CrowdstrikeFalcon

The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.

Endpoint · CrowdStrike Falcon

Configuration parameters

  • legacy_version — Use legacy API
  • url — Server URL (e.g., https://api.crowdstrike.com) (required)
  • credentials — Client ID
  • client_id — Client ID
  • secret — Secret
  • Reliability — Source Reliability
  • isFetch — Fetch incidents
  • fetch_incidents_or_detections — Incident Fetch types
  • incidentType — Incident type
  • fetch_time — First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
  • incidents_per_fetch — Max incidents per fetch
  • incidentFetchInterval — Incidents Fetch Interval
  • look_back — Advanced: Time in minutes to look back when fetching incidents and detections
  • fetch_query — Endpoint Detections filter query
  • idp_detections_fetch_query — IDP Detections filter query
  • mobile_detections_fetch_query — Mobile Detections filter query
  • iom_fetch_query — IOM filter query
  • ioa_fetch_query — IOA filter query
  • on_demand_fetch_query — Detections from On-Demand Scans filter query
  • ofp_detection_fetch_query — OFP Detections filter query
  • third_party_detection_fetch_query — Third Party Detection fetch query
  • ngsiem_detection_fetch_query — NGSIEM Detection fetch query
  • automated_leads_fetch_query — NGSIEM automated leads fetch query
  • ngsiem_cases_fetch_query — NGSIEM cases fetch query
  • ngsiem_incidents_fetch_query — NGSIEM incidents fetch query
  • recon_fetch_query — Recon filter query
  • mirror_direction — Mirroring Direction
  • close_incident — Close Mirrored XSOAR Incident
  • close_in_cs_falcon — Close Mirrored CrowdStrike Falcon Incident or Detection
  • reopen_statuses — Reopen Statuses
  • isFetchEvents — Fetch events
  • fetch_events_or_detections — Event Fetch types
  • eventFetchInterval — Events Fetch Interval
  • look_back_xsiam — Advanced: Time in minutes to look back when fetching events and detections
  • fetch_assets_type — Fetch Asset types
  • assetsFetchInterval — Assets Fetch Interval
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings

Commands (98)

  • cs-device-ran-on Deprecated

    Returns a list of device IDs an indicator ran on.

  • cs-falcon-add-case-tag

    Adds tags to the specified case.

  • cs-falcon-add-host-group-members

    Add host group members.

  • cs-falcon-apply-quarantine-file-action

    Apply action to quarantined files by file IDs or filter.

  • cs-falcon-batch-upload-custom-ioc

    Uploads a batch of indicators.

  • cs-falcon-contain-host

    Contains containment for a specified host. When contained, a host can only communicate with the CrowdStrike cloud and any IPs specified in your containment policy.

  • cs-falcon-create-host-group

    Create a host group.

  • cs-falcon-create-ioa-exclusion

    Create an IOA exclusion.

  • cs-falcon-create-ml-exclusion

    Create an ML exclusion.

  • cs-falcon-cspm-list-policy-details

    Given a CSV list of policy IDs, returns detailed policy information.

  • cs-falcon-cspm-list-service-policy-settings

    Returns information about current policy settings.

  • cs-falcon-cspm-update-policy_settings

    Updates a policy setting. Can be used to override policy severity or to disable a policy entirely.

  • cs-falcon-delete-case-tag

    Deletes a tag from the specified case.

  • cs-falcon-delete-custom-ioc

    Deletes a monitored indicator.

  • cs-falcon-delete-file

    Deletes a file based on the provided ID or name. Can delete only one file at a time.

  • cs-falcon-delete-host-groups

    Deletes the requested host groups.

  • cs-falcon-delete-ioa-exclusion

    Delete the IOA exclusions by ID.

  • cs-falcon-delete-ioc Deprecated

    Deprecated. Use the cs-falcon-delete-custom-ioc command instead.

  • cs-falcon-delete-ml-exclusion

    Delete the ML exclusions by ID.

  • cs-falcon-delete-script

    Deletes a custom-script based on the provided ID. Can delete only one script at a time.

  • cs-falcon-device-count-ioc

    The number of hosts that observed the provided IOC.

  • cs-falcon-device-ran-on

    Returns a list of device IDs an indicator ran on.

  • cs-falcon-get-behavior Deprecated

    Searches for and fetches the behavior that matches the query. Deprecated - No replacement available.

  • cs-falcon-get-custom-ioc

    Gets the full definition of one or more indicators that you are watching.

  • cs-falcon-get-evidence-for-case

    Get evidence for a specific case.

  • cs-falcon-get-extracted-file

    Gets the RTR extracted file contents for the specified session and SHA256 hash.

  • cs-falcon-get-file

    Returns files based on the provided IDs. These files are used for the RTR 'put' command.

  • cs-falcon-get-ioarules

    Get IOA Rules.

  • cs-falcon-get-ioc Deprecated

    Deprecated. Use the cs-falcon-get-custom-ioc command instead.

  • cs-falcon-get-script

    Returns custom scripts based on the provided ID. Used for the RTR 'runscript' command.

  • cs-falcon-lift-host-containment

    Lifts containment on the host, which returns its network communications to normal. When lift_filesystem_containment_all is set to true, lifts filesystem containment instead.

  • cs-falcon-list-case-summaries

    Lists case summaries.

  • cs-falcon-list-cnapp-alerts

    Returns a list of CNAPP alerts. Used for debugging fetch-assets.

  • cs-falcon-list-detection-summaries

    Lists detection summaries.

  • cs-falcon-list-files

    Returns a list of put-file IDs that are available for the user in the 'put' command. Due to an API limitation, the maximum number of files returned is 100.

  • cs-falcon-list-host-files

    Gets a list of files for the specified RTR session on a host.

  • cs-falcon-list-host-group-members

    Gets the list of host group members.

  • cs-falcon-list-host-groups

    List the available host groups.

  • cs-falcon-list-identity-entities

    List identity entities.

  • cs-falcon-list-quarantined-file

    Get quarantine file metadata by specified IDs or filter.

  • cs-falcon-list-scripts

    Returns a list of custom script IDs that are available for the user in the 'runscript' command.

  • cs-falcon-list-users

    List users.

  • cs-falcon-list-workflow-definitions

    Lists workflow definitions from CrowdStrike Falcon.

  • cs-falcon-list-workflow-execution-results

    Gets detailed results for specific workflow executions. Use cs-falcon-list-workflow-executions to find execution IDs.

  • cs-falcon-list-workflow-executions

    Lists workflow executions from CrowdStrike Falcon. Use cs-falcon-workflow-execute to find executions IDs.

  • cs-falcon-ods-create-scan

    Create an ODS scan and wait for the results.

  • cs-falcon-ods-create-scheduled-scan

    Create an ODS scheduled scan.

  • cs-falcon-ods-delete-scheduled-scan

    Delete ODS scheduled scans.

  • cs-falcon-ods-query-malicious-files

    Retrieve ODS malicious file details.

  • cs-falcon-ods-query-scan

    Retrieve ODS scan details.

  • cs-falcon-ods-query-scan-host

    Retrieve ODS scan host details.

  • cs-falcon-ods-query-scheduled-scan

    Retrieve ODS scheduled scan details.

  • cs-falcon-process-details

    Retrieves the details of a process, according to the process ID that is running or that previously ran.

  • cs-falcon-processes-ran-on

    Get processes associated with a given IOC.

  • cs-falcon-refresh-session

    Refresh a session timeout on a single host.

  • cs-falcon-remove-host-group-members

    Remove host group members.

  • cs-falcon-resolve-case

    Resolves or updates a case.

  • cs-falcon-resolve-detection

    Resolves and updates a detection using the provided arguments. At least one optional argument must be passed, otherwise no change will take place. Note that IDP detections are not supported.

  • cs-falcon-resolve-identity-detection

    Perform actions on identity detection alerts.

  • cs-falcon-resolve-mobile-detection

    Perform actions on mobile detection alerts.

  • cs-falcon-rtr-kill-process

    Execute an active responder kill command on a single host.

  • cs-falcon-rtr-list-network-stats

    Executes an RTR active-responder netstat command to get a list of network status and protocol statistics across the given host.

  • cs-falcon-rtr-list-processes

    Executes an RTR active-responder ps command to get a list of active processes across the given host.

  • cs-falcon-rtr-list-scheduled-tasks

    Executes an RTR active-responder netstat command to get a list of scheduled tasks across the given host. This command is valid only for Windows hosts.

  • cs-falcon-rtr-read-registry

    Executes an RTR active-responder read registry keys command across the given hosts. This command is valid only for Windows hosts.

  • cs-falcon-rtr-remove-file

    Batch executes an RTR active-responder remove file across the hosts mapped to the given batch ID.

  • cs-falcon-rtr-retrieve-file

    Gets the RTR extracted file contents for the specified file path.

  • cs-falcon-run-command

    Sends commands to hosts.

  • cs-falcon-run-get-command

    Batch executes 'get' command across hosts to retrieve files.

  • cs-falcon-run-script

    Runs a script on the agent host.

  • cs-falcon-search-custom-iocs

    Returns a list of your uploaded IOCs that match the search criteria.

  • cs-falcon-search-detection

    Search for details of specific detections, either using a filter query, or by providing the IDs of the detections.

  • cs-falcon-search-device

    Searches for a device that matches the query.

  • cs-falcon-search-ioa-exclusion

    Get a list of IOA exclusions by specifying their IDs or a filter.

  • cs-falcon-search-iocs Deprecated

    Deprecated. Use the cs-falcon-search-custom-iocs command instead.

  • cs-falcon-search-ml-exclusion

    Get a list of ML exclusions by specifying their IDs, value, or a specific filter.

  • cs-falcon-search-ngsiem-events

    Search NGSIEM historical events. Requires NGSIEM scope with read and write permissions.

  • cs-falcon-spotlight-list-host-by-vulnerability

    Retrieve vulnerability details for a specific ID and host. Supported with the CrowdStrike Spotlight license.

  • cs-falcon-spotlight-search-vulnerability

    Retrieve vulnerability details according to the selected filter. Each request requires at least one filter parameter. Supported with the CrowdStrike Spotlight license.

  • cs-falcon-status-command

    Gets the status of a command executed on a host.

  • cs-falcon-status-get-command

    Retrieves the status of the specified batch 'get' command.

  • cs-falcon-update-custom-ioc

    Updates an indicator for CrowdStrike to monitor.

  • cs-falcon-update-host-group

    Updates a host group.

  • cs-falcon-update-ioa-exclusion

    Updates an IOA exclusion. At least one argument is required in addition to the id argument.

  • cs-falcon-update-ioc Deprecated

    Deprecated. Use the cs-falcon-update-custom-ioc command instead.

  • cs-falcon-update-ml-exclusion

    Updates an ML exclusion. At least one argument is required in addition to the id argument.

  • cs-falcon-upload-custom-ioc

    Uploads an indicator for CrowdStrike to monitor.

  • cs-falcon-upload-file

    Uploads a file to the CrowdStrike cloud. (Can be used for the RTR 'put' command).

  • cs-falcon-upload-ioc Deprecated

    Deprecated. Use the cs-falcon-upload-custom-ioc command instead.

  • cs-falcon-upload-script

    Uploads a script to Falcon CrowdStrike.

  • cs-falcon-workflow-execute

    Executes an on-demand workflow. Use cs-falcon-list-workflow-definitions to find workflows to run. Note: This command executes on-demand workflows only.

  • cs-falcon-workflow-execution-action

    Performs an action (cancel or resume) on one or more workflow executions. Use cs-falcon-list-workflow-execution-results to find execution activity status.

  • cve

    Retrieve vulnerability details according to the selected filter. Each request requires at least one filter parameter. Supported with the CrowdStrike Spotlight license.

  • endpoint

    Returns information about an endpoint. Does not support regex.

  • get-mapping-fields

    Returns the list of fields to map in outgoing mirroring. This command is only used for debugging purposes. Note that this command is supported in Cortex XSOAR only.

  • get-modified-remote-data

    Gets the list of incidents and detections that were modified since the last update time. This method is used for debugging purposes. The get-modified-remote-data command is used as part of the Mirroring feature that was introduced in Cortex XSOAR version 6.1. Note that this command is supported in Cortex XSOAR only.

  • get-remote-data

    Gets remote data from a remote incident or detection. This method does not update the current incident or detection, and should be used for debugging purposes only. Note that this command is supported in Cortex XSOAR only.

  • update-remote-system

    Updates the remote incident or detection with local incident or detection changes. This method is only used for debugging purposes and will not update the current incident or detection. Note that this command is supported in Cortex XSOAR only.