CrowdstrikeFalcon
The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.
Endpoint · CrowdStrike Falcon
Configuration parameters
legacy_version— Use legacy APIurl— Server URL (e.g., https://api.crowdstrike.com) (required)credentials— Client IDclient_id— Client IDsecret— SecretReliability— Source ReliabilityisFetch— Fetch incidentsfetch_incidents_or_detections— Incident Fetch typesincidentType— Incident typefetch_time— First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)incidents_per_fetch— Max incidents per fetchincidentFetchInterval— Incidents Fetch Intervallook_back— Advanced: Time in minutes to look back when fetching incidents and detectionsfetch_query— Endpoint Detections filter queryidp_detections_fetch_query— IDP Detections filter querymobile_detections_fetch_query— Mobile Detections filter queryiom_fetch_query— IOM filter queryioa_fetch_query— IOA filter queryon_demand_fetch_query— Detections from On-Demand Scans filter queryofp_detection_fetch_query— OFP Detections filter querythird_party_detection_fetch_query— Third Party Detection fetch queryngsiem_detection_fetch_query— NGSIEM Detection fetch queryautomated_leads_fetch_query— NGSIEM automated leads fetch queryngsiem_cases_fetch_query— NGSIEM cases fetch queryngsiem_incidents_fetch_query— NGSIEM incidents fetch queryrecon_fetch_query— Recon filter querymirror_direction— Mirroring Directionclose_incident— Close Mirrored XSOAR Incidentclose_in_cs_falcon— Close Mirrored CrowdStrike Falcon Incident or Detectionreopen_statuses— Reopen StatusesisFetchEvents— Fetch eventsfetch_events_or_detections— Event Fetch typeseventFetchInterval— Events Fetch Intervallook_back_xsiam— Advanced: Time in minutes to look back when fetching events and detectionsfetch_assets_type— Fetch Asset typesassetsFetchInterval— Assets Fetch Intervalinsecure— Trust any certificate (not secure)proxy— Use system proxy settings
Commands (98)
-
cs-device-ran-onDeprecatedReturns a list of device IDs an indicator ran on.
-
cs-falcon-add-case-tagAdds tags to the specified case.
-
cs-falcon-add-host-group-membersAdd host group members.
-
cs-falcon-apply-quarantine-file-actionApply action to quarantined files by file IDs or filter.
-
cs-falcon-batch-upload-custom-iocUploads a batch of indicators.
-
cs-falcon-contain-hostContains containment for a specified host. When contained, a host can only communicate with the CrowdStrike cloud and any IPs specified in your containment policy.
-
cs-falcon-create-host-groupCreate a host group.
-
cs-falcon-create-ioa-exclusionCreate an IOA exclusion.
-
cs-falcon-create-ml-exclusionCreate an ML exclusion.
-
cs-falcon-cspm-list-policy-detailsGiven a CSV list of policy IDs, returns detailed policy information.
-
cs-falcon-cspm-list-service-policy-settingsReturns information about current policy settings.
-
cs-falcon-cspm-update-policy_settingsUpdates a policy setting. Can be used to override policy severity or to disable a policy entirely.
-
cs-falcon-delete-case-tagDeletes a tag from the specified case.
-
cs-falcon-delete-custom-iocDeletes a monitored indicator.
-
cs-falcon-delete-fileDeletes a file based on the provided ID or name. Can delete only one file at a time.
-
cs-falcon-delete-host-groupsDeletes the requested host groups.
-
cs-falcon-delete-ioa-exclusionDelete the IOA exclusions by ID.
-
cs-falcon-delete-iocDeprecatedDeprecated. Use the cs-falcon-delete-custom-ioc command instead.
-
cs-falcon-delete-ml-exclusionDelete the ML exclusions by ID.
-
cs-falcon-delete-scriptDeletes a custom-script based on the provided ID. Can delete only one script at a time.
-
cs-falcon-device-count-iocThe number of hosts that observed the provided IOC.
-
cs-falcon-device-ran-onReturns a list of device IDs an indicator ran on.
-
cs-falcon-get-behaviorDeprecatedSearches for and fetches the behavior that matches the query. Deprecated - No replacement available.
-
cs-falcon-get-custom-iocGets the full definition of one or more indicators that you are watching.
-
cs-falcon-get-evidence-for-caseGet evidence for a specific case.
-
cs-falcon-get-extracted-fileGets the RTR extracted file contents for the specified session and SHA256 hash.
-
cs-falcon-get-fileReturns files based on the provided IDs. These files are used for the RTR 'put' command.
-
cs-falcon-get-ioarulesGet IOA Rules.
-
cs-falcon-get-iocDeprecatedDeprecated. Use the cs-falcon-get-custom-ioc command instead.
-
cs-falcon-get-scriptReturns custom scripts based on the provided ID. Used for the RTR 'runscript' command.
-
cs-falcon-lift-host-containmentLifts containment on the host, which returns its network communications to normal. When lift_filesystem_containment_all is set to true, lifts filesystem containment instead.
-
cs-falcon-list-case-summariesLists case summaries.
-
cs-falcon-list-cnapp-alertsReturns a list of CNAPP alerts. Used for debugging fetch-assets.
-
cs-falcon-list-detection-summariesLists detection summaries.
-
cs-falcon-list-filesReturns a list of put-file IDs that are available for the user in the 'put' command. Due to an API limitation, the maximum number of files returned is 100.
-
cs-falcon-list-host-filesGets a list of files for the specified RTR session on a host.
-
cs-falcon-list-host-group-membersGets the list of host group members.
-
cs-falcon-list-host-groupsList the available host groups.
-
cs-falcon-list-identity-entitiesList identity entities.
-
cs-falcon-list-quarantined-fileGet quarantine file metadata by specified IDs or filter.
-
cs-falcon-list-scriptsReturns a list of custom script IDs that are available for the user in the 'runscript' command.
-
cs-falcon-list-usersList users.
-
cs-falcon-list-workflow-definitionsLists workflow definitions from CrowdStrike Falcon.
-
cs-falcon-list-workflow-execution-resultsGets detailed results for specific workflow executions. Use cs-falcon-list-workflow-executions to find execution IDs.
-
cs-falcon-list-workflow-executionsLists workflow executions from CrowdStrike Falcon. Use cs-falcon-workflow-execute to find executions IDs.
-
cs-falcon-ods-create-scanCreate an ODS scan and wait for the results.
-
cs-falcon-ods-create-scheduled-scanCreate an ODS scheduled scan.
-
cs-falcon-ods-delete-scheduled-scanDelete ODS scheduled scans.
-
cs-falcon-ods-query-malicious-filesRetrieve ODS malicious file details.
-
cs-falcon-ods-query-scanRetrieve ODS scan details.
-
cs-falcon-ods-query-scan-hostRetrieve ODS scan host details.
-
cs-falcon-ods-query-scheduled-scanRetrieve ODS scheduled scan details.
-
cs-falcon-process-detailsRetrieves the details of a process, according to the process ID that is running or that previously ran.
-
cs-falcon-processes-ran-onGet processes associated with a given IOC.
-
cs-falcon-refresh-sessionRefresh a session timeout on a single host.
-
cs-falcon-remove-host-group-membersRemove host group members.
-
cs-falcon-resolve-caseResolves or updates a case.
-
cs-falcon-resolve-detectionResolves and updates a detection using the provided arguments. At least one optional argument must be passed, otherwise no change will take place. Note that IDP detections are not supported.
-
cs-falcon-resolve-identity-detectionPerform actions on identity detection alerts.
-
cs-falcon-resolve-mobile-detectionPerform actions on mobile detection alerts.
-
cs-falcon-rtr-kill-processExecute an active responder kill command on a single host.
-
cs-falcon-rtr-list-network-statsExecutes an RTR active-responder netstat command to get a list of network status and protocol statistics across the given host.
-
cs-falcon-rtr-list-processesExecutes an RTR active-responder ps command to get a list of active processes across the given host.
-
cs-falcon-rtr-list-scheduled-tasksExecutes an RTR active-responder netstat command to get a list of scheduled tasks across the given host. This command is valid only for Windows hosts.
-
cs-falcon-rtr-read-registryExecutes an RTR active-responder read registry keys command across the given hosts. This command is valid only for Windows hosts.
-
cs-falcon-rtr-remove-fileBatch executes an RTR active-responder remove file across the hosts mapped to the given batch ID.
-
cs-falcon-rtr-retrieve-fileGets the RTR extracted file contents for the specified file path.
-
cs-falcon-run-commandSends commands to hosts.
-
cs-falcon-run-get-commandBatch executes 'get' command across hosts to retrieve files.
-
cs-falcon-run-scriptRuns a script on the agent host.
-
cs-falcon-search-custom-iocsReturns a list of your uploaded IOCs that match the search criteria.
-
cs-falcon-search-detectionSearch for details of specific detections, either using a filter query, or by providing the IDs of the detections.
-
cs-falcon-search-deviceSearches for a device that matches the query.
-
cs-falcon-search-ioa-exclusionGet a list of IOA exclusions by specifying their IDs or a filter.
-
cs-falcon-search-iocsDeprecatedDeprecated. Use the cs-falcon-search-custom-iocs command instead.
-
cs-falcon-search-ml-exclusionGet a list of ML exclusions by specifying their IDs, value, or a specific filter.
-
cs-falcon-search-ngsiem-eventsSearch NGSIEM historical events. Requires NGSIEM scope with read and write permissions.
-
cs-falcon-spotlight-list-host-by-vulnerabilityRetrieve vulnerability details for a specific ID and host. Supported with the CrowdStrike Spotlight license.
-
cs-falcon-spotlight-search-vulnerabilityRetrieve vulnerability details according to the selected filter. Each request requires at least one filter parameter. Supported with the CrowdStrike Spotlight license.
-
cs-falcon-status-commandGets the status of a command executed on a host.
-
cs-falcon-status-get-commandRetrieves the status of the specified batch 'get' command.
-
cs-falcon-update-custom-iocUpdates an indicator for CrowdStrike to monitor.
-
cs-falcon-update-host-groupUpdates a host group.
-
cs-falcon-update-ioa-exclusionUpdates an IOA exclusion. At least one argument is required in addition to the id argument.
-
cs-falcon-update-iocDeprecatedDeprecated. Use the cs-falcon-update-custom-ioc command instead.
-
cs-falcon-update-ml-exclusionUpdates an ML exclusion. At least one argument is required in addition to the id argument.
-
cs-falcon-upload-custom-iocUploads an indicator for CrowdStrike to monitor.
-
cs-falcon-upload-fileUploads a file to the CrowdStrike cloud. (Can be used for the RTR 'put' command).
-
cs-falcon-upload-iocDeprecatedDeprecated. Use the cs-falcon-upload-custom-ioc command instead.
-
cs-falcon-upload-scriptUploads a script to Falcon CrowdStrike.
-
cs-falcon-workflow-executeExecutes an on-demand workflow. Use cs-falcon-list-workflow-definitions to find workflows to run. Note: This command executes on-demand workflows only.
-
cs-falcon-workflow-execution-actionPerforms an action (cancel or resume) on one or more workflow executions. Use cs-falcon-list-workflow-execution-results to find execution activity status.
-
cveRetrieve vulnerability details according to the selected filter. Each request requires at least one filter parameter. Supported with the CrowdStrike Spotlight license.
-
endpointReturns information about an endpoint. Does not support regex.
-
get-mapping-fieldsReturns the list of fields to map in outgoing mirroring. This command is only used for debugging purposes. Note that this command is supported in Cortex XSOAR only.
-
get-modified-remote-dataGets the list of incidents and detections that were modified since the last update time. This method is used for debugging purposes. The get-modified-remote-data command is used as part of the Mirroring feature that was introduced in Cortex XSOAR version 6.1. Note that this command is supported in Cortex XSOAR only.
-
get-remote-dataGets remote data from a remote incident or detection. This method does not update the current incident or detection, and should be used for debugging purposes only. Note that this command is supported in Cortex XSOAR only.
-
update-remote-systemUpdates the remote incident or detection with local incident or detection changes. This method is only used for debugging purposes and will not update the current incident or detection. Note that this command is supported in Cortex XSOAR only.