CrowdStrike OpenAPI (Beta)

This Integration is part of the CrowdStrike OpenAPI Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

beta

This is a beta Integration, which lets you implement and test pre-release software. Since the integration is beta, it might contain bugs. Updates to the integration during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the integration to help us identify issues, fix them, and continually improve.

Use the CrowdStrike OpenAPI integration to interact with CrowdStrike APIs that do not have dedicated integrations in Cortex XSOAR, for example, CrowdStrike FalconX.

To use the CrowdStrike OpenAPI integration, you need the ID and secret of an API client that has the right scopes granted to it.

For more details, refer to the CrowdStrike OAuth2-Based APIs documentation.

Note: The integration is in beta because it was auto-generated from the CrowdStrike Falcon OpenAPI specification and is not fully tested.

Configure CrowdStrike OpenAPI in Cortex#

| Parameter | Required |
| --- | --- |
| Cloud Base URL | True |
| Client ID | True |
| Client Secret | True |
| Use system proxy settings | False |
| Trust any certificate (not secure) | False |

cs-add-role#


Assign new MSSP Role(s) between User Group and CID Group. It does not revoke existing role(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request.

Base Command#

cs-add-role

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_mssprolerequestv1_resources | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainMSSPRoleResponseV1.errors.code | Number | |
| CrowdStrike.domainMSSPRoleResponseV1.errors.id | String | |
| CrowdStrike.domainMSSPRoleResponseV1.errors.message | String | |
| CrowdStrike.domainMSSPRoleResponseV1.resources.cid_group_id | String | |
| CrowdStrike.domainMSSPRoleResponseV1.resources.id | String | |
| CrowdStrike.domainMSSPRoleResponseV1.resources.user_group_id | String | |

cs-add-user-group-members#


Add new User Group member. Maximum 500 members allowed per User Group.

Base Command#

cs-add-user-group-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_usergroupmembersrequestv1_resources | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainUserGroupMembersResponseV1.errors.code | Number | |
| CrowdStrike.domainUserGroupMembersResponseV1.errors.id | String | |
| CrowdStrike.domainUserGroupMembersResponseV1.errors.message | String | |
| CrowdStrike.domainUserGroupMembersResponseV1.resources.user_group_id | String | |

cs-addcid-group-members#


Add new CID Group member.

Base Command#

cs-addcid-group-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_cidgroupmembersrequestv1_resources | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainCIDGroupMembersResponseV1.errors.code | Number | |
| CrowdStrike.domainCIDGroupMembersResponseV1.errors.id | String | |
| CrowdStrike.domainCIDGroupMembersResponseV1.errors.message | String | |
| CrowdStrike.domainCIDGroupMembersResponseV1.resources.cid_group_id | String | |

cs-aggregate-allow-list#


Retrieve aggregate allowlist ticket values based on the matched filter.

Base Command#

cs-aggregate-allow-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregate-block-list#


Retrieve aggregate block list ticket values based on the matched filter.

Base Command#

cs-aggregate-block-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregate-detections#


Retrieve aggregate detection values based on the matched filter.

Base Command#

cs-aggregate-detections

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregate-device-count-collection#


Retrieve aggregate host/devices count based on the matched filter.

Base Command#

cs-aggregate-device-count-collection

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregate-escalations#


Retrieve aggregate escalation ticket values based on the matched filter.

Base Command#

cs-aggregate-escalations

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregate-notificationsv1#


Get notification aggregates as specified via JSON in request body.

Base Command#

cs-aggregate-notificationsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainAggregatesResponse.errors.code | Number | |
| CrowdStrike.domainAggregatesResponse.errors.details.field | String | |
| CrowdStrike.domainAggregatesResponse.errors.details.message | String | |
| CrowdStrike.domainAggregatesResponse.errors.details.message_key | String | |
| CrowdStrike.domainAggregatesResponse.errors.id | String | |
| CrowdStrike.domainAggregatesResponse.errors.message | String | |
| CrowdStrike.domainAggregatesResponse.errors.message_key | String | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.domainAggregatesResponse.resources.name | String | |
| CrowdStrike.domainAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregate-remediations#


Retrieve aggregate remediation ticket values based on the matched filter.

Base Command#

cs-aggregate-remediations

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregateevents#


Aggregate events for customer.

Base Command#

cs-aggregateevents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fwmgr_msa_aggregatequeryrequest_date_ranges | | Required |
| fwmgr_msa_aggregatequeryrequest_field | | Required |
| fwmgr_msa_aggregatequeryrequest_filter | | Required |
| fwmgr_msa_aggregatequeryrequest_interval | | Required |
| fwmgr_msa_aggregatequeryrequest_min_doc_count | | Required |
| fwmgr_msa_aggregatequeryrequest_missing | | Required |
| fwmgr_msa_aggregatequeryrequest_name | | Required |
| fwmgr_msa_aggregatequeryrequest_q | | Required |
| fwmgr_msa_aggregatequeryrequest_ranges | | Required |
| fwmgr_msa_aggregatequeryrequest_size | | Required |
| fwmgr_msa_aggregatequeryrequest_sort | | Required |
| fwmgr_msa_aggregatequeryrequest_sub_aggregates | | Required |
| fwmgr_msa_aggregatequeryrequest_time_zone | | Required |
| fwmgr_msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.id | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.message | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.name | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregatefc-incidents#


Retrieve aggregate incident values based on the matched filter.

Base Command#

cs-aggregatefc-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregatepolicyrules#


Aggregate rules within a policy for customer.

Base Command#

cs-aggregatepolicyrules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fwmgr_msa_aggregatequeryrequest_date_ranges | | Required |
| fwmgr_msa_aggregatequeryrequest_field | | Required |
| fwmgr_msa_aggregatequeryrequest_filter | | Required |
| fwmgr_msa_aggregatequeryrequest_interval | | Required |
| fwmgr_msa_aggregatequeryrequest_min_doc_count | | Required |
| fwmgr_msa_aggregatequeryrequest_missing | | Required |
| fwmgr_msa_aggregatequeryrequest_name | | Required |
| fwmgr_msa_aggregatequeryrequest_q | | Required |
| fwmgr_msa_aggregatequeryrequest_ranges | | Required |
| fwmgr_msa_aggregatequeryrequest_size | | Required |
| fwmgr_msa_aggregatequeryrequest_sort | | Required |
| fwmgr_msa_aggregatequeryrequest_sub_aggregates | | Required |
| fwmgr_msa_aggregatequeryrequest_time_zone | | Required |
| fwmgr_msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.id | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.message | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.name | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregaterulegroups#


Aggregate rule groups for customer.

Base Command#

cs-aggregaterulegroups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fwmgr_msa_aggregatequeryrequest_date_ranges | | Required |
| fwmgr_msa_aggregatequeryrequest_field | | Required |
| fwmgr_msa_aggregatequeryrequest_filter | | Required |
| fwmgr_msa_aggregatequeryrequest_interval | | Required |
| fwmgr_msa_aggregatequeryrequest_min_doc_count | | Required |
| fwmgr_msa_aggregatequeryrequest_missing | | Required |
| fwmgr_msa_aggregatequeryrequest_name | | Required |
| fwmgr_msa_aggregatequeryrequest_q | | Required |
| fwmgr_msa_aggregatequeryrequest_ranges | | Required |
| fwmgr_msa_aggregatequeryrequest_size | | Required |
| fwmgr_msa_aggregatequeryrequest_sort | | Required |
| fwmgr_msa_aggregatequeryrequest_sub_aggregates | | Required |
| fwmgr_msa_aggregatequeryrequest_time_zone | | Required |
| fwmgr_msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.id | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.message | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.name | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregaterules#


Aggregate rules for customer.

Base Command#

cs-aggregaterules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fwmgr_msa_aggregatequeryrequest_date_ranges | | Required |
| fwmgr_msa_aggregatequeryrequest_field | | Required |
| fwmgr_msa_aggregatequeryrequest_filter | | Required |
| fwmgr_msa_aggregatequeryrequest_interval | | Required |
| fwmgr_msa_aggregatequeryrequest_min_doc_count | | Required |
| fwmgr_msa_aggregatequeryrequest_missing | | Required |
| fwmgr_msa_aggregatequeryrequest_name | | Required |
| fwmgr_msa_aggregatequeryrequest_q | | Required |
| fwmgr_msa_aggregatequeryrequest_ranges | | Required |
| fwmgr_msa_aggregatequeryrequest_size | | Required |
| fwmgr_msa_aggregatequeryrequest_sort | | Required |
| fwmgr_msa_aggregatequeryrequest_sub_aggregates | | Required |
| fwmgr_msa_aggregatequeryrequest_time_zone | | Required |
| fwmgr_msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.id | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.errors.message | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.name | String | |
| CrowdStrike.fwmgrapiAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregates-detections-global-counts#


Get the total number of detections pushed across all customers.

Base Command#

cs-aggregates-detections-global-counts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | An FQL filter string. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaFacetsResponse.errors.code | Number | |
| CrowdStrike.msaFacetsResponse.errors.id | String | |
| CrowdStrike.msaFacetsResponse.errors.message | String | |
| CrowdStrike.msaFacetsResponse.resources.count | Number | |
| CrowdStrike.msaFacetsResponse.resources.facet | String | |
| CrowdStrike.msaFacetsResponse.resources.label | String | |
| CrowdStrike.msaFacetsResponse.resources.term | String | |

cs-aggregates-events#


Get aggregate OverWatch detection event info by providing an aggregate query.

Base Command#

cs-aggregates-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregates-events-collections#


Get OverWatch detection event collection info by providing an aggregate query.

Base Command#

cs-aggregates-events-collections

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-aggregates-incidents-global-counts#


Get the total number of incidents pushed across all customers.

Base Command#

cs-aggregates-incidents-global-counts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | An FQL filter string. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaFacetsResponse.errors.code | Number | |
| CrowdStrike.msaFacetsResponse.errors.id | String | |
| CrowdStrike.msaFacetsResponse.errors.message | String | |
| CrowdStrike.msaFacetsResponse.resources.count | Number | |
| CrowdStrike.msaFacetsResponse.resources.facet | String | |
| CrowdStrike.msaFacetsResponse.resources.label | String | |
| CrowdStrike.msaFacetsResponse.resources.term | String | |

cs-aggregatesow-events-global-counts#


Get the total number of OverWatch events across all customers.

Base Command#

cs-aggregatesow-events-global-counts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | An FQL filter string. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaFacetsResponse.errors.code | Number | |
| CrowdStrike.msaFacetsResponse.errors.id | String | |
| CrowdStrike.msaFacetsResponse.errors.message | String | |
| CrowdStrike.msaFacetsResponse.resources.count | Number | |
| CrowdStrike.msaFacetsResponse.resources.facet | String | |
| CrowdStrike.msaFacetsResponse.resources.label | String | |
| CrowdStrike.msaFacetsResponse.resources.term | String | |

cs-apipreemptproxypostgraphql#


Identity Protection GraphQL API. Allows retrieving entities, timeline activities, identity-based incidents and security assessment, and performing actions on entities and identity-based incidents.

Base Command#

cs-apipreemptproxypostgraphql

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| Authorization | Authorization Header. | Required |

Context Output#

There is no context output for this command.

cs-auditeventsquery#


Search for audit events by providing an FQL filter and paging details.

Base Command#

cs-auditeventsquery

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-1000]. Defaults to 50. | Optional |
| sort | The property to sort by (e.g. timestamp.desc). | Optional |
| filter_ | The filter expression that should be used to limit the results (e.g., action:'token_create'). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-auditeventsread#


Gets the details of one or more audit events by ID.

Base Command#

cs-auditeventsread

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | IDs of audit events to retrieve details for. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiauditEventDetailsResponseV1.errors.code | Number | |
| CrowdStrike.apiauditEventDetailsResponseV1.errors.id | String | |
| CrowdStrike.apiauditEventDetailsResponseV1.errors.message | String | |
| CrowdStrike.apiauditEventDetailsResponseV1.resources.action | String | |
| CrowdStrike.apiauditEventDetailsResponseV1.resources.actor | String | |
| CrowdStrike.apiauditEventDetailsResponseV1.resources.description | String | |
| CrowdStrike.apiauditEventDetailsResponseV1.resources.id | String | |
| CrowdStrike.apiauditEventDetailsResponseV1.resources.timestamp | String | |
| CrowdStrike.apiauditEventDetailsResponseV1.resources.token_id | String | |

cs-batch-active-responder-cmd#


Batch executes an RTR active-responder command across the hosts mapped to the given batch ID.

Base Command#

cs-batch-active-responder-cmd

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| timeout | Timeout for how long to wait for the request, in seconds. Default timeout is 30 seconds. Maximum is 10 minutes. | Optional |
| timeout_duration | Timeout duration for how long to wait for the request, in duration syntax. Example: 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. | Optional |
| domain_batchexecutecommandrequest_base_command | | Required |
| domain_batchexecutecommandrequest_batch_id | | Required |
| domain_batchexecutecommandrequest_command_string | | Required |
| domain_batchexecutecommandrequest_optional_hosts | | Optional |
| domain_batchexecutecommandrequest_persist_all | | Required |

Context Output#

There is no context output for this command.

cs-batch-admin-cmd#


Batch executes an RTR administrator command across the hosts mapped to the given batch ID.

Base Command#

cs-batch-admin-cmd

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| timeout | Timeout for how long to wait for the request, in seconds. Default timeout is 30 seconds. Maximum is 10 minutes. | Optional |
| timeout_duration | Timeout duration for how long to wait for the request, in duration syntax. Example: 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. | Optional |
| domain_batchexecutecommandrequest_base_command | | Required |
| domain_batchexecutecommandrequest_batch_id | | Required |
| domain_batchexecutecommandrequest_command_string | | Required |
| domain_batchexecutecommandrequest_optional_hosts | | Optional |
| domain_batchexecutecommandrequest_persist_all | | Required |

Context Output#

There is no context output for this command.

cs-batch-cmd#


Batch executes an RTR read-only command across the hosts mapped to the given batch ID.

Base Command#

cs-batch-cmd

Input#

Argument NameDescriptionRequired
timeoutTimeout for how long to wait for the request in seconds. Default timeout is 30 seconds. Maximum is 10 minutes.Optional
timeout_durationTimeout duration for how long to wait for the request in duration syntax. Example: 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes.Optional
domain_batchexecutecommandrequest_base_commandRequired
domain_batchexecutecommandrequest_batch_idRequired
domain_batchexecutecommandrequest_command_stringRequired
domain_batchexecutecommandrequest_optional_hostsOptional
domain_batchexecutecommandrequest_persist_allRequired

Context Output#

There is no context output for this command.

cs-batch-get-cmd#


Batch executes a get command across hosts to retrieve files. After this call is made, GET /real-time-response/combined/batch-get-command/v1 is used to query for the results.

Base Command#

cs-batch-get-cmd

Input#

Argument NameDescriptionRequired
timeoutTimeout for how long to wait for the request in seconds. Default timeout is 30 seconds. Maximum is 10 minutes.Optional
timeout_durationTimeout duration for how long to wait for the request in duration syntax. Example: 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes.Optional
domain_batchgetcommandrequest_batch_idRequired
domain_batchgetcommandrequest_file_pathRequired
domain_batchgetcommandrequest_optional_hostsOptional

Context Output#

There is no context output for this command.

cs-batch-get-cmd-status#


Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.

Base Command#

cs-batch-get-cmd-status

Input#

Argument NameDescriptionRequired
timeoutTimeout for how long to wait for the request in seconds. Default timeout is 30 seconds. Maximum is 10 minutes.Optional
timeout_durationTimeout duration for how long to wait for the request in duration syntax. Example: 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes.Optional
batch_get_cmd_req_idBatch Get Command Request ID received from /real-time-response/combined/get-command/v1.Required

Context Output#

PathTypeDescription
CrowdStrike.domainBatchGetCmdStatusResponse.errors.codeNumber
CrowdStrike.domainBatchGetCmdStatusResponse.errors.idString
CrowdStrike.domainBatchGetCmdStatusResponse.errors.messageString
CrowdStrike.domainBatchGetCmdStatusResponse.resources.cloud_request_idString
CrowdStrike.domainBatchGetCmdStatusResponse.resources.created_atString
CrowdStrike.domainBatchGetCmdStatusResponse.resources.deleted_atString
CrowdStrike.domainBatchGetCmdStatusResponse.resources.idNumber
CrowdStrike.domainBatchGetCmdStatusResponse.resources.nameString
CrowdStrike.domainBatchGetCmdStatusResponse.resources.session_idString
CrowdStrike.domainBatchGetCmdStatusResponse.resources.sha256String
CrowdStrike.domainBatchGetCmdStatusResponse.resources.sizeNumber
CrowdStrike.domainBatchGetCmdStatusResponse.resources.updated_atString

cs-batch-init-sessions#


Batch initializes an RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.

Base Command#

cs-batch-init-sessions

Input#

Argument NameDescriptionRequired
timeoutTimeout for how long to wait for the request in seconds. Default timeout is 30 seconds. Maximum is 10 minutes.Optional
timeout_durationTimeout duration for how long to wait for the request in duration syntax. Example: 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes.Optional
domain_batchinitsessionrequest_existing_batch_idOptional
domain_batchinitsessionrequest_host_idsRequired
domain_batchinitsessionrequest_queue_offlineRequired

Context Output#

There is no context output for this command.

cs-batch-refresh-sessions#


Batch refreshes an RTR session on multiple hosts. RTR sessions will expire after 10 minutes unless refreshed.

Base Command#

cs-batch-refresh-sessions

Input#

Argument NameDescriptionRequired
timeoutTimeout for how long to wait for the request in seconds. Default timeout is 30 seconds. Maximum is 10 minutes.Optional
timeout_durationTimeout duration for how long to wait for the request in duration syntax. Example: 10s. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes.Optional
domain_batchrefreshsessionrequest_batch_idRequired
domain_batchrefreshsessionrequest_hosts_to_removeRequired

Context Output#

There is no context output for this command.

cs-create-actionsv1#


Create actions for a monitoring rule. Accepts a list of actions that will be attached to the monitoring rule.

Base Command#

cs-create-actionsv1

Input#

Argument NameDescriptionRequired
domain_registeractionsrequest_actionsRequired
domain_registeractionsrequest_rule_idRequired

Context Output#

PathTypeDescription
CrowdStrike.domainActionEntitiesResponseV1.errors.codeNumber
CrowdStrike.domainActionEntitiesResponseV1.errors.details.fieldString
CrowdStrike.domainActionEntitiesResponseV1.errors.details.messageString
CrowdStrike.domainActionEntitiesResponseV1.errors.details.message_keyString
CrowdStrike.domainActionEntitiesResponseV1.errors.idString
CrowdStrike.domainActionEntitiesResponseV1.errors.messageString
CrowdStrike.domainActionEntitiesResponseV1.errors.message_keyString
CrowdStrike.domainActionEntitiesResponseV1.resources.cidStringThe ID of the customer who created the action.
CrowdStrike.domainActionEntitiesResponseV1.resources.created_timestampStringThe date when the action was created.
CrowdStrike.domainActionEntitiesResponseV1.resources.frequencyString
CrowdStrike.domainActionEntitiesResponseV1.resources.idStringThe ID of the action.
CrowdStrike.domainActionEntitiesResponseV1.resources.rule_idStringThe ID of the rule on which this action is attached.
CrowdStrike.domainActionEntitiesResponseV1.resources.statusStringThe action status. It can be either 'enabled' or 'muted'.
CrowdStrike.domainActionEntitiesResponseV1.resources.typeStringThe action type. The only type currently supported is 'email'.
CrowdStrike.domainActionEntitiesResponseV1.resources.updated_timestampStringThe date when the action was updated.
CrowdStrike.domainActionEntitiesResponseV1.resources.user_uuidStringThe UUID of the user who created the action.

cs-create-device-control-policies#


Create Device Control Policies by specifying details about the policy to create.

Base Command#

cs-create-device-control-policies

Input#

Argument NameDescriptionRequired
requests_createdevicecontrolpoliciesv1_resourcesA collection of policies to create.Required

Context Output#

There is no context output for this command.

cs-create-firewall-policies#


Create Firewall Policies by specifying details about the policy to create.

Base Command#

cs-create-firewall-policies

Input#

Argument NameDescriptionRequired
requests_createfirewallpoliciesv1_resourcesA collection of policies to create.Required
clone_idThe policy ID to be cloned from.Optional

Context Output#

There is no context output for this command.

cs-create-host-groups#


Create Host Groups by specifying details about the group to create.

Base Command#

cs-create-host-groups

Input#

Argument NameDescriptionRequired
requests_creategroupsv1_resourcesA collection of device groups to create.Required

Context Output#

There is no context output for this command.

cs-create-or-updateaws-settings#


Create or update Global Settings which are applicable to all provisioned AWS accounts.

Base Command#

cs-create-or-updateaws-settings

Input#

Argument NameDescriptionRequired
models_modifyawscustomersettingsv1_resourcesRequired

Context Output#

There is no context output for this command.

cs-create-prevention-policies#


Create Prevention Policies by specifying details about the policy to create.

Base Command#

cs-create-prevention-policies

Input#

Argument NameDescriptionRequired
requests_createpreventionpoliciesv1_resourcesA collection of policies to create.Required

Context Output#

There is no context output for this command.

cs-create-rulesv1#


Create monitoring rules.

Base Command#

cs-create-rulesv1

Input#

Argument NameDescriptionRequired
X_CS_USERUUIDUser UUID.Optional
sadomain_createrulerequestv1_filterThe filter to be used for searching.Required
sadomain_createrulerequestv1_nameThe name of a particular rule.Required
sadomain_createrulerequestv1_permissionsThe permissions for a particular rule which specifies the rule's access by other users. Possible values: [public private].Required
sadomain_createrulerequestv1_priorityThe priority for a particular rule. Possible values: [medium high low].Required
sadomain_createrulerequestv1_topicThe topic of a given rule. Possible values: [SA_THIRD_PARTY SA_CVE SA_ALIAS SA_AUTHOR SA_BRAND_PRODUCT SA_VIP SA_IP SA_BIN SA_DOMAIN SA_EMAIL SA_CUSTOM].Required

Context Output#

PathTypeDescription
CrowdStrike.domainRulesEntitiesResponseV1.errors.codeNumber
CrowdStrike.domainRulesEntitiesResponseV1.errors.details.fieldString
CrowdStrike.domainRulesEntitiesResponseV1.errors.details.messageString
CrowdStrike.domainRulesEntitiesResponseV1.errors.details.message_keyString
CrowdStrike.domainRulesEntitiesResponseV1.errors.idString
CrowdStrike.domainRulesEntitiesResponseV1.errors.messageString
CrowdStrike.domainRulesEntitiesResponseV1.errors.message_keyString
CrowdStrike.domainRulesEntitiesResponseV1.resources.cidString
CrowdStrike.domainRulesEntitiesResponseV1.resources.created_timestampStringThe creation time for a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.filterStringThe FQL filter contained in a rule and used for searching.
CrowdStrike.domainRulesEntitiesResponseV1.resources.idStringThe ID of a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.nameStringThe name for a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.permissionsStringThe permissions of a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.priorityStringThe priority of a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.statusStringThe status of a rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.status_messageStringThe detailed status message.
CrowdStrike.domainRulesEntitiesResponseV1.resources.topicStringThe topic of a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.updated_timestampStringThe last updated time for a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.user_idStringThe user ID of the user that created a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.user_nameStringThe user name of the user that created a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.user_uuidStringThe UUID of the user that created a given rule.

cs-create-sensor-update-policies#


Create Sensor Update Policies by specifying details about the policy to create.

Base Command#

cs-create-sensor-update-policies

Input#

Argument NameDescriptionRequired
requests_createsensorupdatepoliciesv1_resourcesA collection of policies to create.Required

Context Output#

There is no context output for this command.

cs-create-sensor-update-policiesv2#


Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection.

Base Command#

cs-create-sensor-update-policiesv2

Input#

Argument NameDescriptionRequired
requests_createsensorupdatepoliciesv2_resourcesA collection of policies to create.Required

Context Output#

There is no context output for this command.

cs-create-user#


Create a new user. After creating a user, assign one or more roles with POST /user-roles/entities/user-roles/v1.

Base Command#

cs-create-user

Input#

Argument NameDescriptionRequired
domain_usercreaterequest_firstnameOptional
domain_usercreaterequest_lastnameOptional
domain_usercreaterequest_passwordOptional
domain_usercreaterequest_uidOptional

Context Output#

There is no context output for this command.

cs-create-user-groups#


Create new User Group(s). Maximum 500 User Group(s) allowed per customer.

Base Command#

cs-create-user-groups

Input#

Argument NameDescriptionRequired
domain_usergroupsrequestv1_resourcesRequired

Context Output#

PathTypeDescription
CrowdStrike.domainUserGroupsResponseV1.errors.codeNumber
CrowdStrike.domainUserGroupsResponseV1.errors.idString
CrowdStrike.domainUserGroupsResponseV1.errors.messageString
CrowdStrike.domainUserGroupsResponseV1.resources.cidString
CrowdStrike.domainUserGroupsResponseV1.resources.descriptionString
CrowdStrike.domainUserGroupsResponseV1.resources.nameString
CrowdStrike.domainUserGroupsResponseV1.resources.user_group_idString

cs-createaws-account#


Creates a new AWS account in our system for a customer and generates the installation script.

Base Command#

cs-createaws-account

Input#

Argument NameDescriptionRequired
k8sreg_createawsaccreq_resourcesRequired

Context Output#

There is no context output for this command.

cs-createcid-groups#


Create new CID Group(s). Maximum 500 CID Group(s) allowed.

Base Command#

cs-createcid-groups

Input#

Argument NameDescriptionRequired
domain_cidgroupsrequestv1_resourcesRequired

Context Output#

PathTypeDescription
CrowdStrike.domainCIDGroupsResponseV1.errors.codeNumber
CrowdStrike.domainCIDGroupsResponseV1.errors.idString
CrowdStrike.domainCIDGroupsResponseV1.errors.messageString
CrowdStrike.domainCIDGroupsResponseV1.resources.cidString
CrowdStrike.domainCIDGroupsResponseV1.resources.cid_group_idString
CrowdStrike.domainCIDGroupsResponseV1.resources.descriptionString
CrowdStrike.domainCIDGroupsResponseV1.resources.nameString

cs-createcspm-aws-account#


Creates a new account in our system for a customer and generates a script for them to run in their AWS cloud environment to grant us access.

Base Command#

cs-createcspm-aws-account

Input#

Argument NameDescriptionRequired
registration_awsaccountcreaterequestextv2_resourcesRequired

Context Output#

There is no context output for this command.

cs-createcspmgcp-account#


Creates a new account in our system for a customer and generates a new service account for them to add access to in their GCP environment to grant us access.

Base Command#

cs-createcspmgcp-account

Input#

Argument NameDescriptionRequired
registration_gcpaccountcreaterequestextv1_resourcesRequired

Context Output#

There is no context output for this command.

cs-createml-exclusionsv1#


Create the ML exclusions.

Base Command#

cs-createml-exclusionsv1

Input#

Argument NameDescriptionRequired
requests_mlexclusioncreatereqv1_commentOptional
requests_mlexclusioncreatereqv1_excluded_fromOptional
requests_mlexclusioncreatereqv1_groupsOptional
requests_mlexclusioncreatereqv1_valueOptional

Context Output#

PathTypeDescription
CrowdStrike.responsesMlExclusionRespV1.errors.codeNumber
CrowdStrike.responsesMlExclusionRespV1.errors.idString
CrowdStrike.responsesMlExclusionRespV1.errors.messageString
CrowdStrike.responsesMlExclusionRespV1.resources.applied_globallyBoolean
CrowdStrike.responsesMlExclusionRespV1.resources.created_byString
CrowdStrike.responsesMlExclusionRespV1.resources.created_onString
CrowdStrike.responsesMlExclusionRespV1.resources.groups.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.idStringThe identifier of this host group.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.nameStringThe name of the group.
CrowdStrike.responsesMlExclusionRespV1.resources.idString
CrowdStrike.responsesMlExclusionRespV1.resources.last_modifiedString
CrowdStrike.responsesMlExclusionRespV1.resources.modified_byString
CrowdStrike.responsesMlExclusionRespV1.resources.regexp_valueString
CrowdStrike.responsesMlExclusionRespV1.resources.valueString
CrowdStrike.responsesMlExclusionRespV1.resources.value_hashString

cs-creatert-response-policies#


Create Response Policies by specifying details about the policy to create.

Base Command#

cs-creatert-response-policies

Input#

Argument NameDescriptionRequired
requests_creatertresponsepoliciesv1_resourcesA collection of policies to create.Required

Context Output#

There is no context output for this command.

cs-createrule#


Create a rule within a rule group. Returns the rule.

Base Command#

cs-createrule

Input#

Argument NameDescriptionRequired
api_rulecreatev1_commentRequired
api_rulecreatev1_descriptionRequired
api_rulecreatev1_disposition_idRequired
api_rulecreatev1_field_valuesRequired
api_rulecreatev1_nameRequired
api_rulecreatev1_pattern_severityRequired
api_rulecreatev1_rulegroup_idRequired
api_rulecreatev1_ruletype_idRequired

Context Output#

There is no context output for this command.

cs-createrulegroup#


Create a new rule group on a platform for a customer with a name and description, and return the ID.

Base Command#

cs-createrulegroup

Input#

Argument NameDescriptionRequired
X_CS_USERNAMEThe user id.Required
clone_idA rule group ID from which to copy rules. If this is provided then the 'rules' property of the body is ignored.Optional
li_aryIf this flag is set to true then the rules will be cloned from the clone_id from the CrowdStrike Firewall Rule Groups Library.Optional
commentAudit log comment for this action.Optional
fwmgr_api_rulegroupcreaterequestv1_descriptionRequired
fwmgr_api_rulegroupcreaterequestv1_enabledRequired
fwmgr_api_rulegroupcreaterequestv1_nameRequired
fwmgr_api_rulegroupcreaterequestv1_rulesRequired

Context Output#

There is no context output for this command.

cs-createrulegroup-mixin0#


Create a rule group for a platform with a name and an optional description. Returns the rule group.

Base Command#

cs-createrulegroup-mixin0

Input#

Argument NameDescriptionRequired
api_rulegroupcreaterequestv1_commentRequired
api_rulegroupcreaterequestv1_descriptionRequired
api_rulegroupcreaterequestv1_nameRequired
api_rulegroupcreaterequestv1_platformRequired

Context Output#

There is no context output for this command.

cs-createsv-exclusionsv1#


Create the sensor visibility exclusions.

Base Command#

cs-createsv-exclusionsv1

Input#

Argument NameDescriptionRequired
requests_svexclusioncreatereqv1_commentOptional
requests_svexclusioncreatereqv1_groupsOptional
requests_svexclusioncreatereqv1_valueOptional

Context Output#

PathTypeDescription
CrowdStrike.responsesMlExclusionRespV1.errors.codeNumber
CrowdStrike.responsesMlExclusionRespV1.errors.idString
CrowdStrike.responsesMlExclusionRespV1.errors.messageString
CrowdStrike.responsesMlExclusionRespV1.resources.applied_globallyBoolean
CrowdStrike.responsesMlExclusionRespV1.resources.created_byString
CrowdStrike.responsesMlExclusionRespV1.resources.created_onString
CrowdStrike.responsesMlExclusionRespV1.resources.groups.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.idStringThe identifier of this host group.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.nameStringThe name of the group.
CrowdStrike.responsesMlExclusionRespV1.resources.idString
CrowdStrike.responsesMlExclusionRespV1.resources.last_modifiedString
CrowdStrike.responsesMlExclusionRespV1.resources.modified_byString
CrowdStrike.responsesMlExclusionRespV1.resources.regexp_valueString
CrowdStrike.responsesMlExclusionRespV1.resources.valueString
CrowdStrike.responsesMlExclusionRespV1.resources.value_hashString

cs-crowd-score#


Query environment wide CrowdScore and return the entity data.

Base Command#

cs-crowd-score

Input#

Argument NameDescriptionRequired
filter_Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon.Optional
offsetStarting index of overall result set from which to return ids.Optional
limitThe maximum records to return. [1-2500].Optional
sortThe property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". Possible values are: score.asc, score.desc, timestamp.asc, timestamp.desc.Optional

Context Output#

PathTypeDescription
CrowdStrike.apiMsaEnvironmentScoreResponse.errors.codeNumber
CrowdStrike.apiMsaEnvironmentScoreResponse.errors.idString
CrowdStrike.apiMsaEnvironmentScoreResponse.errors.messageString
CrowdStrike.apiMsaEnvironmentScoreResponse.resources.idString
CrowdStrike.apiMsaEnvironmentScoreResponse.resources.scoreNumber
CrowdStrike.apiMsaEnvironmentScoreResponse.resources.timestampString

cs-customersettingsread#


Check current installation token settings.

Base Command#

cs-customersettingsread

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
CrowdStrike.apicustomerSettingsResponseV1.errors.codeNumber
CrowdStrike.apicustomerSettingsResponseV1.errors.idString
CrowdStrike.apicustomerSettingsResponseV1.errors.messageString
CrowdStrike.apicustomerSettingsResponseV1.resources.max_active_tokensNumber
CrowdStrike.apicustomerSettingsResponseV1.resources.tokens_requiredBoolean

cs-delete-actionv1#


Delete an action from a monitoring rule based on the action ID.

Base Command#

cs-delete-actionv1

Input#

Argument NameDescriptionRequired
id_ID of the action.Required

Context Output#

PathTypeDescription
CrowdStrike.domainQueryResponse.errors.codeNumber
CrowdStrike.domainQueryResponse.errors.details.fieldString
CrowdStrike.domainQueryResponse.errors.details.messageString
CrowdStrike.domainQueryResponse.errors.details.message_keyString
CrowdStrike.domainQueryResponse.errors.idString
CrowdStrike.domainQueryResponse.errors.messageString
CrowdStrike.domainQueryResponse.errors.message_keyString

cs-delete-device-control-policies#


Delete a set of Device Control Policies by specifying their IDs.

Base Command#

cs-delete-device-control-policies

Input#

Argument NameDescriptionRequired
idsThe IDs of the Device Control Policies to delete.Required

Context Output#

PathTypeDescription
CrowdStrike.msaQueryResponse.errors.codeNumber
CrowdStrike.msaQueryResponse.errors.idString
CrowdStrike.msaQueryResponse.errors.messageString

cs-delete-firewall-policies#


Delete a set of Firewall Policies by specifying their IDs.

Base Command#

cs-delete-firewall-policies

Input#

Argument NameDescriptionRequired
idsThe IDs of the Firewall Policies to delete.Required

Context Output#

PathTypeDescription
CrowdStrike.msaQueryResponse.errors.codeNumber
CrowdStrike.msaQueryResponse.errors.idString
CrowdStrike.msaQueryResponse.errors.messageString

cs-delete-host-groups#


Delete a set of Host Groups by specifying their IDs.

Base Command#

cs-delete-host-groups

Input#

Argument NameDescriptionRequired
idsThe IDs of the Host Groups to delete.Required

Context Output#

PathTypeDescription
CrowdStrike.msaQueryResponse.errors.codeNumber
CrowdStrike.msaQueryResponse.errors.idString
CrowdStrike.msaQueryResponse.errors.messageString

cs-delete-notificationsv1#


Delete notifications based on IDs. Notifications cannot be recovered after they are deleted.

Base Command#

cs-delete-notificationsv1

Input#

Argument NameDescriptionRequired
idsNotification IDs.Required

Context Output#

PathTypeDescription
CrowdStrike.domainNotificationIDResponse.errors.codeNumber
CrowdStrike.domainNotificationIDResponse.errors.details.fieldString
CrowdStrike.domainNotificationIDResponse.errors.details.messageString
CrowdStrike.domainNotificationIDResponse.errors.details.message_keyString
CrowdStrike.domainNotificationIDResponse.errors.idString
CrowdStrike.domainNotificationIDResponse.errors.messageString
CrowdStrike.domainNotificationIDResponse.errors.message_keyString

cs-delete-prevention-policies#


Delete a set of Prevention Policies by specifying their IDs.

Base Command#

cs-delete-prevention-policies

Input#

Argument NameDescriptionRequired
idsThe IDs of the Prevention Policies to delete.Required

Context Output#

PathTypeDescription
CrowdStrike.msaQueryResponse.errors.codeNumber
CrowdStrike.msaQueryResponse.errors.idString
CrowdStrike.msaQueryResponse.errors.messageString

cs-delete-report#


Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.

Base Command#

cs-delete-report

Input#

Argument NameDescriptionRequired
idsID of a report.Required

Context Output#

There is no context output for this command.

cs-delete-rulesv1#


Delete monitoring rules.

Base Command#

cs-delete-rulesv1

Input#

Argument NameDescriptionRequired
X_CS_USERUUIDUser UUID.Optional
idsIDs of rules.Required

Context Output#

PathTypeDescription
CrowdStrike.domainRuleQueryResponseV1.errors.codeNumber
CrowdStrike.domainRuleQueryResponseV1.errors.details.fieldString
CrowdStrike.domainRuleQueryResponseV1.errors.details.messageString
CrowdStrike.domainRuleQueryResponseV1.errors.details.message_keyString
CrowdStrike.domainRuleQueryResponseV1.errors.idString
CrowdStrike.domainRuleQueryResponseV1.errors.messageString
CrowdStrike.domainRuleQueryResponseV1.errors.message_keyString

cs-delete-samplev2#


Removes a sample, including file, meta and submissions from the collection.

Base Command#

cs-delete-samplev2

Input#

Argument NameDescriptionRequired
X_CS_USERUUIDUser UUID.Optional
idsThe file SHA256.Required

Context Output#

PathTypeDescription
CrowdStrike.msaQueryResponse.errors.codeNumber
CrowdStrike.msaQueryResponse.errors.idString
CrowdStrike.msaQueryResponse.errors.messageString

cs-delete-samplev3#


Removes a sample, including file, meta and submissions from the collection.

Base Command#

cs-delete-samplev3

Input#

Argument NameDescriptionRequired
X_CS_USERUUIDUser UUID.Optional
idsThe file SHA256.Required

Context Output#

PathTypeDescription
CrowdStrike.msaQueryResponse.errors.codeNumber
CrowdStrike.msaQueryResponse.errors.idString
CrowdStrike.msaQueryResponse.errors.messageString

cs-delete-sensor-update-policies#


Delete a set of Sensor Update Policies by specifying their IDs.

Base Command#

cs-delete-sensor-update-policies

Input#

Argument NameDescriptionRequired
idsThe IDs of the Sensor Update Policies to delete.Required

Context Output#

PathTypeDescription
CrowdStrike.msaQueryResponse.errors.codeNumber
CrowdStrike.msaQueryResponse.errors.idString
CrowdStrike.msaQueryResponse.errors.messageString

cs-delete-sensor-visibility-exclusionsv1#


Delete the sensor visibility exclusions by id.

Base Command#

cs-delete-sensor-visibility-exclusionsv1

Input#

Argument NameDescriptionRequired
idsThe ids of the exclusions to delete.Required
commentExplains why this exclusion was deleted.Optional

Context Output#

PathTypeDescription
CrowdStrike.msaQueryResponse.errors.codeNumber
CrowdStrike.msaQueryResponse.errors.idString
CrowdStrike.msaQueryResponse.errors.messageString

cs-delete-user#


Delete a user permanently.

Base Command#

cs-delete-user

Input#

Argument NameDescriptionRequired
user_uuidID of a user. Find a user's ID from /users/entities/user/v1.Required

Context Output#

PathTypeDescription
CrowdStrike.msaReplyMetaOnly.errors.codeNumber
CrowdStrike.msaReplyMetaOnly.errors.idString
CrowdStrike.msaReplyMetaOnly.errors.messageString

cs-delete-user-group-members#


Delete User Group members entry.

Base Command#

cs-delete-user-group-members

Input#

Argument NameDescriptionRequired
domain_usergroupmembersrequestv1_resourcesRequired

Context Output#

PathTypeDescription
CrowdStrike.domainUserGroupMembersResponseV1.errors.codeNumber
CrowdStrike.domainUserGroupMembersResponseV1.errors.idString
CrowdStrike.domainUserGroupMembersResponseV1.errors.messageString
CrowdStrike.domainUserGroupMembersResponseV1.resources.user_group_idString

cs-delete-user-groups#


Delete User Group(s) by ID(s).

Base Command#

cs-delete-user-groups

Input#

Argument NameDescriptionRequired
user_group_idsUser Group IDs.Required

Context Output#

PathTypeDescription
CrowdStrike.msaEntitiesResponse.errors.codeNumber
CrowdStrike.msaEntitiesResponse.errors.idString
CrowdStrike.msaEntitiesResponse.errors.messageString

cs-deleteaws-accounts#


Delete a set of AWS Accounts by specifying their IDs.

Base Command#

cs-deleteaws-accounts

Input#

Argument NameDescriptionRequired
idsIDs of accounts to remove.Required

Context Output#

PathTypeDescription
CrowdStrike.modelsBaseResponseV1.errors.codeNumber
CrowdStrike.modelsBaseResponseV1.errors.idString
CrowdStrike.modelsBaseResponseV1.errors.messageString

cs-deleteaws-accounts-mixin0#


Delete AWS accounts.

Base Command#

cs-deleteaws-accounts-mixin0

Input#

Argument NameDescriptionRequired
idsAWS Account IDs.Required

Context Output#

PathTypeDescription
CrowdStrike.msaMetaInfo.powered_byString
CrowdStrike.msaMetaInfo.query_timeUnknown
CrowdStrike.msaMetaInfo.trace_idString

cs-deletecid-group-members#


Delete CID Group members entry.

Base Command#

cs-deletecid-group-members

Input#

Argument NameDescriptionRequired
domain_cidgroupmembersrequestv1_resourcesRequired

Context Output#

PathTypeDescription
CrowdStrike.domainCIDGroupMembersResponseV1.errors.codeNumber
CrowdStrike.domainCIDGroupMembersResponseV1.errors.idString
CrowdStrike.domainCIDGroupMembersResponseV1.errors.messageString
CrowdStrike.domainCIDGroupMembersResponseV1.resources.cid_group_idString

cs-deletecid-groups#


Delete CID Group(s) by ID(s).

Base Command#

cs-deletecid-groups

Input#

Argument NameDescriptionRequired
cid_group_idsCID group ids to be deleted.Required

Context Output#

PathTypeDescription
CrowdStrike.msaEntitiesResponse.errors.codeNumber
CrowdStrike.msaEntitiesResponse.errors.idString
CrowdStrike.msaEntitiesResponse.errors.messageString

cs-deletecspm-aws-account#


Deletes an existing AWS account or organization in our system.

Base Command#

cs-deletecspm-aws-account

Input#

Argument NameDescriptionRequired
idsAWS account IDs to remove.Optional
organization_idsAWS organization IDs to remove.Optional

Context Output#

PathTypeDescription
CrowdStrike.registrationBaseResponseV1.errors.codeNumber
CrowdStrike.registrationBaseResponseV1.errors.idString
CrowdStrike.registrationBaseResponseV1.errors.messageString

cs-deletecspm-azure-account#


Deletes an Azure subscription from the system.

Base Command#

cs-deletecspm-azure-account

Input#

Argument NameDescriptionRequired
idsAzure subscription IDs to remove.Required

Context Output#

PathTypeDescription
CrowdStrike.registrationBaseResponseV1.errors.codeNumber
CrowdStrike.registrationBaseResponseV1.errors.idString
CrowdStrike.registrationBaseResponseV1.errors.messageString

cs-deleted-roles#


Delete MSSP Role assignment(s) between User Group and CID Group. User Group ID and CID Group ID have to be specified in request. Only specified roles are removed if specified in request payload, else association between User Group and CID Group is dissolved completely (if no roles specified).

Base Command#

cs-deleted-roles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_mssprolerequestv1_resources | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainMSSPRoleResponseV1.errors.code | Number | |
| CrowdStrike.domainMSSPRoleResponseV1.errors.id | String | |
| CrowdStrike.domainMSSPRoleResponseV1.errors.message | String | |
| CrowdStrike.domainMSSPRoleResponseV1.resources.cid_group_id | String | |
| CrowdStrike.domainMSSPRoleResponseV1.resources.id | String | |
| CrowdStrike.domainMSSPRoleResponseV1.resources.user_group_id | String | |

cs-deleteioa-exclusionsv1#


Delete the IOA exclusions by id.

Base Command#

cs-deleteioa-exclusionsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The ids of the exclusions to delete. | Required |
| comment | Explains why this exclusion was deleted. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-deleteml-exclusionsv1#


Delete the ML exclusions by id.

Base Command#

cs-deleteml-exclusionsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The ids of the exclusions to delete. | Required |
| comment | Explains why this exclusion was deleted. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesMlExclusionRespV1.errors.code | Number | |
| CrowdStrike.responsesMlExclusionRespV1.errors.id | String | |
| CrowdStrike.responsesMlExclusionRespV1.errors.message | String | |
| CrowdStrike.responsesMlExclusionRespV1.resources.applied_globally | Boolean | |
| CrowdStrike.responsesMlExclusionRespV1.resources.created_by | String | |
| CrowdStrike.responsesMlExclusionRespV1.resources.created_on | String | |
| CrowdStrike.responsesMlExclusionRespV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesMlExclusionRespV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesMlExclusionRespV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesMlExclusionRespV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesMlExclusionRespV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesMlExclusionRespV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesMlExclusionRespV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesMlExclusionRespV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesMlExclusionRespV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesMlExclusionRespV1.resources.id | String | |
| CrowdStrike.responsesMlExclusionRespV1.resources.last_modified | String | |
| CrowdStrike.responsesMlExclusionRespV1.resources.modified_by | String | |
| CrowdStrike.responsesMlExclusionRespV1.resources.regexp_value | String | |
| CrowdStrike.responsesMlExclusionRespV1.resources.value | String | |
| CrowdStrike.responsesMlExclusionRespV1.resources.value_hash | String | |

cs-deletert-response-policies#


Delete a set of Response Policies by specifying their IDs.

Base Command#

cs-deletert-response-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The IDs of the Response Policies to delete. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-deleterulegroups#


Delete rule group entities by ID.

Base Command#

cs-deleterulegroups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| X_CS_USERNAME | The user id. | Required |
| ids | The IDs of the rule groups to be deleted. | Required |
| comment | Audit log comment for this action. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiQueryResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiQueryResponse.errors.id | String | |
| CrowdStrike.fwmgrapiQueryResponse.errors.message | String | |

cs-deleterulegroups-mixin0#


Delete rule groups by ID.

Base Command#

cs-deleterulegroups-mixin0

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| comment | Explains why the entity is being deleted. | Optional |
| ids | The IDs of the entities. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number | |
| CrowdStrike.msaReplyMetaOnly.errors.id | String | |
| CrowdStrike.msaReplyMetaOnly.errors.message | String | |

cs-deleterules#


Delete rules from a rule group by ID.

Base Command#

cs-deleterules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_group_id | The parent rule group. | Required |
| comment | Explains why the entity is being deleted. | Optional |
| ids | The IDs of the entities. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number | |
| CrowdStrike.msaReplyMetaOnly.errors.id | String | |
| CrowdStrike.msaReplyMetaOnly.errors.message | String | |

cs-devices-count#


Number of hosts in your customer account that have observed a given custom IOC.

Base Command#

cs-devices-count

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type_ | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min: 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. | Required |
| value | The string representation of the indicator. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiMsaReplyIOCDevicesCount.errors.code | Number | |
| CrowdStrike.apiMsaReplyIOCDevicesCount.errors.id | String | |
| CrowdStrike.apiMsaReplyIOCDevicesCount.errors.message | String | |
| CrowdStrike.apiMsaReplyIOCDevicesCount.resources.device_count | Number | |
| CrowdStrike.apiMsaReplyIOCDevicesCount.resources.id | String | |
| CrowdStrike.apiMsaReplyIOCDevicesCount.resources.limit_exceeded | Boolean | |
| CrowdStrike.apiMsaReplyIOCDevicesCount.resources.type | String | |
| CrowdStrike.apiMsaReplyIOCDevicesCount.resources.value | String | |

cs-devices-ran-on#


Find hosts that have observed a given custom IOC. For details about those hosts, use GET /devices/entities/devices/v2.

Base Command#

cs-devices-ran-on

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type_ | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min: 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. | Required |
| value | The string representation of the indicator. | Required |
| limit | The first process to return, where 0 is the latest offset. Use with the offset parameter to manage pagination of results. | Optional |
| offset | The first process to return, where 0 is the latest offset. Use with the limit parameter to manage pagination of results. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiMsaReplyDevicesRanOn.errors.code | Number | |
| CrowdStrike.apiMsaReplyDevicesRanOn.errors.id | String | |
| CrowdStrike.apiMsaReplyDevicesRanOn.errors.message | String | |

cs-download-sensor-installer-by-id#


Download sensor installer by SHA256 ID.

Base Command#

cs-download-sensor-installer-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | SHA256 of the installer to download. | Required |

Context Output#

There is no context output for this command.

cs-entitiesprocesses#


For the provided ProcessID retrieve the process details.

Base Command#

cs-entitiesprocesses

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | ProcessID for the running process you want to look up. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiMsaProcessDetailResponse.errors.code | Number | |
| CrowdStrike.apiMsaProcessDetailResponse.errors.id | String | |
| CrowdStrike.apiMsaProcessDetailResponse.errors.message | String | |
| CrowdStrike.apiMsaProcessDetailResponse.resources.command_line | String | |
| CrowdStrike.apiMsaProcessDetailResponse.resources.device_id | String | |
| CrowdStrike.apiMsaProcessDetailResponse.resources.file_name | String | |
| CrowdStrike.apiMsaProcessDetailResponse.resources.process_id | String | |
| CrowdStrike.apiMsaProcessDetailResponse.resources.process_id_local | String | |
| CrowdStrike.apiMsaProcessDetailResponse.resources.start_timestamp | String | |
| CrowdStrike.apiMsaProcessDetailResponse.resources.start_timestamp_raw | String | |
| CrowdStrike.apiMsaProcessDetailResponse.resources.stop_timestamp | String | |
| CrowdStrike.apiMsaProcessDetailResponse.resources.stop_timestamp_raw | String | |

cs-get-actionsv1#


Get actions based on their IDs. IDs can be retrieved using the GET /queries/actions/v1 endpoint.

Base Command#

cs-get-actionsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | Action IDs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainActionEntitiesResponseV1.errors.code | Number | |
| CrowdStrike.domainActionEntitiesResponseV1.errors.details.field | String | |
| CrowdStrike.domainActionEntitiesResponseV1.errors.details.message | String | |
| CrowdStrike.domainActionEntitiesResponseV1.errors.details.message_key | String | |
| CrowdStrike.domainActionEntitiesResponseV1.errors.id | String | |
| CrowdStrike.domainActionEntitiesResponseV1.errors.message | String | |
| CrowdStrike.domainActionEntitiesResponseV1.errors.message_key | String | |
| CrowdStrike.domainActionEntitiesResponseV1.resources.cid | String | The ID of the customer who created the action. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.created_timestamp | String | The date when the action was created. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.frequency | String | |
| CrowdStrike.domainActionEntitiesResponseV1.resources.id | String | The ID of the action. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.rule_id | String | The ID of the rule on which this action is attached. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.status | String | The action status. It can be either 'enabled' or 'muted'. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.type | String | The action type. The only type currently supported is 'email'. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.updated_timestamp | String | The date when the action was updated. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.user_uuid | String | The UUID of the user who created the action. |

cs-get-aggregate-detects#


Get detect aggregates as specified via JSON in the request body.

Base Command#

cs-get-aggregate-detects

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-get-artifacts#


Download IOC packs, PCAP files, and other analysis artifacts.

Base Command#

cs-get-artifacts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | ID of an artifact, such as an IOC pack, PCAP file, or actor image. Find an artifact ID in a report or summary. | Required |
| name | The name given to your downloaded file. | Optional |
| Accept_Encoding | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format. | Optional |

Context Output#

There is no context output for this command.

cs-get-assessmentv1#


Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID) and a customer ID (CID).

Base Command#

cs-get-assessmentv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | One or more agent IDs, which you can find in the data.zta file, or the Falcon console. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainAssessmentsResponse.errors.code | Number | |
| CrowdStrike.domainAssessmentsResponse.errors.id | String | |
| CrowdStrike.domainAssessmentsResponse.errors.message | String | |
| CrowdStrike.domainAssessmentsResponse.resources.aid | String | |
| CrowdStrike.domainAssessmentsResponse.resources.cid | String | |
| CrowdStrike.domainAssessmentsResponse.resources.event_platform | String | |
| CrowdStrike.domainAssessmentsResponse.resources.modified_time | String | |
| CrowdStrike.domainAssessmentsResponse.resources.product_type_desc | String | |
| CrowdStrike.domainAssessmentsResponse.resources.sensor_file_status | String | |
| CrowdStrike.domainAssessmentsResponse.resources.system_serial_number | String | |

cs-get-available-role-ids#


Show role IDs for all roles available in your customer account. For more information on each role, provide the role ID to /customer/entities/roles/v1.

Base Command#

cs-get-available-role-ids

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-get-behaviors#


Get details on behaviors by providing behavior IDs.

Base Command#

cs-get-behaviors

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_idsrequest_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiMsaExternalBehaviorResponse.errors.code | Number | |
| CrowdStrike.apiMsaExternalBehaviorResponse.errors.id | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.errors.message | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.aid | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.behavior_id | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.cid | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.cmdline | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.compound_tto | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.detection_id | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.domain | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.filepath | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.incident_id | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.ioc_source | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.ioc_type | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.ioc_value | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.objective | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.pattern_disposition | Number | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.pattern_id | Number | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.sha256 | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.tactic | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.technique | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.template_instance_id | Number | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.timestamp | String | |
| CrowdStrike.apiMsaExternalBehaviorResponse.resources.user_name | String | |

cs-get-children#


Get link to child customer by child CID(s).

Base Command#

cs-get-children

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | CID of a child customer. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainChildrenResponseV1.resources.checksum | String | |
| CrowdStrike.domainChildrenResponseV1.resources.child_cid | String | |
| CrowdStrike.domainChildrenResponseV1.resources.child_gcid | String | |
| CrowdStrike.domainChildrenResponseV1.resources.child_of | String | |
| CrowdStrike.domainChildrenResponseV1.resources.name | String | |
| CrowdStrike.domainChildrenResponseV1.resources.status | String | |

cs-get-cloudconnectazure-entities-account-v1#


Return information about Azure account registration.

Base Command#

cs-get-cloudconnectazure-entities-account-v1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | SubscriptionIDs of accounts to select for this status operation. If this is empty then all accounts are returned. | Optional |
| scan_type | Type of scan, dry or full, to perform on selected accounts. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationAzureAccountResponseV1.errors.code | Number | |
| CrowdStrike.registrationAzureAccountResponseV1.errors.id | String | |
| CrowdStrike.registrationAzureAccountResponseV1.errors.message | String | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.CreatedAt | String | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.DeletedAt | String | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.ID | Number | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.UpdatedAt | String | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.cid | String | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.status | String | Account registration status. |
| CrowdStrike.registrationAzureAccountResponseV1.resources.subscription_id | String | Azure Subscription ID. |
| CrowdStrike.registrationAzureAccountResponseV1.resources.tenant_id | String | Azure Tenant ID to use. |

cs-get-cloudconnectazure-entities-userscriptsdownload-v1#


Return, as a downloadable attachment, a script for the customer to run in their cloud environment to grant us access to their Azure environment.

Base Command#

cs-get-cloudconnectazure-entities-userscriptsdownload-v1

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.errors.code | Number | |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.errors.id | String | |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.errors.message | String | |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.resources.bash | String | |

cs-get-cloudconnectcspmazure-entities-account-v1#


Return information about Azure account registration.

Base Command#

cs-get-cloudconnectcspmazure-entities-account-v1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | SubscriptionIDs of accounts to select for this status operation. If this is empty then all accounts are returned. | Optional |
| scan_type | Type of scan, dry or full, to perform on selected accounts. | Optional |
| status | Account status to filter results by. | Optional |
| limit | The maximum records to return. Defaults to 100. | Optional |
| offset | The offset to start retrieving records from. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationAzureAccountResponseV1.errors.code | Number | |
| CrowdStrike.registrationAzureAccountResponseV1.errors.id | String | |
| CrowdStrike.registrationAzureAccountResponseV1.errors.message | String | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.CreatedAt | String | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.DeletedAt | String | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.ID | Number | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.UpdatedAt | String | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.cid | String | |
| CrowdStrike.registrationAzureAccountResponseV1.resources.status | String | Account registration status. |
| CrowdStrike.registrationAzureAccountResponseV1.resources.subscription_id | String | Azure Subscription ID. |
| CrowdStrike.registrationAzureAccountResponseV1.resources.tenant_id | String | Azure Tenant ID to use. |

cs-get-cloudconnectcspmazure-entities-userscriptsdownload-v1#


Return, as a downloadable attachment, a script for the customer to run in their cloud environment to grant us access to their Azure environment.

Base Command#

cs-get-cloudconnectcspmazure-entities-userscriptsdownload-v1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | Tenant ID to generate script for. Defaults to most recently registered tenant. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.errors.code | Number | |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.errors.id | String | |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.errors.message | String | |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.resources.bash | String | |

cs-get-clusters#


Provides the clusters acknowledged by the Kubernetes Protection service.

Base Command#

cs-get-clusters

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cluster_names | Cluster name. For EKS it will be cluster ARN. | Optional |
| account_ids | Cluster Account id. For EKS it will be AWS account ID. | Optional |
| locations | Cloud location. | Optional |
| cluster_service | Cluster Service. Possible values are: eks. | Optional |
| limit | Limit returned accounts. | Optional |
| offset | Offset returned accounts. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.k8sregGetClustersResp.errors.code | Number | |
| CrowdStrike.k8sregGetClustersResp.errors.id | String | |
| CrowdStrike.k8sregGetClustersResp.errors.message | String | |
| CrowdStrike.k8sregGetClustersResp.resources.account_id | String | |
| CrowdStrike.k8sregGetClustersResp.resources.cid | String | |
| CrowdStrike.k8sregGetClustersResp.resources.cluster_id | String | |
| CrowdStrike.k8sregGetClustersResp.resources.cluster_name | String | |
| CrowdStrike.k8sregGetClustersResp.resources.cluster_service | String | |
| CrowdStrike.k8sregGetClustersResp.resources.created_at | String | |
| CrowdStrike.k8sregGetClustersResp.resources.last_heartbeat_at | String | |
| CrowdStrike.k8sregGetClustersResp.resources.location | String | |
| CrowdStrike.k8sregGetClustersResp.resources.status | String | |
| CrowdStrike.k8sregGetClustersResp.resources.updated_at | String | |

cs-get-combined-sensor-installers-by-query#


Get sensor installer details by provided query.

Base Command#

cs-get-combined-sensor-installers-by-query

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | The first item to return, where 0 is the latest item. Use with the limit parameter to manage pagination of results. | Optional |
| limit | The number of items to return in this response (default: 100, max: 500). Use with the offset parameter to manage pagination of results. | Optional |
| sort | Sort items using their properties. Common sort options include: version\|asc, release_date\|desc. | Optional |
| filter_ | Filter items using a query in Falcon Query Language (FQL). An asterisk wildcard includes all results. Common filter options include: platform:"windows", version: "5.2". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainSensorInstallersV1.errors.code | Number | |
| CrowdStrike.domainSensorInstallersV1.errors.id | String | |
| CrowdStrike.domainSensorInstallersV1.errors.message | String | |
| CrowdStrike.domainSensorInstallersV1.resources.description | String | installer description. |
| CrowdStrike.domainSensorInstallersV1.resources.file_size | Number | file size. |
| CrowdStrike.domainSensorInstallersV1.resources.file_type | String | file type. |
| CrowdStrike.domainSensorInstallersV1.resources.name | String | installer file name. |
| CrowdStrike.domainSensorInstallersV1.resources.os | String | |
| CrowdStrike.domainSensorInstallersV1.resources.os_version | String | |
| CrowdStrike.domainSensorInstallersV1.resources.platform | String | supported platform. |
| CrowdStrike.domainSensorInstallersV1.resources.release_date | String | release date. |
| CrowdStrike.domainSensorInstallersV1.resources.sha256 | String | sha256. |
| CrowdStrike.domainSensorInstallersV1.resources.version | String | version of the installer. |

cs-get-detect-summaries#


View information about detections.

Base Command#

cs-get-detect-summaries

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_idsrequest_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainMsaDetectSummariesResponse.errors.code | Number | |
| CrowdStrike.domainMsaDetectSummariesResponse.errors.id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.errors.message | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.assigned_to_name | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.assigned_to_uid | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.alleged_filetype | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.behavior_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.cmdline | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.confidence | Number | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.container_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.control_graph_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.description | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.device_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.display_name | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.filename | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.filepath | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.ioc_description | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.ioc_source | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.ioc_type | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.ioc_value | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.md5 | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.objective | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.pattern_disposition | Number | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.rule_instance_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.rule_instance_version | Number | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.scenario | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.severity | Number | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.sha256 | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.tactic | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.tactic_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.technique | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.technique_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.template_instance_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.timestamp | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.triggering_process_graph_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.user_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.behaviors.user_name | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.cid | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.created_timestamp | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.detection_id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.email_sent | Boolean | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.first_behavior | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.last_behavior | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.max_confidence | Number | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.max_severity | Number | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.max_severity_displayname | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.overwatch_notes | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.quarantined_files.id | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.quarantined_files.paths | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.quarantined_files.sha256 | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.quarantined_files.state | String | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.seconds_to_resolved | Number | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.seconds_to_triaged | Number | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.show_in_ui | Boolean | |
| CrowdStrike.domainMsaDetectSummariesResponse.resources.status | String | |

cs-get-device-control-policies#


Retrieve a set of Device Control Policies by specifying their IDs.

Base Command#

cs-get-device-control-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The IDs of the Device Control Policies to return. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.code | Number | |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.id | String | |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.message | String | |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.platform_name | String | The name of the platform. |

cs-get-device-count-collection-queries-by-filter#


Retrieve device count collection IDs that match the provided FQL filter criteria, with scrolling enabled.

Base Command#

cs-get-device-count-collection-queries-by-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". | Optional |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-get-device-details#


Get details on one or more hosts by providing agent IDs (AID). You can get a host's agent IDs (AIDs) from the /devices/queries/devices/v1 endpoint, the Falcon console or the Streaming API.

Base Command#

cs-get-device-details

Input#

Argument Name | Description | Required
ids | The host agent IDs to get details on. | Required

Context Output#

PathTypeDescription
CrowdStrike.domainDeviceDetailsResponseSwagger.errors.codeNumber
CrowdStrike.domainDeviceDetailsResponseSwagger.errors.idString
CrowdStrike.domainDeviceDetailsResponseSwagger.errors.messageString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.agent_load_flagsString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.agent_local_timeString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.agent_versionString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.bios_manufacturerString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.bios_versionString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.build_numberString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.cidString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.config_id_baseString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.config_id_buildString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.config_id_platformString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.cpu_signatureString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.detection_suppression_statusString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.device_idString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.emailString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.external_ipString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.first_login_timestampString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.first_seenString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.group_hashString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.host_hidden_statusString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.hostnameString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.instance_idString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.last_login_timestampString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.last_seenString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.local_ipString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.mac_addressString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.machine_domainString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.major_versionString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.minor_versionString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.modified_timestampString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.os_versionString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.platform_idString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.platform_nameString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.pod_host_ip4String
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.pod_host_ip6String
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.pod_hostnameString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.pod_idString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.pod_ip4String
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.pod_ip6String
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.pod_nameString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.pod_namespaceString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.pod_service_account_nameString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.pointer_sizeString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.policies.appliedBoolean
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.policies.applied_dateString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.policies.assigned_dateString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.policies.policy_idString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.policies.policy_typeString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.policies.rule_set_idString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.policies.settings_hashString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.policies.uninstall_protectionString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.product_typeString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.product_type_descString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.provision_statusString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.reduced_functionality_modeString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.release_groupString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.serial_numberString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.service_pack_majorString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.service_pack_minorString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.service_providerString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.service_provider_account_idString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.site_nameString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.slow_changing_modified_timestampString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.statusString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.system_manufacturerString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.system_product_nameString
CrowdStrike.domainDeviceDetailsResponseSwagger.resources.zone_groupString

cs-get-firewall-policies#


Retrieve a set of Firewall Policies by specifying their IDs.

Base Command#

cs-get-firewall-policies

Input#

Argument Name | Description | Required
ids | The IDs of the Firewall Policies to return. | Required

Context Output#

PathTypeDescription
CrowdStrike.responsesFirewallPoliciesV1.errors.codeNumber
CrowdStrike.responsesFirewallPoliciesV1.errors.idString
CrowdStrike.responsesFirewallPoliciesV1.errors.messageString
CrowdStrike.responsesFirewallPoliciesV1.resources.channel_versionNumberChannel file version for the policy.
CrowdStrike.responsesFirewallPoliciesV1.resources.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesFirewallPoliciesV1.resources.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesFirewallPoliciesV1.resources.descriptionStringThe description of a policy. Use this field to provide a high level summary of what this policy enforces.
CrowdStrike.responsesFirewallPoliciesV1.resources.enabledBooleanIf a policy is enabled it will be used during the course of policy evaluation.
CrowdStrike.responsesFirewallPoliciesV1.resources.groups.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesFirewallPoliciesV1.resources.groups.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesFirewallPoliciesV1.resources.groups.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesFirewallPoliciesV1.resources.groups.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesFirewallPoliciesV1.resources.groups.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesFirewallPoliciesV1.resources.groups.idStringThe identifier of this host group.
CrowdStrike.responsesFirewallPoliciesV1.resources.groups.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesFirewallPoliciesV1.resources.groups.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesFirewallPoliciesV1.resources.groups.nameStringThe name of the group.
CrowdStrike.responsesFirewallPoliciesV1.resources.idStringThe unique id of the policy.
CrowdStrike.responsesFirewallPoliciesV1.resources.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesFirewallPoliciesV1.resources.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesFirewallPoliciesV1.resources.nameStringThe human readable name of the policy.
CrowdStrike.responsesFirewallPoliciesV1.resources.platform_nameStringThe name of the platform.
CrowdStrike.responsesFirewallPoliciesV1.resources.rule_set_idStringFirewall rule set id. This id combines several firewall rules and gets attached to the policy.

cs-get-helm-values-yaml#


Provides a sample Helm values.yaml file for a customer to install alongside the agent Helm chart.

Base Command#

cs-get-helm-values-yaml

Input#

Argument Name | Description | Required
cluster_name | Cluster name. For EKS it will be cluster ARN. | Required

Context Output#

There is no context output for this command.

cs-get-host-groups#


Retrieve a set of Host Groups by specifying their IDs.

Base Command#

cs-get-host-groups

Input#

Argument Name | Description | Required
ids | The IDs of the Host Groups to return. | Required

Context Output#

PathTypeDescription
CrowdStrike.responsesHostGroupsV1.errors.codeNumber
CrowdStrike.responsesHostGroupsV1.errors.idString
CrowdStrike.responsesHostGroupsV1.errors.messageString
CrowdStrike.responsesHostGroupsV1.resources.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesHostGroupsV1.resources.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesHostGroupsV1.resources.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesHostGroupsV1.resources.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesHostGroupsV1.resources.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesHostGroupsV1.resources.idStringThe identifier of this host group.
CrowdStrike.responsesHostGroupsV1.resources.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesHostGroupsV1.resources.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesHostGroupsV1.resources.nameStringThe name of the group.

cs-get-incidents#


Get details on incidents by providing incident IDs.

Base Command#

cs-get-incidents

Input#

Argument Name | Description | Required
msa_idsrequest_ids | | Required

Context Output#

PathTypeDescription
CrowdStrike.apiMsaExternalIncidentResponse.errors.codeNumber
CrowdStrike.apiMsaExternalIncidentResponse.errors.idString
CrowdStrike.apiMsaExternalIncidentResponse.errors.messageString
CrowdStrike.apiMsaExternalIncidentResponse.resources.assigned_toString
CrowdStrike.apiMsaExternalIncidentResponse.resources.assigned_to_nameString
CrowdStrike.apiMsaExternalIncidentResponse.resources.cidString
CrowdStrike.apiMsaExternalIncidentResponse.resources.createdString
CrowdStrike.apiMsaExternalIncidentResponse.resources.descriptionString
CrowdStrike.apiMsaExternalIncidentResponse.resources.endString
CrowdStrike.apiMsaExternalIncidentResponse.resources.events_histogram.countNumber
CrowdStrike.apiMsaExternalIncidentResponse.resources.events_histogram.has_detectBoolean
CrowdStrike.apiMsaExternalIncidentResponse.resources.events_histogram.has_overwatchBoolean
CrowdStrike.apiMsaExternalIncidentResponse.resources.events_histogram.has_preventedBoolean
CrowdStrike.apiMsaExternalIncidentResponse.resources.events_histogram.timestamp_maxNumber
CrowdStrike.apiMsaExternalIncidentResponse.resources.events_histogram.timestamp_minNumber
CrowdStrike.apiMsaExternalIncidentResponse.resources.fine_scoreNumber
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.agent_load_flagsString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.agent_local_timeString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.agent_versionString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.bios_manufacturerString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.bios_versionString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.cidString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.config_id_baseString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.config_id_buildString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.config_id_platformString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.device_idString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.external_ipString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.first_login_timestampString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.first_login_userString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.first_seenString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.hostnameString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.instance_idString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.last_login_timestampString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.last_login_userString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.last_seenString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.local_ipString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.mac_addressString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.machine_domainString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.major_versionString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.minor_versionString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.modified_timestampString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.os_versionString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.platform_idString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.platform_nameString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.pod_idString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.pod_nameString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.pod_namespaceString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.pod_service_account_nameString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.product_typeString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.product_type_descString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.release_groupString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.service_providerString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.service_provider_account_idString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.site_nameString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.statusString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.system_manufacturerString
CrowdStrike.apiMsaExternalIncidentResponse.resources.hosts.system_product_nameString
CrowdStrike.apiMsaExternalIncidentResponse.resources.incident_idString
CrowdStrike.apiMsaExternalIncidentResponse.resources.incident_typeNumber
CrowdStrike.apiMsaExternalIncidentResponse.resources.lm_hosts_cappedBoolean
CrowdStrike.apiMsaExternalIncidentResponse.resources.modified_timestampString
CrowdStrike.apiMsaExternalIncidentResponse.resources.nameString
CrowdStrike.apiMsaExternalIncidentResponse.resources.startString
CrowdStrike.apiMsaExternalIncidentResponse.resources.stateString
CrowdStrike.apiMsaExternalIncidentResponse.resources.statusNumber
CrowdStrike.apiMsaExternalIncidentResponse.resources.visibilityNumber

cs-get-intel-actor-entities#


Retrieve specific actors using their actor IDs.

Base Command#

cs-get-intel-actor-entities

Input#

Argument Name | Description | Required
ids | The IDs of the actors you want to retrieve. | Required
fields | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. | Optional

Context Output#

PathTypeDescription
CrowdStrike.domainActorsResponse.errors.idString
CrowdStrike.domainActorsResponse.errors.messageString
CrowdStrike.domainActorsResponse.resources.activeBoolean
CrowdStrike.domainActorsResponse.resources.actor_typeString
CrowdStrike.domainActorsResponse.resources.created_dateNumber
CrowdStrike.domainActorsResponse.resources.descriptionString
CrowdStrike.domainActorsResponse.resources.entitlements.idNumber
CrowdStrike.domainActorsResponse.resources.entitlements.nameString
CrowdStrike.domainActorsResponse.resources.entitlements.slugString
CrowdStrike.domainActorsResponse.resources.entitlements.valueString
CrowdStrike.domainActorsResponse.resources.first_activity_dateNumber
CrowdStrike.domainActorsResponse.resources.idNumber
CrowdStrike.domainActorsResponse.resources.known_asString
CrowdStrike.domainActorsResponse.resources.last_activity_dateNumber
CrowdStrike.domainActorsResponse.resources.last_modified_dateNumber
CrowdStrike.domainActorsResponse.resources.motivations.idNumber
CrowdStrike.domainActorsResponse.resources.motivations.nameString
CrowdStrike.domainActorsResponse.resources.motivations.slugString
CrowdStrike.domainActorsResponse.resources.motivations.valueString
CrowdStrike.domainActorsResponse.resources.nameString
CrowdStrike.domainActorsResponse.resources.notify_usersBoolean
CrowdStrike.domainActorsResponse.resources.origins.idNumber
CrowdStrike.domainActorsResponse.resources.origins.nameString
CrowdStrike.domainActorsResponse.resources.origins.slugString
CrowdStrike.domainActorsResponse.resources.origins.valueString
CrowdStrike.domainActorsResponse.resources.rich_text_descriptionString
CrowdStrike.domainActorsResponse.resources.short_descriptionString
CrowdStrike.domainActorsResponse.resources.slugString
CrowdStrike.domainActorsResponse.resources.target_countries.idNumber
CrowdStrike.domainActorsResponse.resources.target_countries.nameString
CrowdStrike.domainActorsResponse.resources.target_countries.slugString
CrowdStrike.domainActorsResponse.resources.target_countries.valueString
CrowdStrike.domainActorsResponse.resources.target_industries.idNumber
CrowdStrike.domainActorsResponse.resources.target_industries.nameString
CrowdStrike.domainActorsResponse.resources.target_industries.slugString
CrowdStrike.domainActorsResponse.resources.target_industries.valueString
CrowdStrike.domainActorsResponse.resources.urlString

cs-get-intel-indicator-entities#


Retrieve specific indicators using their indicator IDs.

Base Command#

cs-get-intel-indicator-entities

Input#

Argument Name | Description | Required
msa_idsrequest_ids | | Required

Context Output#

PathTypeDescription
CrowdStrike.domainPublicIndicatorsV3Response.errors.codeNumber
CrowdStrike.domainPublicIndicatorsV3Response.errors.idString
CrowdStrike.domainPublicIndicatorsV3Response.errors.messageString
CrowdStrike.domainPublicIndicatorsV3Response.resources._markerString
CrowdStrike.domainPublicIndicatorsV3Response.resources.deletedBoolean
CrowdStrike.domainPublicIndicatorsV3Response.resources.idString
CrowdStrike.domainPublicIndicatorsV3Response.resources.indicatorString
CrowdStrike.domainPublicIndicatorsV3Response.resources.labels.created_onNumber
CrowdStrike.domainPublicIndicatorsV3Response.resources.labels.last_valid_onNumber
CrowdStrike.domainPublicIndicatorsV3Response.resources.labels.nameString
CrowdStrike.domainPublicIndicatorsV3Response.resources.last_updatedNumber
CrowdStrike.domainPublicIndicatorsV3Response.resources.malicious_confidenceString
CrowdStrike.domainPublicIndicatorsV3Response.resources.published_dateNumber
CrowdStrike.domainPublicIndicatorsV3Response.resources.relations.created_dateNumber
CrowdStrike.domainPublicIndicatorsV3Response.resources.relations.idString
CrowdStrike.domainPublicIndicatorsV3Response.resources.relations.indicatorString
CrowdStrike.domainPublicIndicatorsV3Response.resources.relations.last_valid_dateNumber
CrowdStrike.domainPublicIndicatorsV3Response.resources.relations.typeString
CrowdStrike.domainPublicIndicatorsV3Response.resources.typeString

cs-get-intel-report-entities#


Retrieve specific reports using their report IDs.

Base Command#

cs-get-intel-report-entities

Input#

Argument Name | Description | Required
ids | The IDs of the reports you want to retrieve. | Required
fields | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __<collection>__. Ex: slug __full__. Defaults to __basic__. | Optional

Context Output#

PathTypeDescription
CrowdStrike.domainNewsResponse.errors.codeNumber
CrowdStrike.domainNewsResponse.errors.idString
CrowdStrike.domainNewsResponse.errors.messageString
CrowdStrike.domainNewsResponse.resources.activeBoolean
CrowdStrike.domainNewsResponse.resources.actors.idNumber
CrowdStrike.domainNewsResponse.resources.actors.nameString
CrowdStrike.domainNewsResponse.resources.actors.slugString
CrowdStrike.domainNewsResponse.resources.actors.urlString
CrowdStrike.domainNewsResponse.resources.attachments.idNumber
CrowdStrike.domainNewsResponse.resources.attachments.urlString
CrowdStrike.domainNewsResponse.resources.created_dateNumber
CrowdStrike.domainNewsResponse.resources.descriptionString
CrowdStrike.domainNewsResponse.resources.entitlements.idNumber
CrowdStrike.domainNewsResponse.resources.entitlements.nameString
CrowdStrike.domainNewsResponse.resources.entitlements.slugString
CrowdStrike.domainNewsResponse.resources.entitlements.valueString
CrowdStrike.domainNewsResponse.resources.idNumber
CrowdStrike.domainNewsResponse.resources.last_modified_dateNumber
CrowdStrike.domainNewsResponse.resources.motivations.idNumber
CrowdStrike.domainNewsResponse.resources.motivations.nameString
CrowdStrike.domainNewsResponse.resources.motivations.slugString
CrowdStrike.domainNewsResponse.resources.motivations.valueString
CrowdStrike.domainNewsResponse.resources.nameString
CrowdStrike.domainNewsResponse.resources.notify_usersBoolean
CrowdStrike.domainNewsResponse.resources.rich_text_descriptionString
CrowdStrike.domainNewsResponse.resources.short_descriptionString
CrowdStrike.domainNewsResponse.resources.slugString
CrowdStrike.domainNewsResponse.resources.tags.idNumber
CrowdStrike.domainNewsResponse.resources.tags.nameString
CrowdStrike.domainNewsResponse.resources.tags.slugString
CrowdStrike.domainNewsResponse.resources.tags.valueString
CrowdStrike.domainNewsResponse.resources.target_countries.idNumber
CrowdStrike.domainNewsResponse.resources.target_countries.nameString
CrowdStrike.domainNewsResponse.resources.target_countries.slugString
CrowdStrike.domainNewsResponse.resources.target_countries.valueString
CrowdStrike.domainNewsResponse.resources.target_industries.idNumber
CrowdStrike.domainNewsResponse.resources.target_industries.nameString
CrowdStrike.domainNewsResponse.resources.target_industries.slugString
CrowdStrike.domainNewsResponse.resources.target_industries.valueString
CrowdStrike.domainNewsResponse.resources.urlString

cs-get-intel-reportpdf#


Return a Report PDF attachment.

Base Command#

cs-get-intel-reportpdf

Input#

Argument Name | Description | Required
id_ | The ID of the report you want to download as a PDF. | Required

Context Output#

There is no context output for this command.

cs-get-intel-rule-entities#


Retrieve details for rule sets for the specified ids.

Base Command#

cs-get-intel-rule-entities

Input#

Argument Name | Description | Required
ids | The ids of rules to return. | Required

Context Output#

PathTypeDescription
CrowdStrike.domainRulesResponse.errors.codeNumber
CrowdStrike.domainRulesResponse.errors.idString
CrowdStrike.domainRulesResponse.errors.messageString
CrowdStrike.domainRulesResponse.resources.created_dateNumber
CrowdStrike.domainRulesResponse.resources.descriptionString
CrowdStrike.domainRulesResponse.resources.idNumber
CrowdStrike.domainRulesResponse.resources.last_modified_dateNumber
CrowdStrike.domainRulesResponse.resources.nameString
CrowdStrike.domainRulesResponse.resources.rich_text_descriptionString
CrowdStrike.domainRulesResponse.resources.short_descriptionString
CrowdStrike.domainRulesResponse.resources.typeString

cs-get-intel-rule-file#


Download earlier rule sets.

Base Command#

cs-get-intel-rule-file

Input#

Argument Name | Description | Required
Accept | Choose the format you want the rule set in. | Optional
id_ | The ID of the rule set. | Required
format | Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip. | Optional

Context Output#

There is no context output for this command.

cs-get-latest-intel-rule-file#


Download the latest rule set.

Base Command#

cs-get-latest-intel-rule-file

Input#

Argument Name | Description | Required
Accept | Choose the format you want the rule set in. | Optional
type_ | The rule news report type. Accepted values: snort-suricata-master, snort-suricata-update, snort-suricata-changelog, yara-master, yara-update, yara-changelog, common-event-format, netwitness. | Required
format | Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip. | Optional

Context Output#

There is no context output for this command.

cs-get-locations#


Provides the cloud locations acknowledged by the Kubernetes Protection service.

Base Command#

cs-get-locations

Input#

Argument Name | Description | Required
clouds | Cloud Provider. Possible values are: aws, azure, gcp. | Optional

Context Output#

PathTypeDescription
CrowdStrike.k8sregGetLocationsResp.errors.codeNumber
CrowdStrike.k8sregGetLocationsResp.errors.idString
CrowdStrike.k8sregGetLocationsResp.errors.messageString
CrowdStrike.k8sregGetLocationsResp.resources.cloudString
CrowdStrike.k8sregGetLocationsResp.resources.locationString

cs-get-mal-query-downloadv1#


Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time.

Base Command#

cs-get-mal-query-downloadv1

Input#

Argument Name | Description | Required
ids | The file SHA256. | Required

Context Output#

There is no context output for this command.

cs-get-mal-query-entities-samples-fetchv1#


Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing.

Base Command#

cs-get-mal-query-entities-samples-fetchv1

Input#

Argument Name | Description | Required
ids | Multidownload job id. | Required

Context Output#

There is no context output for this command.

cs-get-mal-query-metadatav1#


Retrieve indexed files metadata by their hash.

Base Command#

cs-get-mal-query-metadatav1

Input#

Argument Name | Description | Required
ids | The file SHA256. | Required

Context Output#

PathTypeDescription
CrowdStrike.malquerySampleMetadataResponse.errors.codeNumber
CrowdStrike.malquerySampleMetadataResponse.errors.idString
CrowdStrike.malquerySampleMetadataResponse.errors.messageString
CrowdStrike.malquerySampleMetadataResponse.errors.typeString
CrowdStrike.malquerySampleMetadataResponse.resources.familyStringSample family.
CrowdStrike.malquerySampleMetadataResponse.resources.filesizeNumberSample size.
CrowdStrike.malquerySampleMetadataResponse.resources.filetypeStringSample file type.
CrowdStrike.malquerySampleMetadataResponse.resources.first_seenStringDate when it was first seen.
CrowdStrike.malquerySampleMetadataResponse.resources.labelStringSample label.
CrowdStrike.malquerySampleMetadataResponse.resources.md5StringSample MD5.
CrowdStrike.malquerySampleMetadataResponse.resources.sha1StringSample SHA1.
CrowdStrike.malquerySampleMetadataResponse.resources.sha256StringSample SHA256.

cs-get-mal-query-quotasv1#


Get information about search and download quotas in your environment.

Base Command#

cs-get-mal-query-quotasv1

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
CrowdStrike.malqueryRateLimitsResponse.errors.codeNumber
CrowdStrike.malqueryRateLimitsResponse.errors.idString
CrowdStrike.malqueryRateLimitsResponse.errors.messageString

cs-get-mal-query-requestv1#


Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time.

Base Command#

cs-get-mal-query-requestv1

Input#

Argument Name | Description | Required
ids | Identifier of a MalQuery request. | Required

Context Output#

PathTypeDescription
CrowdStrike.malqueryRequestResponse.errors.codeNumber
CrowdStrike.malqueryRequestResponse.errors.idString
CrowdStrike.malqueryRequestResponse.errors.messageString
CrowdStrike.malqueryRequestResponse.errors.typeString
CrowdStrike.malqueryRequestResponse.resources.familyStringSample family.
CrowdStrike.malqueryRequestResponse.resources.filesizeNumberSample size.
CrowdStrike.malqueryRequestResponse.resources.filetypeStringSample file type.
CrowdStrike.malqueryRequestResponse.resources.first_seenStringDate when it was first seen.
CrowdStrike.malqueryRequestResponse.resources.ignore_reasonStringReason why the resource is ignored.
CrowdStrike.malqueryRequestResponse.resources.labelStringSample label.
CrowdStrike.malqueryRequestResponse.resources.label_confidenceStringResource label confidence.
CrowdStrike.malqueryRequestResponse.resources.md5StringSample MD5.
CrowdStrike.malqueryRequestResponse.resources.patternStringSearch pattern.
CrowdStrike.malqueryRequestResponse.resources.pattern_typeStringSearch pattern type.
CrowdStrike.malqueryRequestResponse.resources.samples.familyStringSample family.
CrowdStrike.malqueryRequestResponse.resources.samples.filesizeNumberSample size.
CrowdStrike.malqueryRequestResponse.resources.samples.filetypeStringSample file type.
CrowdStrike.malqueryRequestResponse.resources.samples.first_seenStringDate when it was first seen.
CrowdStrike.malqueryRequestResponse.resources.samples.labelStringSample label.
CrowdStrike.malqueryRequestResponse.resources.samples.md5StringSample MD5.
CrowdStrike.malqueryRequestResponse.resources.samples.sha1StringSample SHA1.
CrowdStrike.malqueryRequestResponse.resources.samples.sha256StringSample SHA256.
CrowdStrike.malqueryRequestResponse.resources.sha1StringSample SHA1.
CrowdStrike.malqueryRequestResponse.resources.sha256StringSample SHA256.
CrowdStrike.malqueryRequestResponse.resources.yara_ruleStringSearch YARA rule.

cs-get-notifications-detailed-translatedv1#


Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match. This endpoint will return translated notification content. The only target language available is English. A single notification can be translated per request.

Base Command#

cs-get-notifications-detailed-translatedv1

Input#

Argument Name | Description | Required
ids | Notification IDs. | Required

Context Output#

PathTypeDescription
CrowdStrike.domainNotificationDetailsResponseV1.errors.codeNumber
CrowdStrike.domainNotificationDetailsResponseV1.errors.details.fieldString
CrowdStrike.domainNotificationDetailsResponseV1.errors.details.messageString
CrowdStrike.domainNotificationDetailsResponseV1.errors.details.message_keyString
CrowdStrike.domainNotificationDetailsResponseV1.errors.idString
CrowdStrike.domainNotificationDetailsResponseV1.errors.messageString
CrowdStrike.domainNotificationDetailsResponseV1.errors.message_keyString

cs-get-notifications-detailedv1#


Get detailed notifications based on their IDs. These include the raw intelligence content that generated the match.

Base Command#

cs-get-notifications-detailedv1

Input#

Argument Name | Description | Required
ids | Notification IDs. | Required

Context Output#

PathTypeDescription
CrowdStrike.domainNotificationDetailsResponseV1.errors.codeNumber
CrowdStrike.domainNotificationDetailsResponseV1.errors.details.fieldString
CrowdStrike.domainNotificationDetailsResponseV1.errors.details.messageString
CrowdStrike.domainNotificationDetailsResponseV1.errors.details.message_keyString
CrowdStrike.domainNotificationDetailsResponseV1.errors.idString
CrowdStrike.domainNotificationDetailsResponseV1.errors.messageString
CrowdStrike.domainNotificationDetailsResponseV1.errors.message_keyString

cs-get-notifications-translatedv1#


Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint. This endpoint will return translated notification content. The only target language available is English.

Base Command#

cs-get-notifications-translatedv1

Input#

Argument NameDescriptionRequired
idsNotification IDs.Required

Context Output#

PathTypeDescription
CrowdStrike.domainNotificationEntitiesResponseV1.errors.codeNumber
CrowdStrike.domainNotificationEntitiesResponseV1.errors.details.fieldString
CrowdStrike.domainNotificationEntitiesResponseV1.errors.details.messageString
CrowdStrike.domainNotificationEntitiesResponseV1.errors.details.message_keyString
CrowdStrike.domainNotificationEntitiesResponseV1.errors.idString
CrowdStrike.domainNotificationEntitiesResponseV1.errors.messageString
CrowdStrike.domainNotificationEntitiesResponseV1.errors.message_keyString
CrowdStrike.domainNotificationEntitiesResponseV1.resources.assigned_to_uidStringThe email of the user who is assigned to this notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.assigned_to_usernameStringThe name of the user who is assigned to this notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.assigned_to_uuidStringThe unique ID of the user who is assigned to this notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.created_dateStringThe date when the notification was generated.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.idStringThe ID of the notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.item_dateStringTimestamp when the intelligence item is considered to have been posted.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.item_idStringID of the intelligence item which generated the match.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.item_typeStringType of intelligence item based on format, e.g. post, reply, botnet_config.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_idStringThe ID of the rule that generated this notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_nameStringThe name of the rule that generated this notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_priorityString
CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_topicString
CrowdStrike.domainNotificationEntitiesResponseV1.resources.statusStringThe notification status. This can be one of: new, in-progress, closed-false-positive, closed-true-positive.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.updated_dateStringThe date when the notification was updated.

cs-get-notificationsv1#


Get notifications based on their IDs. IDs can be retrieved using the GET /queries/notifications/v1 endpoint.

Base Command#

cs-get-notificationsv1

Input#

Argument NameDescriptionRequired
idsNotification IDs.Required

Context Output#

PathTypeDescription
CrowdStrike.domainNotificationEntitiesResponseV1.errors.codeNumber
CrowdStrike.domainNotificationEntitiesResponseV1.errors.details.fieldString
CrowdStrike.domainNotificationEntitiesResponseV1.errors.details.messageString
CrowdStrike.domainNotificationEntitiesResponseV1.errors.details.message_keyString
CrowdStrike.domainNotificationEntitiesResponseV1.errors.idString
CrowdStrike.domainNotificationEntitiesResponseV1.errors.messageString
CrowdStrike.domainNotificationEntitiesResponseV1.errors.message_keyString
CrowdStrike.domainNotificationEntitiesResponseV1.resources.assigned_to_uidStringThe email of the user who is assigned to this notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.assigned_to_usernameStringThe name of the user who is assigned to this notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.assigned_to_uuidStringThe unique ID of the user who is assigned to this notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.created_dateStringThe date when the notification was generated.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.idStringThe ID of the notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.item_dateStringTimestamp when the intelligence item is considered to have been posted.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.item_idStringID of the intelligence item which generated the match.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.item_typeStringType of intelligence item based on format, e.g. post, reply, botnet_config.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_idStringThe ID of the rule that generated this notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_nameStringThe name of the rule that generated this notification.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_priorityString
CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_topicString
CrowdStrike.domainNotificationEntitiesResponseV1.resources.statusStringThe notification status. This can be one of: new, in-progress, closed-false-positive, closed-true-positive.
CrowdStrike.domainNotificationEntitiesResponseV1.resources.updated_dateStringThe date when the notification was updated.

cs-get-prevention-policies#


Retrieve a set of Prevention Policies by specifying their IDs.

Base Command#

cs-get-prevention-policies

Input#

Argument NameDescriptionRequired
idsThe IDs of the Prevention Policies to return.Required

Context Output#

PathTypeDescription
CrowdStrike.responsesPreventionPoliciesV1.errors.codeNumber
CrowdStrike.responsesPreventionPoliciesV1.errors.idString
CrowdStrike.responsesPreventionPoliciesV1.errors.messageString
CrowdStrike.responsesPreventionPoliciesV1.resources.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesPreventionPoliciesV1.resources.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesPreventionPoliciesV1.resources.descriptionStringThe description of a policy. Use this field to provide a high level summary of what this policy enforces.
CrowdStrike.responsesPreventionPoliciesV1.resources.enabledBooleanIf a policy is enabled it will be used during the course of policy evaluation.
CrowdStrike.responsesPreventionPoliciesV1.resources.groups.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesPreventionPoliciesV1.resources.groups.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesPreventionPoliciesV1.resources.groups.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesPreventionPoliciesV1.resources.groups.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesPreventionPoliciesV1.resources.groups.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesPreventionPoliciesV1.resources.groups.idStringThe identifier of this host group.
CrowdStrike.responsesPreventionPoliciesV1.resources.groups.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesPreventionPoliciesV1.resources.groups.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesPreventionPoliciesV1.resources.groups.nameStringThe name of the group.
CrowdStrike.responsesPreventionPoliciesV1.resources.idStringThe unique id of the policy.
CrowdStrike.responsesPreventionPoliciesV1.resources.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesPreventionPoliciesV1.resources.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesPreventionPoliciesV1.resources.nameStringThe human readable name of the policy.
CrowdStrike.responsesPreventionPoliciesV1.resources.platform_nameStringThe name of the platform.
CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.nameStringThe name of the category.
CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.descriptionStringThe human readable description of the setting.
CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.idStringThe id of the setting.
CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.nameStringThe name of the setting.
CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.typeStringThe type of the setting which can be used as a hint when displaying in the UI.

cs-get-reports#


Get a full sandbox report.

Base Command#

cs-get-reports

Input#

Argument NameDescriptionRequired
idsID of a report. Find a report ID from the response when submitting a malware sample or search with /falconx/queries/reports/v1.Required

Context Output#

PathTypeDescription
CrowdStrike.falconxReportV1Response.errors.codeNumber
CrowdStrike.falconxReportV1Response.errors.idString
CrowdStrike.falconxReportV1Response.errors.messageString
CrowdStrike.falconxReportV1Response.resources.cidString
CrowdStrike.falconxReportV1Response.resources.created_timestampString
CrowdStrike.falconxReportV1Response.resources.idString
CrowdStrike.falconxReportV1Response.resources.intel.actors.created_timestampString
CrowdStrike.falconxReportV1Response.resources.intel.actors.descriptionString
CrowdStrike.falconxReportV1Response.resources.intel.actors.first_activity_timestampString
CrowdStrike.falconxReportV1Response.resources.intel.actors.idNumber
CrowdStrike.falconxReportV1Response.resources.intel.actors.image_artifact_idString
CrowdStrike.falconxReportV1Response.resources.intel.actors.known_asString
CrowdStrike.falconxReportV1Response.resources.intel.actors.last_activity_timestampString
CrowdStrike.falconxReportV1Response.resources.intel.actors.nameString
CrowdStrike.falconxReportV1Response.resources.intel.actors.origins.idNumber
CrowdStrike.falconxReportV1Response.resources.intel.actors.origins.nameString
CrowdStrike.falconxReportV1Response.resources.intel.actors.origins.slugString
CrowdStrike.falconxReportV1Response.resources.intel.actors.origins.valueString
CrowdStrike.falconxReportV1Response.resources.intel.actors.short_descriptionString
CrowdStrike.falconxReportV1Response.resources.intel.actors.slugString
CrowdStrike.falconxReportV1Response.resources.intel.actors.target_countries.idNumber
CrowdStrike.falconxReportV1Response.resources.intel.actors.target_countries.nameString
CrowdStrike.falconxReportV1Response.resources.intel.actors.target_countries.slugString
CrowdStrike.falconxReportV1Response.resources.intel.actors.target_countries.valueString
CrowdStrike.falconxReportV1Response.resources.intel.actors.target_industries.idNumber
CrowdStrike.falconxReportV1Response.resources.intel.actors.target_industries.nameString
CrowdStrike.falconxReportV1Response.resources.intel.actors.target_industries.slugString
CrowdStrike.falconxReportV1Response.resources.intel.actors.target_industries.valueString
CrowdStrike.falconxReportV1Response.resources.intel.actors.thumbnail_artifact_idString
CrowdStrike.falconxReportV1Response.resources.intel.related_indicators.created_timestampString
CrowdStrike.falconxReportV1Response.resources.intel.related_indicators.idString
CrowdStrike.falconxReportV1Response.resources.intel.related_indicators.typeString
CrowdStrike.falconxReportV1Response.resources.intel.related_indicators.updated_timestampString
CrowdStrike.falconxReportV1Response.resources.intel.related_indicators.valueString
CrowdStrike.falconxReportV1Response.resources.ioc_report_broad_csv_artifact_idString
CrowdStrike.falconxReportV1Response.resources.ioc_report_broad_json_artifact_idString
CrowdStrike.falconxReportV1Response.resources.ioc_report_broad_maec_artifact_idString
CrowdStrike.falconxReportV1Response.resources.ioc_report_broad_stix_artifact_idString
CrowdStrike.falconxReportV1Response.resources.ioc_report_strict_csv_artifact_idString
CrowdStrike.falconxReportV1Response.resources.ioc_report_strict_json_artifact_idString
CrowdStrike.falconxReportV1Response.resources.ioc_report_strict_maec_artifact_idString
CrowdStrike.falconxReportV1Response.resources.ioc_report_strict_stix_artifact_idString
CrowdStrike.falconxReportV1Response.resources.malquery.errors.codeNumber
CrowdStrike.falconxReportV1Response.resources.malquery.errors.messageString
CrowdStrike.falconxReportV1Response.resources.malquery.inputString
CrowdStrike.falconxReportV1Response.resources.malquery.resources.familyString
CrowdStrike.falconxReportV1Response.resources.malquery.resources.file_sizeNumber
CrowdStrike.falconxReportV1Response.resources.malquery.resources.file_typeString
CrowdStrike.falconxReportV1Response.resources.malquery.resources.first_seen_timestampString
CrowdStrike.falconxReportV1Response.resources.malquery.resources.labelString
CrowdStrike.falconxReportV1Response.resources.malquery.resources.md5String
CrowdStrike.falconxReportV1Response.resources.malquery.resources.sha1String
CrowdStrike.falconxReportV1Response.resources.malquery.resources.sha256String
CrowdStrike.falconxReportV1Response.resources.malquery.typeString
CrowdStrike.falconxReportV1Response.resources.malquery.verdictString
CrowdStrike.falconxReportV1Response.resources.originString
CrowdStrike.falconxReportV1Response.resources.sandbox.architectureString
CrowdStrike.falconxReportV1Response.resources.sandbox.contacted_hosts.addressString
CrowdStrike.falconxReportV1Response.resources.sandbox.contacted_hosts.associated_runtime.nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.contacted_hosts.associated_runtime.pidNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.contacted_hosts.compromisedBoolean
CrowdStrike.falconxReportV1Response.resources.sandbox.contacted_hosts.countryString
CrowdStrike.falconxReportV1Response.resources.sandbox.contacted_hosts.portNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.contacted_hosts.protocolString
CrowdStrike.falconxReportV1Response.resources.sandbox.dns_requests.addressString
CrowdStrike.falconxReportV1Response.resources.sandbox.dns_requests.compromisedBoolean
CrowdStrike.falconxReportV1Response.resources.sandbox.dns_requests.countryString
CrowdStrike.falconxReportV1Response.resources.sandbox.dns_requests.domainString
CrowdStrike.falconxReportV1Response.resources.sandbox.dns_requests.registrar_creation_timestampString
CrowdStrike.falconxReportV1Response.resources.sandbox.dns_requests.registrar_nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.dns_requests.registrar_name_serversString
CrowdStrike.falconxReportV1Response.resources.sandbox.dns_requests.registrar_organizationString
CrowdStrike.falconxReportV1Response.resources.sandbox.environment_descriptionString
CrowdStrike.falconxReportV1Response.resources.sandbox.environment_idNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.error_messageString
CrowdStrike.falconxReportV1Response.resources.sandbox.error_originString
CrowdStrike.falconxReportV1Response.resources.sandbox.error_typeString
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.descriptionString
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.file_available_to_downloadBoolean
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.file_pathString
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.file_sizeNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.md5String
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.runtime_processString
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.sha1String
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.sha256String
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.threat_levelNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_files.threat_level_readableString
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_interesting_strings.filenameString
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_interesting_strings.processString
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_interesting_strings.sourceString
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_interesting_strings.typeString
CrowdStrike.falconxReportV1Response.resources.sandbox.extracted_interesting_strings.valueString
CrowdStrike.falconxReportV1Response.resources.sandbox.file_imports.moduleString
CrowdStrike.falconxReportV1Response.resources.sandbox.file_sizeNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.file_typeString
CrowdStrike.falconxReportV1Response.resources.sandbox.http_requests.headerString
CrowdStrike.falconxReportV1Response.resources.sandbox.http_requests.hostString
CrowdStrike.falconxReportV1Response.resources.sandbox.http_requests.host_ipString
CrowdStrike.falconxReportV1Response.resources.sandbox.http_requests.host_portNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.http_requests.methodString
CrowdStrike.falconxReportV1Response.resources.sandbox.http_requests.response_codeNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.http_requests.response_phraseString
CrowdStrike.falconxReportV1Response.resources.sandbox.http_requests.urlString
CrowdStrike.falconxReportV1Response.resources.sandbox.incidents.nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.ioc_report_broad_artifact_idString
CrowdStrike.falconxReportV1Response.resources.sandbox.ioc_report_strict_artifact_idString
CrowdStrike.falconxReportV1Response.resources.sandbox.memory_forensics.stream_uidString
CrowdStrike.falconxReportV1Response.resources.sandbox.memory_forensics.valueString
CrowdStrike.falconxReportV1Response.resources.sandbox.memory_strings_artifact_idString
CrowdStrike.falconxReportV1Response.resources.sandbox.mitre_attacks.attack_idString
CrowdStrike.falconxReportV1Response.resources.sandbox.mitre_attacks.tacticString
CrowdStrike.falconxReportV1Response.resources.sandbox.mitre_attacks.techniqueString
CrowdStrike.falconxReportV1Response.resources.sandbox.packerString
CrowdStrike.falconxReportV1Response.resources.sandbox.pcap_report_artifact_idString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.command_lineString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.file_accesses.maskString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.file_accesses.pathString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.file_accesses.typeString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.handles.idNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.handles.pathString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.handles.typeString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.icon_artifact_idString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.normalized_pathString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.parent_uidString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.pidNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.process_flags.dataString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.process_flags.nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.registry.keyString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.registry.operationString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.registry.pathString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.registry.statusString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.registry.status_human_readableString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.registry.valueString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.script_calls.cls_idString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.script_calls.dispatch_idString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.script_calls.parameters.argument_numberNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.script_calls.parameters.commentString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.script_calls.parameters.meaningString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.script_calls.parameters.nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.script_calls.parameters.valueString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.script_calls.resultString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.script_calls.statusString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.sha256String
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.streams.executedBoolean
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.streams.file_nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.streams.human_keywordsString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.streams.instructions_artifact_idString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.streams.matched_signatures.idString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.streams.matched_signatures.valueString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.streams.uidString
CrowdStrike.falconxReportV1Response.resources.sandbox.processes.uidString
CrowdStrike.falconxReportV1Response.resources.sandbox.sha256String
CrowdStrike.falconxReportV1Response.resources.sandbox.signatures.attack_idString
CrowdStrike.falconxReportV1Response.resources.sandbox.signatures.categoryString
CrowdStrike.falconxReportV1Response.resources.sandbox.signatures.descriptionString
CrowdStrike.falconxReportV1Response.resources.sandbox.signatures.identifierString
CrowdStrike.falconxReportV1Response.resources.sandbox.signatures.nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.signatures.originString
CrowdStrike.falconxReportV1Response.resources.sandbox.signatures.relevanceNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.signatures.threat_levelNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.signatures.threat_level_humanString
CrowdStrike.falconxReportV1Response.resources.sandbox.signatures.typeNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.submission_typeString
CrowdStrike.falconxReportV1Response.resources.sandbox.submit_nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.submit_urlString
CrowdStrike.falconxReportV1Response.resources.sandbox.suricata_alerts.categoryString
CrowdStrike.falconxReportV1Response.resources.sandbox.suricata_alerts.descriptionString
CrowdStrike.falconxReportV1Response.resources.sandbox.suricata_alerts.destination_ipString
CrowdStrike.falconxReportV1Response.resources.sandbox.suricata_alerts.destination_portNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.suricata_alerts.protocolString
CrowdStrike.falconxReportV1Response.resources.sandbox.suricata_alerts.sidString
CrowdStrike.falconxReportV1Response.resources.sandbox.target_urlString
CrowdStrike.falconxReportV1Response.resources.sandbox.threat_scoreNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.verdictString
CrowdStrike.falconxReportV1Response.resources.sandbox.version_info.idString
CrowdStrike.falconxReportV1Response.resources.sandbox.version_info.valueString
CrowdStrike.falconxReportV1Response.resources.sandbox.windows_version_bitnessNumber
CrowdStrike.falconxReportV1Response.resources.sandbox.windows_version_editionString
CrowdStrike.falconxReportV1Response.resources.sandbox.windows_version_nameString
CrowdStrike.falconxReportV1Response.resources.sandbox.windows_version_service_packString
CrowdStrike.falconxReportV1Response.resources.sandbox.windows_version_versionString
CrowdStrike.falconxReportV1Response.resources.user_idString
CrowdStrike.falconxReportV1Response.resources.user_nameString
CrowdStrike.falconxReportV1Response.resources.user_uuidString
CrowdStrike.falconxReportV1Response.resources.verdictString

cs-get-roles#


Get info about a role.

Base Command#

cs-get-roles

Input#

Argument NameDescriptionRequired
idsID of a role. Find a role ID from /customer/queries/roles/v1 or /users/queries/roles/v1.Required

Context Output#

PathTypeDescription
CrowdStrike.domainUserRoleResponse.errors.codeNumber
CrowdStrike.domainUserRoleResponse.errors.idString
CrowdStrike.domainUserRoleResponse.errors.messageString
CrowdStrike.domainUserRoleResponse.resources.cidString
CrowdStrike.domainUserRoleResponse.resources.descriptionString
CrowdStrike.domainUserRoleResponse.resources.display_nameString
CrowdStrike.domainUserRoleResponse.resources.idString

cs-get-roles-byid#


Get MSSP Role assignment(s). MSSP Role assignment is of the format user_group_id : cid_group_id.

Base Command#

cs-get-roles-byid

Input#

Argument NameDescriptionRequired
idsMSSP Role assignment is of the format user_group_id : cid_group_id.Required

Context Output#

PathTypeDescription
CrowdStrike.domainMSSPRoleResponseV1.errors.codeNumber
CrowdStrike.domainMSSPRoleResponseV1.errors.idString
CrowdStrike.domainMSSPRoleResponseV1.errors.messageString
CrowdStrike.domainMSSPRoleResponseV1.resources.cid_group_idString
CrowdStrike.domainMSSPRoleResponseV1.resources.idString
CrowdStrike.domainMSSPRoleResponseV1.resources.user_group_idString

cs-get-rulesv1#


Get monitoring rules by provided IDs.

Base Command#

cs-get-rulesv1

Input#

Argument NameDescriptionRequired
X_CS_USERUUIDUser UUID.Optional
idsIDs of rules.Required

Context Output#

PathTypeDescription
CrowdStrike.domainRulesEntitiesResponseV1.errors.codeNumber
CrowdStrike.domainRulesEntitiesResponseV1.errors.details.fieldString
CrowdStrike.domainRulesEntitiesResponseV1.errors.details.messageString
CrowdStrike.domainRulesEntitiesResponseV1.errors.details.message_keyString
CrowdStrike.domainRulesEntitiesResponseV1.errors.idString
CrowdStrike.domainRulesEntitiesResponseV1.errors.messageString
CrowdStrike.domainRulesEntitiesResponseV1.errors.message_keyString
CrowdStrike.domainRulesEntitiesResponseV1.resources.cidString
CrowdStrike.domainRulesEntitiesResponseV1.resources.created_timestampStringThe creation time for a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.filterStringThe FQL filter contained in a rule and used for searching.
CrowdStrike.domainRulesEntitiesResponseV1.resources.idStringThe ID of a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.nameStringThe name for a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.permissionsStringThe permissions of a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.priorityStringThe priority of a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.statusStringThe status of a rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.status_messageStringThe detailed status message.
CrowdStrike.domainRulesEntitiesResponseV1.resources.topicStringThe topic of a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.updated_timestampStringThe last updated time for a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.user_idStringThe user ID of the user that created a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.user_nameStringThe user name of the user that created a given rule.
CrowdStrike.domainRulesEntitiesResponseV1.resources.user_uuidStringThe UUID of the user that created a given rule.

cs-get-samplev2#


Retrieves the file associated with the given ID (SHA256).

Base Command#

cs-get-samplev2

Input#

Argument NameDescriptionRequired
X_CS_USERUUIDUser UUID.Optional
idsThe file SHA256.Required
password_protectedFlag whether the sample should be zipped and password protected with pass='infected'.Optional

Context Output#

There is no context output for this command.

cs-get-samplev3#


Retrieves the file associated with the given ID (SHA256).

Base Command#

cs-get-samplev3

Input#

Argument NameDescriptionRequired
X_CS_USERUUIDUser UUID.Optional
idsThe file SHA256.Required
password_protectedFlag whether the sample should be zipped and password protected with pass='infected'.Optional

Context Output#

There is no context output for this command.

cs-get-scans#


Check the status of a volume scan. Time required for analysis increases with the number of samples in a volume but usually it should take less than 1 minute.

Base Command#

cs-get-scans

Input#

Argument NameDescriptionRequired
idsID of a submitted scan.Required

Context Output#

PathTypeDescription
CrowdStrike.mlscannerScanV1Response.errors.codeNumber
CrowdStrike.mlscannerScanV1Response.errors.idString
CrowdStrike.mlscannerScanV1Response.errors.messageString
CrowdStrike.mlscannerScanV1Response.resources.cidString
CrowdStrike.mlscannerScanV1Response.resources.created_timestampString
CrowdStrike.mlscannerScanV1Response.resources.idString
CrowdStrike.mlscannerScanV1Response.resources.samples.errorString
CrowdStrike.mlscannerScanV1Response.resources.samples.sha256String
CrowdStrike.mlscannerScanV1Response.resources.samples.verdictString
CrowdStrike.mlscannerScanV1Response.resources.statusString

cs-get-scans-aggregates#


Get scans aggregations as specified via json in request body.

Base Command#

cs-get-scans-aggregates

Input#

Argument NameDescriptionRequired
msa_aggregatequeryrequest_date_rangesRequired
msa_aggregatequeryrequest_fieldRequired
msa_aggregatequeryrequest_filterRequired
msa_aggregatequeryrequest_intervalRequired
msa_aggregatequeryrequest_min_doc_countRequired
msa_aggregatequeryrequest_missingRequired
msa_aggregatequeryrequest_nameRequired
msa_aggregatequeryrequest_qRequired
msa_aggregatequeryrequest_rangesRequired
msa_aggregatequeryrequest_sizeRequired
msa_aggregatequeryrequest_sortRequired
msa_aggregatequeryrequest_sub_aggregatesRequired
msa_aggregatequeryrequest_time_zoneRequired
msa_aggregatequeryrequest_typeRequired

Context Output#

There is no context output for this command.

cs-get-sensor-installers-by-query#


Get sensor installer IDs by provided query.

Base Command#

cs-get-sensor-installers-by-query

Input#

Argument NameDescriptionRequired
offsetThe first item to return, where 0 is the latest item. Use with the limit parameter to manage pagination of results.Optional
limitThe number of items to return in this response (default: 100, max: 500). Use with the offset parameter to manage pagination of results.Optional
sortSort items using their properties. Common sort options include: version|asc, release_date|desc.Optional
filter_Filter items using a query in Falcon Query Language (FQL). An asterisk wildcard includes all results. Common filter options include: platform:"windows", version: "5.2".Optional

Context Output#

PathTypeDescription
CrowdStrike.msaQueryResponse.errors.codeNumber
CrowdStrike.msaQueryResponse.errors.idString
CrowdStrike.msaQueryResponse.errors.messageString

cs-get-sensor-installers-entities#


Get sensor installer details by provided SHA256 IDs.

Base Command#

cs-get-sensor-installers-entities

Input#

Argument NameDescriptionRequired
idsThe IDs of the installers.Required

Context Output#

PathTypeDescription
CrowdStrike.domainSensorInstallersV1.errors.codeNumber
CrowdStrike.domainSensorInstallersV1.errors.idString
CrowdStrike.domainSensorInstallersV1.errors.messageString
CrowdStrike.domainSensorInstallersV1.resources.descriptionStringinstaller description.
CrowdStrike.domainSensorInstallersV1.resources.file_sizeNumberfile size.
CrowdStrike.domainSensorInstallersV1.resources.file_typeStringfile type.
CrowdStrike.domainSensorInstallersV1.resources.nameStringinstaller file name.
CrowdStrike.domainSensorInstallersV1.resources.osString
CrowdStrike.domainSensorInstallersV1.resources.os_versionString
CrowdStrike.domainSensorInstallersV1.resources.platformStringsupported platform.
CrowdStrike.domainSensorInstallersV1.resources.release_dateStringrelease date.
CrowdStrike.domainSensorInstallersV1.resources.sha256Stringsha256.
CrowdStrike.domainSensorInstallersV1.resources.versionStringversion of the installer.

cs-get-sensor-installersccid-by-query#


Get CCID to use with sensor installers.

Base Command#

cs-get-sensor-installersccid-by-query

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
CrowdStrike.msaQueryResponse.errors.codeNumber
CrowdStrike.msaQueryResponse.errors.idString
CrowdStrike.msaQueryResponse.errors.messageString

cs-get-sensor-update-policies#


Retrieve a set of Sensor Update Policies by specifying their IDs.

Base Command#

cs-get-sensor-update-policies

Input#

Argument NameDescriptionRequired
idsThe IDs of the Sensor Update Policies to return.Required

Context Output#

PathTypeDescription
CrowdStrike.responsesSensorUpdatePoliciesV1.errors.codeNumber
CrowdStrike.responsesSensorUpdatePoliciesV1.errors.idString
CrowdStrike.responsesSensorUpdatePoliciesV1.errors.messageString
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.descriptionStringThe description of a policy. Use this field to provide a high level summary of what this policy enforces.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.enabledBooleanIf a policy is enabled it will be used during the course of policy evaluation.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.idStringThe identifier of this host group.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.nameStringThe name of the group.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.idStringThe unique id of the policy.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.nameStringThe human readable name of the policy.
CrowdStrike.responsesSensorUpdatePoliciesV1.resources.platform_nameStringThe name of the platform.

cs-get-sensor-update-policiesv2

Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs.

Base Command

cs-get-sensor-update-policiesv2

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The IDs of the Sensor Update Policies to return. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesSensorUpdatePoliciesV2.errors.code | Number | |
| CrowdStrike.responsesSensorUpdatePoliciesV2.errors.id | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV2.errors.message | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.created_by | String | The email of the user who created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.created_by | String | The email of the user who created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.modified_by | String | The email of the user who last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.modified_by | String | The email of the user who last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.platform_name | String | The name of the platform. |

cs-get-sensor-visibility-exclusionsv1

Get a set of Sensor Visibility Exclusions by specifying their IDs.

Base Command

cs-get-sensor-visibility-exclusionsv1

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The ids of the exclusions to retrieve. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesSvExclusionRespV1.errors.code | Number | |
| CrowdStrike.responsesSvExclusionRespV1.errors.id | String | |
| CrowdStrike.responsesSvExclusionRespV1.errors.message | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.applied_globally | Boolean | |
| CrowdStrike.responsesSvExclusionRespV1.resources.created_by | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.created_on | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.created_by | String | The email of the user who created the policy. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.modified_by | String | The email of the user who last modified the policy. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesSvExclusionRespV1.resources.id | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.last_modified | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.modified_by | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.regexp_value | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.value | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.value_hash | String | |

cs-get-submissions

Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

Base Command

cs-get-submissions

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with /falconx/queries/submissions/v1. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.falconxSubmissionV1Response.errors.code | Number | |
| CrowdStrike.falconxSubmissionV1Response.errors.id | String | |
| CrowdStrike.falconxSubmissionV1Response.errors.message | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.cid | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.created_timestamp | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.id | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.origin | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.action_script | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.command_line | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.document_password | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.enable_tor | Boolean | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.environment_id | Number | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.sha256 | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.submit_name | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.system_date | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.system_time | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.url | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.state | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.user_id | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.user_name | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.user_uuid | String | |

cs-get-summary-reports

Get a short summary version of a sandbox report.

Base Command

cs-get-summary-reports

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | ID of a summary. Find a summary ID from the response when submitting a malware sample or search with /falconx/queries/reports/v1. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.falconxSummaryReportV1Response.errors.code | Number | |
| CrowdStrike.falconxSummaryReportV1Response.errors.id | String | |
| CrowdStrike.falconxSummaryReportV1Response.errors.message | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.cid | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.created_timestamp | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.id | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.intel.actors.id | Number | |
| CrowdStrike.falconxSummaryReportV1Response.resources.intel.actors.name | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.intel.actors.slug | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.ioc_report_broad_csv_artifact_id | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.ioc_report_broad_json_artifact_id | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.ioc_report_broad_maec_artifact_id | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.ioc_report_broad_stix_artifact_id | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.ioc_report_strict_csv_artifact_id | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.ioc_report_strict_json_artifact_id | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.ioc_report_strict_maec_artifact_id | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.ioc_report_strict_stix_artifact_id | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.origin | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.environment_description | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.environment_id | Number | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.error_message | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.error_origin | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.error_type | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.file_type | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.incidents.name | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.sha256 | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.submission_type | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.submit_name | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.submit_url | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.threat_score | Number | |
| CrowdStrike.falconxSummaryReportV1Response.resources.sandbox.verdict | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.user_id | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.user_name | String | |
| CrowdStrike.falconxSummaryReportV1Response.resources.verdict | String | |

cs-get-user-group-members-byid

Get User Group members by User Group ID(s).

Base Command

cs-get-user-group-members-byid

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user_group_ids | User Group IDs to search for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainUserGroupMembersResponseV1.errors.code | Number | |
| CrowdStrike.domainUserGroupMembersResponseV1.errors.id | String | |
| CrowdStrike.domainUserGroupMembersResponseV1.errors.message | String | |
| CrowdStrike.domainUserGroupMembersResponseV1.resources.user_group_id | String | |

cs-get-user-groups-byid

Get User Group by ID(s).

Base Command

cs-get-user-groups-byid

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user_group_ids | User Group IDs to search for. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainUserGroupsResponseV1.errors.code | Number | |
| CrowdStrike.domainUserGroupsResponseV1.errors.id | String | |
| CrowdStrike.domainUserGroupsResponseV1.errors.message | String | |
| CrowdStrike.domainUserGroupsResponseV1.resources.cid | String | |
| CrowdStrike.domainUserGroupsResponseV1.resources.description | String | |
| CrowdStrike.domainUserGroupsResponseV1.resources.name | String | |
| CrowdStrike.domainUserGroupsResponseV1.resources.user_group_id | String | |

cs-get-user-role-ids

Show role IDs of roles assigned to a user. For more information on each role, provide the role ID to /customer/entities/roles/v1.

Base Command

cs-get-user-role-ids

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| user_uuid | ID of a user. Find a user's ID from /users/entities/user/v1. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-get-vulnerabilities

Get details on vulnerabilities by providing one or more IDs.

Base Command

cs-get-vulnerabilities

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | One or more vulnerability IDs (max: 400). Find vulnerability IDs with GET /spotlight/queries/vulnerabilities/v1. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainSPAPIVulnerabilitiesEntitiesResponseV2.errors.code | Number | |
| CrowdStrike.domainSPAPIVulnerabilitiesEntitiesResponseV2.errors.id | String | |
| CrowdStrike.domainSPAPIVulnerabilitiesEntitiesResponseV2.errors.message | String | |
| CrowdStrike.domainSPAPIVulnerabilitiesEntitiesResponseV2.resources.aid | String | |
| CrowdStrike.domainSPAPIVulnerabilitiesEntitiesResponseV2.resources.cid | String | |
| CrowdStrike.domainSPAPIVulnerabilitiesEntitiesResponseV2.resources.closed_timestamp | String | |
| CrowdStrike.domainSPAPIVulnerabilitiesEntitiesResponseV2.resources.created_timestamp | String | |
| CrowdStrike.domainSPAPIVulnerabilitiesEntitiesResponseV2.resources.id | String | |
| CrowdStrike.domainSPAPIVulnerabilitiesEntitiesResponseV2.resources.status | String | |
| CrowdStrike.domainSPAPIVulnerabilitiesEntitiesResponseV2.resources.updated_timestamp | String | |

cs-getaws-accounts

Retrieve a set of AWS Accounts by specifying their IDs.

Base Command

cs-getaws-accounts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | IDs of accounts to retrieve details. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.modelsAWSAccountsV1.errors.code | Number | |
| CrowdStrike.modelsAWSAccountsV1.errors.id | String | |
| CrowdStrike.modelsAWSAccountsV1.errors.message | String | |
| CrowdStrike.modelsAWSAccountsV1.resources.alias | String | Alias/Name associated with the account. This is only updated once the account is in a registered state. |
| CrowdStrike.modelsAWSAccountsV1.resources.cid | String | |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudformation_stack_id | String | Unique identifier for the cloudformation stack id used for provisioning. |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudformation_url | String | URL of the CloudFormation template to execute. This is returned when mode is set to 'cloudformation' when provisioning. |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudtrail_bucket_owner_id | String | The 12 digit AWS account which is hosting the S3 bucket containing cloudtrail logs for this account. If this field is set, it takes precedence over the settings level field. |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudtrail_bucket_region | String | Region where the S3 bucket containing cloudtrail logs resides. This is only set if using cloudformation to provision and create the trail. |
| CrowdStrike.modelsAWSAccountsV1.resources.created_timestamp | String | Timestamp of when the account was first provisioned within CrowdStrike's system. |
| CrowdStrike.modelsAWSAccountsV1.resources.external_id | String | ID assigned for use with cross account IAM role access. |
| CrowdStrike.modelsAWSAccountsV1.resources.iam_role_arn | String | The full arn of the IAM role created in this account to control access. |
| CrowdStrike.modelsAWSAccountsV1.resources.id | String | 12 digit AWS provided unique identifier for the account. |
| CrowdStrike.modelsAWSAccountsV1.resources.last_modified_timestamp | String | Timestamp of when the account was last modified. |
| CrowdStrike.modelsAWSAccountsV1.resources.last_scanned_timestamp | String | Timestamp of when the account was scanned. |
| CrowdStrike.modelsAWSAccountsV1.resources.policy_version | String | Current version of permissions associated with IAM role and granted access. |
| CrowdStrike.modelsAWSAccountsV1.resources.provisioning_state | String | Provisioning state of the account. Values can be: initiated, registered, unregistered. |
| CrowdStrike.modelsAWSAccountsV1.resources.rate_limit_reqs | Number | Rate limiting setting to control the maximum number of requests that can be made within the rate_limit_time duration. |
| CrowdStrike.modelsAWSAccountsV1.resources.rate_limit_time | Number | Rate limiting setting to control the number of seconds for which rate_limit_reqs applies. |
| CrowdStrike.modelsAWSAccountsV1.resources.template_version | String | Current version of cloudformation template used to manage access. |

cs-getaws-accounts-mixin0

Provides a list of AWS accounts.

Base Command

cs-getaws-accounts-mixin0

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | AWS Account IDs. | Optional |
| status | Filter by account status. | Optional |
| limit | Limit returned accounts. | Optional |
| offset | Offset returned accounts. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.k8sregGetAWSAccountsResp.errors.code | Number | |
| CrowdStrike.k8sregGetAWSAccountsResp.errors.id | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.errors.message | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.account_id | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.aws_permissions_status.name | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.aws_permissions_status.status | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.cid | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.cloudformation_url | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.created_at | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.from_cspm | Boolean | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.iam_role_arn | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.is_master | Boolean | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.organization_id | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.region | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.status | String | |
| CrowdStrike.k8sregGetAWSAccountsResp.resources.updated_at | String | |

cs-getaws-settings#


Retrieve a set of Global Settings which are applicable to all provisioned AWS accounts.

Base Command#

cs-getaws-settings

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.modelsCustomerConfigurationsV1.errors.code | Number | |
| CrowdStrike.modelsCustomerConfigurationsV1.errors.id | String | |
| CrowdStrike.modelsCustomerConfigurationsV1.errors.message | String | |
| CrowdStrike.modelsCustomerConfigurationsV1.resources.cloudtrail_bucket_owner_id | String | The 12 digit AWS account which is hosting the centralized S3 bucket containing cloudtrail logs for all accounts. |
| CrowdStrike.modelsCustomerConfigurationsV1.resources.created_timestamp | String | Timestamp of when the settings were first provisioned within CrowdStrike's system. |
| CrowdStrike.modelsCustomerConfigurationsV1.resources.last_modified_timestamp | String | Timestamp of when the settings were last modified. |
| CrowdStrike.modelsCustomerConfigurationsV1.resources.static_external_id | String | By setting this value, all subsequent accounts that are provisioned will default to using this value as the external ID. |

cs-getcid-group-by-id#


Get CID Group(s) by ID(s).

Base Command#

cs-getcid-group-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cid_group_ids | CID Group IDs to be searched on. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainCIDGroupsResponseV1.errors.code | Number | |
| CrowdStrike.domainCIDGroupsResponseV1.errors.id | String | |
| CrowdStrike.domainCIDGroupsResponseV1.errors.message | String | |
| CrowdStrike.domainCIDGroupsResponseV1.resources.cid | String | |
| CrowdStrike.domainCIDGroupsResponseV1.resources.cid_group_id | String | |
| CrowdStrike.domainCIDGroupsResponseV1.resources.description | String | |
| CrowdStrike.domainCIDGroupsResponseV1.resources.name | String | |

cs-getcid-group-members-by#


Get CID Group members by CID Group IDs.

Base Command#

cs-getcid-group-members-by

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cid_group_ids | CID Group IDs to be searched on. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainCIDGroupMembersResponseV1.errors.code | Number | |
| CrowdStrike.domainCIDGroupMembersResponseV1.errors.id | String | |
| CrowdStrike.domainCIDGroupMembersResponseV1.errors.message | String | |
| CrowdStrike.domainCIDGroupMembersResponseV1.resources.cid_group_id | String | |

cs-getcspm-aws-account#


Returns information about the current status of an AWS account.

Base Command#

cs-getcspm-aws-account

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| scan_type | Type of scan, dry or full, to perform on selected accounts. | Optional |
| ids | AWS account IDs. | Optional |
| organization_ids | AWS organization IDs. | Optional |
| status | Account status to filter results by. | Optional |
| limit | The maximum records to return. Defaults to 100. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| group_by | Field to group by. Possible values are: organization. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationAWSAccountResponseV2.errors.code | Number | |
| CrowdStrike.registrationAWSAccountResponseV2.errors.id | String | |
| CrowdStrike.registrationAWSAccountResponseV2.errors.message | String | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.CreatedAt | String | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.DeletedAt | String | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.ID | Number | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.UpdatedAt | String | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.account_id | String | 12 digit AWS provided unique identifier for the account. |
| CrowdStrike.registrationAWSAccountResponseV2.resources.aws_cloudtrail_bucket_name | String | AWS CloudTrail bucket name to store logs. |
| CrowdStrike.registrationAWSAccountResponseV2.resources.aws_cloudtrail_region | String | AWS CloudTrail region. |
| CrowdStrike.registrationAWSAccountResponseV2.resources.aws_permissions_status.name | String | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.aws_permissions_status.status | String | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.cid | String | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.cloudformation_url | String | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.eventbus_name | String | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.external_id | String | ID assigned for use with cross account IAM role access. |
| CrowdStrike.registrationAWSAccountResponseV2.resources.iam_role_arn | String | The full arn of the IAM role created in this account to control access. |
| CrowdStrike.registrationAWSAccountResponseV2.resources.intermediate_role_arn | String | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.is_master | Boolean | |
| CrowdStrike.registrationAWSAccountResponseV2.resources.organization_id | String | Up to 34 character AWS provided unique identifier for the organization. |
| CrowdStrike.registrationAWSAccountResponseV2.resources.status | String | Account registration status. |

cs-getcspm-aws-account-scripts-attachment#


Return a script, as a downloadable attachment, for the customer to run in their cloud environment to grant CrowdStrike access to their AWS environment.

Base Command#

cs-getcspm-aws-account-scripts-attachment

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationAWSProvisionGetAccountScriptResponseV2.errors.code | Number | |
| CrowdStrike.registrationAWSProvisionGetAccountScriptResponseV2.errors.id | String | |
| CrowdStrike.registrationAWSProvisionGetAccountScriptResponseV2.errors.message | String | |
| CrowdStrike.registrationAWSProvisionGetAccountScriptResponseV2.resources.bash | String | |

cs-getcspm-aws-console-setupur-ls#


Return a URL for the customer to visit in their cloud environment to grant CrowdStrike access to their AWS environment.

Base Command#

cs-getcspm-aws-console-setupur-ls

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationAWSAccountConsoleURL.account_id | String | |
| CrowdStrike.registrationAWSAccountConsoleURL.url | String | |

cs-getcspm-azure-user-scripts#


Return a script for the customer to run in their cloud environment to grant CrowdStrike access to their Azure environment.

Base Command#

cs-getcspm-azure-user-scripts

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.errors.code | Number | |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.errors.id | String | |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.errors.message | String | |
| CrowdStrike.registrationAzureProvisionGetUserScriptResponseV1.resources.bash | String | |

cs-getcspm-policy#


Given a policy ID, returns detailed policy information.

Base Command#

cs-getcspm-policy

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | Policy ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationPolicyResponseV1.errors.code | Number | |
| CrowdStrike.registrationPolicyResponseV1.errors.id | String | |
| CrowdStrike.registrationPolicyResponseV1.errors.message | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.CreatedAt | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.DeletedAt | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.ID | Number | |
| CrowdStrike.registrationPolicyResponseV1.resources.UpdatedAt | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.alert_logic | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.api_command | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.cli_command | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.cloud_document | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.cloud_platform | Number | |
| CrowdStrike.registrationPolicyResponseV1.resources.cloud_platform_type | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.cloud_service | Number | |
| CrowdStrike.registrationPolicyResponseV1.resources.cloud_service_friendly | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.cloud_service_subtype | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.cloud_service_type | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.default_severity | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.description | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.event_type | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.mitre_attack_cloud_matrix | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.mitre_attack_cloud_subtype | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.policy_fail_query | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.policy_pass_query | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.policy_remediation | String | |
| CrowdStrike.registrationPolicyResponseV1.resources.policy_severity | Number | |
| CrowdStrike.registrationPolicyResponseV1.resources.policy_statement | String | |

cs-getcspm-policy-settings#


Returns information about current policy settings.

Base Command#

cs-getcspm-policy-settings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| service | Service type to filter policy settings by. | Optional |
| policy_id | Policy ID. | Optional |
| cloud_platform | Cloud Platform. Possible values are: aws, azure, gcp. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationPolicySettingsResponseV1.errors.code | Number | |
| CrowdStrike.registrationPolicySettingsResponseV1.errors.id | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.errors.message | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cid | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cis_benchmark.benchmark_short | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cis_benchmark.id | Number | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cis_benchmark.recommendation_number | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cloud_service | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cloud_service_subtype | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.default_severity | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.name | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.nist_benchmark.benchmark_short | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.nist_benchmark.id | Number | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.nist_benchmark.recommendation_number | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.pci_benchmark.benchmark_short | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.pci_benchmark.id | Number | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.pci_benchmark.recommendation_number | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_id | Number | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_settings.account_id | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_settings.enabled | Boolean | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_settings.severity | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_settings.tag_excluded | Boolean | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_settings.tenant_id | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_timestamp | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_type | String | |

cs-getcspm-scan-schedule#


Returns scan schedule configuration for one or more cloud platforms.

Base Command#

cs-getcspm-scan-schedule

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cloud_platform | Cloud Platform. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationScanScheduleResponseV1.errors.code | Number | |
| CrowdStrike.registrationScanScheduleResponseV1.errors.id | String | |
| CrowdStrike.registrationScanScheduleResponseV1.errors.message | String | |
| CrowdStrike.registrationScanScheduleResponseV1.resources.cloud_platform | String | |
| CrowdStrike.registrationScanScheduleResponseV1.resources.next_scan_timestamp | String | |
| CrowdStrike.registrationScanScheduleResponseV1.resources.scan_schedule | String | |

cs-getcspmcgp-account#


Returns information about the current status of a GCP account.

Base Command#

cs-getcspmcgp-account

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| scan_type | Type of scan, dry or full, to perform on selected accounts. | Optional |
| ids | Parent IDs of accounts. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationGCPAccountResponseV1.errors.code | Number | |
| CrowdStrike.registrationGCPAccountResponseV1.errors.id | String | |
| CrowdStrike.registrationGCPAccountResponseV1.errors.message | String | |
| CrowdStrike.registrationGCPAccountResponseV1.resources.cid | String | |
| CrowdStrike.registrationGCPAccountResponseV1.resources.parent_id | String | GCP ParentID. |
| CrowdStrike.registrationGCPAccountResponseV1.resources.status | String | Account registration status. |

cs-getcspmgcp-user-scripts#


Return a script for the customer to run in their cloud environment to grant CrowdStrike access to their GCP environment.

Base Command#

cs-getcspmgcp-user-scripts

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationGCPProvisionGetUserScriptResponseV1.errors.code | Number | |
| CrowdStrike.registrationGCPProvisionGetUserScriptResponseV1.errors.id | String | |
| CrowdStrike.registrationGCPProvisionGetUserScriptResponseV1.errors.message | String | |
| CrowdStrike.registrationGCPProvisionGetUserScriptResponseV1.resources.bash | String | |

cs-getcspmgcp-user-scripts-attachment#


Return a script, as a downloadable attachment, for the customer to run in their cloud environment to grant CrowdStrike access to their GCP environment.

Base Command#

cs-getcspmgcp-user-scripts-attachment

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationGCPProvisionGetUserScriptResponseV1.errors.code | Number | |
| CrowdStrike.registrationGCPProvisionGetUserScriptResponseV1.errors.id | String | |
| CrowdStrike.registrationGCPProvisionGetUserScriptResponseV1.errors.message | String | |
| CrowdStrike.registrationGCPProvisionGetUserScriptResponseV1.resources.bash | String | |

cs-getevents#


Get event entities by ID and, optionally, version.

Base Command#

cs-getevents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The events to retrieve, identified by ID. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiEventsResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiEventsResponse.errors.id | String | |
| CrowdStrike.fwmgrapiEventsResponse.errors.message | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.aid | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.cid | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.command_line | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.connection_direction | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.event_type | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.hidden | Boolean | |
| CrowdStrike.fwmgrapiEventsResponse.resources.host_name | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.icmp_code | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.icmp_type | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.id | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.image_file_name | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.ipv | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.local_address | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.local_port | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.match_count | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.match_count_since_last_event | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.network_profile | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.pid | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.policy_id | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.policy_name | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.protocol | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.remote_address | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.remote_port | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.rule_action | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.rule_description | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.rule_family_id | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.rule_group_name | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.rule_id | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.rule_name | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.status | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.timestamp | String | |
| CrowdStrike.fwmgrapiEventsResponse.resources.tree_id | String | |

cs-getfirewallfields#


Get the firewall field specifications by ID.

Base Command#

cs-getfirewallfields

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The IDs of the rule types to retrieve. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiFirewallFieldsResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiFirewallFieldsResponse.errors.id | String | |
| CrowdStrike.fwmgrapiFirewallFieldsResponse.errors.message | String | |
| CrowdStrike.fwmgrapiFirewallFieldsResponse.resources.id | String | |
| CrowdStrike.fwmgrapiFirewallFieldsResponse.resources.platform | String | |
| CrowdStrike.fwmgrapiFirewallFieldsResponse.resources.platform_fields.label | String | |
| CrowdStrike.fwmgrapiFirewallFieldsResponse.resources.platform_fields.name | String | |
| CrowdStrike.fwmgrapiFirewallFieldsResponse.resources.platform_fields.options.label | String | |
| CrowdStrike.fwmgrapiFirewallFieldsResponse.resources.platform_fields.options.value | String | |
| CrowdStrike.fwmgrapiFirewallFieldsResponse.resources.platform_fields.type | String | |

cs-getioa-events#


Gets a list of CSPM IOA events.

Base Command#

cs-getioa-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| policy_id | Policy ID. | Required |
| cloud_provider | Cloud Provider (e.g.: aws, azure, gcp). | Required |
| account_id | Cloud account ID (e.g.: AWS accountID, Azure subscriptionID). | Optional |
| azure_tenant_id | Azure tenantID. | Optional |
| user_ids | User IDs. | Optional |
| offset | Starting index of overall result set from which to return events. | Optional |
| limit | The maximum records to return. [1-500]. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationExternalIOAEventResponse.errors.code | Number | |
| CrowdStrike.registrationExternalIOAEventResponse.errors.id | String | |
| CrowdStrike.registrationExternalIOAEventResponse.errors.message | String | |

cs-getioa-exclusionsv1#


Get a set of IOA Exclusions by specifying their IDs.

Base Command#

cs-getioa-exclusionsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The IDs of the exclusions to retrieve. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesIoaExclusionRespV1.errors.code | Number | |
| CrowdStrike.responsesIoaExclusionRespV1.errors.id | String | |
| CrowdStrike.responsesIoaExclusionRespV1.errors.message | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.applied_globally | Boolean | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.cl_regex | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.created_by | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.created_on | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.description | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.detection_json | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesIoaExclusionRespV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesIoaExclusionRespV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesIoaExclusionRespV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesIoaExclusionRespV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesIoaExclusionRespV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesIoaExclusionRespV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesIoaExclusionRespV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesIoaExclusionRespV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesIoaExclusionRespV1.resources.id | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.ifn_regex | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.last_modified | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.modified_by | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.name | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.pattern_id | String | |
| CrowdStrike.responsesIoaExclusionRespV1.resources.pattern_name | String | |

cs-getioa-users#


For CSPM IOA users, gets list of IOA users.

Base Command#

cs-getioa-users

Input#

Argument NameDescriptionRequired
policy_idPolicy ID.Required
cloud_providerCloud Provider (e.g.: aws|azure|gcp).Required
account_idCloud account ID (e.g.: AWS accountID, Azure subscriptionID).Optional
azure_tenant_idAzure tenantID.Optional

Context Output#

PathTypeDescription
CrowdStrike.registrationIOAUserResponse.errors.codeNumber
CrowdStrike.registrationIOAUserResponse.errors.idString
CrowdStrike.registrationIOAUserResponse.errors.messageString
CrowdStrike.registrationIOAUserResponse.resources.user_idString
CrowdStrike.registrationIOAUserResponse.resources.user_nameString

cs-getioc#


DEPRECATED: Use the new IOC Management endpoint (GET /iocs/entities/indicators/v1). Get an IOC by providing a type and value.

Base Command#

cs-getioc

Input#

Argument NameDescriptionRequired
type_The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min: 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address.Required
valueThe string representation of the indicator.Required

Context Output#

PathTypeDescription
CrowdStrike.apiMsaReplyIOC.errors.codeNumber
CrowdStrike.apiMsaReplyIOC.errors.idString
CrowdStrike.apiMsaReplyIOC.errors.messageString
CrowdStrike.apiMsaReplyIOC.resources.batch_idString
CrowdStrike.apiMsaReplyIOC.resources.created_byString
CrowdStrike.apiMsaReplyIOC.resources.created_timestampString
CrowdStrike.apiMsaReplyIOC.resources.descriptionString
CrowdStrike.apiMsaReplyIOC.resources.expiration_daysNumber
CrowdStrike.apiMsaReplyIOC.resources.expiration_timestampString
CrowdStrike.apiMsaReplyIOC.resources.modified_byString
CrowdStrike.apiMsaReplyIOC.resources.modified_timestampString
CrowdStrike.apiMsaReplyIOC.resources.policyString
CrowdStrike.apiMsaReplyIOC.resources.share_levelString
CrowdStrike.apiMsaReplyIOC.resources.sourceString
CrowdStrike.apiMsaReplyIOC.resources.typeString
CrowdStrike.apiMsaReplyIOC.resources.valueString

cs-getml-exclusionsv1#


Get a set of ML Exclusions by specifying their IDs.

Base Command#

cs-getml-exclusionsv1

Input#

Argument NameDescriptionRequired
idsThe ids of the exclusions to retrieve.Required

Context Output#

PathTypeDescription
CrowdStrike.responsesMlExclusionRespV1.errors.codeNumber
CrowdStrike.responsesMlExclusionRespV1.errors.idString
CrowdStrike.responsesMlExclusionRespV1.errors.messageString
CrowdStrike.responsesMlExclusionRespV1.resources.applied_globallyBoolean
CrowdStrike.responsesMlExclusionRespV1.resources.created_byString
CrowdStrike.responsesMlExclusionRespV1.resources.created_onString
CrowdStrike.responsesMlExclusionRespV1.resources.groups.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.idStringThe identifier of this host group.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.nameStringThe name of the group.
CrowdStrike.responsesMlExclusionRespV1.resources.idString
CrowdStrike.responsesMlExclusionRespV1.resources.last_modifiedString
CrowdStrike.responsesMlExclusionRespV1.resources.modified_byString
CrowdStrike.responsesMlExclusionRespV1.resources.regexp_valueString
CrowdStrike.responsesMlExclusionRespV1.resources.valueString
CrowdStrike.responsesMlExclusionRespV1.resources.value_hashString

cs-getpatterns#


Get pattern severities by ID.

Base Command#

cs-getpatterns

Input#

Argument NameDescriptionRequired
idsThe IDs of the entities.Required

Context Output#

PathTypeDescription
CrowdStrike.apiPatternsResponse.errors.codeNumber
CrowdStrike.apiPatternsResponse.errors.idString
CrowdStrike.apiPatternsResponse.errors.messageString
CrowdStrike.apiPatternsResponse.resources.nameString
CrowdStrike.apiPatternsResponse.resources.severityString

cs-getplatforms#


Get platforms by ID, e.g., windows or mac or droid.

Base Command#

cs-getplatforms

Input#

Argument NameDescriptionRequired
idsThe IDs of the platforms to retrieve.Required

Context Output#

PathTypeDescription
CrowdStrike.fwmgrapiPlatformsResponse.errors.codeNumber
CrowdStrike.fwmgrapiPlatformsResponse.errors.idString
CrowdStrike.fwmgrapiPlatformsResponse.errors.messageString
CrowdStrike.fwmgrapiPlatformsResponse.resources.idString
CrowdStrike.fwmgrapiPlatformsResponse.resources.labelString

cs-getplatforms-mixin0#


Get platforms by ID.

Base Command#

cs-getplatforms-mixin0

Input#

Argument NameDescriptionRequired
idsThe IDs of the entities.Required

Context Output#

PathTypeDescription
CrowdStrike.apiPlatformsResponse.errors.codeNumber
CrowdStrike.apiPlatformsResponse.errors.idString
CrowdStrike.apiPlatformsResponse.errors.messageString
CrowdStrike.apiPlatformsResponse.resources.idString
CrowdStrike.apiPlatformsResponse.resources.labelString

cs-getpolicycontainers#


Get policy container entities by policy ID.

Base Command#

cs-getpolicycontainers

Input#

Argument NameDescriptionRequired
idsThe policy container(s) to retrieve, identified by policy ID.Required

Context Output#

PathTypeDescription
CrowdStrike.fwmgrapiPolicyContainersResponse.errors.codeNumber
CrowdStrike.fwmgrapiPolicyContainersResponse.errors.idString
CrowdStrike.fwmgrapiPolicyContainersResponse.errors.messageString
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.created_byString
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.created_onString
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.default_inboundString
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.default_outboundString
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.deletedBoolean
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.enforceBoolean
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.is_default_policyBoolean
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.modified_byString
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.modified_onString
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.platform_idString
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.policy_idString
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.test_modeBoolean
CrowdStrike.fwmgrapiPolicyContainersResponse.resources.trackingString

cs-getrt-response-policies#


Retrieve a set of Response Policies by specifying their IDs.

Base Command#

cs-getrt-response-policies

Input#

Argument NameDescriptionRequired
idsThe IDs of the RTR Policies to return.Required

Context Output#

PathTypeDescription
CrowdStrike.responsesRTResponsePoliciesV1.errors.codeNumber
CrowdStrike.responsesRTResponsePoliciesV1.errors.idString
CrowdStrike.responsesRTResponsePoliciesV1.errors.messageString
CrowdStrike.responsesRTResponsePoliciesV1.resources.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesRTResponsePoliciesV1.resources.descriptionStringThe description of a policy. Use this field to provide a high level summary of what this policy enforces.
CrowdStrike.responsesRTResponsePoliciesV1.resources.enabledBooleanIf a policy is enabled it will be used during the course of policy evaluation.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.idStringThe identifier of this host group.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.nameStringThe name of the group.
CrowdStrike.responsesRTResponsePoliciesV1.resources.idStringThe unique id of the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesRTResponsePoliciesV1.resources.nameStringThe human readable name of the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.platform_nameStringThe name of the platform.
CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.nameStringThe name of the category.
CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.descriptionStringThe human readable description of the setting.
CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.idStringThe id of the setting.
CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.nameStringThe name of the setting.
CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.typeStringThe type of the setting which can be used as a hint when displaying in the UI.

cs-getrulegroups#


Get rule group entities by ID. These groups do not contain their rule entities, just the rule IDs in precedence order.

Base Command#

cs-getrulegroups

Input#

Argument NameDescriptionRequired
idsThe IDs of the rule groups to retrieve.Required

Context Output#

PathTypeDescription
CrowdStrike.fwmgrapiRuleGroupsResponse.errors.codeNumber
CrowdStrike.fwmgrapiRuleGroupsResponse.errors.idString
CrowdStrike.fwmgrapiRuleGroupsResponse.errors.messageString
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.created_byString
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.created_onString
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.customer_idString
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.deletedBoolean
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.descriptionString
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.enabledBoolean
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.idString
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.modified_byString
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.modified_onString
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.nameString
CrowdStrike.fwmgrapiRuleGroupsResponse.resources.trackingString

cs-getrulegroups-mixin0#


Get rule groups by ID.

Base Command#

cs-getrulegroups-mixin0

Input#

Argument NameDescriptionRequired
idsThe IDs of the entities.Required

Context Output#

PathTypeDescription
CrowdStrike.apiRuleGroupsResponse.errors.codeNumber
CrowdStrike.apiRuleGroupsResponse.errors.idString
CrowdStrike.apiRuleGroupsResponse.errors.messageString
CrowdStrike.apiRuleGroupsResponse.resources.commentString
CrowdStrike.apiRuleGroupsResponse.resources.committed_onString
CrowdStrike.apiRuleGroupsResponse.resources.created_byString
CrowdStrike.apiRuleGroupsResponse.resources.created_onString
CrowdStrike.apiRuleGroupsResponse.resources.customer_idString
CrowdStrike.apiRuleGroupsResponse.resources.deletedBoolean
CrowdStrike.apiRuleGroupsResponse.resources.descriptionString
CrowdStrike.apiRuleGroupsResponse.resources.enabledBoolean
CrowdStrike.apiRuleGroupsResponse.resources.idString
CrowdStrike.apiRuleGroupsResponse.resources.modified_byString
CrowdStrike.apiRuleGroupsResponse.resources.modified_onString
CrowdStrike.apiRuleGroupsResponse.resources.nameString
CrowdStrike.apiRuleGroupsResponse.resources.platformString
CrowdStrike.apiRuleGroupsResponse.resources.rules.action_labelString
CrowdStrike.apiRuleGroupsResponse.resources.rules.commentString
CrowdStrike.apiRuleGroupsResponse.resources.rules.committed_onString
CrowdStrike.apiRuleGroupsResponse.resources.rules.created_byString
CrowdStrike.apiRuleGroupsResponse.resources.rules.created_onString
CrowdStrike.apiRuleGroupsResponse.resources.rules.customer_idString
CrowdStrike.apiRuleGroupsResponse.resources.rules.deletedBoolean
CrowdStrike.apiRuleGroupsResponse.resources.rules.descriptionString
CrowdStrike.apiRuleGroupsResponse.resources.rules.disposition_idNumber
CrowdStrike.apiRuleGroupsResponse.resources.rules.enabledBoolean
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.final_valueString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.labelString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.nameString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.typeString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.valueString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.values.labelString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.values.valueString
CrowdStrike.apiRuleGroupsResponse.resources.rules.instance_idString
CrowdStrike.apiRuleGroupsResponse.resources.rules.instance_versionNumber
CrowdStrike.apiRuleGroupsResponse.resources.rules.magic_cookieNumber
CrowdStrike.apiRuleGroupsResponse.resources.rules.modified_byString
CrowdStrike.apiRuleGroupsResponse.resources.rules.modified_onString
CrowdStrike.apiRuleGroupsResponse.resources.rules.nameString
CrowdStrike.apiRuleGroupsResponse.resources.rules.pattern_idString
CrowdStrike.apiRuleGroupsResponse.resources.rules.pattern_severityString
CrowdStrike.apiRuleGroupsResponse.resources.rules.rulegroup_idString
CrowdStrike.apiRuleGroupsResponse.resources.rules.ruletype_idString
CrowdStrike.apiRuleGroupsResponse.resources.rules.ruletype_nameString
CrowdStrike.apiRuleGroupsResponse.resources.versionNumber

cs-getrules#


Get rule entities by ID (64-bit unsigned int as decimal string) or Family ID (32-character hexadecimal string).

Base Command#

cs-getrules

Input#

Argument NameDescriptionRequired
idsThe rules to retrieve, identified by ID.Required

Context Output#

PathTypeDescription
CrowdStrike.fwmgrapiRulesResponse.errors.codeNumber
CrowdStrike.fwmgrapiRulesResponse.errors.idString
CrowdStrike.fwmgrapiRulesResponse.errors.messageString
CrowdStrike.fwmgrapiRulesResponse.resources.actionString
CrowdStrike.fwmgrapiRulesResponse.resources.address_familyString
CrowdStrike.fwmgrapiRulesResponse.resources.created_byString
CrowdStrike.fwmgrapiRulesResponse.resources.created_onString
CrowdStrike.fwmgrapiRulesResponse.resources.customer_idString
CrowdStrike.fwmgrapiRulesResponse.resources.deletedBoolean
CrowdStrike.fwmgrapiRulesResponse.resources.descriptionString
CrowdStrike.fwmgrapiRulesResponse.resources.directionString
CrowdStrike.fwmgrapiRulesResponse.resources.enabledBoolean
CrowdStrike.fwmgrapiRulesResponse.resources.familyString
CrowdStrike.fwmgrapiRulesResponse.resources.fields.final_valueString
CrowdStrike.fwmgrapiRulesResponse.resources.fields.labelString
CrowdStrike.fwmgrapiRulesResponse.resources.fields.nameString
CrowdStrike.fwmgrapiRulesResponse.resources.fields.typeString
CrowdStrike.fwmgrapiRulesResponse.resources.fields.valueString
CrowdStrike.fwmgrapiRulesResponse.resources.idString
CrowdStrike.fwmgrapiRulesResponse.resources.local_address.addressString
CrowdStrike.fwmgrapiRulesResponse.resources.local_address.netmaskNumber
CrowdStrike.fwmgrapiRulesResponse.resources.local_port.endNumber
CrowdStrike.fwmgrapiRulesResponse.resources.local_port.startNumber
CrowdStrike.fwmgrapiRulesResponse.resources.modified_byString
CrowdStrike.fwmgrapiRulesResponse.resources.modified_onString
CrowdStrike.fwmgrapiRulesResponse.resources.nameString
CrowdStrike.fwmgrapiRulesResponse.resources.protocolString
CrowdStrike.fwmgrapiRulesResponse.resources.remote_address.addressString
CrowdStrike.fwmgrapiRulesResponse.resources.remote_address.netmaskNumber
CrowdStrike.fwmgrapiRulesResponse.resources.remote_port.endNumber
CrowdStrike.fwmgrapiRulesResponse.resources.remote_port.startNumber
CrowdStrike.fwmgrapiRulesResponse.resources.versionNumber

cs-getrules-mixin0#


Get rules by ID and optionally version in the following format: ID[:version]. The max number of IDs is constrained by URL size.

Base Command#

cs-getrules-mixin0

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The IDs of the entities. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiRulesResponse.errors.code | Number | |
| CrowdStrike.apiRulesResponse.errors.id | String | |
| CrowdStrike.apiRulesResponse.errors.message | String | |
| CrowdStrike.apiRulesResponse.resources.action_label | String | |
| CrowdStrike.apiRulesResponse.resources.comment | String | |
| CrowdStrike.apiRulesResponse.resources.committed_on | String | |
| CrowdStrike.apiRulesResponse.resources.created_by | String | |
| CrowdStrike.apiRulesResponse.resources.created_on | String | |
| CrowdStrike.apiRulesResponse.resources.customer_id | String | |
| CrowdStrike.apiRulesResponse.resources.deleted | Boolean | |
| CrowdStrike.apiRulesResponse.resources.description | String | |
| CrowdStrike.apiRulesResponse.resources.disposition_id | Number | |
| CrowdStrike.apiRulesResponse.resources.enabled | Boolean | |
| CrowdStrike.apiRulesResponse.resources.field_values.final_value | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.label | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.name | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.type | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.value | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.values.label | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.values.value | String | |
| CrowdStrike.apiRulesResponse.resources.instance_id | String | |
| CrowdStrike.apiRulesResponse.resources.instance_version | Number | |
| CrowdStrike.apiRulesResponse.resources.magic_cookie | Number | |
| CrowdStrike.apiRulesResponse.resources.modified_by | String | |
| CrowdStrike.apiRulesResponse.resources.modified_on | String | |
| CrowdStrike.apiRulesResponse.resources.name | String | |
| CrowdStrike.apiRulesResponse.resources.pattern_id | String | |
| CrowdStrike.apiRulesResponse.resources.pattern_severity | String | |
| CrowdStrike.apiRulesResponse.resources.rulegroup_id | String | |
| CrowdStrike.apiRulesResponse.resources.ruletype_id | String | |
| CrowdStrike.apiRulesResponse.resources.ruletype_name | String | |

cs-getrulesget#


Get rules by ID and optionally version in the following format: ID[:version].

Base Command#

cs-getrulesget

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| api_rulesgetrequestv1_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiRulesResponse.errors.code | Number | |
| CrowdStrike.apiRulesResponse.errors.id | String | |
| CrowdStrike.apiRulesResponse.errors.message | String | |
| CrowdStrike.apiRulesResponse.resources.action_label | String | |
| CrowdStrike.apiRulesResponse.resources.comment | String | |
| CrowdStrike.apiRulesResponse.resources.committed_on | String | |
| CrowdStrike.apiRulesResponse.resources.created_by | String | |
| CrowdStrike.apiRulesResponse.resources.created_on | String | |
| CrowdStrike.apiRulesResponse.resources.customer_id | String | |
| CrowdStrike.apiRulesResponse.resources.deleted | Boolean | |
| CrowdStrike.apiRulesResponse.resources.description | String | |
| CrowdStrike.apiRulesResponse.resources.disposition_id | Number | |
| CrowdStrike.apiRulesResponse.resources.enabled | Boolean | |
| CrowdStrike.apiRulesResponse.resources.field_values.final_value | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.label | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.name | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.type | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.value | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.values.label | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.values.value | String | |
| CrowdStrike.apiRulesResponse.resources.instance_id | String | |
| CrowdStrike.apiRulesResponse.resources.instance_version | Number | |
| CrowdStrike.apiRulesResponse.resources.magic_cookie | Number | |
| CrowdStrike.apiRulesResponse.resources.modified_by | String | |
| CrowdStrike.apiRulesResponse.resources.modified_on | String | |
| CrowdStrike.apiRulesResponse.resources.name | String | |
| CrowdStrike.apiRulesResponse.resources.pattern_id | String | |
| CrowdStrike.apiRulesResponse.resources.pattern_severity | String | |
| CrowdStrike.apiRulesResponse.resources.rulegroup_id | String | |
| CrowdStrike.apiRulesResponse.resources.ruletype_id | String | |
| CrowdStrike.apiRulesResponse.resources.ruletype_name | String | |

cs-getruletypes#


Get rule types by ID.

Base Command#

cs-getruletypes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The IDs of the entities. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiRuleTypesResponse.errors.code | Number | |
| CrowdStrike.apiRuleTypesResponse.errors.id | String | |
| CrowdStrike.apiRuleTypesResponse.errors.message | String | |
| CrowdStrike.apiRuleTypesResponse.resources.channel | Number | |
| CrowdStrike.apiRuleTypesResponse.resources.disposition_map.id | Number | |
| CrowdStrike.apiRuleTypesResponse.resources.disposition_map.label | String | |
| CrowdStrike.apiRuleTypesResponse.resources.fields.name | String | |
| CrowdStrike.apiRuleTypesResponse.resources.fields.value | String | |
| CrowdStrike.apiRuleTypesResponse.resources.id | String | |
| CrowdStrike.apiRuleTypesResponse.resources.long_desc | String | |
| CrowdStrike.apiRuleTypesResponse.resources.name | String | |
| CrowdStrike.apiRuleTypesResponse.resources.platform | String | |
| CrowdStrike.apiRuleTypesResponse.resources.released | Boolean | |

cs-grant-user-role-ids#


Assign one or more roles to a user.

Base Command#

cs-grant-user-role-ids

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| user_uuid | ID of a user. Find a user's ID from /users/entities/user/v1. | Required |
| domain_roleids_roleids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainUserRoleIDsResponse.errors.code | Number | |
| CrowdStrike.domainUserRoleIDsResponse.errors.id | String | |
| CrowdStrike.domainUserRoleIDsResponse.errors.message | String | |

cs-indicatorcombinedv1#


Get Combined for Indicators.

Base Command#

cs-indicatorcombinedv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. Offset and After ms are mutually exclusive. If none provided then scrolling will be used by default. | Optional |
| limit | The maximum records to return. | Optional |
| sort | The sort expression that should be used to sort the results. Possible values are: action, applied_globally, metadata.av_hits, metadata.company_name.raw, created_by, created_on, expiration, expired, metadata.filename.raw, modified_by, modified_on, metadata.original_filename.raw, metadata.product_name.raw, metadata.product_version, severity_number, source, type, value. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiIndicatorRespV1.errors.code | Number | |
| CrowdStrike.apiIndicatorRespV1.errors.id | String | |
| CrowdStrike.apiIndicatorRespV1.errors.message | String | |
| CrowdStrike.apiIndicatorRespV1.resources.action | String | |
| CrowdStrike.apiIndicatorRespV1.resources.applied_globally | Boolean | |
| CrowdStrike.apiIndicatorRespV1.resources.created_by | String | |
| CrowdStrike.apiIndicatorRespV1.resources.created_on | String | |
| CrowdStrike.apiIndicatorRespV1.resources.deleted | Boolean | |
| CrowdStrike.apiIndicatorRespV1.resources.description | String | |
| CrowdStrike.apiIndicatorRespV1.resources.expiration | String | |
| CrowdStrike.apiIndicatorRespV1.resources.expired | Boolean | |
| CrowdStrike.apiIndicatorRespV1.resources.id | String | |
| CrowdStrike.apiIndicatorRespV1.resources.mobile_action | String | |
| CrowdStrike.apiIndicatorRespV1.resources.modified_by | String | |
| CrowdStrike.apiIndicatorRespV1.resources.modified_on | String | |
| CrowdStrike.apiIndicatorRespV1.resources.severity | String | |
| CrowdStrike.apiIndicatorRespV1.resources.source | String | |
| CrowdStrike.apiIndicatorRespV1.resources.type | String | |
| CrowdStrike.apiIndicatorRespV1.resources.value | String | |

cs-indicatorcreatev1#


Create Indicators.

Base Command#

cs-indicatorcreatev1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| X_CS_USERNAME | The username. | Optional |
| retrodetects | Whether to submit to retrodetects. | Optional |
| ignore_warnings | Set to true to ignore warnings and add all IOCs. | Optional |
| api_indicatorcreatereqsv1_comment | | Optional |
| api_indicatorcreatereqsv1_indicators | | Required |

Context Output#

There is no context output for this command.

cs-indicatordeletev1#


Delete Indicators by ids.

Base Command#

cs-indicatordeletev1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The FQL expression to delete Indicators in bulk. If both 'filter' and 'ids' are provided, then filter takes precedence and ignores ids. | Optional |
| ids | The ids of the Indicators to delete. If both 'filter' and 'ids' are provided, then filter takes precedence and ignores ids. | Optional |
| comment | The comment why these indicators were deleted. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiIndicatorQueryResponse.errors.code | Number | |
| CrowdStrike.apiIndicatorQueryResponse.errors.id | String | |
| CrowdStrike.apiIndicatorQueryResponse.errors.message | String | |

cs-indicatorgetv1#


Get Indicators by ids.

Base Command#

cs-indicatorgetv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The ids of the Indicators to retrieve. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiIndicatorRespV1.errors.code | Number | |
| CrowdStrike.apiIndicatorRespV1.errors.id | String | |
| CrowdStrike.apiIndicatorRespV1.errors.message | String | |
| CrowdStrike.apiIndicatorRespV1.resources.action | String | |
| CrowdStrike.apiIndicatorRespV1.resources.applied_globally | Boolean | |
| CrowdStrike.apiIndicatorRespV1.resources.created_by | String | |
| CrowdStrike.apiIndicatorRespV1.resources.created_on | String | |
| CrowdStrike.apiIndicatorRespV1.resources.deleted | Boolean | |
| CrowdStrike.apiIndicatorRespV1.resources.description | String | |
| CrowdStrike.apiIndicatorRespV1.resources.expiration | String | |
| CrowdStrike.apiIndicatorRespV1.resources.expired | Boolean | |
| CrowdStrike.apiIndicatorRespV1.resources.id | String | |
| CrowdStrike.apiIndicatorRespV1.resources.mobile_action | String | |
| CrowdStrike.apiIndicatorRespV1.resources.modified_by | String | |
| CrowdStrike.apiIndicatorRespV1.resources.modified_on | String | |
| CrowdStrike.apiIndicatorRespV1.resources.severity | String | |
| CrowdStrike.apiIndicatorRespV1.resources.source | String | |
| CrowdStrike.apiIndicatorRespV1.resources.type | String | |
| CrowdStrike.apiIndicatorRespV1.resources.value | String | |

cs-indicatorsearchv1#


Search for Indicators.

Base Command#

cs-indicatorsearchv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. Offset and After ms are mutually exclusive. If none provided then scrolling will be used by default. | Optional |
| limit | The maximum records to return. | Optional |
| sort | The sort expression that should be used to sort the results. Possible values are: action, applied_globally, metadata.av_hits, metadata.company_name.raw, created_by, created_on, expiration, expired, metadata.filename.raw, modified_by, modified_on, metadata.original_filename.raw, metadata.product_name.raw, metadata.product_version, severity_number, source, type, value. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiIndicatorQueryRespV1.errors.code | Number | |
| CrowdStrike.apiIndicatorQueryRespV1.errors.id | String | |
| CrowdStrike.apiIndicatorQueryRespV1.errors.message | String | |

cs-indicatorupdatev1#


Update Indicators.

Base Command#

cs-indicatorupdatev1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| X_CS_USERNAME | The username. | Optional |
| retrodetects | Whether to submit to retrodetects. | Optional |
| ignore_warnings | Set to true to ignore warnings and add all IOCs. | Optional |
| api_indicatorupdatereqsv1_bulk_update_action | api_indicatorupdatereqsv1_bulk_update action. | Optional |
| api_indicatorupdatereqsv1_bulk_update_applied_globally | api_indicatorupdatereqsv1_bulk_update applied_globally. | Optional |
| api_indicatorupdatereqsv1_bulk_update_description | api_indicatorupdatereqsv1_bulk_update description. | Optional |
| api_indicatorupdatereqsv1_bulk_update_expiration | api_indicatorupdatereqsv1_bulk_update expiration. | Optional |
| api_indicatorupdatereqsv1_bulk_update_filter | api_indicatorupdatereqsv1_bulk_update filter. | Optional |
| api_indicatorupdatereqsv1_bulk_update_host_groups | api_indicatorupdatereqsv1_bulk_update host_groups. | Optional |
| api_indicatorupdatereqsv1_bulk_update_mobile_action | api_indicatorupdatereqsv1_bulk_update mobile_action. | Optional |
| api_indicatorupdatereqsv1_bulk_update_platforms | api_indicatorupdatereqsv1_bulk_update platforms. | Optional |
| api_indicatorupdatereqsv1_bulk_update_severity | api_indicatorupdatereqsv1_bulk_update severity. | Optional |
| api_indicatorupdatereqsv1_bulk_update_source | api_indicatorupdatereqsv1_bulk_update source. | Optional |
| api_indicatorupdatereqsv1_bulk_update_tags | api_indicatorupdatereqsv1_bulk_update tags. | Optional |
| api_indicatorupdatereqsv1_comment | | Optional |
| api_indicatorupdatereqsv1_indicators | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiIndicatorRespV1.errors.code | Number | |
| CrowdStrike.apiIndicatorRespV1.errors.id | String | |
| CrowdStrike.apiIndicatorRespV1.errors.message | String | |
| CrowdStrike.apiIndicatorRespV1.resources.action | String | |
| CrowdStrike.apiIndicatorRespV1.resources.applied_globally | Boolean | |
| CrowdStrike.apiIndicatorRespV1.resources.created_by | String | |
| CrowdStrike.apiIndicatorRespV1.resources.created_on | String | |
| CrowdStrike.apiIndicatorRespV1.resources.deleted | Boolean | |
| CrowdStrike.apiIndicatorRespV1.resources.description | String | |
| CrowdStrike.apiIndicatorRespV1.resources.expiration | String | |
| CrowdStrike.apiIndicatorRespV1.resources.expired | Boolean | |
| CrowdStrike.apiIndicatorRespV1.resources.id | String | |
| CrowdStrike.apiIndicatorRespV1.resources.mobile_action | String | |
| CrowdStrike.apiIndicatorRespV1.resources.modified_by | String | |
| CrowdStrike.apiIndicatorRespV1.resources.modified_on | String | |
| CrowdStrike.apiIndicatorRespV1.resources.severity | String | |
| CrowdStrike.apiIndicatorRespV1.resources.source | String | |
| CrowdStrike.apiIndicatorRespV1.resources.type | String | |
| CrowdStrike.apiIndicatorRespV1.resources.value | String | |

cs-list-available-streamso-auth2#


Discover all event streams in your environment.

Base Command#

cs-list-available-streamso-auth2

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| appId | Label that identifies your connection. Max: 32 alphanumeric characters (a-z, A-Z, 0-9). | Required |
| format | Format for streaming events. Valid values: json, flatjson. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.maindiscoveryResponseV2.errors.code | Number | |
| CrowdStrike.maindiscoveryResponseV2.errors.id | String | |
| CrowdStrike.maindiscoveryResponseV2.errors.message | String | |
| CrowdStrike.maindiscoveryResponseV2.resources.dataFeedURL | String | |
| CrowdStrike.maindiscoveryResponseV2.resources.refreshActiveSessionInterval | Number | |
| CrowdStrike.maindiscoveryResponseV2.resources.refreshActiveSessionURL | String | |

cs-oauth2-access-token#


Generate an OAuth2 access token.

Base Command#

cs-oauth2-access-token

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| client_id | The API client ID to authenticate your API requests. For information on generating API clients, see API documentation inside Falcon. | Required |
| client_secret | The API client secret to authenticate your API requests. For information on generating API clients, see API documentation inside Falcon. | Required |
| member_cid | For MSSP Master CIDs, optionally lock the token to act on behalf of this member CID. | Optional |

Context Output#

There is no context output for this command.

cs-oauth2-revoke-token#


Revoke a previously issued OAuth2 access token before the end of its standard 30-minute life.

Base Command#

cs-oauth2-revoke-token

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| token | The OAuth2 access token you want to revoke. Include your API client ID and secret in basic auth format (Authorization: basic encoded API client ID and secret) in your request header. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number | |
| CrowdStrike.msaReplyMetaOnly.errors.id | String | |
| CrowdStrike.msaReplyMetaOnly.errors.message | String | |

cs-patch-cloudconnectazure-entities-clientid-v1#


Update an Azure service account in our system with the user-created client_id created with the public key we've provided.

Base Command#

cs-patch-cloudconnectazure-entities-clientid-v1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | ClientID to use for the Service Principal associated with the customer's Azure account. | Required |

Context Output#

There is no context output for this command.

cs-patch-cloudconnectcspmazure-entities-clientid-v1#


Update an Azure service account in our system with the user-created client_id created with the public key we've provided.

Base Command#

cs-patch-cloudconnectcspmazure-entities-clientid-v1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | ClientID to use for the Service Principal associated with the customer's Azure account. | Required |
| tenant_id | Tenant ID to update client ID for. Required if multiple tenants are registered. | Optional |

Context Output#

There is no context output for this command.

cs-patchcspm-aws-account#


Patches an existing account in our system for a customer.

Base Command#

cs-patchcspm-aws-account

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| registration_awsaccountpatchrequest_resources | | Required |

Context Output#

There is no context output for this command.

cs-perform-actionv2#


Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host.

Base Command#

cs-perform-actionv2

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_name | Specify one of these actions. contain: This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy. lift_containment: This action lifts containment on the host, which returns its network communications to normal. hide_host: This action will delete a host. After the host is deleted, no new detections for that host will be reported via UI or APIs. unhide_host: This action will restore a host. Detection reporting will resume after the host is restored. | Required |
| msa_entityactionrequestv2_action__meters | | Optional |
| msa_entityactionrequestv2_ids | | Required |

Context Output#

There is no context output for this command.

cs-perform-device-control-policies-action#


Perform the specified action on the Device Control Policies specified in the request.

Base Command#

cs-perform-device-control-policies-action

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_name | The action to perform. Possible values are: add-host-group, disable, enable, remove-host-group. | Required |
| msa_entityactionrequestv2_action__meters | | Optional |
| msa_entityactionrequestv2_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.code | Number | |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.id | String | |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.message | String | |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.platform_name | String | The name of the platform. |

cs-perform-firewall-policies-action#


Perform the specified action on the Firewall Policies specified in the request.

Base Command#

cs-perform-firewall-policies-action

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_name | The action to perform. Possible values are: add-host-group, disable, enable, remove-host-group. | Required |
| msa_entityactionrequestv2_action__meters | | Optional |
| msa_entityactionrequestv2_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesFirewallPoliciesV1.errors.code | Number | |
| CrowdStrike.responsesFirewallPoliciesV1.errors.id | String | |
| CrowdStrike.responsesFirewallPoliciesV1.errors.message | String | |
| CrowdStrike.responsesFirewallPoliciesV1.resources.channel_version | Number | Channel file version for the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.platform_name | String | The name of the platform. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.rule_set_id | String | Firewall rule set id. This id combines several firewall rules and gets attached to the policy. |

cs-perform-group-action#


Perform the specified action on the Host Groups specified in the request.

Base Command#

cs-perform-group-action

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_name | The action to perform. Possible values are: add-hosts, remove-hosts. | Required |
| msa_entityactionrequestv2_action__meters | | Optional |
| msa_entityactionrequestv2_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesHostGroupsV1.errors.code | Number | |
| CrowdStrike.responsesHostGroupsV1.errors.id | String | |
| CrowdStrike.responsesHostGroupsV1.errors.message | String | |
| CrowdStrike.responsesHostGroupsV1.resources.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesHostGroupsV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesHostGroupsV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesHostGroupsV1.resources.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesHostGroupsV1.resources.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesHostGroupsV1.resources.id | String | The identifier of this host group. |
| CrowdStrike.responsesHostGroupsV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesHostGroupsV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesHostGroupsV1.resources.name | String | The name of the group. |

cs-perform-incident-action#


Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description.

Base Command#

cs-perform-incident-action

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_entityactionrequestv2_action__meters | | Optional |
| msa_entityactionrequestv2_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number | |
| CrowdStrike.msaReplyMetaOnly.errors.id | String | |
| CrowdStrike.msaReplyMetaOnly.errors.message | String | |

cs-perform-prevention-policies-action#


Perform the specified action on the Prevention Policies specified in the request.

Base Command#

cs-perform-prevention-policies-action

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_name | The action to perform. Possible values are: add-host-group, add-rule-group, disable, enable, remove-host-group, remove-rule-group. | Required |
| msa_entityactionrequestv2_action__meters | | Optional |
| msa_entityactionrequestv2_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesPreventionPoliciesV1.errors.code | Number | |
| CrowdStrike.responsesPreventionPoliciesV1.errors.id | String | |
| CrowdStrike.responsesPreventionPoliciesV1.errors.message | String | |
| CrowdStrike.responsesPreventionPoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.platform_name | String | The name of the platform. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.name | String | The name of the category. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.description | String | The human readable description of the setting. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.id | String | The id of the setting. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.name | String | The name of the setting. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.type | String | The type of the setting which can be used as a hint when displaying in the UI. |

cs-perform-sensor-update-policies-action#


Perform the specified action on the Sensor Update Policies specified in the request.

Base Command#

cs-perform-sensor-update-policies-action

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_name | The action to perform. Possible values are: add-host-group, disable, enable, remove-host-group. | Required |
| msa_entityactionrequestv2_action__meters | | Optional |
| msa_entityactionrequestv2_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesSensorUpdatePoliciesV1.errors.code | Number | |
| CrowdStrike.responsesSensorUpdatePoliciesV1.errors.id | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV1.errors.message | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.platform_name | String | The name of the platform. |

cs-performrt-response-policies-action#


Perform the specified action on the Response Policies specified in the request.

Base Command#

cs-performrt-response-policies-action

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_name | The action to perform. Possible values are: add-host-group, add-rule-group, disable, enable, remove-host-group, remove-rule-group. | Required |
| msa_entityactionrequestv2_action__meters | | Optional |
| msa_entityactionrequestv2_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesRTResponsePoliciesV1.errors.code | Number | |
| CrowdStrike.responsesRTResponsePoliciesV1.errors.id | String | |
| CrowdStrike.responsesRTResponsePoliciesV1.errors.message | String | |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.platform_name | String | The name of the platform. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.name | String | The name of the category. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.description | String | The human readable description of the setting. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.id | String | The id of the setting. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.name | String | The name of the setting. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.type | String | The type of the setting which can be used as a hint when displaying in the UI. |

cs-post-cloudconnectazure-entities-account-v1#


Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.

Base Command#

cs-post-cloudconnectazure-entities-account-v1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| registration_azureaccountcreaterequestexternalv1_resources | | Required |

Context Output#

There is no context output for this command.

cs-post-cloudconnectcspmazure-entities-account-v1#


Creates a new account in our system for a customer and generates a script for them to run in their cloud environment to grant us access.

Base Command#

cs-post-cloudconnectcspmazure-entities-account-v1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| registration_azureaccountcreaterequestexternalv1_resources | | Required |

Context Output#

There is no context output for this command.

cs-post-mal-query-entities-samples-multidownloadv1#


Schedule samples for download. Use the result id with the /request endpoint to check whether the download is ready, after which you can call /entities/samples-fetch to get the zip.

Base Command#

cs-post-mal-query-entities-samples-multidownloadv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| malquery_multidownloadrequestv1_samples | List of sample sha256 ids. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.malqueryExternalQueryResponse.errors.code | Number | |
| CrowdStrike.malqueryExternalQueryResponse.errors.id | String | |
| CrowdStrike.malqueryExternalQueryResponse.errors.message | String | |
| CrowdStrike.malqueryExternalQueryResponse.errors.type | String | |
| CrowdStrike.malqueryExternalQueryResponse.resources.family | String | Sample family. |
| CrowdStrike.malqueryExternalQueryResponse.resources.filesize | Number | Sample size. |
| CrowdStrike.malqueryExternalQueryResponse.resources.filetype | String | Sample file type. |
| CrowdStrike.malqueryExternalQueryResponse.resources.first_seen | String | Date when it was first seen. |
| CrowdStrike.malqueryExternalQueryResponse.resources.ignore_reason | String | Reason why the resource is ignored. |
| CrowdStrike.malqueryExternalQueryResponse.resources.label | String | Sample label. |
| CrowdStrike.malqueryExternalQueryResponse.resources.label_confidence | String | Resource label confidence. |
| CrowdStrike.malqueryExternalQueryResponse.resources.md5 | String | Sample MD5. |
| CrowdStrike.malqueryExternalQueryResponse.resources.pattern | String | Search pattern. |
| CrowdStrike.malqueryExternalQueryResponse.resources.pattern_type | String | Search pattern type. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.family | String | Sample family. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.filesize | Number | Sample size. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.filetype | String | Sample file type. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.first_seen | String | Date when it was first seen. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.label | String | Sample label. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.md5 | String | Sample MD5. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.sha1 | String | Sample SHA1. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.sha256 | String | Sample SHA256. |
| CrowdStrike.malqueryExternalQueryResponse.resources.sha1 | String | Sample SHA1. |
| CrowdStrike.malqueryExternalQueryResponse.resources.sha256 | String | Sample SHA256. |
| CrowdStrike.malqueryExternalQueryResponse.resources.yara_rule | String | Search YARA rule. |

cs-post-mal-query-exact-searchv1#


Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint.

Base Command#

cs-post-mal-query-exact-searchv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| malquery_externalexactsearchparametersv1_options_filter_filetypes | malquery_externalexactsearchparametersv1_options filter_filetypes. | Optional |
| malquery_externalexactsearchparametersv1_options_filter_meta | malquery_externalexactsearchparametersv1_options filter_meta. | Optional |
| malquery_externalexactsearchparametersv1_options_limit | malquery_externalexactsearchparametersv1_options limit. | Optional |
| malquery_externalexactsearchparametersv1_options_max_date | malquery_externalexactsearchparametersv1_options max_date. | Optional |
| malquery_externalexactsearchparametersv1_options_max_size | malquery_externalexactsearchparametersv1_options max_size. | Optional |
| malquery_externalexactsearchparametersv1_options_min_date | malquery_externalexactsearchparametersv1_options min_date. | Optional |
| malquery_externalexactsearchparametersv1_options_min_size | malquery_externalexactsearchparametersv1_options min_size. | Optional |
| malquery_externalexactsearchparametersv1_patterns | Patterns to search for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.malqueryExternalQueryResponse.errors.code | Number | |
| CrowdStrike.malqueryExternalQueryResponse.errors.id | String | |
| CrowdStrike.malqueryExternalQueryResponse.errors.message | String | |
| CrowdStrike.malqueryExternalQueryResponse.errors.type | String | |
| CrowdStrike.malqueryExternalQueryResponse.resources.family | String | Sample family. |
| CrowdStrike.malqueryExternalQueryResponse.resources.filesize | Number | Sample size. |
| CrowdStrike.malqueryExternalQueryResponse.resources.filetype | String | Sample file type. |
| CrowdStrike.malqueryExternalQueryResponse.resources.first_seen | String | Date when it was first seen. |
| CrowdStrike.malqueryExternalQueryResponse.resources.ignore_reason | String | Reason why the resource is ignored. |
| CrowdStrike.malqueryExternalQueryResponse.resources.label | String | Sample label. |
| CrowdStrike.malqueryExternalQueryResponse.resources.label_confidence | String | Resource label confidence. |
| CrowdStrike.malqueryExternalQueryResponse.resources.md5 | String | Sample MD5. |
| CrowdStrike.malqueryExternalQueryResponse.resources.pattern | String | Search pattern. |
| CrowdStrike.malqueryExternalQueryResponse.resources.pattern_type | String | Search pattern type. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.family | String | Sample family. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.filesize | Number | Sample size. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.filetype | String | Sample file type. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.first_seen | String | Date when it was first seen. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.label | String | Sample label. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.md5 | String | Sample MD5. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.sha1 | String | Sample SHA1. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.sha256 | String | Sample SHA256. |
| CrowdStrike.malqueryExternalQueryResponse.resources.sha1 | String | Sample SHA1. |
| CrowdStrike.malqueryExternalQueryResponse.resources.sha256 | String | Sample SHA256. |
| CrowdStrike.malqueryExternalQueryResponse.resources.yara_rule | String | Search YARA rule. |

cs-post-mal-query-fuzzy-searchv1#


Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity.

Base Command#

cs-post-mal-query-fuzzy-searchv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| malquery_fuzzysearchparametersv1_options_filter_meta | malquery_fuzzysearchparametersv1_options filter_meta. | Optional |
| malquery_fuzzysearchparametersv1_options_limit | malquery_fuzzysearchparametersv1_options limit. | Optional |
| malquery_fuzzysearchparametersv1_patterns | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.malqueryFuzzySearchResponse.errors.code | Number | |
| CrowdStrike.malqueryFuzzySearchResponse.errors.id | String | |
| CrowdStrike.malqueryFuzzySearchResponse.errors.message | String | |
| CrowdStrike.malqueryFuzzySearchResponse.errors.type | String | |
| CrowdStrike.malqueryFuzzySearchResponse.resources.family | String | Sample family. |
| CrowdStrike.malqueryFuzzySearchResponse.resources.filesize | Number | Sample size. |
| CrowdStrike.malqueryFuzzySearchResponse.resources.filetype | String | Sample file type. |
| CrowdStrike.malqueryFuzzySearchResponse.resources.first_seen | String | Date when it was first seen. |
| CrowdStrike.malqueryFuzzySearchResponse.resources.label | String | Sample label. |
| CrowdStrike.malqueryFuzzySearchResponse.resources.md5 | String | Sample MD5. |
| CrowdStrike.malqueryFuzzySearchResponse.resources.sha1 | String | Sample SHA1. |
| CrowdStrike.malqueryFuzzySearchResponse.resources.sha256 | String | Sample SHA256. |

cs-post-mal-query-huntv1#


Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint.

Base Command#

cs-post-mal-query-huntv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| malquery_externalhuntparametersv1_options_filter_filetypes | malquery_externalhuntparametersv1_options filter_filetypes. | Optional |
| malquery_externalhuntparametersv1_options_filter_meta | malquery_externalhuntparametersv1_options filter_meta. | Optional |
| malquery_externalhuntparametersv1_options_limit | malquery_externalhuntparametersv1_options limit. | Optional |
| malquery_externalhuntparametersv1_options_max_date | malquery_externalhuntparametersv1_options max_date. | Optional |
| malquery_externalhuntparametersv1_options_max_size | malquery_externalhuntparametersv1_options max_size. | Optional |
| malquery_externalhuntparametersv1_options_min_date | malquery_externalhuntparametersv1_options min_date. | Optional |
| malquery_externalhuntparametersv1_options_min_size | malquery_externalhuntparametersv1_options min_size. | Optional |
| malquery_externalhuntparametersv1_yara_rule | A YARA rule that defines your search. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.malqueryExternalQueryResponse.errors.code | Number | |
| CrowdStrike.malqueryExternalQueryResponse.errors.id | String | |
| CrowdStrike.malqueryExternalQueryResponse.errors.message | String | |
| CrowdStrike.malqueryExternalQueryResponse.errors.type | String | |
| CrowdStrike.malqueryExternalQueryResponse.resources.family | String | Sample family. |
| CrowdStrike.malqueryExternalQueryResponse.resources.filesize | Number | Sample size. |
| CrowdStrike.malqueryExternalQueryResponse.resources.filetype | String | Sample file type. |
| CrowdStrike.malqueryExternalQueryResponse.resources.first_seen | String | Date when it was first seen. |
| CrowdStrike.malqueryExternalQueryResponse.resources.ignore_reason | String | Reason why the resource is ignored. |
| CrowdStrike.malqueryExternalQueryResponse.resources.label | String | Sample label. |
| CrowdStrike.malqueryExternalQueryResponse.resources.label_confidence | String | Resource label confidence. |
| CrowdStrike.malqueryExternalQueryResponse.resources.md5 | String | Sample MD5. |
| CrowdStrike.malqueryExternalQueryResponse.resources.pattern | String | Search pattern. |
| CrowdStrike.malqueryExternalQueryResponse.resources.pattern_type | String | Search pattern type. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.family | String | Sample family. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.filesize | Number | Sample size. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.filetype | String | Sample file type. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.first_seen | String | Date when it was first seen. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.label | String | Sample label. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.md5 | String | Sample MD5. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.sha1 | String | Sample SHA1. |
| CrowdStrike.malqueryExternalQueryResponse.resources.samples.sha256 | String | Sample SHA256. |
| CrowdStrike.malqueryExternalQueryResponse.resources.sha1 | String | Sample SHA1. |
| CrowdStrike.malqueryExternalQueryResponse.resources.sha256 | String | Sample SHA256. |
| CrowdStrike.malqueryExternalQueryResponse.resources.yara_rule | String | Search YARA rule. |

cs-preview-rulev1#


Preview rules notification count and distribution. This will return aggregations on: channel, count, site.

Base Command#

cs-preview-rulev1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| X_CS_USERUUID | User UUID. | Optional |
| domain_rulepreviewrequest_filter | | Required |
| domain_rulepreviewrequest_topic | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainAggregatesResponse.errors.code | Number | |
| CrowdStrike.domainAggregatesResponse.errors.details.field | String | |
| CrowdStrike.domainAggregatesResponse.errors.details.message | String | |
| CrowdStrike.domainAggregatesResponse.errors.details.message_key | String | |
| CrowdStrike.domainAggregatesResponse.errors.id | String | |
| CrowdStrike.domainAggregatesResponse.errors.message | String | |
| CrowdStrike.domainAggregatesResponse.errors.message_key | String | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.domainAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.domainAggregatesResponse.resources.name | String | |
| CrowdStrike.domainAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-processes-ran-on#


Search for processes associated with a custom IOC.

Base Command#

cs-processes-ran-on

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| type_ | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min: 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. | Required |
| value | The string representation of the indicator. | Required |
| device_id | Specify a host's ID to return only processes from that host. Get a host's ID from GET /devices/queries/devices/v1, the Falcon console, or the Streaming API. | Required |
| limit | The first process to return, where 0 is the latest offset. Use with the offset parameter to manage pagination of results. | Optional |
| offset | The first process to return, where 0 is the latest offset. Use with the limit parameter to manage pagination of results. | Optional |
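
The following is an added example, not part of the integration's code: a pre-flight check that applies the `type_` rules listed above before `cs-processes-ran-on` is called, so malformed indicators are rejected locally. The function names and the returned argument dict are assumptions, as are the whitespace check on domains and the non-negative check on `limit` and `offset`, which the page does not document.

```python
import ipaddress
import re

# Fixed hex lengths from the type_ description: sha256 is 64, md5 is 32.
HEX_LENGTHS = {"sha256": 64, "md5": 32}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
DOMAIN_MIN, DOMAIN_MAX = 1, 200


def validate_indicator(type_, value):
    """Return the trimmed value if it satisfies the documented rule for type_."""
    if not isinstance(value, str):
        raise ValueError("value must be a string")
    value = value.strip()

    if type_ in HEX_LENGTHS:
        want = HEX_LENGTHS[type_]
        if len(value) != want or not HEX_RE.fullmatch(value):
            raise ValueError(f"{type_} must be exactly {want} hex characters")
    elif type_ == "domain":
        if not DOMAIN_MIN <= len(value) <= DOMAIN_MAX:
            raise ValueError("domain length must be between 1 and 200")
        # Assumption (not documented on the page): no embedded whitespace.
        if any(ch.isspace() for ch in value):
            raise ValueError("domain must not contain whitespace")
    elif type_ == "ipv4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError as exc:
            raise ValueError(f"not a valid IPv4 address: {value!r}") from exc
    elif type_ == "ipv6":
        try:
            ipaddress.IPv6Address(value)
        except ValueError as exc:
            raise ValueError(f"not a valid IPv6 address: {value!r}") from exc
    else:
        raise ValueError(f"unsupported indicator type: {type_!r}")
    return value


def build_processes_ran_on_args(type_, value, device_id, limit=None, offset=None):
    """Build the argument dict for cs-processes-ran-on (hypothetical helper)."""
    if not isinstance(device_id, str) or not device_id.strip():
        raise ValueError("device_id is required")
    args = {
        "type_": type_,
        "value": validate_indicator(type_, value),
        "device_id": device_id.strip(),
    }
    for name, number in (("limit", limit), ("offset", offset)):
        if number is None:
            continue  # optional arguments are simply left out
        # Assumption: paging values are non-negative integers.
        if isinstance(number, bool) or not isinstance(number, int) or number < 0:
            raise ValueError(f"{name} must be a non-negative integer")
        args[name] = number
    return args


if __name__ == "__main__":
    # Constructed sample values, not real indicators or host IDs.
    print(build_processes_ran_on_args("md5", "a" * 32, "device-id-placeholder", limit=50))
```
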

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiMsaReplyProcessesRanOn.errors.code | Number | |
| CrowdStrike.apiMsaReplyProcessesRanOn.errors.id | String | |
| CrowdStrike.apiMsaReplyProcessesRanOn.errors.message | String | |

cs-provisionaws-accounts#


Provision AWS Accounts by specifying details about the accounts to provision.

Base Command#

cs-provisionaws-accounts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mode | Mode for provisioning. Allowed values are manual or cloudformation. Defaults to manual if not defined. Possible values are: cloudformation, manual. | Optional |
| models_createawsaccountsv1_resources | | Required |

Context Output#

There is no context output for this command.

cs-query-actionsv1#


Query actions based on provided criteria. Use the IDs from this response to get the action entities on GET /entities/actions/v1.

Base Command#

cs-query-actionsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Starting index of overall result set from which to return IDs. | Optional |
| limit | Number of IDs to return. | Optional |
| sort | Possible order by fields: created_timestamp, updated_timestamp. Ex: 'updated_timestamp\|desc'. | Optional |
| filter_ | FQL query to filter actions by. Possible filter properties are: [id cid user_uuid rule_id type frequency recipients status created_timestamp updated_timestamp]. | Optional |
| q | Free text search across all indexed fields. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainQueryResponse.errors.code | Number | |
| CrowdStrike.domainQueryResponse.errors.details.field | String | |
| CrowdStrike.domainQueryResponse.errors.details.message | String | |
| CrowdStrike.domainQueryResponse.errors.details.message_key | String | |
| CrowdStrike.domainQueryResponse.errors.id | String | |
| CrowdStrike.domainQueryResponse.errors.message | String | |
| CrowdStrike.domainQueryResponse.errors.message_key | String | |

cs-query-allow-list-filter#


Retrieve allowlist tickets that match the provided filter criteria with scrolling enabled.

Base Command#

cs-query-allow-list-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". | Optional |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-behaviors#


Search for behaviors by providing an FQL filter, sorting, and paging details.

Base Command#

cs-query-behaviors

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". Possible values are: timestamp.asc, timestamp.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-block-list-filter#


Retrieve block list tickets that match the provided filter criteria with scrolling enabled.

Base Command#

cs-query-block-list-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". | Optional |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-children#


Query for customers linked as children.

Base Command#

cs-query-children

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sort | The sort expression used to sort the results. Possible values are: last_modified_timestamp. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-combined-device-control-policies#


Search for Device Control Policies in your environment by providing an FQL filter and paging details. Returns a set of Device Control Policies which match the filter criteria.

Base Command#

cs-query-combined-device-control-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.code | Number | |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.id | String | |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.message | String | |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.platform_name | String | The name of the platform. |

cs-query-combined-device-control-policy-members#


Search for members of a Device Control Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

Base Command#

cs-query-combined-device-control-policy-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Device Control Policy to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesPolicyMembersRespV1.errors.code | Number | |
| CrowdStrike.responsesPolicyMembersRespV1.errors.id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.errors.message | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_load_flags | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_local_time | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.bios_manufacturer | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.bios_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.build_number | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.cid | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_base | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_build | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_platform | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.cpu_signature | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.detection_suppression_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.device_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.email | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.external_ip | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_login_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_login_user | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_seen | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.group_hash | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.host_hidden_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.hostname | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.instance_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_login_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_login_user | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_seen | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.local_ip | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.mac_address | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.machine_domain | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.major_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.minor_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.modified_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.os_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.platform_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.platform_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_host_ip4 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_host_ip6 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_hostname | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_ip4 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_ip6 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_namespace | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_service_account_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pointer_size | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.applied | Boolean | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.applied_date | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.assigned_date | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.policy_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.policy_type | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.rule_set_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.settings_hash | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.uninstall_protection | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.product_type | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.product_type_desc | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.provision_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.reduced_functionality_mode | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.release_group | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.serial_number | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_pack_major | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_pack_minor | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_provider | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_provider_account_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.site_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.slow_changing_modified_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.system_manufacturer | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.system_product_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.zone_group | String | |

cs-query-combined-firewall-policies#


Search for Firewall Policies in your environment by providing an FQL filter and paging details. Returns a set of Firewall Policies which match the filter criteria.

Base Command#

cs-query-combined-firewall-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesFirewallPoliciesV1.errors.code | Number | |
| CrowdStrike.responsesFirewallPoliciesV1.errors.id | String | |
| CrowdStrike.responsesFirewallPoliciesV1.errors.message | String | |
| CrowdStrike.responsesFirewallPoliciesV1.resources.channel_version | Number | Channel file version for the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.platform_name | String | The name of the platform. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.rule_set_id | String | Firewall rule set id. This id combines several firewall rules and gets attached to the policy. |

cs-query-combined-firewall-policy-members#


Search for members of a Firewall Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

Base Command#

cs-query-combined-firewall-policy-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Firewall Policy to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesPolicyMembersRespV1.errors.code | Number | |
| CrowdStrike.responsesPolicyMembersRespV1.errors.id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.errors.message | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_load_flags | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_local_time | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.bios_manufacturer | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.bios_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.build_number | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.cid | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_base | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_build | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_platform | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.cpu_signature | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.detection_suppression_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.device_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.email | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.external_ip | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_login_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_login_user | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_seen | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.group_hash | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.host_hidden_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.hostname | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.instance_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_login_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_login_user | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_seen | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.local_ip | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.mac_address | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.machine_domain | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.major_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.minor_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.modified_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.os_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.platform_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.platform_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_host_ip4 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_host_ip6 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_hostname | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_ip4 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_ip6 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_namespace | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_service_account_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pointer_size | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.applied | Boolean | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.applied_date | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.assigned_date | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.policy_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.policy_type | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.rule_set_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.settings_hash | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.uninstall_protection | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.product_type | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.product_type_desc | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.provision_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.reduced_functionality_mode | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.release_group | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.serial_number | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_pack_major | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_pack_minor | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_provider | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_provider_account_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.site_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.slow_changing_modified_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.system_manufacturer | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.system_product_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.zone_group | String | |

cs-query-combined-group-members#


Search for members of a Host Group in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

Base Command#

cs-query-combined-group-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Host Group to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesHostGroupMembersV1.errors.code | Number | |
| CrowdStrike.responsesHostGroupMembersV1.errors.id | String | |
| CrowdStrike.responsesHostGroupMembersV1.errors.message | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.agent_load_flags | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.agent_local_time | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.agent_version | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.bios_manufacturer | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.bios_version | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.build_number | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.cid | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.config_id_base | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.config_id_build | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.config_id_platform | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.detection_suppression_status | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.device_id | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.email | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.external_ip | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.first_login_timestamp | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.first_login_user | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.first_seen | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.group_hash | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.host_hidden_status | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.hostname | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.instance_id | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.last_login_timestamp | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.last_login_user | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.last_seen | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.local_ip | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.mac_address | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.machine_domain | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.major_version | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.minor_version | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.modified_timestamp | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.os_version | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.platform_id | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.platform_name | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.pointer_size | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.policies.applied | Boolean | |
| CrowdStrike.responsesHostGroupMembersV1.resources.policies.applied_date | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.policies.assigned_date | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.policies.policy_id | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.policies.policy_type | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.policies.rule_set_id | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.policies.settings_hash | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.policies.uninstall_protection | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.product_type | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.product_type_desc | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.provision_status | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.release_group | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.service_pack_major | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.service_pack_minor | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.service_provider | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.service_provider_account_id | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.site_name | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.slow_changing_modified_timestamp | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.status | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.system_manufacturer | String | |
| CrowdStrike.responsesHostGroupMembersV1.resources.system_product_name | String | |

cs-query-combined-host-groups#


Search for Host Groups in your environment by providing an FQL filter and paging details. Returns a set of Host Groups which match the filter criteria.

Base Command#

cs-query-combined-host-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, group_type.asc, group_type.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesHostGroupsV1.errors.code | Number | |
| CrowdStrike.responsesHostGroupsV1.errors.id | String | |
| CrowdStrike.responsesHostGroupsV1.errors.message | String | |
| CrowdStrike.responsesHostGroupsV1.resources.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesHostGroupsV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesHostGroupsV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesHostGroupsV1.resources.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesHostGroupsV1.resources.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesHostGroupsV1.resources.id | String | The identifier of this host group. |
| CrowdStrike.responsesHostGroupsV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesHostGroupsV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesHostGroupsV1.resources.name | String | The name of the group. |

cs-query-combined-prevention-policies#


Search for Prevention Policies in your environment by providing an FQL filter and paging details. Returns a set of Prevention Policies which match the filter criteria.

Base Command#

cs-query-combined-prevention-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesPreventionPoliciesV1.errors.code | Number | |
| CrowdStrike.responsesPreventionPoliciesV1.errors.id | String | |
| CrowdStrike.responsesPreventionPoliciesV1.errors.message | String | |
| CrowdStrike.responsesPreventionPoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.platform_name | String | The name of the platform. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.name | String | The name of the category. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.description | String | The human readable description of the setting. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.id | String | The id of the setting. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.name | String | The name of the setting. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.type | String | The type of the setting which can be used as a hint when displaying in the UI. |

cs-query-combined-prevention-policy-members#


Search for members of a Prevention Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

Base Command#

cs-query-combined-prevention-policy-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Prevention Policy to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesPolicyMembersRespV1.errors.code | Number | |
| CrowdStrike.responsesPolicyMembersRespV1.errors.id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.errors.message | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_load_flags | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_local_time | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.bios_manufacturer | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.bios_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.build_number | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.cid | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_base | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_build | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_platform | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.cpu_signature | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.detection_suppression_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.device_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.email | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.external_ip | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_login_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_login_user | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_seen | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.group_hash | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.host_hidden_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.hostname | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.instance_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_login_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_login_user | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_seen | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.local_ip | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.mac_address | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.machine_domain | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.major_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.minor_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.modified_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.os_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.platform_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.platform_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_host_ip4 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_host_ip6 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_hostname | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_ip4 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_ip6 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_namespace | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_service_account_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pointer_size | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.applied | Boolean | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.applied_date | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.assigned_date | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.policy_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.policy_type | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.rule_set_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.settings_hash | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.uninstall_protection | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.product_type | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.product_type_desc | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.provision_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.reduced_functionality_mode | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.release_group | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.serial_number | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_pack_major | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_pack_minor | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_provider | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_provider_account_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.site_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.slow_changing_modified_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.system_manufacturer | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.system_product_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.zone_group | String | |

cs-query-combined-sensor-update-builds#


Retrieve available builds for use with Sensor Update Policies.

Base Command#

cs-query-combined-sensor-update-builds

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| platform | The platform to return builds for. Possible values are: linux, mac, windows. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesSensorUpdateBuildsV1.errors.code | Number | |
| CrowdStrike.responsesSensorUpdateBuildsV1.errors.id | String | |
| CrowdStrike.responsesSensorUpdateBuildsV1.errors.message | String | |
| CrowdStrike.responsesSensorUpdateBuildsV1.resources.build | String | |
| CrowdStrike.responsesSensorUpdateBuildsV1.resources.platform | String | |

cs-query-combined-sensor-update-policies#


Search for Sensor Update Policies in your environment by providing an FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.

Base Command#

cs-query-combined-sensor-update-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesSensorUpdatePoliciesV1.errors.code | Number | |
| CrowdStrike.responsesSensorUpdatePoliciesV1.errors.id | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV1.errors.message | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.platform_name | String | The name of the platform. |

cs-query-combined-sensor-update-policiesv2#


Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing an FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.

Base Command#

cs-query-combined-sensor-update-policiesv2

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesSensorUpdatePoliciesV2.errors.code | Number | |
| CrowdStrike.responsesSensorUpdatePoliciesV2.errors.id | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV2.errors.message | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.platform_name | String | The name of the platform. |

cs-query-combined-sensor-update-policy-members#


Search for members of a Sensor Update Policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

Base Command#

cs-query-combined-sensor-update-policy-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Sensor Update Policy to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesPolicyMembersRespV1.errors.code | Number | |
| CrowdStrike.responsesPolicyMembersRespV1.errors.id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.errors.message | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_load_flags | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_local_time | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.bios_manufacturer | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.bios_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.build_number | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.cid | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_base | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_build | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_platform | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.cpu_signature | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.detection_suppression_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.device_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.email | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.external_ip | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_login_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_login_user | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_seen | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.group_hash | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.host_hidden_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.hostname | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.instance_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_login_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_login_user | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_seen | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.local_ip | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.mac_address | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.machine_domain | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.major_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.minor_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.modified_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.os_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.platform_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.platform_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_host_ip4 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_host_ip6 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_hostname | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_ip4 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_ip6 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_namespace | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_service_account_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pointer_size | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.applied | Boolean | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.applied_date | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.assigned_date | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.policy_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.policy_type | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.rule_set_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.settings_hash | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.uninstall_protection | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.product_type | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.product_type_desc | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.provision_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.reduced_functionality_mode | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.release_group | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.serial_number | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_pack_major | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_pack_minor | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_provider | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_provider_account_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.site_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.slow_changing_modified_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.system_manufacturer | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.system_product_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.zone_group | String | |

cs-query-combinedrt-response-policies#


Search for Response Policies in your environment by providing an FQL filter and paging details. Returns a set of Response Policies which match the filter criteria.

Base Command#

cs-query-combinedrt-response-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesRTResponsePoliciesV1.errors.code | Number | |
| CrowdStrike.responsesRTResponsePoliciesV1.errors.id | String | |
| CrowdStrike.responsesRTResponsePoliciesV1.errors.message | String | |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.platform_name | String | The name of the platform. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.name | String | The name of the category. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.description | String | The human readable description of the setting. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.id | String | The id of the setting. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.name | String | The name of the setting. |
| CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.type | String | The type of the setting which can be used as a hint when displaying in the UI. |

cs-query-combinedrt-response-policy-members#


Search for members of a Response policy in your environment by providing an FQL filter and paging details. Returns a set of host details which match the filter criteria.

Base Command#

cs-query-combinedrt-response-policy-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Response policy to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesPolicyMembersRespV1.errors.code | Number | |
| CrowdStrike.responsesPolicyMembersRespV1.errors.id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.errors.message | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_load_flags | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_local_time | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.agent_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.bios_manufacturer | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.bios_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.build_number | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.cid | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_base | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_build | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.config_id_platform | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.cpu_signature | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.detection_suppression_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.device_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.email | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.external_ip | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_login_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_login_user | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.first_seen | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.group_hash | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.host_hidden_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.hostname | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.instance_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_login_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_login_user | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.last_seen | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.local_ip | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.mac_address | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.machine_domain | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.major_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.minor_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.modified_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.os_version | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.platform_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.platform_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_host_ip4 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_host_ip6 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_hostname | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_ip4 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_ip6 | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_namespace | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pod_service_account_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.pointer_size | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.applied | Boolean | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.applied_date | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.assigned_date | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.policy_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.policy_type | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.rule_set_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.settings_hash | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.policies.uninstall_protection | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.product_type | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.product_type_desc | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.provision_status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.reduced_functionality_mode | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.release_group | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.serial_number | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_pack_major | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_pack_minor | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_provider | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.service_provider_account_id | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.site_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.slow_changing_modified_timestamp | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.status | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.system_manufacturer | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.system_product_name | String | |
| CrowdStrike.responsesPolicyMembersRespV1.resources.zone_group | String | |

cs-query-detection-ids-by-filter#


Retrieve detection IDs that match the provided FQL filter criteria, with scrolling enabled.

Base Command#

cs-query-detection-ids-by-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". | Optional |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-detects#


Search for detection IDs that match a given query.

Base Command#

cs-query-detects

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | The first detection to return, where 0 is the latest detection. Use with the limit parameter to manage pagination of results. | Optional |
| limit | The maximum number of detections to return in this response (default: 9999; max: 9999). Use with the offset parameter to manage pagination of results. | Optional |
| sort | Sort detections using these options: - first_behavior: Timestamp of the first behavior associated with this detection - last_behavior: Timestamp of the last behavior associated with this detection - max_severity: Highest severity of the behaviors associated with this detection - max_confidence: Highest confidence of the behaviors associated with this detection - adversary_id: ID of the adversary associated with this detection, if any - devices.hostname: Hostname of the host where this detection was detected. Sort either asc (ascending) or desc (descending). For example: last_behavior\|asc. | Optional |
| filter_ | Filter detections using a query in Falcon Query Language (FQL). An asterisk wildcard includes all results. Common filter options include: - status - device.device_id - max_severity. The full list of valid filter options is extensive. Review it in our documentation inside the Falcon console. | Optional |
| q | Search all detection metadata for the provided string. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-device-control-policies#


Search for Device Control Policies in your environment by providing an FQL filter and paging details. Returns a set of Device Control Policy IDs which match the filter criteria.

Base Command#

cs-query-device-control-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-device-control-policy-members#


Search for members of a Device Control Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

Base Command#

cs-query-device-control-policy-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Device Control Policy to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-devices-by-filter#


Search for hosts in your environment by platform, hostname, IP, and other criteria.

Base Command#

cs-query-devices-by-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by (e.g. status.desc or hostname.asc). | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-devices-by-filter-scroll#


Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit).

Base Command#

cs-query-devices-by-filter-scroll

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | The offset to page from, for the next result set. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by (e.g. status.desc or hostname.asc). | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainDeviceResponse.errors.code | Number | |
| CrowdStrike.domainDeviceResponse.errors.id | String | |
| CrowdStrike.domainDeviceResponse.errors.message | String | |

cs-query-escalations-filter#


Retrieve escalation tickets that match the provided filter criteria with scrolling enabled.

Base Command#

cs-query-escalations-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". | Optional |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-firewall-policies#


Search for Firewall Policies in your environment by providing an FQL filter and paging details. Returns a set of Firewall Policy IDs which match the filter criteria.

Base Command#

cs-query-firewall-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-firewall-policy-members#


Search for members of a Firewall Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

Base Command#

cs-query-firewall-policy-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Firewall Policy to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-group-members#


Search for members of a Host Group in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

Base Command#

cs-query-group-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Host Group to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-hidden-devices#


Retrieve hidden hosts that match the provided filter criteria.

Base Command#

cs-query-hidden-devices

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by (e.g. status.desc or hostname.asc). | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-host-groups#


Search for Host Groups in your environment by providing an FQL filter and paging details. Returns a set of Host Group IDs which match the filter criteria.

Base Command#

cs-query-host-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, group_type.asc, group_type.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-incident-ids-by-filter#


Retrieve incidents that match the provided filter criteria with scrolling enabled.

Base Command#

cs-query-incident-ids-by-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". | Optional |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-incidents#


Search for incidents by providing an FQL filter, sorting, and paging details.

Base Command#

cs-query-incidents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sort | The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". Possible values are: assigned_to.asc, assigned_to.desc, assigned_to_name.asc, assigned_to_name.desc, end.asc, end.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, sort_score.asc, sort_score.desc, start.asc, start.desc, state.asc, state.desc, status.asc, status.desc. | Optional |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | The maximum records to return. [1-500]. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiMsaIncidentQueryResponse.errors.code | Number | |
| CrowdStrike.apiMsaIncidentQueryResponse.errors.id | String | |
| CrowdStrike.apiMsaIncidentQueryResponse.errors.message | String | |

cs-query-intel-actor-entities#


Get info about actors that match provided FQL filters.

Base Command#

cs-query-intel-actor-entities

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Set the starting row number to return actors from. Defaults to 0. | Optional |
| limit | Set the number of actors to return. The value must be between 1 and 5000. | Optional |
| sort | Order fields in ascending or descending order. Ex: created_date\|asc. | Optional |
| filter_ | Filter your query by specifying FQL filter parameters. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url. | Optional |
| q | Perform a generic substring search across all fields. | Optional |
| fields | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __collection__. Ex: slug __full__. Defaults to __basic__. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainActorsResponse.errors.code | Number | |
| CrowdStrike.domainActorsResponse.errors.id | String | |
| CrowdStrike.domainActorsResponse.errors.message | String | |
| CrowdStrike.domainActorsResponse.resources.active | Boolean | |
| CrowdStrike.domainActorsResponse.resources.actor_type | String | |
| CrowdStrike.domainActorsResponse.resources.created_date | Number | |
| CrowdStrike.domainActorsResponse.resources.description | String | |
| CrowdStrike.domainActorsResponse.resources.entitlements.id | Number | |
| CrowdStrike.domainActorsResponse.resources.entitlements.name | String | |
| CrowdStrike.domainActorsResponse.resources.entitlements.slug | String | |
| CrowdStrike.domainActorsResponse.resources.entitlements.value | String | |
| CrowdStrike.domainActorsResponse.resources.first_activity_date | Number | |
| CrowdStrike.domainActorsResponse.resources.id | Number | |
| CrowdStrike.domainActorsResponse.resources.known_as | String | |
| CrowdStrike.domainActorsResponse.resources.last_activity_date | Number | |
| CrowdStrike.domainActorsResponse.resources.last_modified_date | Number | |
| CrowdStrike.domainActorsResponse.resources.motivations.id | Number | |
| CrowdStrike.domainActorsResponse.resources.motivations.name | String | |
| CrowdStrike.domainActorsResponse.resources.motivations.slug | String | |
| CrowdStrike.domainActorsResponse.resources.motivations.value | String | |
| CrowdStrike.domainActorsResponse.resources.name | String | |
| CrowdStrike.domainActorsResponse.resources.notify_users | Boolean | |
| CrowdStrike.domainActorsResponse.resources.origins.id | Number | |
| CrowdStrike.domainActorsResponse.resources.origins.name | String | |
| CrowdStrike.domainActorsResponse.resources.origins.slug | String | |
| CrowdStrike.domainActorsResponse.resources.origins.value | String | |
| CrowdStrike.domainActorsResponse.resources.rich_text_description | String | |
| CrowdStrike.domainActorsResponse.resources.short_description | String | |
| CrowdStrike.domainActorsResponse.resources.slug | String | |
| CrowdStrike.domainActorsResponse.resources.target_countries.id | Number | |
| CrowdStrike.domainActorsResponse.resources.target_countries.name | String | |
| CrowdStrike.domainActorsResponse.resources.target_countries.slug | String | |
| CrowdStrike.domainActorsResponse.resources.target_countries.value | String | |
| CrowdStrike.domainActorsResponse.resources.target_industries.id | Number | |
| CrowdStrike.domainActorsResponse.resources.target_industries.name | String | |
| CrowdStrike.domainActorsResponse.resources.target_industries.slug | String | |
| CrowdStrike.domainActorsResponse.resources.target_industries.value | String | |
| CrowdStrike.domainActorsResponse.resources.url | String | |

cs-query-intel-actor-ids#


Get actor IDs that match provided FQL filters.

Base Command#

cs-query-intel-actor-ids

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Set the starting row number to return actor IDs from. Defaults to 0. | Optional |
| limit | Set the number of actor IDs to return. The value must be between 1 and 5000. | Optional |
| sort | Order fields in ascending or descending order. Ex: created_date\|asc. | Optional |
| filter_ | Filter your query by specifying FQL filter parameters. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url. | Optional |
| q | Perform a generic substring search across all fields. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-intel-indicator-entities#


Get info about indicators that match provided FQL filters.

Base Command#

cs-query-intel-indicator-entities

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Set the starting row number to return indicators from. Defaults to 0. | Optional |
| limit | Set the number of indicators to return. The number must be between 1 and 50000. | Optional |
| sort | Order fields in ascending or descending order. Ex: published_date\|asc. | Optional |
| filter_ | Filter your query by specifying FQL filter parameters. Filter parameters include: _marker, actors, deleted, domain_types, id, indicator, ip_address_types, kill_chains, labels, labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, malware_families, published_date, reports, targets, threat_types, type, vulnerabilities. | Optional |
| q | Perform a generic substring search across all fields. | Optional |
| include_deleted | If true, include both published and deleted indicators in the response. Defaults to false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainPublicIndicatorsV3Response.errors.code | Number | |
| CrowdStrike.domainPublicIndicatorsV3Response.errors.id | String | |
| CrowdStrike.domainPublicIndicatorsV3Response.errors.message | String | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources._marker | String | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.deleted | Boolean | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.id | String | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.indicator | String | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.labels.created_on | Number | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.labels.last_valid_on | Number | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.labels.name | String | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.last_updated | Number | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.malicious_confidence | String | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.published_date | Number | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.relations.created_date | Number | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.relations.id | String | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.relations.indicator | String | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.relations.last_valid_date | Number | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.relations.type | String | |
| CrowdStrike.domainPublicIndicatorsV3Response.resources.type | String | |

cs-query-intel-indicator-ids#


Get indicator IDs that match provided FQL filters.

Base Command#

cs-query-intel-indicator-ids

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Set the starting row number to return indicator IDs from. Defaults to 0. | Optional |
| limit | Set the number of indicator IDs to return. The number must be between 1 and 50000. | Optional |
| sort | Order fields in ascending or descending order. Ex: published_date\|asc. | Optional |
| filter_ | Filter your query by specifying FQL filter parameters. Filter parameters include: _marker, actors, deleted, domain_types, id, indicator, ip_address_types, kill_chains, labels, labels.created_on, labels.last_valid_on, labels.name, last_updated, malicious_confidence, malware_families, published_date, reports, targets, threat_types, type, vulnerabilities. | Optional |
| q | Perform a generic substring search across all fields. | Optional |
| include_deleted | If true, include both published and deleted indicators in the response. Defaults to false. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-intel-report-entities#


Get info about reports that match provided FQL filters.

Base Command#

cs-query-intel-report-entities

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Set the starting row number to return reports from. Defaults to 0. | Optional |
| limit | Set the number of reports to return. The value must be between 1 and 5000. | Optional |
| sort | Order fields in ascending or descending order. Ex: created_date\|asc. | Optional |
| filter_ | Filter your query by specifying FQL filter parameters. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url. | Optional |
| q | Perform a generic substring search across all fields. | Optional |
| fields | The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores like: __collection__. Ex: slug __full__. Defaults to __basic__. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainNewsResponse.errors.code | Number | |
| CrowdStrike.domainNewsResponse.errors.id | String | |
| CrowdStrike.domainNewsResponse.errors.message | String | |
| CrowdStrike.domainNewsResponse.resources.active | Boolean | |
| CrowdStrike.domainNewsResponse.resources.actors.id | Number | |
| CrowdStrike.domainNewsResponse.resources.actors.name | String | |
| CrowdStrike.domainNewsResponse.resources.actors.slug | String | |
| CrowdStrike.domainNewsResponse.resources.actors.url | String | |
| CrowdStrike.domainNewsResponse.resources.attachments.id | Number | |
| CrowdStrike.domainNewsResponse.resources.attachments.url | String | |
| CrowdStrike.domainNewsResponse.resources.created_date | Number | |
| CrowdStrike.domainNewsResponse.resources.description | String | |
| CrowdStrike.domainNewsResponse.resources.entitlements.id | Number | |
| CrowdStrike.domainNewsResponse.resources.entitlements.name | String | |
| CrowdStrike.domainNewsResponse.resources.entitlements.slug | String | |
| CrowdStrike.domainNewsResponse.resources.entitlements.value | String | |
| CrowdStrike.domainNewsResponse.resources.id | Number | |
| CrowdStrike.domainNewsResponse.resources.last_modified_date | Number | |
| CrowdStrike.domainNewsResponse.resources.motivations.id | Number | |
| CrowdStrike.domainNewsResponse.resources.motivations.name | String | |
| CrowdStrike.domainNewsResponse.resources.motivations.slug | String | |
| CrowdStrike.domainNewsResponse.resources.motivations.value | String | |
| CrowdStrike.domainNewsResponse.resources.name | String | |
| CrowdStrike.domainNewsResponse.resources.notify_users | Boolean | |
| CrowdStrike.domainNewsResponse.resources.rich_text_description | String | |
| CrowdStrike.domainNewsResponse.resources.short_description | String | |
| CrowdStrike.domainNewsResponse.resources.slug | String | |
| CrowdStrike.domainNewsResponse.resources.tags.id | Number | |
| CrowdStrike.domainNewsResponse.resources.tags.name | String | |
| CrowdStrike.domainNewsResponse.resources.tags.slug | String | |
| CrowdStrike.domainNewsResponse.resources.tags.value | String | |
| CrowdStrike.domainNewsResponse.resources.target_countries.id | Number | |
| CrowdStrike.domainNewsResponse.resources.target_countries.name | String | |
| CrowdStrike.domainNewsResponse.resources.target_countries.slug | String | |
| CrowdStrike.domainNewsResponse.resources.target_countries.value | String | |
| CrowdStrike.domainNewsResponse.resources.target_industries.id | Number | |
| CrowdStrike.domainNewsResponse.resources.target_industries.name | String | |
| CrowdStrike.domainNewsResponse.resources.target_industries.slug | String | |
| CrowdStrike.domainNewsResponse.resources.target_industries.value | String | |
| CrowdStrike.domainNewsResponse.resources.url | String | |

cs-query-intel-report-ids#


Get report IDs that match provided FQL filters.

Base Command#

cs-query-intel-report-ids

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Set the starting row number to return report IDs from. Defaults to 0. | Optional |
| limit | Set the number of report IDs to return. The value must be between 1 and 5000. | Optional |
| sort | Order fields in ascending or descending order. Ex: created_date\|asc. | Optional |
| filter_ | Filter your query by specifying FQL filter parameters. Filter parameters include: actors, actors.id, actors.name, actors.slug, actors.url, created_date, description, id, last_modified_date, motivations, motivations.id, motivations.slug, motivations.value, name, name.raw, short_description, slug, sub_type, sub_type.id, sub_type.name, sub_type.slug, tags, tags.id, tags.slug, tags.value, target_countries, target_countries.id, target_countries.slug, target_countries.value, target_industries, target_industries.id, target_industries.slug, target_industries.value, type, type.id, type.name, type.slug, url. | Optional |
| q | Perform a generic substring search across all fields. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-intel-rule-ids#


Search for rule IDs that match provided filter criteria.

Base Command#

cs-query-intel-rule-ids

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Set the starting row number to return reports from. Defaults to 0. | Optional |
| limit | The number of rule IDs to return. Defaults to 10. | Optional |
| sort | Order fields in ascending or descending order. Ex: created_date\|asc. | Optional |
| name | Search by rule title. | Optional |
| type_ | The rule news report type. Accepted values: snort-suricata-master, snort-suricata-update, snort-suricata-changelog, yara-master, yara-update, yara-changelog, common-event-format, netwitness. | Required |
| description | Substring match on description field. | Optional |
| tags | Search for rule tags. | Optional |
| min_created_date | Filter results to those created on or after a certain date. | Optional |
| max_created_date | Filter results to those created on or before a certain date. | Optional |
| q | Perform a generic substring search across all fields. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-notificationsv1#


Query notifications based on provided criteria. Use the IDs from this response to get the notification entities on GET /entities/notifications/v1 or GET /entities/notifications-detailed/v1.

Base Command#

cs-query-notificationsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |
| sort | Possible order by fields: created_date, updated_date. Ex: 'updated_date\|desc'. | Optional |
| filter_ | FQL query to filter notifications by. Possible filter properties are: [id cid user_uuid status rule_id rule_name rule_topic rule_priority item_type created_date updated_date]. | Optional |
| q | Free text search across all indexed fields. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainQueryResponse.errors.code | Number | |
| CrowdStrike.domainQueryResponse.errors.details.field | String | |
| CrowdStrike.domainQueryResponse.errors.details.message | String | |
| CrowdStrike.domainQueryResponse.errors.details.message_key | String | |
| CrowdStrike.domainQueryResponse.errors.id | String | |
| CrowdStrike.domainQueryResponse.errors.message | String | |
| CrowdStrike.domainQueryResponse.errors.message_key | String | |

cs-query-prevention-policies#


Search for Prevention Policies in your environment by providing an FQL filter and paging details. Returns a set of Prevention Policy IDs which match the filter criteria.

Base Command#

cs-query-prevention-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-prevention-policy-members#


Search for members of a Prevention Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

Base Command#

cs-query-prevention-policy-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Prevention Policy to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-remediations-filter#


Retrieve remediation tickets that match the provided filter criteria with scrolling enabled.

Base Command#

cs-query-remediations-filter

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The property to sort on, followed by a dot (.), followed by the sort direction, either "asc" or "desc". | Optional |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-reports#


Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria.

Base Command#

cs-query-reports

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | The offset to start retrieving reports from. | Optional |
| limit | Maximum number of report IDs to return. Max: 5000. | Optional |
| sort | Sort order: asc or desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-roles#


Query MSSP Role assignment. At least one of CID Group ID or User Group ID should also be provided. Role ID is optional.

Base Command#

cs-query-roles

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| user_group_id | User Group ID to fetch MSSP role for. | Optional |
| cid_group_id | CID Group ID to fetch MSSP role for. | Optional |
| role_id | Role ID to fetch MSSP role for. | Optional |
| sort | The sort expression used to sort the results. Possible values are: last_modified_timestamp. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-rulesv1#


Query monitoring rules based on provided criteria. Use the IDs from this response to fetch the rules on /entities/rules/v1.

Base Command#

cs-query-rulesv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| X_CS_USERUUID | User UUID. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |
| sort | Possible order by fields: created_timestamp, last_updated_timestamp. Ex: 'last_updated_timestamp\|desc'. | Optional |
| filter_ | FQL query to filter rules by. Possible filter properties are: [id cid user_uuid topic priority permissions filter status created_timestamp last_updated_timestamp]. | Optional |
| q | Free text search across all indexed fields. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainRuleQueryResponseV1.errors.code | Number | |
| CrowdStrike.domainRuleQueryResponseV1.errors.details.field | String | |
| CrowdStrike.domainRuleQueryResponseV1.errors.details.message | String | |
| CrowdStrike.domainRuleQueryResponseV1.errors.details.message_key | String | |
| CrowdStrike.domainRuleQueryResponseV1.errors.id | String | |
| CrowdStrike.domainRuleQueryResponseV1.errors.message | String | |
| CrowdStrike.domainRuleQueryResponseV1.errors.message_key | String | |

cs-query-samplev1#


Retrieves a list of SHA256 hashes for samples that exist and that the customer has rights to access. The maximum number of accepted items is 200.

Base Command#

cs-query-samplev1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| X_CS_USERUUID | User UUID. | Optional |
| samplestore_querysamplesrequest_sha256s | | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-sensor-update-policies#


Search for Sensor Update Policies in your environment by providing an FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria.

Base Command#

cs-query-sensor-update-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-sensor-update-policy-members#


Search for members of a Sensor Update Policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

Base Command#

cs-query-sensor-update-policy-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Sensor Update Policy to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-sensor-visibility-exclusionsv1#


Search for sensor visibility exclusions.

Base Command#

cs-query-sensor-visibility-exclusionsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The sort expression that should be used to sort the results. Possible values are: applied_globally.asc, applied_globally.desc, created_by.asc, created_by.desc, created_on.asc, created_on.desc, last_modified.asc, last_modified.desc, modified_by.asc, modified_by.desc, value.asc, value.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-submissions#


Find submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria.

Base Command#

cs-query-submissions

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | The offset to start retrieving submissions from. | Optional |
| limit | Maximum number of submission IDs to return. Max: 5000. | Optional |
| sort | Sort order: asc or desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-submissions-mixin0#


Find IDs for submitted scans by providing an FQL filter and paging details. Returns a set of volume IDs that match your criteria.

Base Command#

cs-query-submissions-mixin0

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | Optional filter and sort criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | The offset to start retrieving submissions from. | Optional |
| limit | Maximum number of volume IDs to return. Max: 5000. | Optional |
| sort | Sort order: asc or desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.mlscannerQueryResponse.errors.code | Number | |
| CrowdStrike.mlscannerQueryResponse.errors.id | String | |
| CrowdStrike.mlscannerQueryResponse.errors.message | String | |

cs-query-user-group-members#


Query User Group member by User UUID.

Base Command#

cs-query-user-group-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| user_uuid | User UUID to lookup associated user group ID. | Required |
| sort | The sort expression used to sort the results. Possible values are: last_modified_timestamp. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-user-groups#


Query User Groups.

Base Command#

cs-query-user-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name to lookup groups for. | Optional |
| sort | The sort expression used to sort the results. Possible values are: last_modified_timestamp, name. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-query-vulnerabilities#


Search for Vulnerabilities in your environment by providing an FQL filter and paging details. Returns a set of Vulnerability IDs which match the filter criteria.

Base Command#

cs-query-vulnerabilities

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| after | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. | Optional |
| limit | The number of items to return in this response (default: 100, max: 400). Use with the after parameter to manage pagination of results. | Optional |
| sort | Sort vulnerabilities by their properties. Common sort options include: created_timestamp\|desc, closed_timestamp\|asc. | Optional |
| filter_ | Filter items using a query in Falcon Query Language (FQL). Wildcards are unsupported. Common filter options include: created_timestamp: '2019-11-25T22:36:12Z', closed_timestamp: '2019-11-25T22:36:12Z', aid:'8e7656b27d8c49a34a1af416424d6231'. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainSPAPIQueryVulnerabilitiesResponse.errors.code | Number | |
| CrowdStrike.domainSPAPIQueryVulnerabilitiesResponse.errors.id | String | |
| CrowdStrike.domainSPAPIQueryVulnerabilitiesResponse.errors.message | String | |
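
The `after`-token pagination described for cs-query-vulnerabilities, as an added example that is not part of the integration's own code. `fetch_page` is a hypothetical adapter you would write around the command; its `(ids, next_after)` return shape, the helper names and the in-memory backend are assumptions constructed for illustration, while the limits (default 100, max 400), the required filter and the no-wildcard rule come from the argument table above.

```python
from typing import Callable, List, Optional, Tuple

DEFAULT_LIMIT = 100  # argument table: "default: 100"
MAX_LIMIT = 400      # argument table: "max: 400"

# Hypothetical adapter: (filter_, limit, after) -> (ids, next_after).
# next_after is None (or empty) when the result set is exhausted.
FetchPage = Callable[[str, int, Optional[str]], Tuple[List[str], Optional[str]]]


def check_filter(filter_: str) -> str:
    """filter_ is Required and wildcards are unsupported for this command."""
    if not filter_ or not filter_.strip():
        raise ValueError("filter_ is required for cs-query-vulnerabilities")
    if "*" in filter_:
        raise ValueError("wildcards are unsupported in filter_")
    return filter_.strip()


def check_limit(limit: Optional[int]) -> int:
    """Reject out-of-range limits locally instead of relying on an API error."""
    if limit is None:
        return DEFAULT_LIMIT
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}, got {limit}")
    return limit


def collect_vulnerability_ids(fetch_page: FetchPage, filter_: str,
                              limit: Optional[int] = None,
                              max_pages: int = 50) -> List[str]:
    """Walk every page, sending no token first and the previous token afterwards."""
    filter_ = check_filter(filter_)
    limit = check_limit(limit)
    ids: List[str] = []
    seen_tokens = set()
    after: Optional[str] = None  # first request: no after token
    for _ in range(max_pages):
        page_ids, next_after = fetch_page(filter_, limit, after)
        ids.extend(page_ids)
        if not next_after:
            return ids  # no token returned: nothing left to fetch
        if next_after in seen_tokens:
            # A repeated token would make the loop fetch the same page forever.
            raise RuntimeError("pagination token repeated; aborting")
        seen_tokens.add(next_after)
        after = next_after
    # Fail loudly rather than return a silently truncated ID list.
    raise RuntimeError("max_pages reached before the result set was exhausted")


def make_fake_backend(all_ids: List[str]):
    """Constructed in-memory stand-in for the command; the token is an index."""
    calls = []

    def fetch_page(filter_: str, limit: int, after: Optional[str]):
        calls.append((limit, after))
        start = int(after) if after else 0
        chunk = all_ids[start:start + limit]
        end = start + len(chunk)
        return chunk, (str(end) if end < len(all_ids) else None)

    return fetch_page, calls


if __name__ == "__main__":
    backend, calls = make_fake_backend([f"id-{i}" for i in range(950)])
    found = collect_vulnerability_ids(
        backend, "aid:'8e7656b27d8c49a34a1af416424d6231'", limit=400)
    print(len(found), calls)
```

Raising on `max_pages` instead of returning what was collected keeps a playbook from treating a truncated vulnerability list as complete.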

cs-queryaws-accounts#


Search for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS accounts which match the filter criteria.

Base Command#

cs-queryaws-accounts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum records to return. [1-500]. Defaults to 100. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| sort | The property to sort by (e.g. alias.desc or state.asc). | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.modelsAWSAccountsV1.errors.code | Number | |
| CrowdStrike.modelsAWSAccountsV1.errors.id | String | |
| CrowdStrike.modelsAWSAccountsV1.errors.message | String | |
| CrowdStrike.modelsAWSAccountsV1.resources.alias | String | Alias/Name associated with the account. This is only updated once the account is in a registered state. |
| CrowdStrike.modelsAWSAccountsV1.resources.cid | String | |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudformation_stack_id | String | Unique identifier for the CloudFormation stack ID used for provisioning. |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudformation_url | String | URL of the CloudFormation template to execute. This is returned when mode is set to 'cloudformation' when provisioning. |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudtrail_bucket_owner_id | String | The 12-digit AWS account which is hosting the S3 bucket containing CloudTrail logs for this account. If this field is set, it takes precedence over the settings-level field. |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudtrail_bucket_region | String | Region where the S3 bucket containing CloudTrail logs resides. This is only set if using CloudFormation to provision and create the trail. |
| CrowdStrike.modelsAWSAccountsV1.resources.created_timestamp | String | Timestamp of when the account was first provisioned within CrowdStrike's system. |
| CrowdStrike.modelsAWSAccountsV1.resources.external_id | String | ID assigned for use with cross-account IAM role access. |
| CrowdStrike.modelsAWSAccountsV1.resources.iam_role_arn | String | The full ARN of the IAM role created in this account to control access. |
| CrowdStrike.modelsAWSAccountsV1.resources.id | String | 12-digit AWS-provided unique identifier for the account. |
| CrowdStrike.modelsAWSAccountsV1.resources.last_modified_timestamp | String | Timestamp of when the account was last modified. |
| CrowdStrike.modelsAWSAccountsV1.resources.last_scanned_timestamp | String | Timestamp of when the account was scanned. |
| CrowdStrike.modelsAWSAccountsV1.resources.policy_version | String | Current version of permissions associated with IAM role and granted access. |
| CrowdStrike.modelsAWSAccountsV1.resources.provisioning_state | String | Provisioning state of the account. Values can be: initiated, registered, unregistered. |
| CrowdStrike.modelsAWSAccountsV1.resources.rate_limit_reqs | Number | Rate limiting setting to control the maximum number of requests that can be made within the rate_limit_time duration. |
| CrowdStrike.modelsAWSAccountsV1.resources.rate_limit_time | Number | Rate limiting setting to control the number of seconds for which rate_limit_reqs applies. |
| CrowdStrike.modelsAWSAccountsV1.resources.template_version | String | Current version of CloudFormation template used to manage access. |

cs-queryaws-accounts-fori-ds#


Search for provisioned AWS Accounts by providing an FQL filter and paging details. Returns a set of AWS account IDs which match the filter criteria.

Base Command#

cs-queryaws-accounts-fori-ds

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum records to return. [1-500]. Defaults to 100. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| sort | The property to sort by (e.g. alias.desc or state.asc). | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-querycid-group-members#


Query a CID Group's members by associated CID.

Base Command#

cs-querycid-group-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cid | CID to lookup associated CID group ID. | Required |
| sort | The sort expression used to sort the results. Possible values are: last_modified_timestamp. | Optional |
| offset | Starting index of overall result set from which to return id. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-querycid-groups#


Query CID Groups.

Base Command#

cs-querycid-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name to lookup groups for. | Optional |
| sort | The sort expression used to sort the results. Possible values are: last_modified_timestamp, name. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-queryevents#


Find all event IDs matching the query with filter.

Base Command#

cs-queryevents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sort | Possible order by fields:. | Optional |
| filter_ | FQL query specifying the filter parameters. Filter term criteria: enabled, platform, name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. | Optional |
| q | Match query criteria, which includes all the filter string fields, plus TODO. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| after | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiQueryResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiQueryResponse.errors.id | String | |
| CrowdStrike.fwmgrapiQueryResponse.errors.message | String | |

cs-queryfirewallfields#


Get the firewall field specification IDs for the provided platform.

Base Command#

cs-queryfirewallfields

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| platform_id | Get fields configuration for this platform. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrmsaQueryResponse.errors.code | Number | |
| CrowdStrike.fwmgrmsaQueryResponse.errors.id | String | |
| CrowdStrike.fwmgrmsaQueryResponse.errors.message | String | |

cs-queryio-cs#


DEPRECATED: Use the new IOC Management endpoint (GET /iocs/queries/indicators/v1). Search the custom IOCs in your customer account.

Base Command#

cs-queryio-cs

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| types | The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address. | Optional |
| values | The string representation of the indicator. | Optional |
| from_expiration_timestamp | Find custom IOCs created after this time (RFC-3339 timestamp). | Optional |
| to_expiration_timestamp | Find custom IOCs created before this time (RFC-3339 timestamp). | Optional |
| policies | detect: Find custom IOCs that produce notifications. none: Find custom IOCs the particular indicator has been detected on a host. This is equivalent to turning the indicator off. | Optional |
| sources | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limit 200 characters. | Optional |
| share_levels | The level at which the indicator will be shared. Currently only red share level (not shared) is supported, indicating that the IOC isn't shared with other FH customers. | Optional |
| created_by | created_by. | Optional |
| deleted_by | The user or API client who deleted the custom IOC. | Optional |
| include_deleted | true: Include deleted IOCs. false: Don't include deleted IOCs (default). | Optional |

Context Output#

PathTypeDescription
CrowdStrike.apiMsaReplyIOCIDs.errors.codeNumber
CrowdStrike.apiMsaReplyIOCIDs.errors.idString
CrowdStrike.apiMsaReplyIOCIDs.errors.messageString
CrowdStrike.apiMsaReplyIOCIDs.errors.codeNumber
CrowdStrike.apiMsaReplyIOCIDs.errors.idString
CrowdStrike.apiMsaReplyIOCIDs.errors.messageString

cs-queryioa-exclusionsv1#


Search for IOA exclusions.

Base Command#

cs-queryioa-exclusionsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The sort expression that should be used to sort the results. Possible values are: applied_globally.asc, applied_globally.desc, created_by.asc, created_by.desc, created_on.asc, created_on.desc, last_modified.asc, last_modified.desc, modified_by.asc, modified_by.desc, name.asc, name.desc, pattern_id.asc, pattern_id.desc, pattern_name.asc, pattern_name.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-queryml-exclusionsv1#


Search for ML exclusions.

Base Command#

cs-queryml-exclusionsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-500]. | Optional |
| sort | The sort expression that should be used to sort the results. Possible values are: applied_globally.asc, applied_globally.desc, created_by.asc, created_by.desc, created_on.asc, created_on.desc, last_modified.asc, last_modified.desc, modified_by.asc, modified_by.desc, value.asc, value.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-querypatterns#


Get all pattern severity IDs.

Base Command#

cs-querypatterns

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Starting index of overall result set from which to return IDs. | Optional |
| limit | Number of IDs to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-queryplatforms#


Get the list of platform names.

Base Command#

cs-queryplatforms

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrmsaQueryResponse.errors.code | Number | |
| CrowdStrike.fwmgrmsaQueryResponse.errors.id | String | |
| CrowdStrike.fwmgrmsaQueryResponse.errors.message | String | |

cs-queryplatforms-mixin0#


Get all platform IDs.

Base Command#

cs-queryplatforms-mixin0

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Starting index of overall result set from which to return IDs. | Optional |
| limit | Number of IDs to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-querypolicyrules#


Find all firewall rule IDs matching the query with filter, and return them in precedence order.

Base Command#

cs-querypolicyrules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the policy container within which to query. | Optional |
| sort | Possible order by fields: | Optional |
| filter_ | FQL query specifying the filter parameters. Filter term criteria: enabled, platform, name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. | Optional |
| q | Match query criteria, which includes all the filter string fields, plus TODO. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiQueryResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiQueryResponse.errors.id | String | |
| CrowdStrike.fwmgrapiQueryResponse.errors.message | String | |

cs-queryrt-response-policies#


Search for Response Policies in your environment by providing an FQL filter with sort and/or paging details. This returns a set of Response Policy IDs that match the given criteria.

Base Command#

cs-queryrt-response-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | The filter expression that should be used to determine the results. | Optional |
| offset | The offset of the first record to retrieve from. | Optional |
| limit | The maximum number of records to return [1-5000]. | Optional |
| sort | The property to sort results by. Possible values are: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-queryrt-response-policy-members#


Search for members of a Response policy in your environment by providing an FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

Base Command#

cs-queryrt-response-policy-members

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | The ID of the Response policy to search for members of. | Optional |
| filter_ | The filter expression that should be used to limit the results. | Optional |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-5000]. | Optional |
| sort | The property to sort by. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-queryrulegroups#


Find all rule group IDs matching the query with filter.

Base Command#

cs-queryrulegroups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sort | Possible order by fields: | Optional |
| filter_ | FQL query specifying the filter parameters. Filter term criteria: enabled, platform, name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. | Optional |
| q | Match query criteria, which includes all the filter string fields, plus TODO. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| after | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiQueryResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiQueryResponse.errors.id | String | |
| CrowdStrike.fwmgrapiQueryResponse.errors.message | String | |

cs-queryrulegroups-mixin0#


Finds all rule group IDs matching the query with optional filter.

Base Command#

cs-queryrulegroups-mixin0

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sort | Possible order by fields: {created_by, created_on, modified_by, modified_on, enabled, name, description}. Possible values are: created_by, created_on, description, enabled, modified_by, modified_on, name. | Optional |
| filter_ | FQL query specifying the filter parameters. Filter term criteria: [enabled platform name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name rules.enabled]. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. | Optional |
| q | Match query criteria, which includes all the filter string fields. | Optional |
| offset | Starting index of overall result set from which to return IDs. | Optional |
| limit | Number of IDs to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-queryrulegroupsfull#


Find all rule groups matching the query with optional filter.

Base Command#

cs-queryrulegroupsfull

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sort | Possible order by fields: {created_by, created_on, modified_by, modified_on, enabled, name, description}. Possible values are: created_by, created_on, description, enabled, modified_by, modified_on, name. | Optional |
| filter_ | FQL query specifying the filter parameters. Filter term criteria: [enabled platform name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name rules.enabled]. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. | Optional |
| q | Match query criteria, which includes all the filter string fields. | Optional |
| offset | Starting index of overall result set from which to return IDs. | Optional |
| limit | Number of IDs to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-queryrules#


Find all rule IDs matching the query with filter.

Base Command#

cs-queryrules

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sort | Possible order by fields: | Optional |
| filter_ | FQL query specifying the filter parameters. Filter term criteria: enabled, platform, name, description, etc TODO. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. | Optional |
| q | Match query criteria, which includes all the filter string fields, plus TODO. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| after | A pagination token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results. | Optional |
| limit | Number of ids to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.fwmgrapiQueryResponse.errors.code | Number | |
| CrowdStrike.fwmgrapiQueryResponse.errors.id | String | |
| CrowdStrike.fwmgrapiQueryResponse.errors.message | String | |

cs-queryrules-mixin0#


Finds all rule IDs matching the query with optional filter.

Base Command#

cs-queryrules-mixin0

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| sort | Possible order by fields: {rules.ruletype_name, rules.enabled, rules.created_by, rules.current_version.name, rules.current_version.modified_by, rules.created_on, rules.current_version.description, rules.current_version.pattern_severity, rules.current_version.action_label, rules.current_version.modified_on}. Possible values are: rules.created_by, rules.created_on, rules.current_version.action_label, rules.current_version.description, rules.current_version.modified_by, rules.current_version.modified_on, rules.current_version.name, rules.current_version.pattern_severity, rules.enabled, rules.ruletype_name. | Optional |
| filter_ | FQL query specifying the filter parameters. Filter term criteria: [enabled platform name description rules.action_label rules.name rules.description rules.pattern_severity rules.ruletype_name rules.enabled]. Filter range criteria: created_on, modified_on; use any common date format, such as '2010-05-15T14:55:21.892315096Z'. | Optional |
| q | Match query criteria, which includes all the filter string fields. | Optional |
| offset | Starting index of overall result set from which to return IDs. | Optional |
| limit | Number of IDs to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-queryruletypes#


Get all rule type IDs.

Base Command#

cs-queryruletypes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Starting index of overall result set from which to return IDs. | Optional |
| limit | Number of IDs to return. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-refresh-active-stream-session#


Refresh an active event stream. Use the URL shown in a GET /sensors/entities/datafeed/v2 response.

Base Command#

cs-refresh-active-stream-session

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| action_name | Action name. Allowed value is refresh_active_stream_session. | Required |
| appId | Label that identifies your connection. Max: 32 alphanumeric characters (a-z, A-Z, 0-9). | Required |
| partition | Partition to request data for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number | |
| CrowdStrike.msaReplyMetaOnly.errors.id | String | |
| CrowdStrike.msaReplyMetaOnly.errors.message | String | |

cs-regenerateapi-key#


Regenerate API key for docker registry integrations.

Base Command#

cs-regenerateapi-key

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.k8sregRegenAPIKeyResp.errors.code | Number | |
| CrowdStrike.k8sregRegenAPIKeyResp.errors.id | String | |
| CrowdStrike.k8sregRegenAPIKeyResp.errors.message | String | |
| CrowdStrike.k8sregRegenAPIKeyResp.resources.api_key | String | |

cs-retrieve-emails-bycid#


List the usernames (usually an email address) for all users in your customer account.

Base Command#

cs-retrieve-emails-bycid

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-retrieve-user#


Get info about a user.

Base Command#

cs-retrieve-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | ID of a user. Find a user's ID from /users/entities/user/v1. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainUserMetaDataResponse.errors.code | Number | |
| CrowdStrike.domainUserMetaDataResponse.errors.id | String | |
| CrowdStrike.domainUserMetaDataResponse.errors.message | String | |
| CrowdStrike.domainUserMetaDataResponse.resources.customer | String | |
| CrowdStrike.domainUserMetaDataResponse.resources.firstName | String | |
| CrowdStrike.domainUserMetaDataResponse.resources.lastName | String | |
| CrowdStrike.domainUserMetaDataResponse.resources.uid | String | |
| CrowdStrike.domainUserMetaDataResponse.resources.uuid | String | |

cs-retrieve-useruui-ds-bycid#


List user IDs for all users in your customer account. For more information on each user, provide the user ID to /users/entities/user/v1.

Base Command#

cs-retrieve-useruui-ds-bycid

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-retrieve-useruuid#


Get a user's ID by providing a username (usually an email address).

Base Command#

cs-retrieve-useruuid

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| uid | A username. This is usually the user's email address, but may vary based on your configuration. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-reveal-uninstall-token#


Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token, pass 'MAINTENANCE' as the value for 'device_id'.

Base Command#

cs-reveal-uninstall-token

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_revealuninstalltokenv1_audit_message | An optional message to append to the recorded audit log. | Optional |
| requests_revealuninstalltokenv1_device_id | The id of the device to reveal the token for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesRevealUninstallTokenRespV1.errors.code | Number | |
| CrowdStrike.responsesRevealUninstallTokenRespV1.errors.id | String | |
| CrowdStrike.responsesRevealUninstallTokenRespV1.errors.message | String | |
| CrowdStrike.responsesRevealUninstallTokenRespV1.resources.device_id | String | The device the token belongs to. |
| CrowdStrike.responsesRevealUninstallTokenRespV1.resources.seed_id | Number | The seedID of the uninstall token. |
| CrowdStrike.responsesRevealUninstallTokenRespV1.resources.uninstall_token | String | The uninstall token. |

cs-revoke-user-role-ids#


Revoke one or more roles from a user.

Base Command#

cs-revoke-user-role-ids

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| user_uuid | ID of a user. Find a user's ID from /users/entities/user/v1. | Required |
| ids | One or more role IDs to revoke. Find a role's ID from /users/queries/roles/v1. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainUserRoleIDsResponse.errors.code | Number | |
| CrowdStrike.domainUserRoleIDsResponse.errors.id | String | |
| CrowdStrike.domainUserRoleIDsResponse.errors.message | String | |

cs-rtr-aggregate-sessions#


Get aggregates on session data.

Base Command#

cs-rtr-aggregate-sessions

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_aggregatequeryrequest_date_ranges | | Required |
| msa_aggregatequeryrequest_field | | Required |
| msa_aggregatequeryrequest_filter | | Required |
| msa_aggregatequeryrequest_interval | | Required |
| msa_aggregatequeryrequest_min_doc_count | | Required |
| msa_aggregatequeryrequest_missing | | Required |
| msa_aggregatequeryrequest_name | | Required |
| msa_aggregatequeryrequest_q | | Required |
| msa_aggregatequeryrequest_ranges | | Required |
| msa_aggregatequeryrequest_size | | Required |
| msa_aggregatequeryrequest_sort | | Required |
| msa_aggregatequeryrequest_sub_aggregates | | Required |
| msa_aggregatequeryrequest_time_zone | | Required |
| msa_aggregatequeryrequest_type | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaAggregatesResponse.errors.code | Number | |
| CrowdStrike.msaAggregatesResponse.errors.id | String | |
| CrowdStrike.msaAggregatesResponse.errors.message | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.count | Number | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.from | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.key_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_from | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.string_to | String | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.to | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value | Unknown | |
| CrowdStrike.msaAggregatesResponse.resources.buckets.value_as_string | String | |
| CrowdStrike.msaAggregatesResponse.resources.name | String | |
| CrowdStrike.msaAggregatesResponse.resources.sum_other_doc_count | Number | |

cs-rtr-check-active-responder-command-status#


Get status of an executed active-responder command on a single host.

Base Command#

cs-rtr-check-active-responder-command-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cloud_request_id | Cloud Request ID of the executed command to query. | Required |
| sequence_id | Sequence ID that we want to retrieve. Command responses are chunked across sequences. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainStatusResponseWrapper.errors.code | Number | |
| CrowdStrike.domainStatusResponseWrapper.errors.id | String | |
| CrowdStrike.domainStatusResponseWrapper.errors.message | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.base_command | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.complete | Boolean | |
| CrowdStrike.domainStatusResponseWrapper.resources.sequence_id | Number | |
| CrowdStrike.domainStatusResponseWrapper.resources.session_id | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.stderr | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.stdout | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.task_id | String | |

cs-rtr-check-admin-command-status#


Get status of an executed RTR administrator command on a single host.

Base Command#

cs-rtr-check-admin-command-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cloud_request_id | Cloud Request ID of the executed command to query. | Required |
| sequence_id | Sequence ID that we want to retrieve. Command responses are chunked across sequences. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainStatusResponseWrapper.errors.code | Number | |
| CrowdStrike.domainStatusResponseWrapper.errors.id | String | |
| CrowdStrike.domainStatusResponseWrapper.errors.message | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.base_command | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.complete | Boolean | |
| CrowdStrike.domainStatusResponseWrapper.resources.sequence_id | Number | |
| CrowdStrike.domainStatusResponseWrapper.resources.session_id | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.stderr | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.stdout | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.task_id | String | |

cs-rtr-check-command-status#


Get status of an executed command on a single host.

Base Command#

cs-rtr-check-command-status

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cloud_request_id | Cloud Request ID of the executed command to query. | Required |
| sequence_id | Sequence ID that we want to retrieve. Command responses are chunked across sequences. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainStatusResponseWrapper.errors.code | Number | |
| CrowdStrike.domainStatusResponseWrapper.errors.id | String | |
| CrowdStrike.domainStatusResponseWrapper.errors.message | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.base_command | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.complete | Boolean | |
| CrowdStrike.domainStatusResponseWrapper.resources.sequence_id | Number | |
| CrowdStrike.domainStatusResponseWrapper.resources.session_id | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.stderr | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.stdout | String | |
| CrowdStrike.domainStatusResponseWrapper.resources.task_id | String | |

cs-rtr-create-put-files#


Upload a new put-file to use for the RTR put command.

Base Command#

cs-rtr-create-put-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file | put-file to upload. | Required |
| description | File description. | Required |
| name | File name (if different than actual file name). | Optional |
| comments_for_audit_log | The audit log comment. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number | |
| CrowdStrike.msaReplyMetaOnly.errors.id | String | |
| CrowdStrike.msaReplyMetaOnly.errors.message | String | |

cs-rtr-create-scripts#


Upload a new custom-script to use for the RTR runscript command.

Base Command#

cs-rtr-create-scripts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file | custom-script file to upload. These should be PowerShell scripts. | Optional |
| description | File description. | Required |
| name | File name (if different than actual file name). | Optional |
| comments_for_audit_log | The audit log comment. | Optional |
| permission_type | Permission for the custom-script. Valid permission values: private (usable by only the user who uploaded it), group (usable by all RTR Admins), public (usable by all active-responders and RTR admins). | Required |
| content | The script text that you want to use to upload. | Optional |
| platform | Platforms for the file. Currently supports: windows, mac, linux. If no platform is provided, it will default to 'windows'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number | |
| CrowdStrike.msaReplyMetaOnly.errors.id | String | |
| CrowdStrike.msaReplyMetaOnly.errors.message | String | |

cs-rtr-delete-file#


Delete an RTR session file.

Base Command#

cs-rtr-delete-file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | RTR Session file id. | Required |
| session_id | RTR Session id. | Required |

Context Output#

There is no context output for this command.

cs-rtr-delete-put-files#


Delete a put-file based on the ID given. Can only delete one file at a time.

Base Command#

cs-rtr-delete-put-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | File id. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number | |
| CrowdStrike.msaReplyMetaOnly.errors.id | String | |
| CrowdStrike.msaReplyMetaOnly.errors.message | String | |

cs-rtr-delete-queued-session#


Delete a queued session command.

Base Command#

cs-rtr-delete-queued-session

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| session_id | RTR Session id. | Required |
| cloud_request_id | Cloud Request ID of the executed command to query. | Required |

Context Output#

There is no context output for this command.

cs-rtr-delete-scripts#


Delete a custom-script based on the ID given. Can only delete one script at a time.

Base Command#

cs-rtr-delete-scripts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | File id. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number | |
| CrowdStrike.msaReplyMetaOnly.errors.id | String | |
| CrowdStrike.msaReplyMetaOnly.errors.message | String | |

cs-rtr-delete-session#


Delete a session.

Base Command#

cs-rtr-delete-session

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| session_id | RTR Session id. | Required |

Context Output#

There is no context output for this command.

cs-rtr-execute-active-responder-command#


Execute an active responder command on a single host.

Base Command#

cs-rtr-execute-active-responder-command

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_commandexecuterequest_base_command | | Required |
| domain_commandexecuterequest_command_string | | Required |
| domain_commandexecuterequest_device_id | | Required |
| domain_commandexecuterequest_id | | Required |
| domain_commandexecuterequest_persist | | Required |
| domain_commandexecuterequest_session_id | | Required |

Context Output#

There is no context output for this command.

cs-rtr-execute-admin-command#


Execute an RTR administrator command on a single host.

Base Command#

cs-rtr-execute-admin-command

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_commandexecuterequest_base_command | | Required |
| domain_commandexecuterequest_command_string | | Required |
| domain_commandexecuterequest_device_id | | Required |
| domain_commandexecuterequest_id | | Required |
| domain_commandexecuterequest_persist | | Required |
| domain_commandexecuterequest_session_id | | Required |

Context Output#

There is no context output for this command.

cs-rtr-execute-command#


Execute a command on a single host.

Base Command#

cs-rtr-execute-command

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_commandexecuterequest_base_command | | Required |
| domain_commandexecuterequest_command_string | | Required |
| domain_commandexecuterequest_device_id | | Required |
| domain_commandexecuterequest_id | | Required |
| domain_commandexecuterequest_persist | | Required |
| domain_commandexecuterequest_session_id | | Required |

Context Output#

There is no context output for this command.

cs-rtr-get-extracted-file-contents#


Get RTR extracted file contents for specified session and sha256.

Base Command#

cs-rtr-get-extracted-file-contents

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| session_id | RTR Session id. | Required |
| sha256 | Extracted SHA256 (e.g. 'efa256a96af3b556cd3fc9d8b1cf587d72807d7805ced441e8149fc279db422b'). | Required |
| filename | Filename to use for the archive name and the file within the archive. | Optional |

Context Output#

There is no context output for this command.

cs-rtr-get-put-files#


Get put-files based on the IDs given. These are used for the RTR put command.

Base Command#

cs-rtr-get-put-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | File IDs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.binservclientMsaPFResponse.errors.code | Number | |
| CrowdStrike.binservclientMsaPFResponse.errors.id | String | |
| CrowdStrike.binservclientMsaPFResponse.errors.message | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.bucket | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.cid | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.comments_for_audit_log | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.content | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.created_by | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.created_by_uuid | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.created_timestamp | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.description | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.file_type | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.id | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.modified_by | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.modified_by_uuid | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.modified_timestamp | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.name | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.path | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.permission_type | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.run_attempt_count | Number | |
| CrowdStrike.binservclientMsaPFResponse.resources.run_success_count | Number | |
| CrowdStrike.binservclientMsaPFResponse.resources.sha256 | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.size | Number | |
| CrowdStrike.binservclientMsaPFResponse.resources.write_access | Boolean | |

cs-rtr-get-scripts#


Get custom-scripts based on the IDs given. These are used for the RTR runscript command.

Base Command#

cs-rtr-get-scripts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | File IDs. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.binservclientMsaPFResponse.errors.code | Number | |
| CrowdStrike.binservclientMsaPFResponse.errors.id | String | |
| CrowdStrike.binservclientMsaPFResponse.errors.message | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.bucket | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.cid | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.comments_for_audit_log | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.content | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.created_by | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.created_by_uuid | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.created_timestamp | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.description | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.file_type | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.id | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.modified_by | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.modified_by_uuid | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.modified_timestamp | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.name | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.path | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.permission_type | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.run_attempt_count | Number | |
| CrowdStrike.binservclientMsaPFResponse.resources.run_success_count | Number | |
| CrowdStrike.binservclientMsaPFResponse.resources.sha256 | String | |
| CrowdStrike.binservclientMsaPFResponse.resources.size | Number | |
| CrowdStrike.binservclientMsaPFResponse.resources.write_access | Boolean | |

cs-rtr-init-session#


Initialize a new session with the RTR cloud.

Base Command#

cs-rtr-init-session

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_initrequest_device_id | | Required |
| domain_initrequest_origin | | Required |
| domain_initrequest_queue_offline | | Required |

Context Output#

There is no context output for this command.

cs-rtr-list-all-sessions#


Get a list of session_ids.

Base Command#

cs-rtr-list-all-sessions

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |
| sort | Sort by spec. Ex: 'date_created\|asc'. | Optional |
| filter_ | Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. “user_id” can accept a special value ‘@me’ which will restrict results to records with current user’s ID. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainListSessionsResponseMsa.errors.code | Number | |
| CrowdStrike.domainListSessionsResponseMsa.errors.id | String | |
| CrowdStrike.domainListSessionsResponseMsa.errors.message | String | |

cs-rtr-list-files#


Get a list of files for the specified RTR session.

Base Command#

cs-rtr-list-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| session_id | RTR Session id. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainListFilesResponseWrapper.errors.code | Number | |
| CrowdStrike.domainListFilesResponseWrapper.errors.id | String | |
| CrowdStrike.domainListFilesResponseWrapper.errors.message | String | |
| CrowdStrike.domainListFilesResponseWrapper.resources.cloud_request_id | String | |
| CrowdStrike.domainListFilesResponseWrapper.resources.created_at | String | |
| CrowdStrike.domainListFilesResponseWrapper.resources.deleted_at | String | |
| CrowdStrike.domainListFilesResponseWrapper.resources.id | Number | |
| CrowdStrike.domainListFilesResponseWrapper.resources.name | String | |
| CrowdStrike.domainListFilesResponseWrapper.resources.session_id | String | |
| CrowdStrike.domainListFilesResponseWrapper.resources.sha256 | String | |
| CrowdStrike.domainListFilesResponseWrapper.resources.size | Number | |
| CrowdStrike.domainListFilesResponseWrapper.resources.updated_at | String | |

cs-rtr-list-put-files#


Get a list of put-file IDs that are available to the user for the put command.

Base Command#

cs-rtr-list-put-files

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |
| sort | Sort by spec. Ex: 'created_at\|asc'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.binservclientMsaPutFileResponse.errors.code | Number | |
| CrowdStrike.binservclientMsaPutFileResponse.errors.id | String | |
| CrowdStrike.binservclientMsaPutFileResponse.errors.message | String | |

cs-rtr-list-queued-sessions#


Get queued session metadata by session ID.

Base Command#

cs-rtr-list-queued-sessions

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_idsrequest_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainQueuedSessionResponseWrapper.errors.code | Number | |
| CrowdStrike.domainQueuedSessionResponseWrapper.errors.id | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.errors.message | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.Commands.base_command | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.Commands.cloud_request_id | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.Commands.command_string | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.Commands.created_at | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.Commands.deleted_at | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.Commands.status | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.Commands.status_text | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.Commands.updated_at | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.aid | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.created_at | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.deleted_at | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.id | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.status | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.updated_at | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.user_id | String | |
| CrowdStrike.domainQueuedSessionResponseWrapper.resources.user_uuid | String | |

cs-rtr-list-scripts#


Get a list of custom-script IDs that are available to the user for the runscript command.

Base Command#

cs-rtr-list-scripts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter_ | Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. | Optional |
| offset | Starting index of overall result set from which to return ids. | Optional |
| limit | Number of ids to return. | Optional |
| sort | Sort by spec. Ex: 'created_at\|asc'. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.binservclientMsaPutFileResponse.errors.code | Number | |
| CrowdStrike.binservclientMsaPutFileResponse.errors.id | String | |
| CrowdStrike.binservclientMsaPutFileResponse.errors.message | String | |

cs-rtr-list-sessions#


Get session metadata by session id.

Base Command#

cs-rtr-list-sessions

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| msa_idsrequest_ids | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainSessionResponseWrapper.errors.code | Number | |
| CrowdStrike.domainSessionResponseWrapper.errors.id | String | |
| CrowdStrike.domainSessionResponseWrapper.errors.message | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.cid | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.commands_queued | Boolean | |
| CrowdStrike.domainSessionResponseWrapper.resources.created_at | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.deleted_at | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.device_id | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.duration | Unknown | |
| CrowdStrike.domainSessionResponseWrapper.resources.hostname | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.id | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.logs.base_command | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.logs.cloud_request_id | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.logs.command_string | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.logs.created_at | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.logs.current_directory | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.logs.id | Number | |
| CrowdStrike.domainSessionResponseWrapper.resources.logs.session_id | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.logs.updated_at | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.offline_queued | Boolean | |
| CrowdStrike.domainSessionResponseWrapper.resources.origin | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.platform_id | Number | |
| CrowdStrike.domainSessionResponseWrapper.resources.platform_name | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.pwd | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.updated_at | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.user_id | String | |
| CrowdStrike.domainSessionResponseWrapper.resources.user_uuid | String | |

cs-rtr-pulse-session#


Refresh a session timeout on a single host.

Base Command#

cs-rtr-pulse-session

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_initrequest_device_id | | Required |
| domain_initrequest_origin | | Required |
| domain_initrequest_queue_offline | | Required |

Context Output#

There is no context output for this command.

cs-rtr-update-scripts#


Upload a new script to replace an existing one.

Base Command#

cs-rtr-update-scripts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id_ | ID to update. | Required |
| file | custom-script file to upload. These should be powershell scripts. | Optional |
| description | File description. | Optional |
| name | File name (if different than actual file name). | Optional |
| comments_for_audit_log | The audit log comment. | Optional |
| permission_type | Permission for the custom-script. Valid permission values: - private, usable by only the user who uploaded it - group, usable by all RTR Admins - public, usable by all active-responders and RTR admins. | Optional |
| content | The script text that you want to use to upload. | Optional |
| platform | Platforms for the file. Currently supports: windows, mac,. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number | |
| CrowdStrike.msaReplyMetaOnly.errors.id | String | |
| CrowdStrike.msaReplyMetaOnly.errors.message | String | |

cs-scan-samples#


Submit a volume of files for ML scanning. Time required for analysis increases with the number of samples in a volume, but it usually takes less than 1 minute.

Base Command#

cs-scan-samples

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| mlscanner_samplesscanparameters_samples | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.mlscannerQueryResponse.errors.code | Number | |
| CrowdStrike.mlscannerQueryResponse.errors.id | String | |
| CrowdStrike.mlscannerQueryResponse.errors.message | String | |

cs-set-device-control-policies-precedence#


Sets the precedence of Device Control Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

Base Command#

cs-set-device-control-policies-precedence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_setpolicyprecedencereqv1_ids | The ids of all current prevention policies for the platform specified. The precedence will be set in the order the ids are specified. | Required |
| requests_setpolicyprecedencereqv1_platform_name | The name of the platform for which to set precedence. Possible values are: Windows, Mac, Linux. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-set-firewall-policies-precedence#


Sets the precedence of Firewall Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

Base Command#

cs-set-firewall-policies-precedence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_setpolicyprecedencereqv1_ids | The ids of all current prevention policies for the platform specified. The precedence will be set in the order the ids are specified. | Required |
| requests_setpolicyprecedencereqv1_platform_name | The name of the platform for which to set precedence. Possible values are: Windows, Mac, Linux. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-set-prevention-policies-precedence#


Sets the precedence of Prevention Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

Base Command#

cs-set-prevention-policies-precedence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_setpolicyprecedencereqv1_ids | The ids of all current prevention policies for the platform specified. The precedence will be set in the order the ids are specified. | Required |
| requests_setpolicyprecedencereqv1_platform_name | The name of the platform for which to set precedence. Possible values are: Windows, Mac, Linux. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-set-sensor-update-policies-precedence#


Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

Base Command#

cs-set-sensor-update-policies-precedence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_setpolicyprecedencereqv1_ids | The ids of all current prevention policies for the platform specified. The precedence will be set in the order the ids are specified. | Required |
| requests_setpolicyprecedencereqv1_platform_name | The name of the platform for which to set precedence. Possible values are: Windows, Mac, Linux. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-setrt-response-policies-precedence#


Sets the precedence of Response Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

Base Command#

cs-setrt-response-policies-precedence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_setpolicyprecedencereqv1_ids | The ids of all current prevention policies for the platform specified. The precedence will be set in the order the ids are specified. | Required |
| requests_setpolicyprecedencereqv1_platform_name | The name of the platform for which to set precedence. Possible values are: Windows, Mac, Linux. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number | |
| CrowdStrike.msaQueryResponse.errors.id | String | |
| CrowdStrike.msaQueryResponse.errors.message | String | |

cs-submit#


Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

Base Command#

cs-submit

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| falconx_submissionparametersv1_sandbox | | Optional |
| falconx_submissionparametersv1_user_tags | | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.falconxSubmissionV1Response.errors.code | Number | |
| CrowdStrike.falconxSubmissionV1Response.errors.id | String | |
| CrowdStrike.falconxSubmissionV1Response.errors.message | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.cid | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.created_timestamp | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.id | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.origin | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.action_script | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.command_line | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.document_password | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.enable_tor | Boolean | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.environment_id | Number | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.sha256 | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.submit_name | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.system_date | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.system_time | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.sandbox.url | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.state | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.user_id | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.user_name | String | |
| CrowdStrike.falconxSubmissionV1Response.resources.user_uuid | String | |

cs-tokenscreate#


Creates a token.

Base Command#

cs-tokenscreate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| api_tokencreaterequestv1_expires_timestamp | The token's expiration time (RFC-3339). Null, if the token never expires. | Optional |
| api_tokencreaterequestv1_label | The token label. | Optional |
| api_tokencreaterequestv1_type | The token type. | Optional |

Context Output#

There is no context output for this command.

cs-tokensdelete#


Deletes a token immediately. To revoke a token, use PATCH /installation-tokens/entities/tokens/v1 instead.

Base Command#

cs-tokensdelete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The token ids to delete. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number |  |
| CrowdStrike.msaReplyMetaOnly.errors.id | String |  |
| CrowdStrike.msaReplyMetaOnly.errors.message | String |  |

cs-tokensquery#


Search for tokens by providing an FQL filter and paging details.

Base Command#

cs-tokensquery

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offset | The offset to start retrieving records from. | Optional |
| limit | The maximum records to return. [1-1000]. Defaults to 50. | Optional |
| sort | The property to sort by (e.g. created_timestamp.desc). | Optional |
| filter_ | The filter expression that should be used to limit the results (e.g., status:'valid'). | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number |  |
| CrowdStrike.msaQueryResponse.errors.id | String |  |
| CrowdStrike.msaQueryResponse.errors.message | String |  |

cs-tokensread#


Gets the details of one or more tokens by id.

Base Command#

cs-tokensread

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | IDs of tokens to retrieve details for. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apitokenDetailsResponseV1.errors.code | Number |  |
| CrowdStrike.apitokenDetailsResponseV1.errors.id | String |  |
| CrowdStrike.apitokenDetailsResponseV1.errors.message | String |  |
| CrowdStrike.apitokenDetailsResponseV1.resources.created_timestamp | String |  |
| CrowdStrike.apitokenDetailsResponseV1.resources.expires_timestamp | String |  |
| CrowdStrike.apitokenDetailsResponseV1.resources.id | String |  |
| CrowdStrike.apitokenDetailsResponseV1.resources.label | String |  |
| CrowdStrike.apitokenDetailsResponseV1.resources.last_used_timestamp | String |  |
| CrowdStrike.apitokenDetailsResponseV1.resources.revoked_timestamp | String |  |
| CrowdStrike.apitokenDetailsResponseV1.resources.status | String |  |
| CrowdStrike.apitokenDetailsResponseV1.resources.type | String |  |
| CrowdStrike.apitokenDetailsResponseV1.resources.value | String |  |

cs-tokensupdate#


Updates one or more tokens. Use this endpoint to edit labels, change expiration, revoke, or restore.

Base Command#

cs-tokensupdate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | The token ids to update. | Required |
| api_tokenpatchrequestv1_expires_timestamp | The token's expiration time (RFC-3339). Null, if the token never expires. | Optional |
| api_tokenpatchrequestv1_label | The token label. | Optional |
| api_tokenpatchrequestv1_revoked | Set to true to revoke the token, false to un-revoke it. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaQueryResponse.errors.code | Number |  |
| CrowdStrike.msaQueryResponse.errors.id | String |  |
| CrowdStrike.msaQueryResponse.errors.message | String |  |

cs-trigger-scan#


Triggers a dry run or a full scan of a customer's Kubernetes footprint.

Base Command#

cs-trigger-scan

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| scan_type | Scan Type to do. Possible values are: cluster-refresh, dry-run, full. | Required |

Context Output#

There is no context output for this command.

cs-update-actionv1#


Update an action for a monitoring rule.

Base Command#

cs-update-actionv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_updateactionrequest_frequency |  | Required |
| domain_updateactionrequest_id |  | Required |
| domain_updateactionrequest_recipients |  | Required |
| domain_updateactionrequest_status |  | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainActionEntitiesResponseV1.errors.code | Number |  |
| CrowdStrike.domainActionEntitiesResponseV1.errors.details.field | String |  |
| CrowdStrike.domainActionEntitiesResponseV1.errors.details.message | String |  |
| CrowdStrike.domainActionEntitiesResponseV1.errors.details.message_key | String |  |
| CrowdStrike.domainActionEntitiesResponseV1.errors.id | String |  |
| CrowdStrike.domainActionEntitiesResponseV1.errors.message | String |  |
| CrowdStrike.domainActionEntitiesResponseV1.errors.message_key | String |  |
| CrowdStrike.domainActionEntitiesResponseV1.resources.cid | String | The ID of the customer who created the action. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.created_timestamp | String | The date when the action was created. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.frequency | String |  |
| CrowdStrike.domainActionEntitiesResponseV1.resources.id | String | The ID of the action. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.rule_id | String | The ID of the rule on which this action is attached. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.status | String | The action status. It can be either 'enabled' or 'muted'. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.type | String | The action type. The only type currently supported is 'email'. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.updated_timestamp | String | The date when the action was updated. |
| CrowdStrike.domainActionEntitiesResponseV1.resources.user_uuid | String | The UUID of the user who created the action. |

cs-update-detects-by-idsv2#


Modify the state, assignee, and visibility of detections.

Base Command#

cs-update-detects-by-idsv2

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_detectsentitiespatchrequest_assigned_to_uuid |  | Optional |
| domain_detectsentitiespatchrequest_comment |  | Optional |
| domain_detectsentitiespatchrequest_ids |  | Optional |
| domain_detectsentitiespatchrequest_show_in_ui |  | Optional |
| domain_detectsentitiespatchrequest_status |  | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaReplyMetaOnly.errors.code | Number |  |
| CrowdStrike.msaReplyMetaOnly.errors.id | String |  |
| CrowdStrike.msaReplyMetaOnly.errors.message | String |  |

cs-update-device-control-policies#


Update Device Control Policies by specifying the ID of the policy and details to update.

Base Command#

cs-update-device-control-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_updatedevicecontrolpoliciesv1_resources | A collection of policies to update. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.code | Number |  |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.id | String |  |
| CrowdStrike.responsesDeviceControlPoliciesV1.errors.message | String |  |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesDeviceControlPoliciesV1.resources.platform_name | String | The name of the platform. |

cs-update-device-tags#


Append or remove one or more Falcon Grouping Tags on one or more hosts.

Base Command#

cs-update-device-tags

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_updatedevicetagsrequestv1_action |  | Required |
| domain_updatedevicetagsrequestv1_device_ids |  | Required |
| domain_updatedevicetagsrequestv1_tags |  | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaEntitiesResponse.errors.code | Number |  |
| CrowdStrike.msaEntitiesResponse.errors.id | String |  |
| CrowdStrike.msaEntitiesResponse.errors.message | String |  |

cs-update-firewall-policies#


Update Firewall Policies by specifying the ID of the policy and details to update.

Base Command#

cs-update-firewall-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_updatefirewallpoliciesv1_resources | A collection of policies to update. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesFirewallPoliciesV1.errors.code | Number |  |
| CrowdStrike.responsesFirewallPoliciesV1.errors.id | String |  |
| CrowdStrike.responsesFirewallPoliciesV1.errors.message | String |  |
| CrowdStrike.responsesFirewallPoliciesV1.resources.channel_version | Number | Channel file version for the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.platform_name | String | The name of the platform. |
| CrowdStrike.responsesFirewallPoliciesV1.resources.rule_set_id | String | Firewall rule set id. This id combines several firewall rules and gets attached to the policy. |

cs-update-host-groups#


Update Host Groups by specifying the ID of the group and details to update.

Base Command#

cs-update-host-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_updategroupsv1_resources | A collection of groups to update. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesHostGroupsV1.errors.code | Number |  |
| CrowdStrike.responsesHostGroupsV1.errors.id | String |  |
| CrowdStrike.responsesHostGroupsV1.errors.message | String |  |
| CrowdStrike.responsesHostGroupsV1.resources.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesHostGroupsV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesHostGroupsV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesHostGroupsV1.resources.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesHostGroupsV1.resources.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesHostGroupsV1.resources.id | String | The identifier of this host group. |
| CrowdStrike.responsesHostGroupsV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesHostGroupsV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesHostGroupsV1.resources.name | String | The name of the group. |

cs-update-notificationsv1#


Update notification status or assignee. Accepts bulk requests.

Base Command#

cs-update-notificationsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_updatenotificationrequestv1_assigned_to_uuid | The unique ID of the user who is assigned to this notification. | Required |
| domain_updatenotificationrequestv1_id | The ID of the notifications. | Required |
| domain_updatenotificationrequestv1_status | The notification status. This can be one of: new, in-progress, closed-false-positive, closed-true-positive. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainNotificationEntitiesResponseV1.errors.code | Number |  |
| CrowdStrike.domainNotificationEntitiesResponseV1.errors.details.field | String |  |
| CrowdStrike.domainNotificationEntitiesResponseV1.errors.details.message | String |  |
| CrowdStrike.domainNotificationEntitiesResponseV1.errors.details.message_key | String |  |
| CrowdStrike.domainNotificationEntitiesResponseV1.errors.id | String |  |
| CrowdStrike.domainNotificationEntitiesResponseV1.errors.message | String |  |
| CrowdStrike.domainNotificationEntitiesResponseV1.errors.message_key | String |  |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.assigned_to_uid | String | The email of the user who is assigned to this notification. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.assigned_to_username | String | The name of the user who is assigned to this notification. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.assigned_to_uuid | String | The unique ID of the user who is assigned to this notification. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.created_date | String | The date when the notification was generated. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.id | String | The ID of the notification. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.item_date | String | Timestamp when the intelligence item is considered to have been posted. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.item_id | String | ID of the intelligence item which generated the match. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.item_type | String | Type of intelligence item based on format, e.g. post, reply, botnet_config. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_id | String | The ID of the rule that generated this notification. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_name | String | The name of the rule that generated this notification. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_priority | String |  |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.rule_topic | String |  |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.status | String | The notification status. This can be one of: new, in-progress, closed-false-positive, closed-true-positive. |
| CrowdStrike.domainNotificationEntitiesResponseV1.resources.updated_date | String | The date when the notification was updated. |

cs-update-prevention-policies#


Update Prevention Policies by specifying the ID of the policy and details to update.

Base Command#

cs-update-prevention-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_updatepreventionpoliciesv1_resources | A collection of policies to update. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesPreventionPoliciesV1.errors.code | Number |  |
| CrowdStrike.responsesPreventionPoliciesV1.errors.id | String |  |
| CrowdStrike.responsesPreventionPoliciesV1.errors.message | String |  |
| CrowdStrike.responsesPreventionPoliciesV1.resources.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.created_by | String | The email of the user which created the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.modified_by | String | The email of the user which last modified the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.platform_name | String | The name of the platform. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.name | String | The name of the category. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.description | String | The human readable description of the setting. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.id | String | The id of the setting. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.name | String | The name of the setting. |
| CrowdStrike.responsesPreventionPoliciesV1.resources.prevention_settings.settings.type | String | The type of the setting which can be used as a hint when displaying in the UI. |

cs-update-rulesv1#


Update monitoring rules.

Base Command#

cs-update-rulesv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| X_CS_USERUUID | User UUID. | Optional |
| domain_updaterulerequestv1_filter | The filter to be used for searching. | Required |
| domain_updaterulerequestv1_id | The rule ID to be updated. | Required |
| domain_updaterulerequestv1_name | The name of a particular rule. | Required |
| domain_updaterulerequestv1_permissions | The permissions for a particular rule, which specify the rule's access by other users. Possible values: private, public. | Required |
| domain_updaterulerequestv1_priority | The priority for a particular rule. Possible values: low, medium, high. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainRulesEntitiesResponseV1.errors.code | Number | |
| CrowdStrike.domainRulesEntitiesResponseV1.errors.details.field | String | |
| CrowdStrike.domainRulesEntitiesResponseV1.errors.details.message | String | |
| CrowdStrike.domainRulesEntitiesResponseV1.errors.details.message_key | String | |
| CrowdStrike.domainRulesEntitiesResponseV1.errors.id | String | |
| CrowdStrike.domainRulesEntitiesResponseV1.errors.message | String | |
| CrowdStrike.domainRulesEntitiesResponseV1.errors.message_key | String | |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.cid | String | |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.created_timestamp | String | The creation time for a given rule. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.filter | String | The FQL filter contained in a rule and used for searching. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.id | String | The ID of a given rule. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.name | String | The name for a given rule. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.permissions | String | The permissions of a given rule. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.priority | String | The priority of a given rule. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.status | String | The status of a rule. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.status_message | String | The detailed status message. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.topic | String | The topic of a given rule. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.updated_timestamp | String | The last updated time for a given rule. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.user_id | String | The user ID of the user that created a given rule. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.user_name | String | The user name of the user that created a given rule. |
| CrowdStrike.domainRulesEntitiesResponseV1.resources.user_uuid | String | The UUID of the user that created a given rule. |

cs-update-sensor-update-policies#


Update Sensor Update Policies by specifying the ID of the policy and details to update.

Base Command#

cs-update-sensor-update-policies

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_updatesensorupdatepoliciesv1_resources | A collection of policies to update. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesSensorUpdatePoliciesV1.errors.code | Number | |
| CrowdStrike.responsesSensorUpdatePoliciesV1.errors.id | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV1.errors.message | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.created_by | String | The email of the user who created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.created_by | String | The email of the user who created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.modified_by | String | The email of the user who last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.modified_by | String | The email of the user who last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV1.resources.platform_name | String | The name of the platform. |

cs-update-sensor-update-policiesv2#


Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection.

Base Command#

cs-update-sensor-update-policiesv2

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_updatesensorupdatepoliciesv2_resources | A collection of policies to update. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesSensorUpdatePoliciesV2.errors.code | Number | |
| CrowdStrike.responsesSensorUpdatePoliciesV2.errors.id | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV2.errors.message | String | |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.created_by | String | The email of the user who created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.description | String | The description of a policy. Use this field to provide a high level summary of what this policy enforces. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.enabled | Boolean | If a policy is enabled it will be used during the course of policy evaluation. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.created_by | String | The email of the user who created the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.modified_by | String | The email of the user who last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.id | String | The unique id of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.modified_by | String | The email of the user who last modified the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.name | String | The human readable name of the policy. |
| CrowdStrike.responsesSensorUpdatePoliciesV2.resources.platform_name | String | The name of the platform. |

cs-update-sensor-visibility-exclusionsv1#


Update the sensor visibility exclusions.

Base Command#

cs-update-sensor-visibility-exclusionsv1

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| requests_svexclusionupdatereqv1_comment | | Optional |
| requests_svexclusionupdatereqv1_groups | | Optional |
| requests_svexclusionupdatereqv1_id | | Required |
| requests_svexclusionupdatereqv1_value | | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.responsesSvExclusionRespV1.errors.code | Number | |
| CrowdStrike.responsesSvExclusionRespV1.errors.id | String | |
| CrowdStrike.responsesSvExclusionRespV1.errors.message | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.applied_globally | Boolean | |
| CrowdStrike.responsesSvExclusionRespV1.resources.created_by | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.created_on | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.assignment_rule | String | The assignment rule of a group. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.created_by | String | The email of the user who created the policy. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.created_timestamp | String | The time at which the policy was created. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.description | String | An additional description of the group or the devices it targets. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.group_type | String | The method by which this host group is managed. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.id | String | The identifier of this host group. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.modified_by | String | The email of the user who last modified the policy. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.modified_timestamp | String | The time at which the policy was last modified. |
| CrowdStrike.responsesSvExclusionRespV1.resources.groups.name | String | The name of the group. |
| CrowdStrike.responsesSvExclusionRespV1.resources.id | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.last_modified | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.modified_by | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.regexp_value | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.value | String | |
| CrowdStrike.responsesSvExclusionRespV1.resources.value_hash | String | |

cs-update-user#


Modify an existing user's first or last name.

Base Command#

cs-update-user

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| user_uuid | ID of a user. Find a user's ID from /users/entities/user/v1. | Required |
| domain_updateuserfields_firstname | | Optional |
| domain_updateuserfields_lastname | | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainUserMetaDataResponse.errors.code | Number | |
| CrowdStrike.domainUserMetaDataResponse.errors.id | String | |
| CrowdStrike.domainUserMetaDataResponse.errors.message | String | |
| CrowdStrike.domainUserMetaDataResponse.resources.customer | String | |
| CrowdStrike.domainUserMetaDataResponse.resources.firstName | String | |
| CrowdStrike.domainUserMetaDataResponse.resources.lastName | String | |
| CrowdStrike.domainUserMetaDataResponse.resources.uid | String | |
| CrowdStrike.domainUserMetaDataResponse.resources.uuid | String | |

cs-update-user-groups#


Update existing User Group(s). User Group ID is expected for each User Group definition provided in request body. User Group member(s) remain unaffected.

Base Command#

cs-update-user-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_usergroupsrequestv1_resources | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainUserGroupsResponseV1.errors.code | Number | |
| CrowdStrike.domainUserGroupsResponseV1.errors.id | String | |
| CrowdStrike.domainUserGroupsResponseV1.errors.message | String | |
| CrowdStrike.domainUserGroupsResponseV1.resources.cid | String | |
| CrowdStrike.domainUserGroupsResponseV1.resources.description | String | |
| CrowdStrike.domainUserGroupsResponseV1.resources.name | String | |
| CrowdStrike.domainUserGroupsResponseV1.resources.user_group_id | String | |

cs-updateaws-account#


Updates the AWS account per the query parameters provided.

Base Command#

cs-updateaws-account

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | AWS Account ID. | Required |
| region | Default Region for Account Automation. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.msaBaseEntitiesResponse.errors.code | Number | |
| CrowdStrike.msaBaseEntitiesResponse.errors.id | String | |
| CrowdStrike.msaBaseEntitiesResponse.errors.message | String | |

cs-updateaws-accounts#


Update AWS Accounts by specifying the ID of the account and details to update.

Base Command#

cs-updateaws-accounts

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| models_updateawsaccountsv1_resources | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.modelsAWSAccountsV1.errors.code | Number | |
| CrowdStrike.modelsAWSAccountsV1.errors.id | String | |
| CrowdStrike.modelsAWSAccountsV1.errors.message | String | |
| CrowdStrike.modelsAWSAccountsV1.resources.alias | String | Alias/Name associated with the account. This is only updated once the account is in a registered state. |
| CrowdStrike.modelsAWSAccountsV1.resources.cid | String | |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudformation_stack_id | String | Unique identifier for the cloudformation stack id used for provisioning. |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudformation_url | String | URL of the CloudFormation template to execute. This is returned when mode is set to 'cloudformation' when provisioning. |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudtrail_bucket_owner_id | String | The 12 digit AWS account which is hosting the S3 bucket containing cloudtrail logs for this account. If this field is set, it takes precedence over the settings level field. |
| CrowdStrike.modelsAWSAccountsV1.resources.cloudtrail_bucket_region | String | Region where the S3 bucket containing cloudtrail logs resides. This is only set if using cloudformation to provision and create the trail. |
| CrowdStrike.modelsAWSAccountsV1.resources.created_timestamp | String | Timestamp of when the account was first provisioned within CrowdStrike's system. |
| CrowdStrike.modelsAWSAccountsV1.resources.external_id | String | ID assigned for use with cross account IAM role access. |
| CrowdStrike.modelsAWSAccountsV1.resources.iam_role_arn | String | The full arn of the IAM role created in this account to control access. |
| CrowdStrike.modelsAWSAccountsV1.resources.id | String | 12 digit AWS provided unique identifier for the account. |
| CrowdStrike.modelsAWSAccountsV1.resources.last_modified_timestamp | String | Timestamp of when the account was last modified. |
| CrowdStrike.modelsAWSAccountsV1.resources.last_scanned_timestamp | String | Timestamp of when the account was scanned. |
| CrowdStrike.modelsAWSAccountsV1.resources.policy_version | String | Current version of permissions associated with IAM role and granted access. |
| CrowdStrike.modelsAWSAccountsV1.resources.provisioning_state | String | Provisioning state of the account. Values can be: initiated, registered, unregistered. |
| CrowdStrike.modelsAWSAccountsV1.resources.rate_limit_reqs | Number | Rate limiting setting to control the maximum number of requests that can be made within the rate_limit_time duration. |
| CrowdStrike.modelsAWSAccountsV1.resources.rate_limit_time | Number | Rate limiting setting to control the number of seconds for which rate_limit_reqs applies. |
| CrowdStrike.modelsAWSAccountsV1.resources.template_version | String | Current version of cloudformation template used to manage access. |

cs-updatecid-groups#


Update existing CID Group(s). CID Group ID is expected for each CID Group definition provided in request body. CID Group member(s) remain unaffected.

Base Command#

cs-updatecid-groups

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_cidgroupsrequestv1_resources | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.domainCIDGroupsResponseV1.errors.code | Number | |
| CrowdStrike.domainCIDGroupsResponseV1.errors.id | String | |
| CrowdStrike.domainCIDGroupsResponseV1.errors.message | String | |
| CrowdStrike.domainCIDGroupsResponseV1.resources.cid | String | |
| CrowdStrike.domainCIDGroupsResponseV1.resources.cid_group_id | String | |
| CrowdStrike.domainCIDGroupsResponseV1.resources.description | String | |
| CrowdStrike.domainCIDGroupsResponseV1.resources.name | String | |

cs-updatecspm-azure-tenant-default-subscriptionid#


Update an Azure default subscription_id in our system for the given tenant_id.

Base Command#

cs-updatecspm-azure-tenant-default-subscriptionid

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tenant_id | Tenant ID to update client ID for. Required if multiple tenants are registered. | Optional |
| subscription_id | Default Subscription ID to patch for all subscriptions belonging to a tenant. | Required |

Context Output#

There is no context output for this command.

cs-updatecspm-policy-settings#


Updates a policy setting - can be used to override policy severity or to disable a policy entirely.

Base Command#

cs-updatecspm-policy-settings

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| registration_policyrequestextv1_resources | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.registrationPolicySettingsResponseV1.errors.code | Number | |
| CrowdStrike.registrationPolicySettingsResponseV1.errors.id | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.errors.message | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cid | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cis_benchmark.benchmark_short | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cis_benchmark.id | Number | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cis_benchmark.recommendation_number | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cloud_service | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.cloud_service_subtype | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.default_severity | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.name | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.nist_benchmark.benchmark_short | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.nist_benchmark.id | Number | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.nist_benchmark.recommendation_number | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.pci_benchmark.benchmark_short | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.pci_benchmark.id | Number | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.pci_benchmark.recommendation_number | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_id | Number | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_settings.account_id | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_settings.enabled | Boolean | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_settings.severity | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_settings.tag_excluded | Boolean | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_settings.tenant_id | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_timestamp | String | |
| CrowdStrike.registrationPolicySettingsResponseV1.resources.policy_type | String | |

cs-updatecspm-scan-schedule#


Updates scan schedule configuration for one or more cloud platforms.

Base Command#

cs-updatecspm-scan-schedule

Input#

Argument NameDescriptionRequired
registration_scanscheduleupdaterequestv1_resourcesRequired

Context Output#

PathTypeDescription
CrowdStrike.registrationScanScheduleResponseV1.errors.codeNumber
CrowdStrike.registrationScanScheduleResponseV1.errors.idString
CrowdStrike.registrationScanScheduleResponseV1.errors.messageString
CrowdStrike.registrationScanScheduleResponseV1.resources.cloud_platformString
CrowdStrike.registrationScanScheduleResponseV1.resources.next_scan_timestampString
CrowdStrike.registrationScanScheduleResponseV1.resources.scan_scheduleString

cs-updateioa-exclusionsv1#


Update the IOA exclusions.

Base Command#

cs-updateioa-exclusionsv1

Input#

Argument NameDescriptionRequired
requests_ioaexclusionupdatereqv1_cl_regexRequired
requests_ioaexclusionupdatereqv1_commentOptional
requests_ioaexclusionupdatereqv1_descriptionRequired
requests_ioaexclusionupdatereqv1_detection_jsonRequired
requests_ioaexclusionupdatereqv1_groupsRequired
requests_ioaexclusionupdatereqv1_idRequired
requests_ioaexclusionupdatereqv1_ifn_regexRequired
requests_ioaexclusionupdatereqv1_nameRequired
requests_ioaexclusionupdatereqv1_pattern_idRequired
requests_ioaexclusionupdatereqv1_pattern_nameRequired

Context Output#

PathTypeDescription
CrowdStrike.responsesIoaExclusionRespV1.errors.codeNumber
CrowdStrike.responsesIoaExclusionRespV1.errors.idString
CrowdStrike.responsesIoaExclusionRespV1.errors.messageString
CrowdStrike.responsesIoaExclusionRespV1.resources.applied_globallyBoolean
CrowdStrike.responsesIoaExclusionRespV1.resources.cl_regexString
CrowdStrike.responsesIoaExclusionRespV1.resources.created_byString
CrowdStrike.responsesIoaExclusionRespV1.resources.created_onString
CrowdStrike.responsesIoaExclusionRespV1.resources.descriptionString
CrowdStrike.responsesIoaExclusionRespV1.resources.detection_jsonString
CrowdStrike.responsesIoaExclusionRespV1.resources.groups.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesIoaExclusionRespV1.resources.groups.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesIoaExclusionRespV1.resources.groups.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesIoaExclusionRespV1.resources.groups.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesIoaExclusionRespV1.resources.groups.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesIoaExclusionRespV1.resources.groups.idStringThe identifier of this host group.
CrowdStrike.responsesIoaExclusionRespV1.resources.groups.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesIoaExclusionRespV1.resources.groups.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesIoaExclusionRespV1.resources.groups.nameStringThe name of the group.
CrowdStrike.responsesIoaExclusionRespV1.resources.idString
CrowdStrike.responsesIoaExclusionRespV1.resources.ifn_regexString
CrowdStrike.responsesIoaExclusionRespV1.resources.last_modifiedString
CrowdStrike.responsesIoaExclusionRespV1.resources.modified_byString
CrowdStrike.responsesIoaExclusionRespV1.resources.nameString
CrowdStrike.responsesIoaExclusionRespV1.resources.pattern_idString
CrowdStrike.responsesIoaExclusionRespV1.resources.pattern_nameString

cs-updateioc#


DEPRECATED: Use the new IOC Management endpoint (PATCH /iocs/entities/indicators/v1). Update an IOC by providing a type and value.

Base Command#

cs-updateioc

Input#

Argument NameDescriptionRequired
api_iocviewrecord_batch_idOptional
api_iocviewrecord_created_byOptional
api_iocviewrecord_created_timestampOptional
api_iocviewrecord_descriptionOptional
api_iocviewrecord_expiration_daysOptional
api_iocviewrecord_expiration_timestampOptional
api_iocviewrecord_modified_byOptional
api_iocviewrecord_modified_timestampOptional
api_iocviewrecord_policyOptional
api_iocviewrecord_share_levelOptional
api_iocviewrecord_sourceOptional
api_iocviewrecord_typeOptional
api_iocviewrecord_valueOptional
type_The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length - min: 64, max: 64. md5: A hex-encoded md5 hash string. Length - min: 32, max: 32. domain: A domain name. Length - min: 1, max: 200. ipv4: An IPv4 address. Must be a valid IP address. ipv6: An IPv6 address. Must be a valid IP address.Required
valueThe string representation of the indicator.Required

Context Output#

PathTypeDescription
CrowdStrike.apiMsaReplyIOC.errors.codeNumber
CrowdStrike.apiMsaReplyIOC.errors.idString
CrowdStrike.apiMsaReplyIOC.errors.messageString
CrowdStrike.apiMsaReplyIOC.resources.batch_idString
CrowdStrike.apiMsaReplyIOC.resources.created_byString
CrowdStrike.apiMsaReplyIOC.resources.created_timestampString
CrowdStrike.apiMsaReplyIOC.resources.descriptionString
CrowdStrike.apiMsaReplyIOC.resources.expiration_daysNumber
CrowdStrike.apiMsaReplyIOC.resources.expiration_timestampString
CrowdStrike.apiMsaReplyIOC.resources.modified_byString
CrowdStrike.apiMsaReplyIOC.resources.modified_timestampString
CrowdStrike.apiMsaReplyIOC.resources.policyString
CrowdStrike.apiMsaReplyIOC.resources.share_levelString
CrowdStrike.apiMsaReplyIOC.resources.sourceString
CrowdStrike.apiMsaReplyIOC.resources.typeString
CrowdStrike.apiMsaReplyIOC.resources.valueString

cs-updateml-exclusionsv1#


Update the ML exclusions.

Base Command#

cs-updateml-exclusionsv1

Input#

Argument NameDescriptionRequired
requests_svexclusionupdatereqv1_commentOptional
requests_svexclusionupdatereqv1_groupsOptional
requests_svexclusionupdatereqv1_idRequired
requests_svexclusionupdatereqv1_valueOptional

Context Output#

PathTypeDescription
CrowdStrike.responsesMlExclusionRespV1.errors.codeNumber
CrowdStrike.responsesMlExclusionRespV1.errors.idString
CrowdStrike.responsesMlExclusionRespV1.errors.messageString
CrowdStrike.responsesMlExclusionRespV1.resources.applied_globallyBoolean
CrowdStrike.responsesMlExclusionRespV1.resources.created_byString
CrowdStrike.responsesMlExclusionRespV1.resources.created_onString
CrowdStrike.responsesMlExclusionRespV1.resources.groups.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.idStringThe identifier of this host group.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesMlExclusionRespV1.resources.groups.nameStringThe name of the group.
CrowdStrike.responsesMlExclusionRespV1.resources.idString
CrowdStrike.responsesMlExclusionRespV1.resources.last_modifiedString
CrowdStrike.responsesMlExclusionRespV1.resources.modified_byString
CrowdStrike.responsesMlExclusionRespV1.resources.regexp_valueString
CrowdStrike.responsesMlExclusionRespV1.resources.valueString
CrowdStrike.responsesMlExclusionRespV1.resources.value_hashString

cs-updatepolicycontainer#


Update an identified policy container.

Base Command#

cs-updatepolicycontainer

Input#

Argument NameDescriptionRequired
X_CS_USERNAMEThe user id.Required
fwmgr_api_policycontainerupsertrequestv1_default_inboundRequired
fwmgr_api_policycontainerupsertrequestv1_default_outboundRequired
fwmgr_api_policycontainerupsertrequestv1_enforceRequired
fwmgr_api_policycontainerupsertrequestv1_is_default_policyOptional
fwmgr_api_policycontainerupsertrequestv1_platform_idRequired
fwmgr_api_policycontainerupsertrequestv1_policy_idRequired
fwmgr_api_policycontainerupsertrequestv1_rule_group_idsRequired
fwmgr_api_policycontainerupsertrequestv1_test_modeRequired
fwmgr_api_policycontainerupsertrequestv1_trackingOptional

Context Output#

PathTypeDescription
CrowdStrike.fwmgrmsaReplyMetaOnly.errors.codeNumber
CrowdStrike.fwmgrmsaReplyMetaOnly.errors.idString
CrowdStrike.fwmgrmsaReplyMetaOnly.errors.messageString

cs-updatert-response-policies#


Update Response Policies by specifying the ID of the policy and details to update.

Base Command#

cs-updatert-response-policies

Input#

Argument NameDescriptionRequired
requests_updatertresponsepoliciesv1_resourcesA collection of policies to update.Required

Context Output#

PathTypeDescription
CrowdStrike.responsesRTResponsePoliciesV1.errors.codeNumber
CrowdStrike.responsesRTResponsePoliciesV1.errors.idString
CrowdStrike.responsesRTResponsePoliciesV1.errors.messageString
CrowdStrike.responsesRTResponsePoliciesV1.resources.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesRTResponsePoliciesV1.resources.descriptionStringThe description of a policy. Use this field to provide a high level summary of what this policy enforces.
CrowdStrike.responsesRTResponsePoliciesV1.resources.enabledBooleanIf a policy is enabled it will be used during the course of policy evaluation.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.assignment_ruleStringThe assignment rule of a group.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.created_byStringThe email of the user which created the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.created_timestampStringThe time at which the policy was created.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.descriptionStringAn additional description of the group or the devices it targets.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.group_typeStringThe method by which this host group is managed.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.idStringThe identifier of this host group.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesRTResponsePoliciesV1.resources.groups.nameStringThe name of the group.
CrowdStrike.responsesRTResponsePoliciesV1.resources.idStringThe unique id of the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.modified_byStringThe email of the user which last modified the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.modified_timestampStringThe time at which the policy was last modified.
CrowdStrike.responsesRTResponsePoliciesV1.resources.nameStringThe human readable name of the policy.
CrowdStrike.responsesRTResponsePoliciesV1.resources.platform_nameStringThe name of the platform.
CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.nameStringThe name of the category.
CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.descriptionStringThe human readable description of the setting.
CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.idStringThe id of the setting.
CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.nameStringThe name of the setting.
CrowdStrike.responsesRTResponsePoliciesV1.resources.settings.settings.typeStringThe type of the setting which can be used as a hint when displaying in the UI.

cs-updaterulegroup#


Update name, description, or enabled status of a rule group, or create, edit, delete, or reorder rules.

Base Command#

cs-updaterulegroup

Input#

Argument NameDescriptionRequired
X_CS_USERNAMEThe user id.Required
commentAudit log comment for this action.Optional
fwmgr_api_rulegroupmodifyrequestv1_diff_operationsRequired
fwmgr_api_rulegroupmodifyrequestv1_diff_typeRequired
fwmgr_api_rulegroupmodifyrequestv1_idRequired
fwmgr_api_rulegroupmodifyrequestv1_rule_idsRequired
fwmgr_api_rulegroupmodifyrequestv1_rule_versionsRequired
fwmgr_api_rulegroupmodifyrequestv1_trackingRequired

Context Output#

PathTypeDescription
CrowdStrike.fwmgrapiQueryResponse.errors.codeNumber
CrowdStrike.fwmgrapiQueryResponse.errors.idString
CrowdStrike.fwmgrapiQueryResponse.errors.messageString

cs-updaterulegroup-mixin0#


Update a rule group. The following properties can be modified: name, description, enabled.

Base Command#

cs-updaterulegroup-mixin0

Input#

Argument NameDescriptionRequired
api_rulegroupmodifyrequestv1_commentRequired
api_rulegroupmodifyrequestv1_descriptionRequired
api_rulegroupmodifyrequestv1_enabledRequired
api_rulegroupmodifyrequestv1_idRequired
api_rulegroupmodifyrequestv1_nameRequired
api_rulegroupmodifyrequestv1_rulegroup_versionRequired

Context Output#

PathTypeDescription
CrowdStrike.apiRuleGroupsResponse.errors.codeNumber
CrowdStrike.apiRuleGroupsResponse.errors.idString
CrowdStrike.apiRuleGroupsResponse.errors.messageString
CrowdStrike.apiRuleGroupsResponse.resources.commentString
CrowdStrike.apiRuleGroupsResponse.resources.committed_onString
CrowdStrike.apiRuleGroupsResponse.resources.created_byString
CrowdStrike.apiRuleGroupsResponse.resources.created_onString
CrowdStrike.apiRuleGroupsResponse.resources.customer_idString
CrowdStrike.apiRuleGroupsResponse.resources.deletedBoolean
CrowdStrike.apiRuleGroupsResponse.resources.descriptionString
CrowdStrike.apiRuleGroupsResponse.resources.enabledBoolean
CrowdStrike.apiRuleGroupsResponse.resources.idString
CrowdStrike.apiRuleGroupsResponse.resources.modified_byString
CrowdStrike.apiRuleGroupsResponse.resources.modified_onString
CrowdStrike.apiRuleGroupsResponse.resources.nameString
CrowdStrike.apiRuleGroupsResponse.resources.platformString
CrowdStrike.apiRuleGroupsResponse.resources.rules.action_labelString
CrowdStrike.apiRuleGroupsResponse.resources.rules.commentString
CrowdStrike.apiRuleGroupsResponse.resources.rules.committed_onString
CrowdStrike.apiRuleGroupsResponse.resources.rules.created_byString
CrowdStrike.apiRuleGroupsResponse.resources.rules.created_onString
CrowdStrike.apiRuleGroupsResponse.resources.rules.customer_idString
CrowdStrike.apiRuleGroupsResponse.resources.rules.deletedBoolean
CrowdStrike.apiRuleGroupsResponse.resources.rules.descriptionString
CrowdStrike.apiRuleGroupsResponse.resources.rules.disposition_idNumber
CrowdStrike.apiRuleGroupsResponse.resources.rules.enabledBoolean
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.final_valueString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.labelString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.nameString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.typeString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.valueString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.values.labelString
CrowdStrike.apiRuleGroupsResponse.resources.rules.field_values.values.valueString
CrowdStrike.apiRuleGroupsResponse.resources.rules.instance_idString
CrowdStrike.apiRuleGroupsResponse.resources.rules.instance_versionNumber
CrowdStrike.apiRuleGroupsResponse.resources.rules.magic_cookieNumber
CrowdStrike.apiRuleGroupsResponse.resources.rules.modified_byString
CrowdStrike.apiRuleGroupsResponse.resources.rules.modified_onString
CrowdStrike.apiRuleGroupsResponse.resources.rules.nameString
CrowdStrike.apiRuleGroupsResponse.resources.rules.pattern_idString
CrowdStrike.apiRuleGroupsResponse.resources.rules.pattern_severityString
CrowdStrike.apiRuleGroupsResponse.resources.rules.rulegroup_idString
CrowdStrike.apiRuleGroupsResponse.resources.rules.ruletype_idString
CrowdStrike.apiRuleGroupsResponse.resources.rules.ruletype_nameString
CrowdStrike.apiRuleGroupsResponse.resources.versionNumber

cs-updaterules#


Update rules within a rule group. Return the updated rules.

Base Command#

cs-updaterules

Input#

Argument NameDescriptionRequired
api_ruleupdatesrequestv1_commentRequired
api_ruleupdatesrequestv1_rule_updatesRequired
api_ruleupdatesrequestv1_rulegroup_idRequired
api_ruleupdatesrequestv1_rulegroup_versionRequired

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiRulesResponse.errors.code | Number | |
| CrowdStrike.apiRulesResponse.errors.id | String | |
| CrowdStrike.apiRulesResponse.errors.message | String | |
| CrowdStrike.apiRulesResponse.resources.action_label | String | |
| CrowdStrike.apiRulesResponse.resources.comment | String | |
| CrowdStrike.apiRulesResponse.resources.committed_on | String | |
| CrowdStrike.apiRulesResponse.resources.created_by | String | |
| CrowdStrike.apiRulesResponse.resources.created_on | String | |
| CrowdStrike.apiRulesResponse.resources.customer_id | String | |
| CrowdStrike.apiRulesResponse.resources.deleted | Boolean | |
| CrowdStrike.apiRulesResponse.resources.description | String | |
| CrowdStrike.apiRulesResponse.resources.disposition_id | Number | |
| CrowdStrike.apiRulesResponse.resources.enabled | Boolean | |
| CrowdStrike.apiRulesResponse.resources.field_values.final_value | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.label | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.name | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.type | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.value | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.values.label | String | |
| CrowdStrike.apiRulesResponse.resources.field_values.values.value | String | |
| CrowdStrike.apiRulesResponse.resources.instance_id | String | |
| CrowdStrike.apiRulesResponse.resources.instance_version | Number | |
| CrowdStrike.apiRulesResponse.resources.magic_cookie | Number | |
| CrowdStrike.apiRulesResponse.resources.modified_by | String | |
| CrowdStrike.apiRulesResponse.resources.modified_on | String | |
| CrowdStrike.apiRulesResponse.resources.name | String | |
| CrowdStrike.apiRulesResponse.resources.pattern_id | String | |
| CrowdStrike.apiRulesResponse.resources.pattern_severity | String | |
| CrowdStrike.apiRulesResponse.resources.rulegroup_id | String | |
| CrowdStrike.apiRulesResponse.resources.ruletype_id | String | |
| CrowdStrike.apiRulesResponse.resources.ruletype_name | String | |

cs-upload-samplev2#


Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.

Base Command#

cs-upload-samplev2

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| X_CS_USERUUID | User UUID. | Optional |
| body | Content of the uploaded sample in binary format. For example, use --data-binary @$FILE_PATH when using cURL. Max file size: 100 MB. Accepted file formats: Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc.; Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub; PDF; APK; Executable JAR; Windows script component: .sct; Windows shortcut: .lnk; Windows help: .chm; HTML application: .hta; Windows script file: .wsf; JavaScript: .js; Visual Basic: .vbs, .vbe; Shockwave Flash: .swf; Perl: .pl; PowerShell: .ps1, .psd1, .psm1; Scalable vector graphics: .svg; Python: .py; Linux ELF executables; Email files: MIME RFC 822 .eml, Outlook .msg. | Required |
| upfile | The binary file. | Required |
| file_name | Name of the file. | Required |
| comment | A descriptive comment to identify the file for other users. | Optional |
| is_confidential | Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console. true: File is only shown to users within your customer account. false: File can be seen by other CrowdStrike customers. Default: true. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.samplestoreSampleMetadataResponseV2.errors.code | Number | |
| CrowdStrike.samplestoreSampleMetadataResponseV2.errors.id | String | |
| CrowdStrike.samplestoreSampleMetadataResponseV2.errors.message | String | |
| CrowdStrike.samplestoreSampleMetadataResponseV2.resources.file_name | String | |
| CrowdStrike.samplestoreSampleMetadataResponseV2.resources.sha256 | String | |

cs-upload-samplev3#


Upload a file for further cloud analysis. After uploading, call the specific analysis API endpoint.

Base Command#

cs-upload-samplev3

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| X_CS_USERUUID | User UUID. | Optional |
| body | Content of the uploaded sample in binary format. For example, use --data-binary @$FILE_PATH when using cURL. Max file size: 100 MB. Accepted file formats: Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc.; Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub; PDF; APK; Executable JAR; Windows script component: .sct; Windows shortcut: .lnk; Windows help: .chm; HTML application: .hta; Windows script file: .wsf; JavaScript: .js; Visual Basic: .vbs, .vbe; Shockwave Flash: .swf; Perl: .pl; PowerShell: .ps1, .psd1, .psm1; Scalable vector graphics: .svg; Python: .py; Linux ELF executables; Email files: MIME RFC 822 .eml, Outlook .msg. | Required |
| upfile | The binary file. | Required |
| file_name | Name of the file. | Required |
| comment | A descriptive comment to identify the file for other users. | Optional |
| is_confidential | Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console. true: File is only shown to users within your customer account. false: File can be seen by other CrowdStrike customers. Default: true. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.samplestoreSampleMetadataResponseV2.errors.code | Number | |
| CrowdStrike.samplestoreSampleMetadataResponseV2.errors.id | String | |
| CrowdStrike.samplestoreSampleMetadataResponseV2.errors.message | String | |
| CrowdStrike.samplestoreSampleMetadataResponseV2.resources.file_name | String | |
| CrowdStrike.samplestoreSampleMetadataResponseV2.resources.sha256 | String | |

cs-validate#


Validates field values and checks for matches if a test string is provided.

Base Command#

cs-validate

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| api_validationrequestv1_fields | | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.apiValidationResponseV1.errors.code | Number | |
| CrowdStrike.apiValidationResponseV1.errors.id | String | |
| CrowdStrike.apiValidationResponseV1.errors.message | String | |
| CrowdStrike.apiValidationResponseV1.resources.bytes | String | |
| CrowdStrike.apiValidationResponseV1.resources.error | String | |
| CrowdStrike.apiValidationResponseV1.resources.matches_test | Boolean | |
| CrowdStrike.apiValidationResponseV1.resources.name | String | |
| CrowdStrike.apiValidationResponseV1.resources.test_data | String | |
| CrowdStrike.apiValidationResponseV1.resources.valid | Boolean | |
| CrowdStrike.apiValidationResponseV1.resources.value | String | |

cs-verifyaws-account-access#


Performs an Access Verification check on the specified AWS Account IDs.

Base Command#

cs-verifyaws-account-access

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | IDs of accounts to verify access on. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.modelsVerifyAccessResponseV1.errors.code | Number | |
| CrowdStrike.modelsVerifyAccessResponseV1.errors.id | String | |
| CrowdStrike.modelsVerifyAccessResponseV1.errors.message | String | |
| CrowdStrike.modelsVerifyAccessResponseV1.resources.id | String | |
| CrowdStrike.modelsVerifyAccessResponseV1.resources.reason | String | |
| CrowdStrike.modelsVerifyAccessResponseV1.resources.successful | Boolean | |

cs-get-device-login-history#


Retrieve details about recent login sessions for a set of devices.

Base Command#

cs-get-device-login-history

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | IDs of devices to get the login history for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.deviceHistoryLogin.errors.code | Number | |
| CrowdStrike.deviceHistoryLogin.errors.id | String | |
| CrowdStrike.deviceHistoryLogin.errors.message | String | |
| CrowdStrike.deviceHistoryLogin.resources.device_id | String | |
| CrowdStrike.deviceHistoryLogin.resources.recent_logins.login_time | String | |
| CrowdStrike.deviceHistoryLogin.resources.recent_logins.user_name | String | |
| CrowdStrike.deviceHistoryLogin.meta.powered_by | String | |
| CrowdStrike.deviceHistoryLogin.meta.trace_id | String | |
| CrowdStrike.deviceHistoryLogin.meta.query_time | Number | |
| CrowdStrike.deviceHistoryLogin.meta.writes | Unknown | |

cs-get-device-network-history#


Retrieve history of IP and MAC addresses of devices.

Base Command#

cs-get-device-network-history

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | IDs of devices to get the network address history for. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.deviceNetworkHistory.error.code | Number | |
| CrowdStrike.deviceNetworkHistory.errors.id | String | |
| CrowdStrike.deviceNetworkHistory.errors.message | String | |
| CrowdStrike.deviceNetworkHistory.meta.powered_by | String | |
| CrowdStrike.deviceNetworkHistory.meta.trace_id | String | |
| CrowdStrike.deviceNetworkHistory.meta.query_time | Number | |
| CrowdStrike.deviceNetworkHistory.meta.writes | Unknown | |
| CrowdStrike.deviceNetworkHistory.resources.device_id | String | |
| CrowdStrike.deviceNetworkHistory.resources.cid | String | |
| CrowdStrike.deviceNetworkHistory.resources.history.ip_address | String | |
| CrowdStrike.deviceNetworkHistory.resources.history.mac_address | String | |
| CrowdStrike.deviceNetworkHistory.resources.history.timestamp | String | |