.offset	numeric
action_result.data.*.pagination.*.total	numeric
action_result.summary.total_incident_behaviors	numeric		2
action_result.message	string		Total incident behaviors: 2
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list incidents'

Search for incidents by providing an FQL filter, sorting, and paging details

Type: investigate
Read only: True

This action fetches incidents using pagination logic.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
filter	optional	Optional filter and sort criteria in the form of an FQL query	string
sort	optional	Sort the results by a specific field and direction. (Example: assigned_to.asc)	string
offset	optional	Starting index of overall result set from which to return ids. (Defaults to 0)	numeric
limit	optional	Limit the number of results to return. (Defaults to 50, Max 500)	numeric

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.filter	string		incident_ids:['inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d']
action_result.parameter.limit	numeric		5
action_result.parameter.offset	numeric		100
action_result.parameter.sort	string		assigned_to.asc
action_result.data.*	string	crowdstrike incident id	incident_ids:['inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d']
action_result.data.*	string	crowdstrike incident id	incident_ids:['inc:9e262c70027a46916beeaef04e45bc6a:dc8e3b1325634da2a6e7b20656e3276d']
action_result.data.*.errors.*.code	numeric		400
action_result.data.*.errors.*.message	string		test is an invalid incident sort parameter
action_result.data.*.meta.pagination.limit	numeric		50
action_result.data.*.meta.pagination.offset	numeric		0
action_result.data.*.meta.pagination.total	numeric		0
action_result.data.*.meta.powered_by	string		incident-api
action_result.data.*.meta.query_time	numeric		0.003846595
action_result.data.*.meta.trace_id	string		bb02d451-d3a9-432c-b402-c08faa066264
action_result.data.*.pagination.*.limit	numeric
action_result.data.*.pagination.*.offset	numeric
action_result.data.*.pagination.*.total	numeric
action_result.summary.total_incidents	numeric		2
action_result.message	string		Total incidents: 2
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get session file'

Get RTR extracted file contents for the specified session and sha256 and add it to the vault

Type: generic
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
session_id	required	RTR Session ID	string	crowdstrike rtr session id
file_hash	required	SHA256 hash to retrieve	string	sha256
file_name	optional	Filename to use for the archive name and the file within the archive	string	filename

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.file_hash	string	sha256	53d84902e0a25be8706df19506f78799deab0082149b926b4117270f9c8673ad
action_result.parameter.file_name	string	filename	test
action_result.parameter.session_id	string	crowdstrike rtr session id	b2403653-1294-488e-be81-7aadb69b52f1
action_result.data.*.container	string		test_crowdstrike
action_result.data.*.container_id	numeric		2840
action_result.data.*.create_time	string		0 minutes ago
action_result.data.*.created_via	string		automation
action_result.data.*.hash	string	sha1	30c5e524e975816fbce1d958150e394efc219772
action_result.data.*.id	numeric		2
action_result.data.*.metadata.md5	string		16723c3d039bc94e1636c0bf0c23ec26
action_result.data.*.metadata.sha1	string		d43b1c57023fab4e3040dd6f2970053d690b0fab
action_result.data.*.metadata.sha256	string		8a050bf93fe354d6ad03c6ba2b286f2649fb1420ae80eefac773208e5a0b7c0d
action_result.data.*.mime_type	string		application/x-7z-compressed
action_result.data.*.name	string		test.7z
action_result.data.*.path	string
action_result.data.*.size	numeric		5122
action_result.data.*.task	string
action_result.data.*.user	string		admin
action_result.data.*.vault_document	numeric		556
action_result.data.*.vault_id	string	sha1 vault id	30c5e524e975816fbce1d958150e394efc219772
action_result.summary.vault_id	string	sha1 vault id	30c5e524e975816fbce1d958150e394efc219772
action_result.message	string		Session file fetched successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'set status'

Set the state of a detection in Crowdstrike Host

Type: generic
Read only: False

The detection id can be obtained from the Crowdstrike UI and its state can be set.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
id	required	Detection ID to set the state of	string	crowdstrike detection id
state	required	State to set	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.id	string	crowdstrike detection id	ldt:07c312fabcb8473454d0a16f118928fg:10548439893999
action_result.parameter.state	string		in_progress
action_result.data	string
action_result.summary	string
action_result.message	string		Status set successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get system info'

Get details of a device, given the device ID

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
id	required	Device ID from previous Crowdstrike IOC search	string	crowdstrike device id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.id	string	crowdstrike device id	0498d1102b23481162ff846d0633e14c
action_result.data.*.agent_load_flags	string		3
action_result.data.*.agent_local_time	string		2015-07-31T14:07:42.816Z
action_result.data.*.agent_version	string		2.0.0010.3005
action_result.data.*.bios_manufacturer	string		Phoenix Technologies LTD
action_result.data.*.bios_version	string		6.00
action_result.data.*.build_number	string		17134
action_result.data.*.cid	string	md5	3f40c380adc74a3187c27252c0227cff
action_result.data.*.config_id_base	string		65994752
action_result.data.*.config_id_build	string		3005
action_result.data.*.config_id_platform	string		3
action_result.data.*.connection_ip	string	ip	10.1.18.205
action_result.data.*.connection_mac_address	string		00-50-56-12-34-56
action_result.data.*.cpu_signature	string		329455
action_result.data.*.default_gateway_ip	string	ip	10.1.16.1
action_result.data.*.device_id	string	crowdstrike device id	0498d1102b23481162ff846d0633e14c
action_result.data.*.device_policies.device_control.applied	boolean		True False
action_result.data.*.device_policies.device_control.applied_date	string		2020-05-12T17:24:23.856260169Z
action_result.data.*.device_policies.device_control.assigned_date	string		2020-05-12T17:24:12.52970392Z
action_result.data.*.device_policies.device_control.policy_id	string		cb4babb273274f79a91e8a0e84164916
action_result.data.*.device_policies.device_control.policy_type	string		device-control
action_result.data.*.device_policies.firewall.applied	boolean		True False
action_result.data.*.device_policies.firewall.applied_date	string		2020-07-08T03:12:30.212194872Z
action_result.data.*.device_policies.firewall.assigned_date	string		2020-07-08T03:07:38.48127371Z
action_result.data.*.device_policies.firewall.policy_id	string		2018f9894359493cb756bfa7dd3357a6
action_result.data.*.device_policies.firewall.policy_type	string		firewall
action_result.data.*.device_policies.firewall.rule_set_id	string		2018f9894359493cb756bfa7dd3357a6
action_result.data.*.device_policies.global_config.applied	boolean		True False
action_result.data.*.device_policies.global_config.applied_date	string		2020-04-16T02:44:27.694202488Z
action_result.data.*.device_policies.global_config.assigned_date	string		2020-04-16T02:42:41.826629904Z
action_result.data.*.device_policies.global_config.policy_id	string		49ee9efc99164562ad89640955f372ce
action_result.data.*.device_policies.global_config.policy_type	string		globalconfig
action_result.data.*.device_policies.global_config.settings_hash	string		f48b1bd1
action_result.data.*.device_policies.jumpcloud.applied	numeric		True
action_result.data.*.device_policies.jumpcloud.applied_date	string		2022-07-13T17:41:16.271074445Z
action_result.data.*.device_policies.jumpcloud.assigned_date	string		2022-07-13T17:40:53.552991354Z
action_result.data.*.device_policies.jumpcloud.policy_id	string	md5	234766dcce654217babcbaa247ca31f0
action_result.data.*.device_policies.jumpcloud.policy_type	string		jumpcloud
action_result.data.*.device_policies.jumpcloud.settings_hash	string	sha256	0aec295a677907c6e4de672edf1f172d2cefcc5ca96ed2b5e56f4d6745289694
action_result.data.*.device_policies.prevention.applied	boolean		True
action_result.data.*.device_policies.prevention.applied_date	string		2021-12-02T07:35:26.551598833Z
action_result.data.*.device_policies.prevention.assigned_date	string		2018-03-10T15:39:31.220730539Z
action_result.data.*.device_policies.prevention.policy_id	string	md5	f81459e0d85b4bc7b3ad14ad40889042
action_result.data.*.device_policies.prevention.policy_type	string		prevention
action_result.data.*.device_policies.prevention.settings_hash	string		87cb8b2e
action_result.data.*.device_policies.remote_response.applied	boolean		True False
action_result.data.*.device_policies.remote_response.applied_date	string		2019-02-08T02:39:21.726331953Z
action_result.data.*.device_policies.remote_response.assigned_date	string		2019-02-08T02:36:05.073298048Z
action_result.data.*.device_policies.remote_response.policy_id	string		6c74313d6c864180bd759c3235dbd550
action_result.data.*.device_policies.remote_response.policy_type	string		remote-response
action_result.data.*.device_policies.remote_response.settings_hash	string		f472bd8e
action_result.data.*.device_policies.sensor_update.applied	boolean		True False
action_result.data.*.device_policies.sensor_update.applied_date	string		2023-01-10T23:39:59.53209856Z
action_result.data.*.device_policies.sensor_update.assigned_date	string		2018-03-10T15:39:31.220769757Z
action_result.data.*.device_policies.sensor_update.policy_id	string	md5	62a3908297584c52bdafaa7fdf3c3bdd
action_result.data.*.device_policies.sensor_update.policy_type	string		sensor-update
action_result.data.*.device_policies.sensor_update.settings_hash	string		65994753
action_result.data.*.device_policies.sensor_update.uninstall_protection	string		ENABLED
action_result.data.*.external_ip	string	ip	50.18.218.205
action_result.data.*.first_seen	string		2018-03-10T15:38:09Z
action_result.data.*.group_hash	string	sha256	e2a8b394c0e62960747ff5d64a335162b36ba4c5a54ee6499b438b94e5269ae8
action_result.data.*.groups	string	md5	873560309d1b4686a6cee666575e7a93
action_result.data.*.hostname	string	host name	TheNarrowSea CentOS70
action_result.data.*.instance_id	string		i-019d8b2cc8e20bb8d
action_result.data.*.kernel_version	string		10.0.19044.1766
action_result.data.*.last_seen	string		2018-03-10T15:39:34Z
action_result.data.*.local_ip	string	ip	10.1.18.49
action_result.data.*.mac_address	string		00-0c-29-a0-10-27
action_result.data.*.machine_domain	string	domain	VICTIMNET.local
action_result.data.*.major_version	string		6
action_result.data.*.meta.version	string		6
action_result.data.*.minor_version	string		1
action_result.data.*.modified_timestamp	string		2018-03-10T15:40:09Z
action_result.data.*.os_build	string		19044
action_result.data.*.os_version	string		Windows Server 2008 R2
action_result.data.*.ou	string
action_result.data.*.platform_id	string		0
action_result.data.*.platform_name	string		Windows
action_result.data.*.pointer_size	string		8
action_result.data.*.policies.*.applied	boolean		True
action_result.data.*.policies.*.applied_date	string		2021-12-02T07:35:26.551598833Z
action_result.data.*.policies.*.assigned_date	string		2018-03-10T15:39:31.220730539Z
action_result.data.*.policies.*.policy_id	string	md5	f81459e0d85b4bc7b3ad14ad40889042
action_result.data.*.policies.*.policy_type	string		prevention
action_result.data.*.policies.*.settings_hash	string		87cb8b2e
action_result.data.*.product_type	string		3
action_result.data.*.product_type_desc	string		Server
action_result.data.*.provision_status	string		Provisioned
action_result.data.*.reduced_functionality_mode	string		no
action_result.data.*.release_group	string
action_result.data.*.serial_number	string		VMware-56 4d d8 11 42 ab 12 1a-b5 3d 4a e5 d1 a0 12 25
action_result.data.*.service_pack_major	string		0
action_result.data.*.service_pack_minor	string		0
action_result.data.*.service_provider	string		Test provider
action_result.data.*.service_provider_account_id	string		149665393462
action_result.data.*.site_name	string		Default-First-Site-Name
action_result.data.*.slow_changing_modified_timestamp	string		2018-04-23T22:52:27Z
action_result.data.*.status	string		normal
action_result.data.*.system_manufacturer	string		VMware, Inc.
action_result.data.*.system_product_name	string		VMware Virtual Platform
action_result.data.*.zone_group	string		us-east-1a
action_result.summary.hostname	string	host name	TheNarrowSea
action_result.message	string		Device details fetched successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get process detail'

Retrieve the details of a process that is running or that previously ran, given a process ID

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
falcon_process_id	required	Process ID from previous Falcon IOC search	string	falcon process id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.falcon_process_id	string	falcon process id	pid:07c312fabcb8473454d0a16f118928fg:16716090292999
action_result.data.*.command_line	string		C: est est.exe
action_result.data.*.device_id	string	crowdstrike device id	07c312fabcb8473454d0a16f118928fg
action_result.data.*.file_name	string	file name	estdata est est est.exe
action_result.data.*.process_id	string	pid	pid:07c312fabcb8473454d0a16f118928fg:16716090292999
action_result.data.*.process_id_local	string	pid	16716090292999
action_result.data.*.start_timestamp	string		2020-02-14T01:41:11Z
action_result.data.*.start_timestamp_raw	string		132261180718697221
action_result.data.*.stop_timestamp	string
action_result.data.*.stop_timestamp_raw	string
action_result.summary	string
action_result.message	string		Process details fetched successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'hunt file'

Hunt for a file on the network by querying for the hash

Type: investigate
Read only: True

In case of count_only set to true, keep the limit value larger to fetch count of all the devices.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
hash	required	File hash to search	string	hash sha256 sha1 md5
count_only	optional	Get endpoint count only	boolean
limit	optional	Maximum device IDs to be fetched (defaults to 100)	numeric

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.count_only	boolean		True False
action_result.parameter.hash	string	hash sha256 sha1 md5	eeb27d04c5fb25f7459407c0e5394621f12100e301b22d04a6b8f78e2adbf44t
action_result.parameter.limit	numeric		100
action_result.data.*.device_id	string	crowdstrike device id	07c312fabcb8473454d0a16f118928fg
action_result.summary.device_count	numeric		1
action_result.message	string		Device count: 1
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'hunt domain'

Get a list of device IDs on which the domain was matched

Type: investigate
Read only: True

In case of count_only set to true, keep the limit value larger to fetch count of all the devices.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
domain	required	Domain to search	string	domain
count_only	optional	Get endpoint count only	boolean
limit	optional	Maximum device IDs to be fetched (defaults to 100)	numeric

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.count_only	boolean		True False
action_result.parameter.domain	string	domain	www.example.com
action_result.parameter.limit	numeric		100
action_result.data.*.device_id	string	crowdstrike device id	07c312fabcb8473454d0a16f118928fg
action_result.summary.device_count	numeric		3
action_result.message	string		Device count: 3
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'hunt ip'

Get a list of device IDs on which the ip was matched

Type: investigate
Read only: True

In case of count_only set to true, keep the limit value larger to fetch count of all the devices.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ip	required	IP address to search	string	ip ipv6
count_only	optional	Get endpoint count only	boolean
limit	optional	Maximum device IDs to be fetched (defaults to 100)	numeric

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.count_only	boolean		True False
action_result.parameter.ip	string	ip ipv6	8.8.8.8 2001:0db8:3c4d:0015:0000:0000:1a2f:1a2b
action_result.parameter.limit	numeric		100
action_result.data.*.device_id	string	crowdstrike device id	07c312fabcb8473454d0a16f118928fg
action_result.summary.device_count	numeric		1
action_result.message	string		Device count: 1
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'upload put file'

Upload a new put-file to use for the RTR put command

Type: generic
Read only: False

This action requires a token with RTR Admin permissions.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
vault_id	required	Vault ID of file to upload	string	vault id
description	required	File description	string
file_name	optional	Filename to use (if different than actual file name)	string	filename
comment	optional	Comment for the audit log	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.comment	string		Test comment
action_result.parameter.description	string		This is a test description
action_result.parameter.file_name	string	filename	blank_file
action_result.parameter.vault_id	string	vault id	30c5e524e975816fbce1d958150e394efc219772
action_result.data.*.meta.powered_by	string		empower
action_result.data.*.meta.query_time	numeric		0.869312959
action_result.data.*.meta.trace_id	string		1e30b813-04ce-4fa4-aca0-2802dfead2f9
action_result.data.*.meta.writes.resources_affected	numeric		1
action_result.summary	string
action_result.message	string		Put file uploaded successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get indicator'

Get the full definition of one or more indicators that are being watched

Type: investigate
Read only: True

In this action, either 'indicator_value' and 'indicator_type' or 'resource_id' should be provided. The priority of 'resource_id' is higher. If all the parameters are provided then the indicator will be fetched based on the 'resource_id'.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
indicator_value	optional	String representation of the indicator	string	domain md5 sha256 ip ipv6
indicator_type	optional	The type of the indicator	string	crowdstrike indicator type
resource_id	optional	The resource id of the indicator	string	crowdstrike indicator id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.indicator_type	string	crowdstrike indicator type	domain
action_result.parameter.indicator_value	string	domain md5 sha256 ip ipv6	xyz
action_result.parameter.resource_id	string	crowdstrike indicator id	feaefb786fc648861779b9f906b1426b3d670ffe4c22ec7b7ff3d3e03e88dc43
action_result.data.*.action	string	crowdstrike indicator action	none
action_result.data.*.applied_globally	boolean		True False
action_result.data.*.created_by	string		C16JJOUVVY125J3O50FF
action_result.data.*.created_on	string	date	2021-09-09T08:51:04.131068458Z
action_result.data.*.created_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.deleted	boolean		True False
action_result.data.*.description	string		test description
action_result.data.*.expiration	string	date	2022-09-09T08:51:03Z
action_result.data.*.expiration_timestamp	string	date	2018-09-16T00:00:00Z
action_result.data.*.expired	boolean		True False
action_result.data.*.from_parent	boolean		True False
action_result.data.*.host_groups.*	string	crowdstrike host group id	0491ecd214614b5ab3bca1037a15390b
action_result.data.*.id	string	crowdstrike indicator id	99cd3772bf570aebea6e58059532ac902798583d6e75e6817364da70a062673a
action_result.data.*.metadata.av_hits	numeric		-1
action_result.data.*.metadata.company_name	string		Carbon Black, Inc
action_result.data.*.metadata.file_description	string		CarbonBlack Sensor
action_result.data.*.metadata.file_version	string		6.0.2.70329
action_result.data.*.metadata.filename	string		test_file_name
action_result.data.*.metadata.original_filename	string		cb.exe
action_result.data.*.metadata.product_name	string		CarbonBlack Sensor
action_result.data.*.metadata.product_version	string		6.0.2.70329
action_result.data.*.metadata.signed	boolean		False True
action_result.data.*.mobile_action	string		no_action
action_result.data.*.modified_by	string		ae2000074e144336ea1de4de9dc1bd39
action_result.data.*.modified_on	string		2021-09-09T08:51:04.131068458Z
action_result.data.*.modified_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.platforms.*	string	crowdstrike indicator platforms	mac
action_result.data.*.severity	string	severity	medium
action_result.data.*.source	string		test source
action_result.data.*.tags	string		tag1
action_result.data.*.type	string	crowdstrike indicator type	domain
action_result.data.*.value	string	ip ipv6 md5 sha256 domain	xyz
action_result.summary	string
action_result.message	string		Indicator fetched successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list custom indicators'

Queries for custom indicators in your customer account

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
indicator_value	optional	String representation of the indicator	string	ip ipv6 md5 sha256 domain
indicator_type	optional	The type of the indicator	string	crowdstrike indicator type
action	optional	Enforcement policy	string	crowdstrike indicator action
source	optional	The source of indicators	string
from_expiration	optional	The earliest indicator expiration date (RFC3339)	string	date
to_expiration	optional	The latest indicator expiration date (RFC3339)	string	date
limit	optional	The limit of indicator to be fetched (defaults to 100)	numeric
sort	optional	Property to sort by	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.action	string	crowdstrike indicator action	detect
action_result.parameter.from_expiration	string	date	2020-10-17T00:00:00Z
action_result.parameter.indicator_type	string	crowdstrike indicator type	domain
action_result.parameter.indicator_value	string	ip ipv6 md5 sha256 domain	test
action_result.parameter.limit	numeric		200
action_result.parameter.ph	string
action_result.parameter.sort	string		indicator_type
action_result.parameter.source	string		test
action_result.parameter.to_expiration	string	date	2020-10-17T00:00:00Z
action_result.data.*.domain	string	domain
action_result.data.*.domain.*.action	string	crowdstrike indicator action	no_action
action_result.data.*.domain.*.applied_globally	boolean		False
action_result.data.*.domain.*.created_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.domain.*.created_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.domain.*.created_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.domain.*.deleted	boolean		False
action_result.data.*.domain.*.description	string		Test description
action_result.data.*.domain.*.expiration	string	date	2021-09-25T09:52:27Z
action_result.data.*.domain.*.expiration_timestamp	string	date	2018-09-16T00:00:00Z
action_result.data.*.domain.*.expired	boolean		False
action_result.data.*.domain.*.from_parent	boolean		False
action_result.data.*.domain.*.host_groups.*	string	crowdstrike host group id	0491ecd214614b5ab3bca1037a15390b
action_result.data.*.domain.*.id	string	crowdstrike indicator id	010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb
action_result.data.*.domain.*.metadata.filename	string		EXAMPLEMETADATAvftcdrxcftvgybhhubsdgvfyuegwwiqeqTESTuifgwieugfhiugybhugvftcdrxcftvgbhubsdgvfyuegwwiqeqpdiheuifgEXAMPLE
action_result.data.*.domain.*.mobile_action	string		no_action
action_result.data.*.domain.*.modified_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.domain.*.modified_on	string		2021-09-15T09:52:27.651770437Z
action_result.data.*.domain.*.modified_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.domain.*.platforms.*	string	crowdstrike indicator platforms	mac
action_result.data.*.domain.*.severity	string	severity	high
action_result.data.*.domain.*.source	string		Test source
action_result.data.*.domain.*.tags	string		test_tag
action_result.data.*.domain.*.type	string	crowdstrike indicator type	domain
action_result.data.*.domain.*.value	string	domain	test.domain
action_result.data.*.ipv4	string	ip
action_result.data.*.ipv4.*.action	string	crowdstrike indicator action	no_action
action_result.data.*.ipv4.*.applied_globally	boolean		False
action_result.data.*.ipv4.*.created_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.ipv4.*.created_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.ipv4.*.created_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.ipv4.*.deleted	boolean		False
action_result.data.*.ipv4.*.description	string		Test description
action_result.data.*.ipv4.*.expiration	string	date	2021-09-25T09:52:27Z
action_result.data.*.ipv4.*.expiration_timestamp	string	date	2018-09-16T00:00:00Z
action_result.data.*.ipv4.*.expired	boolean		False
action_result.data.*.ipv4.*.from_parent	boolean		False
action_result.data.*.ipv4.*.host_groups.*	string	crowdstrike host group id	0491ecd214614b5ab3bca1037a15390b
action_result.data.*.ipv4.*.id	string	crowdstrike indicator id	010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb
action_result.data.*.ipv4.*.metadata.filename	string		test
action_result.data.*.ipv4.*.mobile_action	string		no_action
action_result.data.*.ipv4.*.modified_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.ipv4.*.modified_on	string		2021-09-15T09:52:27.651770437Z
action_result.data.*.ipv4.*.modified_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.ipv4.*.platforms.*	string	crowdstrike indicator platforms	mac
action_result.data.*.ipv4.*.severity	string	severity	high
action_result.data.*.ipv4.*.source	string		Test source
action_result.data.*.ipv4.*.tags	string		test_tag
action_result.data.*.ipv4.*.type	string	crowdstrike indicator type	ipv4
action_result.data.*.ipv4.*.value	string	ip	8.8.8.8
action_result.data.*.ipv6	string	ipv6
action_result.data.*.ipv6.*.action	string	crowdstrike indicator action	no_action
action_result.data.*.ipv6.*.applied_globally	boolean		False
action_result.data.*.ipv6.*.created_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.ipv6.*.created_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.ipv6.*.created_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.ipv6.*.deleted	boolean		False
action_result.data.*.ipv6.*.description	string		Test description
action_result.data.*.ipv6.*.expiration	string	date	2021-09-25T09:52:27Z
action_result.data.*.ipv6.*.expiration_timestamp	string	date	2018-09-16T00:00:00Z
action_result.data.*.ipv6.*.expired	boolean		False
action_result.data.*.ipv6.*.from_parent	boolean		False
action_result.data.*.ipv6.*.host_groups.*	string	crowdstrike host group id	0491ecd214614b5ab3bca1037a15390b
action_result.data.*.ipv6.*.id	string	crowdstrike indicator id	010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb
action_result.data.*.ipv6.*.metadata.filename	string		test_file_name
action_result.data.*.ipv6.*.modified_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.ipv6.*.modified_on	string		2021-09-15T09:52:27.651770437Z
action_result.data.*.ipv6.*.modified_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.ipv6.*.platforms.*	string	crowdstrike indicator platforms	mac
action_result.data.*.ipv6.*.severity	string	severity	high
action_result.data.*.ipv6.*.source	string		Test source
action_result.data.*.ipv6.*.tags	string		test_tag
action_result.data.*.ipv6.*.type	string	crowdstrike indicator type	ipv6
action_result.data.*.ipv6.*.value	string	ipv6	2001:db8:3333::6666:7777:8888
action_result.data.*.md5	string	md5
action_result.data.*.md5.*.action	string	crowdstrike indicator action	no_action
action_result.data.*.md5.*.applied_globally	boolean		False
action_result.data.*.md5.*.created_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.md5.*.created_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.md5.*.created_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.md5.*.deleted	boolean		False
action_result.data.*.md5.*.description	string		Test description
action_result.data.*.md5.*.expiration	string	date	2021-09-25T09:52:27Z
action_result.data.*.md5.*.expiration_timestamp	string	date	2018-09-16T00:00:00Z
action_result.data.*.md5.*.expired	boolean		False
action_result.data.*.md5.*.from_parent	boolean		False
action_result.data.*.md5.*.host_groups.*	string	crowdstrike host group id	0491ecd214614b5ab3bca1037a15390b
action_result.data.*.md5.*.id	string	crowdstrike indicator id	010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb
action_result.data.*.md5.*.metadata.av_hits	numeric		-1
action_result.data.*.md5.*.metadata.filename	string		test_file_name
action_result.data.*.md5.*.metadata.signed	boolean		False True
action_result.data.*.md5.*.mobile_action	string		no_action
action_result.data.*.md5.*.modified_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.md5.*.modified_on	string		2021-09-15T09:52:27.651770437Z
action_result.data.*.md5.*.modified_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.md5.*.platforms.*	string	crowdstrike indicator platforms	mac
action_result.data.*.md5.*.severity	string	severity	high
action_result.data.*.md5.*.source	string		Test source
action_result.data.*.md5.*.tags	string		test_tag
action_result.data.*.md5.*.type	string	crowdstrike indicator type	md5
action_result.data.*.md5.*.value	string	md5	098f6bcd4621d373cade4e832627b4f6
action_result.data.*.sha256	string	sha256
action_result.data.*.sha256.*.action	string	crowdstrike indicator action	no_action
action_result.data.*.sha256.*.applied_globally	boolean		False
action_result.data.*.sha256.*.created_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.sha256.*.created_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.sha256.*.created_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.sha256.*.deleted	boolean		False
action_result.data.*.sha256.*.description	string		Test description
action_result.data.*.sha256.*.expiration	string	date	2021-09-25T09:52:27Z
action_result.data.*.sha256.*.expiration_timestamp	string	date	2018-09-16T00:00:00Z
action_result.data.*.sha256.*.expired	boolean		False
action_result.data.*.sha256.*.from_parent	boolean		False
action_result.data.*.sha256.*.host_groups.*	string	crowdstrike host group id	0491ecd214614b5ab3bca1037a15390b
action_result.data.*.sha256.*.id	string	crowdstrike indicator id	010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb
action_result.data.*.sha256.*.metadata.av_hits	numeric		-1
action_result.data.*.sha256.*.metadata.company_name	string		Test Corporation
action_result.data.*.sha256.*.metadata.file_description	string		Runtime Broker
action_result.data.*.sha256.*.metadata.file_version	string		10.0.19041.746 (WinBuild.160101.0800)
action_result.data.*.sha256.*.metadata.filename	string		test_file_name
action_result.data.*.sha256.*.metadata.original_filename	string		RuntimeBroker.exe
action_result.data.*.sha256.*.metadata.product_name	string		Test® Windows® Operating System
action_result.data.*.sha256.*.metadata.product_version	string		10.0.19041.746
action_result.data.*.sha256.*.metadata.signed	boolean		False True
action_result.data.*.sha256.*.mobile_action	string		no_action
action_result.data.*.sha256.*.modified_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.sha256.*.modified_on	string		2021-09-15T09:52:27.651770437Z
action_result.data.*.sha256.*.modified_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.sha256.*.platforms.*	string	crowdstrike indicator platforms	mac
action_result.data.*.sha256.*.severity	string	severity	high
action_result.data.*.sha256.*.source	string		Test source
action_result.data.*.sha256.*.tags	string		test_tag
action_result.data.*.sha256.*.type	string	crowdstrike indicator type	sha256
action_result.data.*.sha256.*.value	string	sha256	9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
action_result.summary.alerts_found	numeric
action_result.summary.total_domain	numeric
action_result.summary.total_ipv4	numeric
action_result.summary.total_ipv6	numeric
action_result.summary.total_md5	numeric
action_result.summary.total_sha256	numeric
action_result.message	string		Total ip: 20, Total domain: 26, Total sha1: 0, Total md5: 0, Total sha256: 1, Alerts found: 47
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list put files'

Queries for files uploaded to Crowdstrike for use with the RTR put command

Type: investigate
Read only: True

For additional information on FQL syntax see: https://falcon.crowdstrike.com/support/documentation/45/falcon-query-language-feature-guide.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
filter	optional	FQL query to filter results	string
offset	optional	Starting index of overall result set	string
limit	optional	Number of files to return	numeric
sort	optional	Sort results	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.filter	string		size: 292
action_result.parameter.limit	numeric		50
action_result.parameter.offset	string		10
action_result.parameter.sort	string		size
action_result.data.*.comments_for_audit_log	string		test
action_result.data.*.created_by	string		api-client-05dbdf165b474db597007c6f88780e39
action_result.data.*.created_by_uuid	string		05dbdf16-5b47-4db5-9700-7c6f88780e39
action_result.data.*.created_timestamp	string		2020-01-17T19:54:47.929163017Z
action_result.data.*.description	string		This is a test description
action_result.data.*.file_type	string		binary
action_result.data.*.id	string		37420b00396311eaa57e0662caec3daa_05dbdf165b474db597007c6f88780e39
action_result.data.*.modified_by	string		api-client-05d12ffasd65d12b597007c6f88780e39
action_result.data.*.modified_timestamp	string		2020-01-17T19:54:47.929163507Z
action_result.data.*.name	string		blank_file
action_result.data.*.permission_type	string		none
action_result.data.*.run_attempt_count	numeric		0
action_result.data.*.run_success_count	numeric		0
action_result.data.*.sha256	string	sha256	9a9eaa1e83dbb19252ae1c0158eeefe8e4ce78736535d4e6d6a6bb5b039ff9a2
action_result.data.*.size	numeric		88
action_result.summary.total_files	numeric		2
action_result.message	string		Total files: 2
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'on poll'

Callback action for the on_poll ingest functionality

Type: ingest
Read only: True

This action remembers the last event ID that was queried for. The next ingestion carried out will query for later event IDs. This way, the same events are not queried for in every run. However, in the case of 'POLL NOW' queried event IDs will not be remembered.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
start_time	optional	Parameter ignored in this app	numeric
end_time	optional	Parameter ignored in this app	numeric
container_count	optional	Parameter ignored in this app	numeric
artifact_count	optional	Parameter ignored in this app	numeric

Action Output

No Output

action: 'list processes'

List processes that have recently used the IOC on a particular device

Type: investigate
Read only: True

Given a file hash or domain, the action will list all the processes that have either recently connected to the domain or interacted with the file that matches the supplied hash. Use the query device actions to get the device id to run the action on.In case of count_only set to true, keep the limit value larger to fetch count of all the devices.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ioc	required	File Hash or Domain to use for searching	string	hash sha256 sha1 md5 domain
id	required	Crowdstrike Device ID to search on	string	crowdstrike device id
limit	optional	Maximum processes to be fetched (defaults to 100)	numeric

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.id	string	crowdstrike device id	07c312fabcb8473454d0a16f118928ab
action_result.parameter.ioc	string	hash sha256 sha1 md5 domain	eeb27d04c5fb25f7459407c0e5394621f12100e301b22d04a6b8f78e2adbf33d
action_result.parameter.limit	numeric		100
action_result.data.*.falcon_process_id	string	falcon process id	pid:07c312fabcb8473454d0a16f118928fg:16716090292999
action_result.summary.process_count	numeric		1
action_result.message	string		Process count: 1
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'upload indicator'

Upload indicator that you want CrowdStrike to watch

Type: contain
Read only: False

Valid values for the action parameter are:

• no_action
  Save the indicator for future use, but take no action. No severity required.
• allow
  Applies to hashes only. Allow the indicator and do not detect it. Severity does not apply and should not be provided.
• prevent_no_ui
  Applies to hashes only. Block and detect the indicator, but hide it from Activity > Detections. Has a default severity value.
• prevent
  Applies to hashes only. Block the indicator and show it as a detection at the selected severity.
• detect
  Enable detections for the indicator at the selected severity.

Valid values for the host groups parameter are:

• Comma separated host group IDs for specific groups
• Leave it blank for all the host groups

The platforms parameter is the list of platforms that the indicator applies to. You can enter multiple platform names, separated by commas. Valid values are: mac, windows, and linux.
The CrowdStrike API accepts the standard timestamp format in the expiration parameter. In this action, the number of days provided in the expiration parameter is internally converted into the timestamp format to match the API format.
If the indicator with the same type and value is created again, the action will fail as duplicate type-value combination is not allowed.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ioc	required	Input domain, ip, or hash ioc	string	sha256 md5 domain ip ipv6
action	required	Action to take when a host observes the custom IOC	string	crowdstrike indicator action
platforms	required	Comma separated list of platforms	string	crowdstrike indicator platforms
expiration	optional	Alert lifetime in days	numeric
source	optional	Indicator originating source	string
description	optional	Indicator description	string
tags	optional	Comma separated list of tags	string
severity	optional	Severity level	string	severity
host_groups	optional	Comma separated list of host group IDs	string	crowdstrike host group id
filename	optional	Metadata filename	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.action	string	crowdstrike indicator action	detect
action_result.parameter.description	string		test description
action_result.parameter.expiration	numeric		10
action_result.parameter.filename	string		filename
action_result.parameter.host_groups	string	crowdstrike host group id	7f0d05b7b2fd4ddfb34069ab6e99db34
action_result.parameter.ioc	string	sha256 md5 domain ip ipv6	8.8.8.8
action_result.parameter.platforms	string	crowdstrike indicator platforms	linux
action_result.parameter.severity	string	severity	low
action_result.parameter.source	string		test source
action_result.parameter.tags	string		test_tag
action_result.data.*.action	string	crowdstrike indicator action	no_action
action_result.data.*.applied_globally	boolean		False
action_result.data.*.created_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.created_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.created_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.deleted	boolean		False
action_result.data.*.description	string		Test description
action_result.data.*.expiration	string	date	2021-09-25T09:52:27Z
action_result.data.*.expiration_timestamp	string	date	2018-09-16T00:00:00Z
action_result.data.*.expired	boolean		False
action_result.data.*.from_parent	boolean		False
action_result.data.*.host_groups.*	string	crowdstrike host group id	0491ecd214614b5ab3bca1037a15390b
action_result.data.*.id	string	crowdstrike indicator id	010114a181ac68f8712b28c288fc210e26c3d25029f3d1edeeb6b37c67293abb
action_result.data.*.metadata.av_hits	numeric		-1
action_result.data.*.metadata.filename	string		test_file_name
action_result.data.*.metadata.signed	boolean		False True
action_result.data.*.modified_by	string	md5	ae1690074e144356ae2de5de8dc1bd93
action_result.data.*.modified_on	string		2021-09-15T09:52:27.651770437Z
action_result.data.*.modified_timestamp	string	date	2018-08-17T15:19:31Z
action_result.data.*.platforms.*	string	crowdstrike indicator platforms	mac
action_result.data.*.severity	string	severity	high
action_result.data.*.source	string		Test source
action_result.data.*.tags	string		test_tag
action_result.data.*.type	string	crowdstrike indicator type	ipv4
action_result.data.*.value	string	ip ipv6 md5 sha256 domain	8.8.8.8
action_result.summary	string
action_result.message	string		Indicator uploaded successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'delete indicator'

Delete an indicator that is being watched

Type: correct
Read only: False

In this action, either 'ioc' or 'resource_id' should be provided. The priority of 'resource_id' is higher. If both the parameters are provided then the indicator will be deleted based on the 'resource_id'. The CrowdStrike API returns success for the 'resource_id' of the already deleted indicator.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ioc	optional	Hash, ip or domain IOC from previous upload	string	ip ipv6 md5 sha256 domain
resource_id	optional	The resource id of the indicator	string	crowdstrike indicator id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.ioc	string	ip ipv6 md5 sha256 domain	test
action_result.parameter.resource_id	string	crowdstrike indicator id	feaefb786fc648861779b9f906b1426b3d670ffe4c22ec7b7ff3d3e03e88dc43
action_result.data	string
action_result.summary	string
action_result.message	string		Indicator deleted successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'update indicator'

Update an indicator that has been uploaded

Type: generic
Read only: False

Valid values for the host groups parameter are:

• Comma separated host group IDs for specific groups
• The value 'all' for all the host groups
• Leave it blank if there is no change

If no parameters are provided as input, the action would pass successfully.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
ioc	required	Hash, ip or domain IOC to update	string	ip md5 sha256 domain
action	optional	Action to take when a host observes the custom IOC	string	crowdstrike indicator action
platforms	optional	Comma separated list of platforms	string	crowdstrike indicator platforms
expiration	optional	Alert lifetime in days	numeric
source	optional	Indicator originating source	string
description	optional	Indicator description	string
tags	optional	Comma separated list of tags	string
severity	optional	Severity level	string	severity
host_groups	optional	Comma separated list of host group IDs	string	crowdstrike host group id
filename	optional	Metadata filename	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.action	string	crowdstrike indicator action	detect
action_result.parameter.description	string		test description
action_result.parameter.expiration	numeric		10
action_result.parameter.filename	string		filename
action_result.parameter.host_groups	string	crowdstrike host group id	7f0d05b7b2fd4ddfb34069ab6e99db34
action_result.parameter.ioc	string	ip md5 sha256 domain	8.8.8.8
action_result.parameter.platforms	string	crowdstrike indicator platforms	linux
action_result.parameter.severity	string	severity	low
action_result.parameter.source	string		test source
action_result.parameter.tags	string		test_tag
action_result.data	string
action_result.summary	string
action_result.message	string		Indicator updated successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'file reputation'

Queries CrowdStrike for the file info given a vault ID or a SHA256 hash, vault ID has higher priority than SHA256 hash if both are provided

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
vault_id	optional	Vault ID of file	string	vault id
sha256	optional	SHA256 hash of the file	string	sha256
limit	optional	Maximum reports to be fetched	numeric
sort	optional	Property to sort by	string
offset	optional	Starting index of overall result set from which to return ids (defaults to 0)	numeric
detail_report	optional	Get the detailed report	boolean

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.detail_report	boolean		True False
action_result.parameter.limit	numeric		120
action_result.parameter.offset	numeric		100
action_result.parameter.sha256	string	sha256	3460eb8087523e19ac486f37fc68192c2dcd087814a2a9c9ad6b668fee3e0134
action_result.parameter.sort	string		created_timestamp.asc
action_result.parameter.vault_id	string	vault id	30c5e524e975816fbce1d958150e394efc219772
action_result.data.*.cid	string		3061c7ff3b634e22b38274d4b586558e
action_result.data.*.created_timestamp	string		2020-10-26T09:26:12Z
action_result.data.*.id	string	crowdstrike resource id	3061c7ff3b634e22b38274d4b586558e_5cbc78f5cd4845fd8652896dde973397
action_result.data.*.ioc_report_broad_csv_artifact_id	string	crowdstrike artifact id	b735c285c7d4119254d7a4eac9734321cf2dee0a8925f0395df6592cce97f848
action_result.data.*.ioc_report_broad_json_artifact_id	string	crowdstrike artifact id	c4a90ac33e499f69fbccf4ca20cd8938a0e3a10055eececfefa99000a475dd7a
action_result.data.*.ioc_report_broad_maec_artifact_id	string	crowdstrike artifact id	5a9703fb4d31b4fab70948332af17711b41d06f2fe46406f8abcd810eea8ca2b
action_result.data.*.ioc_report_broad_stix_artifact_id	string	crowdstrike artifact id	2433d561ad70b9a30753bc3345bf1d9e986340e40dc59177f91e979d59b4f0f0
action_result.data.*.ioc_report_strict_csv_artifact_id	string	crowdstrike artifact id	f54d63e91cafc2aa131d90bab6a60d7dfd0db05f984ebcf9394e4a1d7934c913
action_result.data.*.ioc_report_strict_json_artifact_id	string	crowdstrike artifact id	7d80482e25d2e86867ea6b4b8c0bc9c1235f9e70dbd2a1754ffb86c950994532
action_result.data.*.ioc_report_strict_maec_artifact_id	string	crowdstrike artifact id	bf73276e6e07f6c02a242254e846f4ef8e6d12a3114ee8de0e144ee608491457
action_result.data.*.ioc_report_strict_stix_artifact_id	string	crowdstrike artifact id	1f129239876f7eb8287bf112763dada414ee8792ce1ab81eda6adcf322327696
action_result.data.*.malquery.*.input	string		c619f87556667f2c1799672d36d55172597f4fed158800d5622edc8abee930e8
action_result.data.*.malquery.*.resources.*.file_size	numeric		100144
action_result.data.*.malquery.*.resources.*.file_type	string		PE32
action_result.data.*.malquery.*.resources.*.first_seen_timestamp	string		2020-01-29T00:00:00Z
action_result.data.*.malquery.*.resources.*.label	string		clean
action_result.data.*.malquery.*.resources.*.md5	string	md5	b029f63374652c76e09b6443dd931774
action_result.data.*.malquery.*.resources.*.sha1	string	sha1	8b50322f86d4bd5a7a5bc1d54d16ecfae8d4e693
action_result.data.*.malquery.*.resources.*.sha256	string	sha256	7b982b66433e1c89d094461d3d461eab90c93f72fbe676fcfc17c3c340c9a8b4
action_result.data.*.malquery.*.type	string		sha256
action_result.data.*.malquery.*.verdict	string		clean
action_result.data.*.origin	string		quarantine
action_result.data.*.sandbox.*.architecture	string		32 Bit
action_result.data.*.sandbox.*.contacted_hosts.*.address	string	ip	1XX.2XX.1X.6X
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name	string		iexplore.exe
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid	numeric		7284
action_result.data.*.sandbox.*.contacted_hosts.*.country	string		Test Name
action_result.data.*.sandbox.*.contacted_hosts.*.port	numeric	port	80
action_result.data.*.sandbox.*.contacted_hosts.*.protocol	string		TCP
action_result.data.*.sandbox.*.dns_requests.*.address	string	ip	2X.7X.1XX.1XX
action_result.data.*.sandbox.*.dns_requests.*.country	string		Test Name
action_result.data.*.sandbox.*.dns_requests.*.domain	string	domain ip	clientconfig.passport.net
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp	string	date	1994-08-01T00:00:00+00:00
action_result.data.*.sandbox.*.dns_requests.*.registrar_name	string		MarkMonitor, Inc.
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers	string		NS1.MSFT.NET
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization	string		Test Corporation
action_result.data.*.sandbox.*.environment	numeric		100
action_result.data.*.sandbox.*.environment_description	string	crowdstrike environment	Windows 7 32 bit
action_result.data.*.sandbox.*.environment_id	numeric		100
action_result.data.*.sandbox.*.error_message	string		The requested environment ID "160" and file type "python" have no available execution environment
action_result.data.*.sandbox.*.error_origin	string		CLIENT
action_result.data.*.sandbox.*.error_type	string		FILE_TYPE_BAD_ERROR
action_result.data.*.sandbox.*.exact_deep_hash	string		026f0c002c06028e00010212000320000000fffffe06030065732078000000e0161f3a9d4755494400ffff0000e804000100e000ff0000b800c900c06f110b7b00706f0e00040d01000000120200e20033303331ffff00000011030400050001000a6f106765745f000000122c06028e0000ffff00ffff00f002a90009000000800000001109142000ffff000a280100088e69fe00ffff000bfe060750000080ffff00000080000000f002a900e000000000000007000000000011000000e80400e80400006f705f0100010000120000561934e00f1a1f6fdf007100100102150000ff2510000000302e302ee80400002e302e30000200e220696e20cf0072370106002affff0000007200460001130f49ae61f1616773000043756c7065730000e8010004effe000070007900f701b700020080fe01130e00ffff00000000000031000b720073001d08050501060a0200ffff0000ff25007e0000ec0011004366006f00446f6d6101130d114d01048000012805012571180100000165006f7003090151fe0000010000a040fe010d010000de00020e0e0300000001029f008100efbbbf002b8c1600f701b78e69fe040a110bfe666f2078150c20050000002b0000ffff006c006100008000110020f400fe010d6f6e732e00e804006be57549ffff00001e01060ade0000000100953b31007400091afe0420001d120000e000
action_result.data.*.sandbox.*.extracted_files.*.description	string		PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
action_result.data.*.sandbox.*.extracted_files.*.file_path	string		%TEMP%\329babfa-d618-4d17-a6b0-79fe02a2d94d\AgileDotNetRT.dll
action_result.data.*.sandbox.*.extracted_files.*.file_size	numeric		137741
action_result.data.*.sandbox.*.extracted_files.*.md5	string	md5	5ce220e1334193b403e937ecca0b406f
action_result.data.*.sandbox.*.extracted_files.*.name	string		AgileDotNetRT.dll
action_result.data.*.sandbox.*.extracted_files.*.runtime_process	string		789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24.exe
action_result.data.*.sandbox.*.extracted_files.*.sha1	string	sha1	48c1d47e4a23ebfd739aa86830842d1ead7ced59
action_result.data.*.sandbox.*.extracted_files.*.sha256	string	sha256	c619f87556667f2c1799672d36d55172597f4fed158800d5622edc8abee930e8
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable	string		no specific threat
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename	string		EXAMPLEd6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2aTEST.bin
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process	string		EXAMPLEd6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2aTEST.exe
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source	string		Memory/File Scan
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type	string		Ansi
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value	string		.http://www.digicert.com/ssl-cps-repository.htm0
action_result.data.*.sandbox.*.file_imports.*.module	string		mscoree.dll
action_result.data.*.sandbox.*.file_size	numeric		224888
action_result.data.*.sandbox.*.file_type	string		PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
action_result.data.*.sandbox.*.http_requests.*.header	string		GET /gsr2/TESTgwRjAJBgUrDgMCTESTBBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtEXAMPLEhi4CDQHjtJqhjYqpgSVpULg%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Test-CryptoAPI/10.0 Host: ocsp.pki.goog
action_result.data.*.sandbox.*.http_requests.*.host	string	domain ip	ocsp.pki.goog
action_result.data.*.sandbox.*.http_requests.*.host_ip	string	ip	1XX.2XX.1X.6X
action_result.data.*.sandbox.*.http_requests.*.host_port	numeric	port	80
action_result.data.*.sandbox.*.http_requests.*.method	string		GET
action_result.data.*.sandbox.*.http_requests.*.url	string		/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
action_result.data.*.sandbox.*.incidents.*.name	string		Fingerprint
action_result.data.*.sandbox.*.memory_strings_artifact_id	string	crowdstrike artifact id	9e5ebb7847a684fe6b9f36bb6bfb36e03b4e2f71b010c67e131652b968695a30
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id	string		T1215
action_result.data.*.sandbox.*.mitre_attacks.*.parent.attack_id	string		T1027
action_result.data.*.sandbox.*.mitre_attacks.*.parent.attack_id_wiki	string		https://attack.mitre.org/techniques/T1027
action_result.data.*.sandbox.*.mitre_attacks.*.parent.technique	string		Obfuscated Files or Information
action_result.data.*.sandbox.*.mitre_attacks.*.tactic	string		Persistence
action_result.data.*.sandbox.*.mitre_attacks.*.technique	string		Kernel Modules and Extensions
action_result.data.*.sandbox.*.network_settings	string		default
action_result.data.*.sandbox.*.packer	string		Test visual C# v7.0 / Basic .NET
action_result.data.*.sandbox.*.pcap_report_artifact_id	string	crowdstrike artifact id	e5521d8c988e4fd8f4bff8d90e231ac71d5bde9710382a1a2ac14e9d004eabd8
action_result.data.*.sandbox.*.processes.*.command_line	string		"C:\dummy-pdf_2.pdf"
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask	string		FILE_READ_DATA
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path	string		%WINDIR%\SYSTEM32\MSCOREE.DLL
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type	string		OPEN
action_result.data.*.sandbox.*.processes.*.handles.*.id	numeric		4
action_result.data.*.sandbox.*.processes.*.handles.*.path	string		HKLM\SYSTEM\ControlSet001\Control\Session Manager
action_result.data.*.sandbox.*.processes.*.handles.*.type	string		KeyHandle
action_result.data.*.sandbox.*.processes.*.icon_artifact_id	string	crowdstrike artifact id	6fc9590b42ff8dcbd51c4cddf7ec83bad13f08dcfc882dfbfae326a4c4d68e8d
action_result.data.*.sandbox.*.processes.*.name	string		789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24.exe
action_result.data.*.sandbox.*.processes.*.normalized_path	string		C:\789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24.exe
action_result.data.*.sandbox.*.processes.*.parent_uid	string		00079399-00003508
action_result.data.*.sandbox.*.processes.*.pid	numeric		3788
action_result.data.*.sandbox.*.processes.*.process_flags.*.name	string		Reduced Monitoring
action_result.data.*.sandbox.*.processes.*.registry.*.key	string		COMPUTERNAME
action_result.data.*.sandbox.*.processes.*.registry.*.operation	string		Open
action_result.data.*.sandbox.*.processes.*.registry.*.path	string		HKLM\SOFTWARE\Test\RPC\
action_result.data.*.sandbox.*.processes.*.registry.*.status	string		c0000034
action_result.data.*.sandbox.*.processes.*.registry.*.status_human_readable	string		STATUS_OBJECT_NAME_NOT_FOUND
action_result.data.*.sandbox.*.processes.*.registry.*.value	string		00000000010000002C000000160000001800000043006F006D00700075007400650072004E0061006D00650048004100500055004200570053002D00500043000000
action_result.data.*.sandbox.*.processes.*.sha256	string	sha256	789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24
action_result.data.*.sandbox.*.processes.*.streams.*.file_name	string		dc829f01c99e0cc1c3bdbcf626bc87a88c9d9d82b965545d9747b2d2292c3716.bin
action_result.data.*.sandbox.*.processes.*.streams.*.human_keywords	string		{0},11:{0},varsim
action_result.data.*.sandbox.*.processes.*.streams.*.instructions_artifact_id	string		ca39fdd4ec789ac3996014bb6edd4989f3b4988da13dfb69bbdd5299185e50c7
action_result.data.*.sandbox.*.processes.*.streams.*.uid	string		272dfd975214d0f4abb93b32797f8605-6000001-Program~Main
action_result.data.*.sandbox.*.processes.*.uid	string		00064737-00003788
action_result.data.*.sandbox.*.sha256	string	sha256	789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24
action_result.data.*.sandbox.*.signatures.*.attack_id	string		T1116
action_result.data.*.sandbox.*.signatures.*.category	string		General
action_result.data.*.sandbox.*.signatures.*.description	string		"example_input.exe" created file "%TEMP%\329babfa-d618-4d17-a6b0-79fe02a2d94d\AgileDotNetRT.dll"
action_result.data.*.sandbox.*.signatures.*.identifier	string		api-4
action_result.data.*.sandbox.*.signatures.*.name	string		Creates a writable file in a temporary directory
action_result.data.*.sandbox.*.signatures.*.origin	string		API Call
action_result.data.*.sandbox.*.signatures.*.relevance	numeric		1
action_result.data.*.sandbox.*.signatures.*.threat_level	numeric		1
action_result.data.*.sandbox.*.signatures.*.threat_level_human	string		informative
action_result.data.*.sandbox.*.signatures.*.type	numeric		6
action_result.data.*.sandbox.*.submission_type	string		file
action_result.data.*.sandbox.*.submit_name	string		789356c7d6964b9b4b3d38ecadea3b1570893275013cabbd008900a32c2afd24
action_result.data.*.sandbox.*.threat_score	numeric		41
action_result.data.*.sandbox.*.verdict	string		suspicious
action_result.data.*.sandbox.*.version_info.*.id	string		Translation
action_result.data.*.sandbox.*.version_info.*.value	string		0x0000 0x04b0
action_result.data.*.sandbox.*.windows_version_bitness	numeric		32
action_result.data.*.sandbox.*.windows_version_edition	string		Professional
action_result.data.*.sandbox.*.windows_version_name	string		Windows 7
action_result.data.*.sandbox.*.windows_version_service_pack	string		Service Pack 1
action_result.data.*.sandbox.*.windows_version_version	string		6.1 (build 7601)
action_result.data.*.threat_graph.indicators.*.customer_prevalence	string		low
action_result.data.*.threat_graph.indicators.*.global_prevalence	string		common
action_result.data.*.threat_graph.indicators.*.type	string		sha256
action_result.data.*.threat_graph.indicators.*.value	string		c619f87556667f2c1799672d36d55172597f4fed158800d5622edc8abee930e8
action_result.data.*.user_id	string		b1cab7e2bda14722aca74b8353f5f6d9
action_result.data.*.user_name	string		[email protected]
action_result.data.*.user_uuid	string		b6330292-28e6-4198-994d-96f327c5b5bd
action_result.data.*.verdict	string		suspicious
action_result.summary.total_reports	numeric		1
action_result.summary.verdict	string		suspicious
action_result.message	string		Verdict: suspicious, Total reports: 1 Total reports: 6
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'url reputation'

Queries CrowdStrike for the url info

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
url	required	URL to query	string	url
limit	optional	Maximum reports to be fetched	numeric
sort	optional	Property to sort by	string
offset	optional	Starting index of overall result set from which to return ids (defaults to 0)	numeric
detail_report	optional	Get the detailed report	boolean

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.detail_report	boolean		True False
action_result.parameter.limit	numeric		5
action_result.parameter.offset	numeric		5
action_result.parameter.sort	string		created_timestamp.asc
action_result.parameter.url	string	url	https://www.test.com
action_result.data.*.cid	string		3061c7ff3b634e22b38274d4b586558e
action_result.data.*.created_timestamp	string		2021-04-29T02:49:16Z
action_result.data.*.id	string	crowdstrike resource id	3061c7ff3b634e22b38274d4b586558e_3ab68d2aa2774ba3a35d6f17ae1a7c0b
action_result.data.*.ioc_report_broad_csv_artifact_id	string	crowdstrike artifact id	6ba1a1ab22f1c1fdea253934fd96364513f897a4f697df2058dd8a456dee2cc0
action_result.data.*.ioc_report_broad_json_artifact_id	string	crowdstrike artifact id	3ccac07c025cc4aa4ce900530fb982371d878cf8c80ceeb9247024420b540fa4
action_result.data.*.ioc_report_broad_maec_artifact_id	string	crowdstrike artifact id	0ee0e99a5a032a3c42799d01941938e5b10ed8f13e7452d930648d481af5d51e
action_result.data.*.ioc_report_broad_stix_artifact_id	string	crowdstrike artifact id	653ebf60312387e4d519dba01da938294ac607f859b671f5d55980c02732f474
action_result.data.*.ioc_report_strict_csv_artifact_id	string	crowdstrike artifact id	6ba1a1ab22f1c1fdea253934fd96364513f897a4f697df2058dd8a456dee2cc0
action_result.data.*.ioc_report_strict_json_artifact_id	string	crowdstrike artifact id	3ccac07c025cc4aa4ce900530fb982371d878cf8c80ceeb9247024420b540fa4
action_result.data.*.ioc_report_strict_maec_artifact_id	string	crowdstrike artifact id	0ee0e99a5a032a3c42799d01941938e5b10ed8f13e7452d930648d481af5d51e
action_result.data.*.ioc_report_strict_stix_artifact_id	string	crowdstrike artifact id	653ebf60312387e4d519dba01da938294ac607f859b671f5d55980c02732f474
action_result.data.*.malquery.*.input	string		http://accounts.test.com
action_result.data.*.malquery.*.resources.*.file_size	numeric		466
action_result.data.*.malquery.*.resources.*.file_type	string		HTML
action_result.data.*.malquery.*.resources.*.first_seen_timestamp	string	date	2021-05-05T00:00:00Z
action_result.data.*.malquery.*.resources.*.label	string		unknown
action_result.data.*.malquery.*.resources.*.md5	string	md5	cf83a54faef91aa5c3f9d89dba8a8b14
action_result.data.*.malquery.*.resources.*.sha1	string	sha1	7fe4176691ffaf6df16090e19cbc36dc3f7ed041
action_result.data.*.malquery.*.resources.*.sha256	string	sha256	80c4f85980efc903c8ae376cd6d88025465d49aec6f84901d41abcc384b99738
action_result.data.*.malquery.*.type	string		url
action_result.data.*.malquery.*.verdict	string		whitelisted
action_result.data.*.origin	string		uiproxy
action_result.data.*.sandbox.*.architecture	string		WINDOWS
action_result.data.*.sandbox.*.contacted_hosts.*.address	string	ip	2XX.5X.1XX.6X
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name	string		iexplore.exe
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid	numeric		3808
action_result.data.*.sandbox.*.contacted_hosts.*.country	string		Test Name
action_result.data.*.sandbox.*.contacted_hosts.*.port	numeric	port	443
action_result.data.*.sandbox.*.contacted_hosts.*.protocol	string		TCP
action_result.data.*.sandbox.*.dns_requests.*.address	string		2XX.5X.1XX.2XX
action_result.data.*.sandbox.*.dns_requests.*.country	string		Test Name
action_result.data.*.sandbox.*.dns_requests.*.domain	string	domain ip	accounts.test.com
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp	string	date	2005-02-15T00:00:00+00:00
action_result.data.*.sandbox.*.dns_requests.*.registrar_name	string		MarkMonitor, Inc.
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers	string		NS1.TEST.COM
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization	string		Test Inc.
action_result.data.*.sandbox.*.environment	numeric		100
action_result.data.*.sandbox.*.environment_description	string	crowdstrike environment	Windows 7 32 bit
action_result.data.*.sandbox.*.environment_id	numeric		160
action_result.data.*.sandbox.*.error_message	string		The requested environment ID "300" and file type "url" have no available execution environment
action_result.data.*.sandbox.*.error_origin	string		CLIENT
action_result.data.*.sandbox.*.error_type	string		FILE_TYPE_BAD_ERROR
action_result.data.*.sandbox.*.extracted_files.*.description	string		XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
action_result.data.*.sandbox.*.extracted_files.*.file_path	string		%LOCALAPPDATA%\Test\Internet Explorer\VersionManager\ver2963.tmp
action_result.data.*.sandbox.*.extracted_files.*.file_size	numeric		16339
action_result.data.*.sandbox.*.extracted_files.*.md5	string	md5	cbd0581678fa40f0edcbc7c59e0cad10
action_result.data.*.sandbox.*.extracted_files.*.name	string		ver2963.tmp
action_result.data.*.sandbox.*.extracted_files.*.runtime_process	string		iexplore.exe (PID: 3808)
action_result.data.*.sandbox.*.extracted_files.*.sha1	string	sha1	a1463fbcc9b96a8929f8a335f75a89147b300715
action_result.data.*.sandbox.*.extracted_files.*.sha256	string	sha256	159bd4343f344a08f6af3b716b6fa679859c1bd1d7030d26ff5ef0255b86e1d9
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable	string		no specific threat
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename	string		SSL
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process	string		iexplore.exe
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source	string		Decrypted SSL Data
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type	string		Ansi
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value	string		.http://www.digicert.com/ssl-cps-repository.htm0
action_result.data.*.sandbox.*.file_type	string		PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
action_result.data.*.sandbox.*.http_requests.*.header	string		GET /gsr2/EXAMPLEDBKMEgwRjAJBgUrDgMCGgTESTXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJoEXAMPLEQHjtJqhjYqpgSVpULg%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Test-CryptoAPI/6.1 Host: ocsp.pki.goog
action_result.data.*.sandbox.*.http_requests.*.host	string		ocsp.pki.goog
action_result.data.*.sandbox.*.http_requests.*.host_ip	string	ip	2XX.5X.1XX.1XX
action_result.data.*.sandbox.*.http_requests.*.host_port	numeric	port	80
action_result.data.*.sandbox.*.http_requests.*.method	string		GET
action_result.data.*.sandbox.*.http_requests.*.url	string		/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
action_result.data.*.sandbox.*.incidents.*.name	string		Network Behavior
action_result.data.*.sandbox.*.memory_strings_artifact_id	string	crowdstrike artifact id	4300381ecd2f3d62648cdc01d862f4765032f071bad272164c3580b7b6fb8840
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id	string		T1085
action_result.data.*.sandbox.*.mitre_attacks.*.tactic	string		Execution
action_result.data.*.sandbox.*.mitre_attacks.*.technique	string		Rundll32
action_result.data.*.sandbox.*.network_settings	string		default
action_result.data.*.sandbox.*.pcap_report_artifact_id	string	crowdstrike artifact id	04a091843e91c36357b2ec63a2a7ac8ad7d142d861759062520b0a925e9b875d
action_result.data.*.sandbox.*.processes.*.command_line	string		"%WINDIR%\System32\ieframe.dll",OpenURL C:\3cfc7f2806efb5b01deb01164fa00adb46eb73a0d24871a566051fb2204094af.url
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask	string		FILE_READ_ATTRIBUTES
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path	string		C:
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type	string		CREATE
action_result.data.*.sandbox.*.processes.*.handles.*.id	numeric		80
action_result.data.*.sandbox.*.processes.*.handles.*.path	string		HKCU\Software\Test\Internet Explorer\Main\WindowsSearch
action_result.data.*.sandbox.*.processes.*.handles.*.type	string		KeyHandle
action_result.data.*.sandbox.*.processes.*.icon_artifact_id	string	crowdstrike artifact id	aa6f1a14d219555f2818f89dee06821824c872ae18279027baa0e160f61f049a
action_result.data.*.sandbox.*.processes.*.name	string		rundll32.exe
action_result.data.*.sandbox.*.processes.*.normalized_path	string		%WINDIR%\System32\rundll32.exe
action_result.data.*.sandbox.*.processes.*.parent_uid	string		00065605-00002148
action_result.data.*.sandbox.*.processes.*.pid	numeric		2148
action_result.data.*.sandbox.*.processes.*.process_flags.*.name	string		Reduced Monitoring
action_result.data.*.sandbox.*.processes.*.registry.*.key	string		WPADDECISIONREASON
action_result.data.*.sandbox.*.processes.*.registry.*.operation	string		Write
action_result.data.*.sandbox.*.processes.*.registry.*.path	string		HKCU\SOFTWARE\Test\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\WPAD\{0C70BB6D-CFA8-4734-A158-28619E142726}\WPADDECISIONREASON
action_result.data.*.sandbox.*.processes.*.registry.*.value	string		01000000
action_result.data.*.sandbox.*.processes.*.sha256	string	sha256	3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670
action_result.data.*.sandbox.*.processes.*.uid	string		00065605-00002148
action_result.data.*.sandbox.*.sha256	string	sha256	3cfc7f2806efb5b01deb01164fa00adb46eb73a0d24871a566051fb2204094af
action_result.data.*.sandbox.*.signatures.*.attack_id	string		T1085
action_result.data.*.sandbox.*.signatures.*.category	string		General
action_result.data.*.sandbox.*.signatures.*.description	string		"21X.5X.1XX.6X:4XX" "21X.5X.1XX.1XX:8X"
action_result.data.*.sandbox.*.signatures.*.identifier	string		network-1
action_result.data.*.sandbox.*.signatures.*.name	string		Contacts server
action_result.data.*.sandbox.*.signatures.*.origin	string		Network Traffic
action_result.data.*.sandbox.*.signatures.*.relevance	numeric		1
action_result.data.*.sandbox.*.signatures.*.threat_level	numeric		1
action_result.data.*.sandbox.*.signatures.*.threat_level_human	string		informative
action_result.data.*.sandbox.*.signatures.*.type	numeric		7
action_result.data.*.sandbox.*.submission_type	string		page_url
action_result.data.*.sandbox.*.submit_name	string		http://ko.wikipedia.org/wiki/%EC%9C%84%ED%82%A4%EB%B0%B1%EA%B3%BC:%EB%8C%80%EB%AC%B8
action_result.data.*.sandbox.*.submit_url	string		hxxps://www.test.com
action_result.data.*.sandbox.*.suricata_alerts.*.category	string		Unknown Traffic
action_result.data.*.sandbox.*.suricata_alerts.*.description	string		ET USER_AGENTS Test Device Metadata Retrieval Client User-Agent
action_result.data.*.sandbox.*.suricata_alerts.*.destination_ip	string		1XX.XX0.7X.X2
action_result.data.*.sandbox.*.suricata_alerts.*.destination_port	numeric	port	80
action_result.data.*.sandbox.*.suricata_alerts.*.protocol	string		TCP
action_result.data.*.sandbox.*.suricata_alerts.*.sid	string		2027390
action_result.data.*.sandbox.*.threat_score	numeric		35
action_result.data.*.sandbox.*.verdict	string		no specific threat
action_result.data.*.sandbox.*.windows_version_bitness	numeric		32
action_result.data.*.sandbox.*.windows_version_edition	string		Professional
action_result.data.*.sandbox.*.windows_version_name	string		Windows 7
action_result.data.*.sandbox.*.windows_version_service_pack	string		Service Pack 1
action_result.data.*.sandbox.*.windows_version_version	string		6.1 (build 7601)
action_result.data.*.user_id	string		2b32e6795b344abba8925cce6782d128
action_result.data.*.user_name	string		[email protected]
action_result.data.*.user_uuid	string		b6330292-28e6-4198-994d-96f327c5b5bd
action_result.data.*.verdict	string		no specific threat
action_result.summary.total_reports	numeric		1
action_result.summary.verdict	string		no specific threat
action_result.message	string		Verdict: no specific threat, Total reports: 1
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'download report'

To download the report of the provided artifact id

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
artifact_id	required	Artifact id to be downloaded	string	crowdstrike artifact id
file_name	optional	Filename to use for the file added to vault	string	filename

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.artifact_id	string	crowdstrike artifact id	6fc9590b42ff8dcbd51c4cddf7ec83bad13f08dcfc882dfbfae326a4c4d68e8d
action_result.parameter.file_name	string	filename	test_file
action_result.data	string
action_result.summary	string
action_result.message	string		Report downloaded successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'detonate file'

Upload a file to CrowdStrike and retrieve the analysis results

Type: generic
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
vault_id	required	Vault ID of file	string	vault id
environment	required	Sandbox environment to be used for analysis	string	crowdstrike environment
comment	optional	A descriptive comment to identify the file	string
limit	optional	Maximum reports to be fetched	numeric
offset	optional	Starting index of overall result set from which to return ids (Defaults to 0)	numeric
command_line	optional	Command line script passed to the submitted file at runtime (Max length: 2048 characters)	string
document_password	optional	Password of the document if password protected (Max length: 32 characters)	string
submit_name	optional	Name of the malware sample that's used for file type detection and analysis	string
user_tags	optional	Comma seperated list of user tags (Max length: 100 characters per tag)	string
sort	optional	Property to sort by	string
action_script	optional	Runtime script for sandbox analysis	string
detail_report	optional	Get the detailed report	boolean
enable_tor	optional	To route the sandbox network traffic via TOR	boolean
is_confidential	optional	Defines visibility of the file in Falcon MalQuery (defaults to True)	boolean

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.action_script	string		default
action_result.parameter.command_line	string
action_result.parameter.comment	string		This is a test comment
action_result.parameter.detail_report	boolean		True False
action_result.parameter.document_password	string		test_password
action_result.parameter.enable_tor	boolean		True False
action_result.parameter.environment	string	crowdstrike environment	Windows 10, 64-bit
action_result.parameter.is_confidential	boolean		True False
action_result.parameter.limit	numeric		5
action_result.parameter.offset	numeric		5
action_result.parameter.sort	string		created_timestamp.asc
action_result.parameter.submit_name	string		test_file_name
action_result.parameter.user_tags	string		test_tag1
action_result.parameter.vault_id	string	vault id	30c5e524e975816fbce1d958150e394efc219772
action_result.data.*.cid	string		3061c7ff3b634e22b38274d4b586558e
action_result.data.*.created_timestamp	string	date	2021-05-09T05:58:47Z
action_result.data.*.id	string	crowdstrike resource id	3061c7ff3b634e22b38274d4b586558e_ca27f64601b74c1f8a25577007987606
action_result.data.*.ioc_report_broad_csv_artifact_id	string	crowdstrike artifact id	8a06e0e6a04696b16d8bcbe3b7952c6b0b48458f1168bf70ffa97b0993b9d115
action_result.data.*.ioc_report_broad_json_artifact_id	string	crowdstrike artifact id	76dba8304fb398f192202a9dbbb39e259882ee7d9460afb4a07b8f2b8db8679a
action_result.data.*.ioc_report_broad_maec_artifact_id	string	crowdstrike artifact id	5391d132d841fe391d3132d2cab43cdf0d5a45c4f146e31cd65f51917dbf6820
action_result.data.*.ioc_report_broad_stix_artifact_id	string	crowdstrike artifact id	aaab7615a82190cabdf6086fd818a5a3a5f65072363a7fa89c73e12bf115befd
action_result.data.*.ioc_report_strict_csv_artifact_id	string	crowdstrike artifact id	3ebe2620f871109e7048bfb0c1638b8e011b5fb779d6229db7135668fc558208
action_result.data.*.ioc_report_strict_json_artifact_id	string	crowdstrike artifact id	097dc42503083de24bfb80b8964433348dfcb8b769f9abb491f5a97599666279
action_result.data.*.ioc_report_strict_maec_artifact_id	string	crowdstrike artifact id	ccbc852e586f1348d83025a98a78398ba97c78d21fd8296676ef7da40852dc9a
action_result.data.*.ioc_report_strict_stix_artifact_id	string	crowdstrike artifact id	0967fd13eea5335645e8b2be13f2da7254a8401f1536bd2b939002d69a1af7f6
action_result.data.*.malquery.*.input	string		X.X.0.0
action_result.data.*.malquery.*.resources.*.file_size	numeric		25970
action_result.data.*.malquery.*.resources.*.file_type	string		TEXT
action_result.data.*.malquery.*.resources.*.first_seen_timestamp	string	date	2017-08-10T00:00:00Z
action_result.data.*.malquery.*.resources.*.label	string		unknown
action_result.data.*.malquery.*.resources.*.md5	string	md5	c7c4bf6fc4e73a85e6ab36711bdd8a7f
action_result.data.*.malquery.*.resources.*.sha1	string	sha1	a21c5fbfa596efb30180f75062794f01952cf18e
action_result.data.*.malquery.*.resources.*.sha256	string	sha256	07c522146bddc664d077c2184e88e5cb17547f2501785506ce2f7b05eaf93af0
action_result.data.*.malquery.*.type	string		ip
action_result.data.*.malquery.*.verdict	string		whitelisted
action_result.data.*.origin	string		apigateway
action_result.data.*.sandbox.*.architecture	string		Unknown
action_result.data.*.sandbox.*.contacted_hosts.*.address	string	ip	2X.3X.1XX.X1
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name	string		svchost.exe
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid	numeric		7884
action_result.data.*.sandbox.*.contacted_hosts.*.country	string		Test Name
action_result.data.*.sandbox.*.contacted_hosts.*.port	numeric		443
action_result.data.*.sandbox.*.contacted_hosts.*.protocol	string		TCP
action_result.data.*.sandbox.*.dns_requests.*.address	string	ip	1X2.XX7.164.XX
action_result.data.*.sandbox.*.dns_requests.*.country	string		Test Name
action_result.data.*.sandbox.*.dns_requests.*.domain	string	domain url	fonts.gstatic.com
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp	string	date	2008-02-11T00:00:00+00:00
action_result.data.*.sandbox.*.dns_requests.*.registrar_name	string		MarkMonitor, Inc.
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers	string		NS1.TEST.COM
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization	string		Test Inc.
action_result.data.*.sandbox.*.environment	numeric		160
action_result.data.*.sandbox.*.environment_description	string	crowdstrike environment	Windows 10 64 bit
action_result.data.*.sandbox.*.environment_id	numeric		160
action_result.data.*.sandbox.*.error_message	string		The requested environment ID "300" and file type "html" have no available execution environment
action_result.data.*.sandbox.*.error_origin	string		CLIENT
action_result.data.*.sandbox.*.error_type	string		FILE_TYPE_BAD_ERROR
action_result.data.*.sandbox.*.extracted_files.*.description	string		MS Windows icon resource - 1 icon, 32x32
action_result.data.*.sandbox.*.extracted_files.*.file_path	string		%APPDATA%\Test\Windows\Recent\CustomDestinations\RB7520AO5Z28DRA0CR4G.temp
action_result.data.*.sandbox.*.extracted_files.*.file_size	numeric		4286
action_result.data.*.sandbox.*.extracted_files.*.md5	string	md5	da597791be3b6e732f0bc8b20e38ee62
action_result.data.*.sandbox.*.extracted_files.*.name	string		search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico
action_result.data.*.sandbox.*.extracted_files.*.runtime_process	string		iexplore.exe (PID: 3508)
action_result.data.*.sandbox.*.extracted_files.*.sha1	string	sha1	1125c45d285c360542027d7554a5c442288974de
action_result.data.*.sandbox.*.extracted_files.*.sha256	string	sha256	5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable	string		no specific threat
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename	string		ver718B.tmp
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process	string		iexplore.exe
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source	string		Runtime Data
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type	string		Unicode
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value	string		%LOCALAPPDATA%\Test\Internet Explorer\Recovery\High\Active\{EAD6EFB1-2090-11E8-9BD7-0A00274B5076}.dat
action_result.data.*.sandbox.*.file_imports.*.module	string		KERNEL32.dll
action_result.data.*.sandbox.*.file_size	numeric		70595
action_result.data.*.sandbox.*.file_type	string		SVG Scalable Vector Graphics image
action_result.data.*.sandbox.*.http_requests.*.header	string		GET /gsr2/TESTMEgwRjAJBgUrDgMCGgUABBTgXIsxbvEXAMPLEkIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqTESTULg%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Test-CryptoAPI/10.0 Host: ocsp.pki.goog
action_result.data.*.sandbox.*.http_requests.*.host	string	hostname	ocsp.pki.goog
action_result.data.*.sandbox.*.http_requests.*.host_ip	string	ip	1X2.2X7.13.67
action_result.data.*.sandbox.*.http_requests.*.host_port	numeric	port	80
action_result.data.*.sandbox.*.http_requests.*.method	string		GET
action_result.data.*.sandbox.*.http_requests.*.url	string		/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
action_result.data.*.sandbox.*.incidents.*.name	string		Network Behavior
action_result.data.*.sandbox.*.memory_strings_artifact_id	string	crowdstrike artifact id	ba1b505d2495d9258817ae235fd12331ec1d6805543df5ff99c98168ff003af5
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id	string		T1179
action_result.data.*.sandbox.*.mitre_attacks.*.tactic	string		Persistence
action_result.data.*.sandbox.*.mitre_attacks.*.technique	string		Hooking
action_result.data.*.sandbox.*.network_settings	string		tor
action_result.data.*.sandbox.*.pcap_report_artifact_id	string	crowdstrike artifact id	cce20f960ed692d8cd1e82418d98133c54eeb0e989941545a25e17c13629c9a6
action_result.data.*.sandbox.*.processes.*.command_line	string		C:\TestName.svg
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask	string		GENERIC_READ
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path	string		%WINDIR%\apppatch\sysmain.sdb
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type	string		CREATE
action_result.data.*.sandbox.*.processes.*.handles.*.id	numeric		152
action_result.data.*.sandbox.*.processes.*.handles.*.path	string		\Device\CNG
action_result.data.*.sandbox.*.processes.*.handles.*.type	string		FileHandle
action_result.data.*.sandbox.*.processes.*.icon_artifact_id	string	crowdstrike artifact id	eed07c63db692d7cb4af1daa44bdc5b03a63050290277d1e383601de95c05775
action_result.data.*.sandbox.*.processes.*.name	string		iexplore.exe
action_result.data.*.sandbox.*.processes.*.normalized_path	string		%PROGRAMFILES%\internet explorer\iexplore.exe
action_result.data.*.sandbox.*.processes.*.parent_uid	string		00079399-00003508
action_result.data.*.sandbox.*.processes.*.pid	numeric		3508
action_result.data.*.sandbox.*.processes.*.process_flags.*.name	string		Reduced Monitoring
action_result.data.*.sandbox.*.processes.*.registry.*.key	string		TYPE
action_result.data.*.sandbox.*.processes.*.registry.*.operation	string		Write
action_result.data.*.sandbox.*.processes.*.registry.*.path	string		HKCU\SOFTWARE\Test\INTERNET EXPLORER\VERSIONMANAGER\LASTUPDATELOWDATETIME
action_result.data.*.sandbox.*.processes.*.registry.*.status	string		c0000022
action_result.data.*.sandbox.*.processes.*.registry.*.status_human_readable	string		STATUS_ACCESS_DENIED
action_result.data.*.sandbox.*.processes.*.registry.*.value	string		C4110129
action_result.data.*.sandbox.*.processes.*.sha256	string	sha256	8dea16e513f70e1a98be6ec48439b5499d2c740247716f6bcb990b7c305ec0a0
action_result.data.*.sandbox.*.processes.*.uid	string		00079399-00003508
action_result.data.*.sandbox.*.sha256	string	sha256	43e6a1253ebd103b93d50531ee05ba9cf7d87f043b6bca96a0edec311494d875
action_result.data.*.sandbox.*.signatures.*.attack_id	string		T1010
action_result.data.*.sandbox.*.signatures.*.category	string		General
action_result.data.*.sandbox.*.signatures.*.description	string		"2XX.1XX.2XX.1X:8X"
action_result.data.*.sandbox.*.signatures.*.identifier	string		mutant-0
action_result.data.*.sandbox.*.signatures.*.name	string		Creates mutants
action_result.data.*.sandbox.*.signatures.*.origin	string		Created Mutant
action_result.data.*.sandbox.*.signatures.*.relevance	numeric		3
action_result.data.*.sandbox.*.signatures.*.threat_level	numeric		1
action_result.data.*.sandbox.*.signatures.*.threat_level_human	string		informative
action_result.data.*.sandbox.*.signatures.*.type	numeric		4
action_result.data.*.sandbox.*.submission_type	string		file
action_result.data.*.sandbox.*.submit_name	string		Test Name
action_result.data.*.sandbox.*.suricata_alerts.*.category	string		Unknown Traffic
action_result.data.*.sandbox.*.suricata_alerts.*.description	string		ET USER_AGENTS Test Device Metadata Retrieval Client User-Agent
action_result.data.*.sandbox.*.suricata_alerts.*.destination_ip	string	ip	1X4.1XX.8X.21
action_result.data.*.sandbox.*.suricata_alerts.*.destination_port	numeric	port	80
action_result.data.*.sandbox.*.suricata_alerts.*.protocol	string		TCP
action_result.data.*.sandbox.*.suricata_alerts.*.sid	string		2027390
action_result.data.*.sandbox.*.threat_score	numeric		35
action_result.data.*.sandbox.*.verdict	string		no specific threat
action_result.data.*.sandbox.*.version_info.*.id	string		LegalCopyright
action_result.data.*.sandbox.*.version_info.*.value	string		Copyright (C) Test Corp. 1981-1998
action_result.data.*.sandbox.*.windows_version_bitness	numeric		64
action_result.data.*.sandbox.*.windows_version_edition	string		Professional
action_result.data.*.sandbox.*.windows_version_name	string		Windows 10
action_result.data.*.sandbox.*.windows_version_service_pack	string		Service Pack 1
action_result.data.*.sandbox.*.windows_version_version	string		10.0 (build 16299)
action_result.data.*.threat_graph.indicators.*.global_prevalence	string		common
action_result.data.*.threat_graph.indicators.*.type	string		sha256
action_result.data.*.threat_graph.indicators.*.value	string		7ef166e82439ea3cafcb28754245325bfbf73e4eb94041bd77fd5c961924709c
action_result.data.*.user_id	string		b1cab7e2bda14722aca74b8353f5f6d9
action_result.data.*.user_name	string		[email protected]
action_result.data.*.user_tags	string		test_tag1
action_result.data.*.user_uuid	string		b6330292-28e6-4198-994d-96f327c5b5bd
action_result.data.*.verdict	string		no specific threat
action_result.summary.total_reports	numeric		1
action_result.summary.verdict	string		suspicious
action_result.message	string		Verdict: no specific threat, Total reports: 1 Total reports: 6
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'detonate url'

Upload an url to CrowdStrike and retrieve the analysis results

Type: generic
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
url	required	URL to query	string	url
environment	required	Sandbox environment to be used for analysis	string	crowdstrike environment
limit	optional	Maximum reports to be fetched	numeric
offset	optional	Starting index of overall result set from which to return ids (Defaults to 0)	numeric
document_password	optional	Password of the document if password protected (Max length: 32 characters)	string
command_line	optional	Command line script passed to the submitted file at runtime (Max length: 2048 characters)	string
user_tags	optional	Comma seperated list of user tags (Max length: 100 characters per tag)	string
sort	optional	Property to sort by	string
action_script	optional	Runtime script for sandbox analysis	string
detail_report	optional	Get the detailed report	boolean
enable_tor	optional	To route the sandbox network traffic via TOR	boolean

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.action_script	string		default
action_result.parameter.command_line	string
action_result.parameter.detail_report	boolean		True False
action_result.parameter.document_password	string		test_password
action_result.parameter.enable_tor	boolean		True False
action_result.parameter.environment	string	crowdstrike environment	Windows 10, 64-bit
action_result.parameter.limit	numeric		5
action_result.parameter.offset	numeric		5
action_result.parameter.sort	string		created_timestamp.asc
action_result.parameter.url	string	url	https://www.test.com
action_result.parameter.user_tags	string		test_tag1
action_result.data.*.cid	string		3061c7ff3b634e22b38274d4b586558e
action_result.data.*.created_timestamp	string	date	2021-05-14T10:03:35Z
action_result.data.*.id	string	crowdstrike resource id	3061c7ff3b634e22b38274d4b586558e_5e2ec86aa5e444ac93d298df547e4d40
action_result.data.*.ioc_report_broad_csv_artifact_id	string	crowdstrike artifact id	3b4ca1c6dd800fa60aaa4eb7154da76da7604067bcb3df160caa984ed7eabf3e
action_result.data.*.ioc_report_broad_json_artifact_id	string	crowdstrike artifact id	5b7554048df30cb234d11a9d4d77a64e9f033dbe53265ee9a0e74fd7f803cf59
action_result.data.*.ioc_report_broad_maec_artifact_id	string	crowdstrike artifact id	eefd76de04f16b6187d0f2b728dafec578e47cbfec140e7a6735f2f173d0cbcf
action_result.data.*.ioc_report_broad_stix_artifact_id	string	crowdstrike artifact id	bb6089f7c2da27e70eb93447a724287572d3b4cac1c91e78edc264ee30dc401d
action_result.data.*.ioc_report_strict_csv_artifact_id	string	crowdstrike artifact id	3b4ca1c6dd800fa60aaa4eb7154da76da7604067bcb3df160caa984ed7eabf3e
action_result.data.*.ioc_report_strict_json_artifact_id	string	crowdstrike artifact id	5b7554048df30cb234d11a9d4d77a64e9f033dbe53265ee9a0e74fd7f803cf59
action_result.data.*.ioc_report_strict_maec_artifact_id	string	crowdstrike artifact id	eefd76de04f16b6187d0f2b728dafec578e47cbfec140e7a6735f2f173d0cbcf
action_result.data.*.ioc_report_strict_stix_artifact_id	string	crowdstrike artifact id	bb6089f7c2da27e70eb93447a724287572d3b4cac1c91e78edc264ee30dc401d
action_result.data.*.malquery.*.input	string		http://mm.test.com
action_result.data.*.malquery.*.resources.*.family	string		Coinminer
action_result.data.*.malquery.*.resources.*.file_size	numeric		2313692
action_result.data.*.malquery.*.resources.*.file_type	string		PCAP
action_result.data.*.malquery.*.resources.*.first_seen_timestamp	string	date	2021-05-26T00:00:00Z
action_result.data.*.malquery.*.resources.*.label	string		unknown
action_result.data.*.malquery.*.resources.*.md5	string	md5	4446a961902d0094397a071d75e4abf8
action_result.data.*.malquery.*.resources.*.sha1	string	sha1	cb1c5bb0d84e3efb978efede256ebec5308873c0
action_result.data.*.malquery.*.resources.*.sha256	string	sha256	0091a4c5bc7bea90faadeee2ae71bd29e131d3f59f8ffb9f58ec7276953fafe5
action_result.data.*.malquery.*.type	string		url
action_result.data.*.malquery.*.verdict	string		unknown
action_result.data.*.origin	string		apigateway
action_result.data.*.sandbox.*.architecture	string		WINDOWS
action_result.data.*.sandbox.*.contacted_hosts.*.address	string	ip	1XX.2XX.7X.1XX
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.name	string		Testedgecp.exe
action_result.data.*.sandbox.*.contacted_hosts.*.associated_runtime.*.pid	numeric		1600
action_result.data.*.sandbox.*.contacted_hosts.*.country	string		Test Name
action_result.data.*.sandbox.*.contacted_hosts.*.port	numeric		443
action_result.data.*.sandbox.*.contacted_hosts.*.protocol	string		TCP
action_result.data.*.sandbox.*.dns_requests.*.address	string	ip	1XX.2X.X.X
action_result.data.*.sandbox.*.dns_requests.*.country	string		Test Name
action_result.data.*.sandbox.*.dns_requests.*.domain	string	domain url	www.test.com
action_result.data.*.sandbox.*.dns_requests.*.registrar_creation_timestamp	string	date	2007-11-13T00:00:00+00:00
action_result.data.*.sandbox.*.dns_requests.*.registrar_name	string		RegistryGate GmbH
action_result.data.*.sandbox.*.dns_requests.*.registrar_name_servers	string		NS-1109.AWSDNS-10.ORG
action_result.data.*.sandbox.*.dns_requests.*.registrar_organization	string		Creationes Virtuales CV GmbH
action_result.data.*.sandbox.*.environment	numeric		160
action_result.data.*.sandbox.*.environment_description	string	crowdstrike environment	Windows 10 64 bit
action_result.data.*.sandbox.*.environment_id	numeric		100
action_result.data.*.sandbox.*.error_message	string		The requested environment ID "300" and file type "url" have no available execution environment
action_result.data.*.sandbox.*.error_origin	string		CLIENT
action_result.data.*.sandbox.*.error_type	string		FILE_TYPE_BAD_ERROR
action_result.data.*.sandbox.*.extracted_files.*.description	string		data
action_result.data.*.sandbox.*.extracted_files.*.file_path	string		%APPDATA%\Adobe\Acrobat\11.0\Security\CRLCache\0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl
action_result.data.*.sandbox.*.extracted_files.*.file_size	numeric		637
action_result.data.*.sandbox.*.extracted_files.*.md5	string	md5	974e8536b8767ac5be204f35d16f73e8
action_result.data.*.sandbox.*.extracted_files.*.name	string		0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl
action_result.data.*.sandbox.*.extracted_files.*.runtime_process	string		AcroRd32.exe (PID: 4084)
action_result.data.*.sandbox.*.extracted_files.*.sha1	string	sha1	e847897947a3db26e35cb7d490c688e8c410dfb7
action_result.data.*.sandbox.*.extracted_files.*.sha256	string	sha256	d1bb4b163fe01acc368a92b385bb0bd3a9fc2340b6d485b77a20553a713166d3
action_result.data.*.sandbox.*.extracted_files.*.threat_level_readable	string		no specific threat
action_result.data.*.sandbox.*.extracted_interesting_strings.*.filename	string		rundll32.exe
action_result.data.*.sandbox.*.extracted_interesting_strings.*.process	string		AcroRd32.exe
action_result.data.*.sandbox.*.extracted_interesting_strings.*.source	string		Process Commandline
action_result.data.*.sandbox.*.extracted_interesting_strings.*.type	string		Ansi
action_result.data.*.sandbox.*.extracted_interesting_strings.*.value	string		"%WINDIR%\system32\ieframe.dll",OpenURL C:\a3d7be9b5d8f9070d96789cdf7ee5ce2f1ee827f261faa0d43d4de605ad3194c.url
action_result.data.*.sandbox.*.file_size	numeric		690028
action_result.data.*.sandbox.*.file_type	string		PDF document, version 1.6
action_result.data.*.sandbox.*.http_requests.*.header	string		GET /gsr2/EXAMPLEMEgwRjAJBgUrDgMCGgUABBTgXTEST2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBtTESTt39wZhi4CDQHjtJqhjYqpgSVpULg%3D HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Test-CryptoAPI/10.0 Host: ocsp.pki.goog
action_result.data.*.sandbox.*.http_requests.*.host	string	hostname	ocsp.pki.goog
action_result.data.*.sandbox.*.http_requests.*.host_ip	string	ip	1XX.2XX.X.6X
action_result.data.*.sandbox.*.http_requests.*.host_port	numeric		80
action_result.data.*.sandbox.*.http_requests.*.method	string		GET
action_result.data.*.sandbox.*.http_requests.*.url	string	url	/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
action_result.data.*.sandbox.*.incidents.*.name	string		Network Behavior
action_result.data.*.sandbox.*.memory_strings_artifact_id	string	crowdstrike artifact id	84626f942fc9dffdeb6facc2fb4a337bc8f52323a6a8be3e16d0c2ea57d30820
action_result.data.*.sandbox.*.mitre_attacks.*.attack_id	string		T1085
action_result.data.*.sandbox.*.mitre_attacks.*.tactic	string		Execution
action_result.data.*.sandbox.*.mitre_attacks.*.technique	string		Rundll32
action_result.data.*.sandbox.*.network_settings	string		tor
action_result.data.*.sandbox.*.pcap_report_artifact_id	string	crowdstrike artifact id	506bc12accb770cdb032ad567ee478842a8cf1506ce9658f78f46d6b6cc65099
action_result.data.*.sandbox.*.processes.*.command_line	string		"%WINDIR%\system32\ieframe.dll",OpenURL C:\a3d7be9b5d8f9070d96789cdf7ee5ce2f1ee827f261faa0d43d4de605ad3194c.url
action_result.data.*.sandbox.*.processes.*.file_accesses.*.mask	string		GENERIC_READ
action_result.data.*.sandbox.*.processes.*.file_accesses.*.path	string		%WINDIR%\apppatch\sysmain.sdb
action_result.data.*.sandbox.*.processes.*.file_accesses.*.type	string		CREATE
action_result.data.*.sandbox.*.processes.*.handles.*.id	numeric		176
action_result.data.*.sandbox.*.processes.*.handles.*.path	string		\Device\CNG
action_result.data.*.sandbox.*.processes.*.handles.*.type	string		FileHandle
action_result.data.*.sandbox.*.processes.*.icon_artifact_id	string	crowdstrike artifact id	25f2b36dff5226562d05a905dae09c7e4ef627528e74dd5b95cc3575da3697dd
action_result.data.*.sandbox.*.processes.*.name	string		rundll32.exe
action_result.data.*.sandbox.*.processes.*.normalized_path	string		%WINDIR%\System32\rundll32.exe
action_result.data.*.sandbox.*.processes.*.pid	numeric		4340
action_result.data.*.sandbox.*.processes.*.process_flags.*.name	string		Reduced Monitoring
action_result.data.*.sandbox.*.processes.*.registry.*.key	string		BLASTEXITNORMAL
action_result.data.*.sandbox.*.processes.*.registry.*.operation	string		Delete
action_result.data.*.sandbox.*.processes.*.registry.*.path	string		HKLM\SYSTEM\ACROBATVIEWERCPP473\
action_result.data.*.sandbox.*.processes.*.registry.*.value	string		00000000
action_result.data.*.sandbox.*.processes.*.sha256	string	sha256	b1e6a7a3e2597e51836277a32b2bc61aa781c8f681d44dfddea618b32e2bf2a6
action_result.data.*.sandbox.*.processes.*.uid	string		00177892-00004340
action_result.data.*.sandbox.*.sha256	string	sha256	a3d7be9b5d8f9070d96789cdf7ee5ce2f1ee827f261faa0d43d4de605ad3194c
action_result.data.*.sandbox.*.signatures.*.attack_id	string		T1085
action_result.data.*.sandbox.*.signatures.*.category	string		General
action_result.data.*.sandbox.*.signatures.*.description	string		"www.test.com"
action_result.data.*.sandbox.*.signatures.*.identifier	string		network-0
action_result.data.*.sandbox.*.signatures.*.name	string		Contacts domains
action_result.data.*.sandbox.*.signatures.*.origin	string		Network Traffic
action_result.data.*.sandbox.*.signatures.*.relevance	numeric		1
action_result.data.*.sandbox.*.signatures.*.threat_level	numeric		1
action_result.data.*.sandbox.*.signatures.*.threat_level_human	string		informative
action_result.data.*.sandbox.*.signatures.*.type	numeric		7
action_result.data.*.sandbox.*.submission_type	string		page_url
action_result.data.*.sandbox.*.submit_name	string		whatami
action_result.data.*.sandbox.*.submit_url	string	url	hxxps://test.com
action_result.data.*.sandbox.*.threat_score	numeric		35
action_result.data.*.sandbox.*.verdict	string		no specific threat
action_result.data.*.sandbox.*.windows_version_bitness	numeric		64
action_result.data.*.sandbox.*.windows_version_edition	string		Professional
action_result.data.*.sandbox.*.windows_version_name	string		Windows 10
action_result.data.*.sandbox.*.windows_version_version	string		10.0 (build 16299)
action_result.data.*.user_id	string		225bf5b4490348d9a1eacddc61501c09
action_result.data.*.user_name	string		Test user
action_result.data.*.user_tags	string		test_tag1
action_result.data.*.user_uuid	string		b6330292-28e6-4198-994d-96f327c5b5bd
action_result.data.*.verdict	string		no specific threat
action_result.summary.total_reports	numeric		5
action_result.summary.verdict	string		suspicious
action_result.message	string		Verdict: no specific threat, Total reports: 1 Total reports: 6
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'check status'

To check detonation status of the provided resource id

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
resource_id	required	Id of the resource	string	crowdstrike resource id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.resource_id	string	crowdstrike resource id	3061c7ff3b634e22b38274d4b586558e_48004b5623af49ce9442d4bafd8e7b3d
action_result.data	string
action_result.data.*.cid	string		3061c7ff3b634e22b38274d4b586558e
action_result.data.*.created_timestamp	string	date	2021-05-15T13:12:02Z
action_result.data.*.id	string	crowdstrike resource id	3061c7ff3b634e22b38274d4b586558e_48004b5623af49ce9442d4bafd8e7b3d
action_result.data.*.origin	string		uiproxy
action_result.data.*.sandbox.*.action_script	string		default
action_result.data.*.sandbox.*.command_line	string		taskkill /IM *
action_result.data.*.sandbox.*.enable_tor	boolean		True
action_result.data.*.sandbox.*.environment_id	numeric		160
action_result.data.*.sandbox.*.network_settings	string		default
action_result.data.*.sandbox.*.sha256	string	sha256	70641a2ef9a116fa7f5b1376654657926a91a2bed913837c62f5598c77a3e191
action_result.data.*.sandbox.*.submit_name	string		example.csv
action_result.data.*.sandbox.*.url	string	url	hxxps://www.test.com
action_result.data.*.state	string		success
action_result.data.*.user_id	string		225bf5b4490348d9a1eacddc61501c09
action_result.data.*.user_name	string		test_user
action_result.data.*.user_uuid	string		b6330292-28e6-4198-994d-96f327c5b5bd
action_result.summary.state	string		success
action_result.message	string		State: success
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get device scroll'

Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)

Type: investigate
Read only: True

More info can be found at here.

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
offset	optional	The offset to page from, for the next result set	string
limit	optional	The maximum records to return. [1-5000]	numeric
sort	optional	The property to sort by (e.g. status.desc or hostname.asc)	string
filter	optional	The offset to page from, for the next result set	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.filter	string		platform_name:'windows'
action_result.parameter.limit	numeric		120
action_result.parameter.offset	string
action_result.parameter.sort	string		status.desc
action_result.data.*.errors.*.code	string
action_result.data.*.errors.*.id	string
action_result.data.*.errors.*.message	string
action_result.data.*.meta.pagination.expires_at	numeric		1632462683095273200
action_result.data.*.meta.pagination.limit	string
action_result.data.*.meta.pagination.offset	string
action_result.data.*.meta.pagination.total	numeric		2
action_result.data.*.meta.powered_by	string		device-api
action_result.data.*.meta.query_time	numeric		0.004875208
action_result.data.*.meta.trace_id	string		008a2081-1ad7-4e80-a2cc-0acc1562302b
action_result.data.*.resources	string	crowdstrike device id	12e75112bdc44ac7a60b5ad1d2765303
action_result.summary	string
action_result.message	string		Device scroll fetched successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'get zta data'

Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID)

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
agent_id	required	Agent ID to get zero trust assessment data about. Comma-separated list allowed	string	crowdstrike device id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.agent_id	string	crowdstrike device id	95969e1abbea43bdaf6cc50c9b4aec2e,46592f3d661a469eb2503d72a29afd3a
action_result.data.*.aid	string	crowdstrike device id	95969e1abbea43bdaf6cc50c9b4aec2e
action_result.data.*.assessment.os	numeric		38
action_result.data.*.assessment.overall	numeric		32
action_result.data.*.assessment.sensor_config	numeric		29
action_result.data.*.assessment.version	string		3.3.0
action_result.data.*.assessment_items.os_signals.*.criteria	string		Kernel Mode Code Integrity: enabled
action_result.data.*.assessment_items.os_signals.*.group_name	string		Windows 10
action_result.data.*.assessment_items.os_signals.*.meets_criteria	string		no
action_result.data.*.assessment_items.os_signals.*.signal_id	string		windows_os_build
action_result.data.*.assessment_items.os_signals.*.signal_name	string		Windows OS Build
action_result.data.*.assessment_items.sensor_signals.*.criteria	string		Spotlight: enabled
action_result.data.*.assessment_items.sensor_signals.*.group_name	string		Sensor
action_result.data.*.assessment_items.sensor_signals.*.meets_criteria	string		no
action_result.data.*.assessment_items.sensor_signals.*.signal_id	string		spotlight_enabled
action_result.data.*.assessment_items.sensor_signals.*.signal_name	string		Spotlight
action_result.data.*.cid	string	crowdstrike customer id	3061c7ff3b634e22b38274d4b586558e
action_result.data.*.event_platform	string		Win
action_result.data.*.modified_time	string		2022-03-21T23:07:13Z
action_result.data.*.product_type_desc	string		Server
action_result.data.*.sensor_file_status	string		not deployed
action_result.data.*.system_serial_number	string		VMware-42 2a 23 c9 7f 05 df a5-23 51 df 2c 02 ce 36 fb
action_result.summary	string
action_result.message	string		Zero Trust Assessment data fetched successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'create ioa rule group'

Create an empty IOA Rule Group

Type: contain
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
name	required	Name of the new Rule Group	string
description	required	Longer description for the new Rule Group	string
platform	required	Platform that this Rule Group applies to	string
enabled	optional	Enable the new Rule Group immediately upon creation	boolean
policy_id	optional	Prevention Policy ID to assign the new Rule Group to	string	crowdstrike prevention policy id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.name	string		my_rule_group
action_result.parameter.description	string		Custom rule group
action_result.parameter.platform	string		windows mac linux
action_result.parameter.enabled	boolean		True False
action_result.parameter.policy_id	string	crowdstrike prevention policy id	2018f9894359493cb756bfa7dd3357a6
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.data.*.resources.*.id	string	crowdstrike ioa rule group id	3263801f7612424ba923f4e6e4bfe2f2
action_result.data.*.resources.*.customer_id	string	crowdstrike customer id	4061c7ff3b634e22b38274d4b586554r
action_result.data.*.resources.*.enabled	boolean		True False
action_result.data.*.resources.*.name	string		my_rule_group
action_result.data.*.resources.*.description	string		Custom rule group
action_result.data.*.resources.*.platform	string		windows mac linux
action_result.data.*.resources.*.deleted	boolean		True False
action_result.data.*.resources.*.rule_ids.*	string	crowdstrike ioa rule id	6
action_result.data.*.resources.*.comment	string		Updated description
action_result.data.*.resources.*.version	numeric		1
action_result.data.*.resources.*.created_by	string	crowdstrike user id	65f616497d0d40d4b6e7a68389323605
action_result.data.*.resources.*.created_on	string		2024-01-25T19:17:02.117884262Z
action_result.data.*.resources.*.modified_by	string	crowdstrike user id	65f616497d0d40d4b6e7a68389323605
action_result.data.*.resources.*.modified_on	string		2024-01-25T19:17:02.117884262Z
action_result.data.*.resources.*.committed_on	string		0001-01-01T00:00:00Z
action_result.data.*.resources.*.assigned_policy_ids.*	string	crowdstrike prevention policy id	2018f9894359493cb756bfa7dd3357a6
action_result.summary.rule_group_id	string
action_result.message	string		Rule Group created successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'update ioa rule group'

Modify an existing IOA Rule Group

Type: contain
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
id	required	Rule Group ID	string	crowdstrike ioa rule group id
version	required	Latest version of this Rule Group	numeric
name	required	Name of the Rule Group	string
description	required	Longer description for the Rule Group	string
enabled	optional	Enable or disable the Rule Group	boolean
comment	required	Comment for the audit log	string
assign_policy_id	optional	Prevention Policy ID to assign the Rule Group to	string	crowdstrike prevention policy id
remove_policy_id	optional	Prevention Policy ID to remove the Rule Group from	string	crowdstrike prevention policy id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.id	string	crowdstrike ioa rule group id	3263801f7612424ba923f4e6e4bfe2f2
action_result.parameter.version	numeric		1
action_result.parameter.name	string		my_rule_group
action_result.parameter.description	string		Custom rule group
action_result.parameter.enabled	boolean		True False
action_result.parameter.comment	boolean		Updated rule description
action_result.parameter.assign_policy_id	string	crowdstrike prevention policy id	2018f9894359493cb756bfa7dd3357a6
action_result.parameter.remove_policy_id	string	crowdstrike prevention policy id	2018f9894359493cb756bfa7dd3357a6
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.data.*.resources.*.id	string	crowdstrike ioa rule group id	3263801f7612424ba923f4e6e4bfe2f2
action_result.data.*.resources.*.customer_id	string	crowdstrike customer id	4061c7ff3b634e22b38274d4b586554r
action_result.data.*.resources.*.enabled	boolean		True False
action_result.data.*.resources.*.name	string		my_rule_group
action_result.data.*.resources.*.description	string		Custom rule group
action_result.data.*.resources.*.platform	string		windows mac linux
action_result.data.*.resources.*.deleted	boolean		True False
action_result.data.*.resources.*.rule_ids.*	string	crowdstrike ioa rule id	6
action_result.data.*.resources.*.comment	string		Updated description
action_result.data.*.resources.*.version	numeric		1
action_result.data.*.resources.*.created_by	string	crowdstrike user id	65f616497d0d40d4b6e7a68389323605
action_result.data.*.resources.*.created_on	string		2024-01-25T19:17:02.117884262Z
action_result.data.*.resources.*.modified_by	string	crowdstrike user id	65f616497d0d40d4b6e7a68389323605
action_result.data.*.resources.*.modified_on	string		2024-01-25T19:17:02.117884262Z
action_result.data.*.resources.*.committed_on	string		0001-01-01T00:00:00Z
action_result.data.*.resources.*.assigned_policy_ids.*	string	crowdstrike prevention policy id	2018f9894359493cb756bfa7dd3357a6
action_result.data.*.resources.*.removed_policy_ids.*	string	crowdstrike prevention policy id	2018f9894359493cb756bfa7dd3357a6
action_result.summary.rule_group_id	string
action_result.message	string		Rule Group updated successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'delete ioa rule group'

Delete an existing IOA Rule Group

Type: contain
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
id	required	Rule Group ID	string	crowdstrike ioa rule group id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.id	string	crowdstrike ioa rule group id	3263801f7612424ba923f4e6e4bfe2f2
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.data.*.meta.writes.resources_affected	numeric		1
action_result.summary.resources_affected	string
action_result.message	string		Deleted 1 rule groups
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list ioa platforms'

List valid platforms for IOA Rule Groups

Type: investigate
Read only: True

Action Parameters

No parameters are required for this action

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.data.*.resources.*	string		windows mac linux
action_result.summary.result_count	numeric
action_result.message	string		Found 3 rule groups
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list ioa rule groups'

List IOA Rule Groups

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
fql_query	optional	FQL query to filter rule groups	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.fql_query	string		enabled: true + platform: 'mac'
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.data.*.resources.*.instance_id	string	crowdstrike ioa rule id	1
action_result.data.*.resources.*.customer_id	string	crowdstrike customer id	4061c7ff3b634e22b38274d4b586554r
action_result.data.*.resources.*.ruletype_id	string		5
action_result.data.*.resources.*.ruletype_name	string		Process Creation
action_result.data.*.resources.*.comment	string		Created rule
action_result.data.*.resources.*.enabled	boolean		True False
action_result.data.*.resources.*.deleted	boolean		True False
action_result.data.*.resources.*.magic_cookie	numeric		2
action_result.data.*.resources.*.rulegroup_id	string	crowdstrike ioa rule group id	83f596d2f8c04f36ad39182311e90e3a
action_result.data.*.resources.*.version_ids.*	string		1
action_result.data.*.resources.*.instance_version	numeric		1
action_result.data.*.resources.*.name	string		BugRule
action_result.data.*.resources.*.description	string		Stops the bug
action_result.data.*.resources.*.pattern_id	string		41005
action_result.data.*.resources.*.pattern_severity	string		critical
action_result.data.*.resources.*.action_label	string		Block Execution
action_result.data.*.resources.*.disposition_id	numeric		30
action_result.data.*.resources.*.field_values.*.name	string		GrandparentImageFilename
action_result.data.*.resources.*.field_values.*.value	string		(?i).+bug.exe
action_result.data.*.resources.*.field_values.*.label	string		Grandparent Image Filename
action_result.data.*.resources.*.field_values.*.type	string		excludable
action_result.data.*.resources.*.field_values.*.values.*.label	string		include
action_result.data.*.resources.*.field_values.*.values.*.value	string		.+bug.exe
action_result.data.*.resources.*.field_values.*.final_value	string		(?i).+bug.exe
action_result.summary.result_count	numeric
action_result.message	string		Found 3 rule groups
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list ioa severities'

List valid severity values for IOA rules

Type: investigate
Read only: True

Action Parameters

No parameters are required for this action

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.data.*.resources.*	string		informational low medium high critical
action_result.summary.result_count	numeric
action_result.message	string		Found 3 supported platforms
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'list ioa types'

List valid types of IOA rules

Type: investigate
Read only: True

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
platform	optional	Show only IOA types supported by the given platform	string

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.platform	string		mac linux windows
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.data.*.resources.*.id	string		1
action_result.data.*.resources.*.name	string		Process Creation
action_result.data.*.resources.*.channel	numeric		501
action_result.data.*.resources.*.long_desc	string		Mac basic process custom template. Triggered off of CreateProcessPreventionQueryMac.
action_result.data.*.resources.*.released	boolean		True False
action_result.data.*.resources.*.fields.*.name	string		GrandparentImageFilename
action_result.data.*.resources.*.fields.*.label	string		Grandparent Image Filename
action_result.data.*.resources.*.fields.*.type	string		excludable
action_result.data.*.resources.*.fields.*.type.*.label	string		include
action_result.data.*.resources.*.fields.*.type.*.value	string
action_result.data.*.resources.*.disposition_map.*.id	numeric		10
action_result.data.*.resources.*.disposition_map.*.label	string		Monitor
action_result.data.*.resources.*.fields_pretty	string		{}
action_result.summary.result_count	numeric
action_result.message	string		Found 3 rule types
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'create ioa rule'

Create a new IOA Rule

Type: contain
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
rule_group_id	required	Rule Group ID in which to create this rule	string	crowdstrike ioa rule group id
name	required	Rule name	string
description	required	Rule description	string
severity	required	Rule severity (run the "list ioa severities" action to find valid severities)	string
rule_type_id	required	Rule type to create (run the "list ioa types" action to find valid types of rules and their IDs and parameters)	numeric
disposition_id	required	The action that the rule should take when triggered (valid dispositions can be found in the "list ioa types" output)	numeric
field_values	required	JSON list of parameters to pass to the new rule (valid fields can be found in the "list ioa types" output)	string
comment	optional	Comment for the audit log (optional)	string
enabled	optional	Enable this rule immediately	boolean

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.rule_group_id	string	crowdstrike ioa rule group id	83f596d2f8c04f36ad39182311e90e3a
action_result.parameter.name	string		BugRule
action_result.parameter.description	string		Stops the bug
action_result.parameter.severity	string		critical
action_result.parameter.rule_type_id	numeric		5
action_result.parameter.disposition_id	numeric		30
action_result.parameter.field_values	string		{"label":"Grandparent Image Filename","name":"GrandparentImageFilename","type":"excludable","values":[{"label":"include","value":".+bug.exe"}]}]
action_result.parameter.comment	string		Example comment
action_result.parameter.enabled	boolean		True False
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.data.*.resources.*.instance_id	string	crowdstrike ioa rule id	1
action_result.data.*.resources.*.customer_id	string	crowdstrike customer id	4061c7ff3b634e22b38274d4b586554r
action_result.data.*.resources.*.ruletype_id	string		5
action_result.data.*.resources.*.ruletype_name	string		Process Creation
action_result.data.*.resources.*.comment	string		Created rule
action_result.data.*.resources.*.enabled	boolean		True False
action_result.data.*.resources.*.deleted	boolean		True False
action_result.data.*.resources.*.magic_cookie	numeric		2
action_result.data.*.resources.*.rulegroup_id	string	crowdstrike ioa rule group id	83f596d2f8c04f36ad39182311e90e3a
action_result.data.*.resources.*.version_ids.*	string		1
action_result.data.*.resources.*.instance_version	numeric		1
action_result.data.*.resources.*.name	string		BugRule
action_result.data.*.resources.*.description	string		Stops the bug
action_result.data.*.resources.*.pattern_id	string		41005
action_result.data.*.resources.*.pattern_severity	string		critical
action_result.data.*.resources.*.action_label	string		Block Execution
action_result.data.*.resources.*.disposition_id	numeric		30
action_result.data.*.resources.*.field_values.*.name	string		GrandparentImageFilename
action_result.data.*.resources.*.field_values.*.value	string		(?i).+bug.exe
action_result.data.*.resources.*.field_values.*.label	string		Grandparent Image Filename
action_result.data.*.resources.*.field_values.*.type	string		excludable
action_result.data.*.resources.*.field_values.*.values.*.label	string		include
action_result.data.*.resources.*.field_values.*.values.*.value	string		.+bug.exe
action_result.data.*.resources.*.field_values.*.final_value	string		(?i).+bug.exe
action_result.summary.rule_group_id	string	crowdstrike ioa rule group id	83f596d2f8c04f36ad39182311e90e3a
action_result.summary.rule_id	string	crowdstrike ioa rule id	1
action_result.message	string		Rule created successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'update ioa rule'

Update an existing IOA Rule

Type: contain
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
rule_group_id	required	Rule Group ID containing the rule	string	crowdstrike ioa rule group id
rule_group_version	required	Latest version of Rule Group	numeric
rule_id	required	Rule ID to update	string	crowdstrike ioa rule id
rule_version	required	Latest version of Rule	numeric
name	required	Rule name	string
description	required	Rule description	string
severity	required	Rule severity (run the "list ioa severities" action to find valid severities)	string
disposition_id	required	The action that the rule should take when triggered (valid dispositions can be found in the "list ioa types" output)	numeric
field_values	required	JSON list of parameters to pass to the new rule (valid fields can be found in the "list ioa types" output)	string
comment	optional	Comment for the audit log (optional)	string
enabled	optional	Enable this rule	boolean

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.rule_group_id	string	crowdstrike ioa rule group id	83f596d2f8c04f36ad39182311e90e3a
action_result.parameter.rule_group_version	numeric		2
action_result.parameter.rule_id	string	crowdstrike ioa rule id	1
action_result.parameter.rule_version	numeric		1
action_result.parameter.name	string		BugRule
action_result.parameter.description	string		Stops the bug
action_result.parameter.severity	string		critical
action_result.parameter.disposition_id	numeric		30
action_result.parameter.field_values	string		{"label":"Grandparent Image Filename","name":"GrandparentImageFilename","type":"excludable","values":[{"label":"include","value":".+bug.exe"}]}]
action_result.parameter.comment	string		Example comment
action_result.parameter.enabled	boolean		True False
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.data.*.resources.*.id	string	crowdstrike ioa rule group id	83f596d2f8c04f36ad39182311e90e3a
action_result.data.*.resources.*.name	string		Bug Rule Group
action_result.data.*.resources.*.rules.*.name	string		BugRule
action_result.data.*.resources.*.rules.*.comment	string		Updated the thing
action_result.data.*.resources.*.rules.*.deleted	boolean		True False
action_result.data.*.resources.*.rules.*.enabled	boolean		True False
action_result.data.*.resources.*.rules.*.created_by	string	crowdstrike unique user id	bb777249-c782-4434-b57a-f15ac742926c
action_result.data.*.resources.*.rules.*.created_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.resources.*.rules.*.pattern_id	string		41007
action_result.data.*.resources.*.rules.*.customer_id	string	crowdstrike customer id	4061c7ff3b634e22b38274d4b586554r
action_result.data.*.resources.*.rules.*.description	string		Stops the bug
action_result.data.*.resources.*.rules.*.modified_by	string	crowdstrike unique user id	bb777249-c782-4434-b57a-f15ac742926c
action_result.data.*.resources.*.rules.*.modified_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.resources.*.rules.*.ruletype_id	string
action_result.data.*.resource.*.rules.*.version_ids.*	string
action_result.data.*.resource.*.rules.*.action_label	string
action_result.data.*.resources.*.rules.*.committed_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.resources.*.rules.*.field_values.*.name	string		GrandparentImageFilename
action_result.data.*.resources.*.rules.*.field_values.*.value	string		(?i).+bug.exe
action_result.data.*.resources.*.rules.*.field_values.*.label	string		Grandparent Image Filename
action_result.data.*.resources.*.rules.*.field_values.*.type	string		excludable
action_result.data.*.resources.*.rules.*.field_values.*.values.*.label	string		include
action_result.data.*.resources.*.rules.*.field_values.*.values.*.value	string		.+bug.exe
action_result.data.*.resources.*.rules.*.field_values.*.final_value	string		(?i).+bug.exe
action_result.data.*.resources.*.rules.*.magic_cookie	numeric		6
action_result.data.*.resources.*.rules.*.rulegroup_id	string	crowdstrike ioa rule group id
action_result.data.*.resources.*.rules.*.ruletype_name	string		Process Creation
action_result.data.*.resources.*.rules.*.disposition_id	numeric		10
action_result.data.*.resources.*.rules.*.instance_version	numeric		3
action_result.data.*.resources.*.rules.*.pattern_severity	string		medium
action_result.data.*.resources.*.comment	string		Created rule
action_result.data.*.resources.*.enabled	boolean		True False
action_result.data.*.resources.*.deleted	boolean		True False
action_result.data.*.resources.*.version	numeric		2
action_result.data.*.resources.*.platform	string		mac windows linux
action_result.data.*.resources.*.rule_ids.*	string	crowdstrike ioa rule id	1
action_result.data.*.resources.*.created_by	string	crowdstrike unique user id	bb777249-c782-4434-b57a-f15ac742926c
action_result.data.*.resources.*.created_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.resources.*.customer_id	string	crowdstrike customer id	4061c7ff3b634e22b38274d4b586554r
action_result.data.*.resources.*.description	string		Stops the bug
action_result.data.*.resources.*.modified_by	string	crowdstrike unique user id	bb777249-c782-4434-b57a-f15ac742926c
action_result.data.*.resources.*.modified_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.data.*.resources.*.committed_on	string	date	2021-09-15T09:52:27.651770437Z
action_result.summary.rule_group_id	string	crowdstrike ioa rule group id	83f596d2f8c04f36ad39182311e90e3a
action_result.summary.rule_group_version	numeric		1
action_result.summary.rule_id	string	crowdstrike ioa rule id	1
action_result.summary.rule_version	numeric		1
action_result.message	string		Rule updated successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1

action: 'delete ioa rule'

Delete an existing IOA Rule

Type: contain
Read only: False

Action Parameters

PARAMETER	REQUIRED	DESCRIPTION	TYPE	CONTAINS
rule_group_id	required	Rule Group ID containing the rule	string	crowdstrike ioa rule group id
rule_id	required	Rule ID to delete	string	crowdstrike ioa rule id

Action Output

DATA PATH	TYPE	CONTAINS	EXAMPLE VALUES
action_result.status	string		success failed
action_result.parameter.rule_group_id	string	crowdstrike ioa rule group id	83f596d2f8c04f36ad39182311e90e3a
action_result.parameter.rule_id	string	crowdstrike ioa rule id	1
action_result.data.*.errors	string
action_result.data.*.meta.powered_by	string		empower-api
action_result.data.*.meta.query_time	numeric		5.917429897
action_result.data.*.meta.trace_id	string		6b7c63e1-0ebd-4121-90f3-cd53451be245
action_result.summary.resources_affected	string
action_result.message	string		Rule deleted successfully
summary.total_objects	numeric		1
summary.total_objects_successful	numeric		1