# CrowdStrike Falcon

This Integration is part of the CrowdStrike Falcon Pack.

The CrowdStrike Falcon OAuth 2 API integration (formerly Falcon Firehose API) enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.
## Configure CrowdStrike Falcon on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for CrowdStrike Falcon.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
Server URL (e.g., https://api.crowdstrike.com) |  | True |
Client ID |  | True |
Secret |  | True |
First fetch timestamp (`<number> <time unit>`, e.g., 12 hours, 7 days) |  | False |
Max incidents per fetch |  | False |
Detections fetch query |  | False |
Incidents fetch query |  | False |
Fetch incidents |  | False |
Incident type |  | False |
Mirroring Direction | Choose the direction to mirror the detection: Incoming (from CrowdStrike Falcon to XSOAR), Outgoing (from XSOAR to CrowdStrike Falcon), or Incoming and Outgoing (to/from CrowdStrike Falcon and XSOAR). | False |
Trust any certificate (not secure) |  | False |
Use system proxy settings |  | False |
Close Mirrored XSOAR Incident | When selected, closes the CrowdStrike Falcon incident or detection, which is mirrored in Cortex XSOAR. | False |
Close Mirrored CrowdStrike Falcon Incident or Detection | When selected, closes the XSOAR incident, which is mirrored in CrowdStrike Falcon. | False |
Fetch types | Choose what to fetch - incidents, detections, or both. | False |
Advanced: Minutes to look back when fetching | Use this parameter to determine how far back to look in the search for incidents that were created before the last run time and did not match the query when they were created. | False |

4. Click Test to validate the URLs, token, and connection.
## Required API client scope

In order to use the CrowdStrike Falcon integration, your API client must be provisioned with the following scope and permissions:
- Real Time Response - Read and Write
- Alerts - Read and Write
- IOC Manager - Read and Write
- IOCs - Read and Write
- IOA Exclusions - Read and Write
- Machine Learning Exclusions - Read and Write
- Detections - Read and Write
- Hosts - Read and Write
- Host Groups - Read and Write
- Incidents - Read and Write
- Spotlight Vulnerabilities - Read
- User Management - Read
- On-Demand Scans (ODS) - Read and Write
- Identity Protection Entities - Read and Write
- Identity Protection Detections - Read and Write
- Identity Protection Timeline - Read
- Identity Protection Assessment - Read
## Incident Mirroring

You can enable incident mirroring between Cortex XSOAR incidents and CrowdStrike Falcon incidents or detections (available from Cortex XSOAR version 6.0.0).
To set up the mirroring, follow these instructions:
1. Navigate to Settings > Integrations > Servers & Services.
2. Search for CrowdStrike Falcon and select your integration instance.
3. Enable Fetches incidents.
4. In the Fetch types integration parameter, select what to mirror - incidents, detections, or both.
5. Optional: You can go to the Incidents fetch query or Detections fetch query parameter and select the query to fetch the incidents or detections from CrowdStrike Falcon.
6. In the Mirroring Direction integration parameter, select in which direction the incidents should be mirrored:
   - Incoming - Any changes in CrowdStrike Falcon incidents (`state`, `status`, `tactics`, `techniques`, `objectives`, `tags`, `hosts.hostname`) or detections (`status`, `severity`, `behaviors.tactic`, `behaviors.scenario`, `behaviors.objective`, `behaviors.technique`, `device.hostname`) will be reflected in XSOAR incidents.
   - Outgoing - Any changes in XSOAR incidents will be reflected in CrowdStrike Falcon incidents (`tags`, `status`) or detections (`status`).
   - Incoming And Outgoing - Changes in XSOAR incidents and CrowdStrike Falcon incidents or detections will be reflected in both directions.
   - None - Turns off incident mirroring.
7. Optional: Check the Close Mirrored XSOAR Incident integration parameter to close the Cortex XSOAR incident when the corresponding incident or detection is closed in CrowdStrike Falcon.
8. Optional: Check the Close Mirrored CrowdStrike Falcon Incident or Detection integration parameter to close the CrowdStrike Falcon incident or detection when the corresponding Cortex XSOAR incident is closed.

Newly fetched incidents or detections will be mirrored in the chosen direction. However, this selection does not affect existing incidents.
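The direction rules above (which fields travel in which direction, tags only ever being added from the remote side, and the `status` field deciding closure) can be modelled as a small allow-list filter. The following is an added example, not code from the CrowdStrike Falcon pack: it assumes a remote change arrives as a flat dict keyed by the dotted field names listed above, that a local incident is a plain dict, and that the remote `status` value marking closure is the string `"closed"` (the page names only the field, not the value).

```python
"""Allow-list model of the mirroring directions described in the README.

Added example, not the pack's own code. Assumptions (not from the page):
remote changes are flat dicts keyed by the README's dotted field names, the
local incident is a plain dict, and CLOSED_STATUS is the remote status value
that means "closed".
"""
from typing import Dict, Set

# Fields the README lists as mirrored, per object type and direction.
INCOMING_INCIDENT_FIELDS: Set[str] = {
    "state", "status", "tactics", "techniques", "objectives", "tags", "hosts.hostname",
}
INCOMING_DETECTION_FIELDS: Set[str] = {
    "status", "severity", "behaviors.tactic", "behaviors.scenario",
    "behaviors.objective", "behaviors.technique", "device.hostname",
}
OUTGOING_INCIDENT_FIELDS: Set[str] = {"tags", "status"}
OUTGOING_DETECTION_FIELDS: Set[str] = {"status"}

DIRECTIONS = {"None", "Incoming", "Outgoing", "Incoming And Outgoing"}
CLOSED_STATUS = "closed"  # assumed value; the README only names the `status` field


def _allowed(direction: str, object_type: str, incoming: bool) -> Set[str]:
    """Fields permitted to cross in one direction for an incident or detection."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown mirroring direction: {direction!r}")
    if object_type not in ("incident", "detection"):
        raise ValueError(f"unknown object type: {object_type!r}")
    if incoming and direction in ("Incoming", "Incoming And Outgoing"):
        return INCOMING_INCIDENT_FIELDS if object_type == "incident" else INCOMING_DETECTION_FIELDS
    if not incoming and direction in ("Outgoing", "Incoming And Outgoing"):
        return OUTGOING_INCIDENT_FIELDS if object_type == "incident" else OUTGOING_DETECTION_FIELDS
    return set()


def apply_incoming_change(local: Dict, remote_delta: Dict, object_type: str,
                          direction: str, close_mirrored_xsoar: bool) -> Dict:
    """Return the updated local incident after a change arrived from Falcon.

    Only allow-listed fields are copied. Tags are merged as a set union, never
    removed, because the README says tags can only be added from the remote
    system. The local incident is marked closed only when the Close Mirrored
    XSOAR Incident parameter is on and the remote `status` field says closed.
    """
    updated = dict(local)  # never mutate the caller's incident
    allowed = _allowed(direction, object_type, incoming=True)
    for field in allowed & set(remote_delta):
        if field == "tags":
            updated["tags"] = sorted(set(updated.get("tags", [])) | set(remote_delta["tags"]))
        else:
            updated[field] = remote_delta[field]
    if (close_mirrored_xsoar and "status" in allowed
            and remote_delta.get("status") == CLOSED_STATUS):
        updated["closed"] = True  # assumed local closure marker
    return updated


def outgoing_update(local_delta: Dict, object_type: str, direction: str) -> Dict:
    """Return the subset of a local change that may be pushed to Falcon."""
    allowed = _allowed(direction, object_type, incoming=False)
    return {k: v for k, v in local_delta.items() if k in allowed}
```

Note that `severity` is in the detection list but not the incident list, so a remote severity change on an incident is dropped, and an `Outgoing` instance ignores remote changes entirely; both are exactly what the direction table implies.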
### Important Notes
- To ensure the mirroring works as expected, mappers are required, both for incoming and outgoing, to map the expected fields in Cortex XSOAR and CrowdStrike Falcon.
- When mirroring in incidents from CrowdStrike Falcon to Cortex XSOAR:
  - For the `tags` field, tags can only be added from the remote system.
  - When enabling the Close Mirrored XSOAR Incident integration parameter, the field in CrowdStrike Falcon that determines whether the incident was closed is the `status` field.
- If the look-back parameter was set to some value while incidents were being fetched and is later increased to a larger value, the first fetch after the change will return duplicate incidents. If the integration was already configured with a look-back greater than 0 and that value is never increased, these duplicates do not occur.
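The duplicate-incident note above follows from how a look-back fetch remembers what it has already returned. The simulation below is an added example, not the pack's fetch code: it assumes a last-run record of the shape `{"last_fetch", "found_ids"}` where `found_ids` holds the IDs seen inside the current look-back window and is pruned to that window on every run. Incidents, timestamps and the query stand-in are constructed for the example. With a constant look-back the remembered IDs filter out every repeat; raising the look-back re-opens a time range whose IDs were already pruned, and the incidents there come back a second time.

```python
"""Simulation of fetch-incidents with a look-back window (added example, not
the pack's own fetch code). Incident records, the clock and the query stand-in
are constructed; the last-run layout is an assumption for the example."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple


def ts(minute: int) -> datetime:
    """Constructed clock: minute offsets from a fixed epoch."""
    return datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(minutes=minute)


# Constructed incident store; "created" is when Falcon created the incident.
STORE: List[Dict] = [
    {"id": "A", "created": ts(2)},
    {"id": "B", "created": ts(12)},
    {"id": "C", "created": ts(18)},
    {"id": "D", "created": ts(27)},
]


def query(store: List[Dict], since: datetime, until: datetime) -> List[Dict]:
    """Stand-in for the Falcon query: incidents created within [since, until]."""
    return [i for i in store if since <= i["created"] <= until]


def fetch(store: List[Dict], last_run: Dict, now: datetime,
          look_back_minutes: int, first_fetch: datetime) -> Tuple[List[Dict], Dict]:
    """One fetch cycle.

    last_run = {"last_fetch": datetime, "found_ids": [str]}. The query window
    starts look_back_minutes before the previous fetch time; found_ids is then
    rewritten to the IDs inside the *current* window, which is why a later
    increase of the look-back cannot be de-duplicated from this state alone.
    """
    last_fetch = last_run.get("last_fetch", first_fetch)
    window_start = last_fetch - timedelta(minutes=look_back_minutes)
    candidates = query(store, window_start, now)
    seen = set(last_run.get("found_ids", []))
    new = [i for i in candidates if i["id"] not in seen]
    next_run = {"last_fetch": now, "found_ids": [i["id"] for i in candidates]}
    return new, next_run


def simulate(store: List[Dict], schedule: List[Tuple[datetime, int]],
             first_fetch: datetime = ts(0)) -> List[List[str]]:
    """Run the schedule of (now, look_back_minutes) and return IDs fetched per run."""
    last_run: Dict = {}
    fetched: List[List[str]] = []
    for now, look_back in schedule:
        new, last_run = fetch(store, last_run, now, look_back, first_fetch)
        fetched.append([i["id"] for i in new])
    return fetched


def duplicates(runs: List[List[str]]) -> Set[str]:
    """IDs that were returned by more than one run."""
    seen: Set[str] = set()
    dupes: Set[str] = set()
    for run in runs:
        for incident_id in run:
            if incident_id in seen:
                dupes.add(incident_id)
            seen.add(incident_id)
    return dupes


if __name__ == "__main__":
    steady = simulate(STORE, [(ts(10), 5), (ts(20), 5), (ts(30), 5)])
    grown = simulate(STORE, [(ts(10), 5), (ts(20), 5), (ts(30), 25)])
    print("constant look-back:", steady, "duplicates:", duplicates(steady))
    print("look-back raised  :", grown, "duplicates:", duplicates(grown))
```

In the constructed timeline, incident A (created at minute 2) is fetched in the first run, dropped from `found_ids` once the window moves past it, and returned again on the third run only when the look-back grows from 5 to 25 minutes; the steady schedule never repeats an ID.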
### 1. Search for a device
Searches for devices that match the query.

##### Base Command
`cs-falcon-search-device`

##### Input
Argument Name | Description | Required |
---|---|---|
filter | The query by which to filter the device. | Optional |
ids | A comma-separated list of device IDs by which to limit the results. | Optional |
status | The status of the device. Possible values are: "Normal", "containment_pending", "contained", and "lift_containment_pending". | Optional |
hostname | The host name of the device. | Optional |
platform_name | The platform name of the device. Possible values are: "Windows","Mac", and "Linux". | Optional |
site_name | The site name of the device. | Optional |
extended_data | Whether or not to get additional data about the device. Possible values are: "Yes", "No". | Optional |
##### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Device.ID | String | The ID of the device. |
CrowdStrike.Device.LocalIP | String | The local IP address of the device. |
CrowdStrike.Device.ExternalIP | String | The external IP address of the device. |
CrowdStrike.Device.Hostname | String | The host name of the device. |
CrowdStrike.Device.OS | String | The operating system of the device. |
CrowdStrike.Device.MacAddress | String | The MAC address of the device. |
CrowdStrike.Device.FirstSeen | String | The first time the device was seen. |
CrowdStrike.Device.LastSeen | String | The last time the device was seen. |
CrowdStrike.Device.PolicyType | String | The policy type of the device. |
CrowdStrike.Device.Status | String | The device status which might be Online, Offline or Unknown. |
Endpoint.Hostname | String | The endpoint's hostname. |
Endpoint.OS | String | The endpoint's operation system. |
Endpoint.OSVersion | String | The endpoint's operation system version. |
Endpoint.IPAddress | String | The endpoint's IP address. |
Endpoint.ID | String | The endpoint's ID. |
Endpoint.Status | String | The endpoint's status. |
Endpoint.IsIsolated | String | The endpoint's isolation status. |
Endpoint.MACAddress | String | The endpoint's MAC address. |
Endpoint.Vendor | String | The integration name of the endpoint vendor. |
##### Command Example
`!cs-falcon-search-device ids=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1,a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1`

##### Human Readable Output
### Devices
ID | Hostname | OS | Mac Address | Local IP | External IP | First Seen | Last Seen | Status |
---|---|---|---|---|---|---|---|---|
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 154.132.82-test-co.in-addr.arpa | Mojave (10.14) | 8c-85-90-3d-ed-3e | 192.168.1.76 | 94.188.164.68 | 2017-12-28T22:38:11Z | 2019-03-28T02:36:41Z | contained |
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 154.132.82-test-co.in-addr.arpa | Mojave (10.14) | f0-18-98-74-8c-31 | 172.22.14.237 | 94.188.164.68 | 2017-12-10T11:01:20Z | 2019-03-17T10:03:17Z | contained |
### 2. Get a behavior
Searches for and fetches the behavior that matches the query.

##### Base Command
`cs-falcon-get-behavior`

##### Input
Argument Name | Description | Required |
behavior_id | The ID of the behavior. | Required |
##### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Behavior.FileName | String | The file name of the behavior. |
CrowdStrike.Behavior.Scenario | String | The scenario name of the behavior. |
CrowdStrike.Behavior.MD5 | String | The MD5 hash of the IOC in the behavior. |
CrowdStrike.Behavior.SHA256 | String | The SHA256 hash of the IOC in the behavior. |
CrowdStrike.Behavior.IOCType | String | The type of the indicator of compromise. |
CrowdStrike.Behavior.IOCValue | String | The value of the IOC. |
CrowdStrike.Behavior.CommandLine | String | The command line executed in the behavior. |
CrowdStrike.Behavior.UserName | String | The user name related to the behavior. |
CrowdStrike.Behavior.SensorID | String | The sensor ID related to the behavior. |
CrowdStrike.Behavior.ParentProcessID | String | The ID of the parent process. |
CrowdStrike.Behavior.ProcessID | String | The process ID of the behavior. |
CrowdStrike.Behavior.ID | String | The ID of the behavior. |
##### Command Example
`!cs-falcon-get-behavior behavior_id=3206`

##### Human Readable Output
### Behavior ID: 3206
ID | File Name | Command Line | Scenario | IOC Type | IOC Value | User Name | SHA256 | MD5 | Process ID |
---|---|---|---|---|---|---|---|---|---|
3206 | spokeshave.jn | /Library/spokeshave.jn/spokeshave.jn.app/Contents/MacOS/spokeshave.jn | known_malware | sha256 | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | user@u-MacBook-Pro-2.local | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 197949010450449117 |
3206 | xSf | ./xSf | known_malware | sha256 | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | root@u-MacBook-Pro-2.local | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 197949016741905142 |
### 3. Search for detections
Search for details of specific detections, either using a filter query, or by providing the IDs of the detections.

##### Base Command
`cs-falcon-search-detection`

##### Input
Argument Name | Description | Required |
ids | The IDs of the detections to search. If provided, will override other arguments. | Optional |
filter | Filter detections using a query in Falcon Query Language (FQL). e.g., filter="device.hostname:'CS-SE-TG-W7-01'" For a full list of valid filter options, see: https://falcon.crowdstrike.com/support/documentation/2/query-api-reference#detectionsearch | Optional |
##### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Detection.Behavior.FileName | String | The file name of the behavior. |
CrowdStrike.Detection.Behavior.Scenario | String | The scenario name of the behavior. |
CrowdStrike.Detection.Behavior.MD5 | String | The MD5 hash of the IOC of the behavior. |
CrowdStrike.Detection.Behavior.SHA256 | String | The SHA256 hash of the IOC of the behavior. |
CrowdStrike.Detection.Behavior.IOCType | String | The type of the IOC. |
CrowdStrike.Detection.Behavior.IOCValue | String | The value of the IOC. |
CrowdStrike.Detection.Behavior.CommandLine | String | The command line executed in the behavior. |
CrowdStrike.Detection.Behavior.UserName | String | The user name related to the behavior. |
CrowdStrike.Detection.Behavior.SensorID | String | The sensor ID related to the behavior. |
CrowdStrike.Detection.Behavior.ParentProcessID | String | The ID of the parent process. |
CrowdStrike.Detection.Behavior.ProcessID | String | The process ID of the behavior. |
CrowdStrike.Detection.Behavior.ID | String | The ID of the behavior. |
CrowdStrike.Detection.System | String | The system name of the detection. |
CrowdStrike.Detection.CustomerID | String | The ID of the customer (CID). |
CrowdStrike.Detection.MachineDomain | String | The name of the domain of the detection machine. |
CrowdStrike.Detection.ID | String | The detection ID. |
CrowdStrike.Detection.ProcessStartTime | Date | The start time of the process that generated the detection. |
##### Command Example
`!cs-falcon-search-detection ids=ldt:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:1898376850347,ldt:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:1092318056279064902`

##### Human Readable Output
### Detections Found:
ID | Status | System | Process Start Time | Customer ID | Max Severity |
---|---|---|---|---|---|
ldt:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:1898376850347 | false_positive | DESKTOP-S49VMIL | 2019-03-21T20:32:55.654489974Z | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 70 |
ldt:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:1092318056279064902 | new | u-MacBook-Pro-2.local | 2019-02-04T07:05:57.083205971Z | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 30 |
### 4. Resolve a detection
Resolves and updates a detection using the provided arguments. At least one optional argument must be passed, otherwise no change will take place. Note: IDP detections are not supported.

##### Base Command
`cs-falcon-resolve-detection`

##### Input
Argument Name | Description | Required |
ids | A comma-separated list of one or more IDs to resolve. | Required |
status | The status to which to transition a detection. Possible values are: "new", "in_progress", "true_positive", "false_positive", and "ignored". | Optional |
assigned_to_uuid | A user ID, for example: 1234567891234567891. username and assigned_to_uuid are mutually exclusive. | Optional |
comment | Optional comment to add to the detection. Comments are displayed with the detection in Falcon and are usually used to provide context or notes for other Falcon users. | Optional |
show_in_ui | If true, displays the detection in the UI. | Optional |
username | Username to assign the detections to. (This is usually the user’s email address, but may vary based on your configuration). username and assigned_to_uuid are mutually exclusive. | Optional |
##### Context Output
There is no context output for this command.

### 5. Contain a host
Contains a specified host. When contained, a host can only communicate with the CrowdStrike cloud and any IPs specified in your containment policy.

##### Base Command
`cs-falcon-contain-host`

##### Input
Argument Name | Description | Required |
---|---|---|
ids | The host agent ID (AID) of the host to contain. Get an agent ID from a detection. Can also be a comma separated list of IDs. | Required |
##### Context Output
There is no context output for this command.

### 6. Lift the containment for a host
Lifts containment from a host, which returns its network communications to normal.

##### Base Command
`cs-falcon-lift-host-containment`

##### Input
Argument Name | Description | Required |
---|---|---|
ids | The host agent ID (AID) of the host from which to lift containment. Get an agent ID from a detection. | Required |
##### Context Output
There is no context output for this command.

### 7. cs-falcon-run-command
Sends commands to hosts.

##### Base Command
`cs-falcon-run-command`

##### Input
Argument Name | Description | Required |
---|---|---|
host_ids | A comma-separated list of host agent IDs for which to run commands. (Can be retrieved by running the 'cs-falcon-search-device' command.) | Required |
command_type | The type of command to run. | Required |
full_command | The full command to run. | Required |
scope | The scope for which to run the command. Possible values are: "read", "write", and "admin". Default is "read". (NOTE: In order to run the CrowdStrike RTR `put` command, it is necessary to pass scope=admin.) | Optional |
target | The target for which to run the command. Possible values are: "single" and "batch". Default is "batch". | Optional |
queue_offline | Any commands run against an offline-queued session will be queued up and executed when the host comes online. | Optional |
timeout | The amount of time (in seconds) that a request will wait for a client to establish a connection to a remote machine before a timeout occurs. | Optional |
##### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Command.HostID | String | The ID of the host for which the command was running. |
CrowdStrike.Command.SessionID | string | The ID of the session of the host. |
CrowdStrike.Command.Stdout | String | The standard output of the command. |
CrowdStrike.Command.Stderr | String | The standard error of the command. |
CrowdStrike.Command.BaseCommand | String | The base command. |
CrowdStrike.Command.FullCommand | String | The full command. |
CrowdStrike.Command.TaskID | string | (For single host) The ID of the command request which has been accepted. |
CrowdStrike.Command.Complete | boolean | (For single host) True if the command completed. |
CrowdStrike.Command.NextSequenceID | number | (For single host) The next sequence ID. |
##### Command Example
`!cs-falcon-run-command host_ids=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 command_type=ls full_command="ls C:\\"`

##### Human Readable Output
### Command ls C:\ results
BaseCommand | Command | HostID | Stderr | Stdout |
---|---|---|---|---|
ls | ls C:\ | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |  | Directory listing for C:\ - |

Stdout (continued):
```text
Name          Type         Size (bytes)   Size (MB)   Last Modified (UTC-5)   Created (UTC-5)
----          ----         ------------   ---------   ---------------------   ---------------
$Recycle.Bin  <Directory>  --             --          11/27/2018 10:54:44 AM  9/15/2017 3:33:40 AM
ITAYDI        <Directory>  --             --          11/19/2018 1:31:42 PM   11/19/2018 1:31:42 PM
```
### 8. cs-falcon-upload-script
Uploads a script to Falcon.

##### Base Command
`cs-falcon-upload-script`

##### Input
Argument Name | Description | Required |
---|---|---|
name | The script name to upload. | Required |
permission_type | The permission type for the custom script. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins. Default is "private". | Optional |
content | The content of the PowerShell script. | Required |
##### Command Example
`!cs-falcon-upload-script name=greatscript content="Write-Output 'Hello, World!'"`

##### Human Readable Output
The script was uploaded successfully.

### 9. cs-falcon-upload-file
Uploads a file to the CrowdStrike cloud. (Can be used for the RTR `put` command.)

##### Base Command
`cs-falcon-upload-file`

##### Input
Argument Name | Description | Required |
---|---|---|
entry_id | The file entry ID to upload. | Required |
##### Command Example
`!cs-falcon-upload-file entry_id=4@4`

##### Human Readable Output
The file was uploaded successfully.

### 10. cs-falcon-delete-file
Deletes a file based on the provided ID. Can delete only one file at a time.

##### Base Command
`cs-falcon-delete-file`

##### Input
Argument Name | Description | Required |
---|---|---|
file_id | The ID of the file to delete. (The ID of the file can be retrieved by running the 'cs-falcon-list-files' command.) | Required |
##### Command Example
`!cs-falcon-delete-file file_id=le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1`

##### Human Readable Output
File le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 was deleted successfully.

### 11. cs-falcon-get-file
Returns files based on the IDs given. These are used for the RTR `put` command.

##### Base Command
`cs-falcon-get-file`

##### Input
Argument Name | Description | Required |
---|---|---|
file_id | A comma-separated list of file IDs to get. (The list of file IDs can be retrieved by running the 'cs-falcon-list-files' command.) | Required |
##### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.File.ID | String | The ID of the file. |
CrowdStrike.File.CreatedBy | String | The email address of the user who created the file. |
CrowdStrike.File.CreatedTime | Date | The date and time the file was created. |
CrowdStrike.File.Description | String | The description of the file. |
CrowdStrike.File.Type | String | The type of the file. For example, script. |
CrowdStrike.File.ModifiedBy | String | The email address of the user who modified the file. |
CrowdStrike.File.ModifiedTime | Date | The date and time the file was modified. |
CrowdStrike.File.Name | String | The full name of the file. |
CrowdStrike.File.Permission | String | The permission type of the file. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins. |
CrowdStrike.File.SHA256 | String | The SHA-256 hash of the file. |
File.Type | String | The file type. |
File.Name | String | The full name of the file. |
File.SHA256 | String | The SHA-256 hash of the file. |
File.Size | Number | The size of the file in bytes. |
##### Command Example
`!cs-falcon-get-file file_id=le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1`

##### Human Readable Output
### CrowdStrike Falcon file le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
CreatedBy | CreatedTime | Description | ID | ModifiedBy | ModifiedTime | Name | Permission | SHA256 | Type |
---|---|---|---|---|---|---|---|---|---|
spongobob@demisto.com | 2019-10-17T13:41:48.487520845Z | Demisto | le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | spongobob@demisto.com | 2019-10-17T13:41:48.487521161Z | Demisto | private | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | script |
### 12. cs-falcon-list-files
Returns a list of put-file IDs that are available for the user in the `put` command.

##### Base Command
`cs-falcon-list-files`

##### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.File.ID | String | The ID of the file. |
CrowdStrike.File.CreatedBy | String | The email address of the user who created the file. |
CrowdStrike.File.CreatedTime | Date | The date and time the file was created. |
CrowdStrike.File.Description | String | The description of the file. |
CrowdStrike.File.Type | String | The type of the file. For example, script. |
CrowdStrike.File.ModifiedBy | String | The email address of the user who modified the file. |
CrowdStrike.File.ModifiedTime | Date | The date and time the file was modified. |
CrowdStrike.File.Name | String | The full name of the file. |
CrowdStrike.File.Permission | String | The permission type of the file. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins. |
CrowdStrike.File.SHA256 | String | The SHA-256 hash of the file. |
File.Type | String | The file type. |
File.Name | String | The full name of the file. |
File.SHA256 | String | The SHA-256 hash of the file. |
File.Size | Number | The size of the file in bytes. |
##### Command Example
`!cs-falcon-list-files`

##### Human Readable Output
### CrowdStrike Falcon files
CreatedBy | CreatedTime | Description | ID | ModifiedBy | ModifiedTime | Name | Permission | SHA256 | Type |
---|---|---|---|---|---|---|---|---|---|
spongobob@demisto.com | 2019-10-17T13:41:48.487520845Z | Demisto | le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | spongobob@demisto.com | 2019-10-17T13:41:48.487521161Z | Demisto | private | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | script |
### 13. cs-falcon-get-script
Returns custom scripts based on the ID. Used for the RTR `runscript` command.

##### Base Command
`cs-falcon-get-script`

##### Input
Argument Name | Description | Required |
---|---|---|
script_id | A comma-separated list of script IDs to return. (The script IDs can be retrieved by running the 'cs-falcon-list-scripts' command.) | Required |
##### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Script.ID | String | The ID of the script. |
CrowdStrike.Script.CreatedBy | String | The email address of the user who created the script. |
CrowdStrike.Script.CreatedTime | Date | The date and time the script was created. |
CrowdStrike.Script.Description | String | The description of the script. |
CrowdStrike.Script.ModifiedBy | String | The email address of the user who modified the script. |
CrowdStrike.Script.ModifiedTime | Date | The date and time the script was modified. |
CrowdStrike.Script.Name | String | The script name. |
CrowdStrike.Script.Permission | String | Permission type of the script. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins. |
CrowdStrike.Script.SHA256 | String | The SHA-256 hash of the script file. |
CrowdStrike.Script.RunAttemptCount | Number | The number of times the script attempted to run. |
CrowdStrike.Script.RunSuccessCount | Number | The number of times the script ran successfully. |
CrowdStrike.Script.Platform | String | The list of operating system platforms on which the script can run. For example, Windows. |
CrowdStrike.Script.WriteAccess | Boolean | Whether the user has write access to the script. |
##### Command Example
`!cs-falcon-get-script script_id=le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1`

##### Human Readable Output
### CrowdStrike Falcon script le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
CreatedBy | CreatedTime | Description | ID | ModifiedBy | ModifiedTime | Name | Permission | SHA256 |
---|---|---|---|---|---|---|---|---|
spongobob@demisto.com | 2019-10-17T13:41:48.487520845Z | Demisto | le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | spongobob@demisto.com | 2019-10-17T13:41:48.487521161Z | Demisto | private | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |
### 14. cs-falcon-delete-script
Deletes a script based on the ID given. Can delete only one script at a time.

##### Base Command
`cs-falcon-delete-script`

##### Input
Argument Name | Description | Required |
---|---|---|
script_id | Script ID to delete. (Script IDs can be retrieved by running the 'cs-falcon-list-scripts' command.) | Required |
##### Command Example
`!cs-falcon-delete-script script_id=le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1`

##### Human Readable Output
Script le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 was deleted successfully.

### 15. cs-falcon-list-scripts
Returns a list of custom script IDs that are available for the user in the `runscript` command.

##### Base Command
`cs-falcon-list-scripts`

##### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Script.ID | String | The ID of the script. |
CrowdStrike.Script.CreatedBy | String | The email address of the user who created the script. |
CrowdStrike.Script.CreatedTime | Date | The date and time the script was created. |
CrowdStrike.Script.Description | String | The description of the script. |
CrowdStrike.Script.ModifiedBy | String | The email address of the user who modified the script. |
CrowdStrike.Script.ModifiedTime | Date | The date and time the script was modified. |
CrowdStrike.Script.Name | String | The script name. |
CrowdStrike.Script.Permission | String | Permission type of the script. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins. |
CrowdStrike.Script.SHA256 | String | The SHA-256 hash of the script file. |
CrowdStrike.Script.RunAttemptCount | Number | The number of times the script attempted to run. |
CrowdStrike.Script.RunSuccessCount | Number | The number of times the script ran successfully. |
CrowdStrike.Script.Platform | String | The list of operating system platforms on which the script can run. For example, Windows. |
CrowdStrike.Script.WriteAccess | Boolean | Whether the user has write access to the script. |
##### Command Example
`!cs-falcon-list-scripts`

##### Human Readable Output
### CrowdStrike Falcon scripts
CreatedBy | CreatedTime | Description | ID | ModifiedBy | ModifiedTime | Name | Permission | SHA256 |
---|---|---|---|---|---|---|---|---|
spongobob@demisto.com | 2019-10-17T13:41:48.487520845Z | Demisto | le10098bf0e311e989190662caec3daa_a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | spongobob@demisto.com | 2019-10-17T13:41:48.487521161Z | Demisto | private | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |
### 16. cs-falcon-run-script
Runs a script on the agent host.

##### Base Command
`cs-falcon-run-script`

##### Input
Argument Name | Description | Required |
---|---|---|
script_name | The name of the script to run. | Optional |
host_ids | A comma-separated list of host agent IDs to run commands. (The list of host agent IDs can be retrieved by running the 'cs-falcon-search-device' command.) | Required |
raw | The PowerShell script code to run. | Optional |
timeout | The amount of time to wait before the request times out (in seconds). Maximum is 600 (10 minutes). Default value is 30. | Optional |
queue_offline | Whether the command will run against an offline-queued session and be queued for execution when the host comes online. | Optional |
##### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Command.HostID | String | The ID of the host for which the command was running. |
CrowdStrike.Command.SessionID | String | The ID of the session of the host. |
CrowdStrike.Command.Stdout | String | The standard output of the command. |
CrowdStrike.Command.Stderr | String | The standard error of the command. |
CrowdStrike.Command.BaseCommand | String | The base command. |
CrowdStrike.Command.FullCommand | String | The full command. |
##### Command Example
`!cs-falcon-run-script host_ids=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 raw="Write-Output 'Hello, World!"`

##### Human Readable Output
### Command runscript -Raw=Write-Output 'Hello, World! results
BaseCommand | Command | HostID | Stderr | Stdout |
---|---|---|---|---|
runscript | runscript -Raw=Write-Output 'Hello, World! | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |  | Hello, World! |
### 17. cs-falcon-run-get-command
Batch executes the `get` command across hosts to retrieve files. The status of the `get` command you requested can be checked with `cs-falcon-status-get-command`.

##### Base Command
`cs-falcon-run-get-command`

##### Input
Argument Name | Description | Required |
---|---|---|
host_ids | List of host agent IDs on which to run the RTR command. | Required |
file_path | Full path to the file that will be retrieved from each host in the batch. | Required |
optional_hosts | List of a subset of hosts on which to run the command. | Optional |
timeout | The number of seconds to wait for the request before it times out. In ISO time format. For example: 2019-10-17T13:41:48.487520845Z. | Optional |
timeout_duration | The amount of time to wait for the request before it times out. In duration syntax. For example: 10s. Valid units are: ns, us, ms, s, m, h. Maximum value is 10 minutes. | Optional |
##### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Command.HostID | string | The ID of the host on which the command was running. |
CrowdStrike.Command.Stdout | string | The standard output of the command. |
CrowdStrike.Command.Stderr | string | The standard error of the command. |
CrowdStrike.Command.BaseCommand | string | The base command. |
CrowdStrike.Command.TaskID | string | The ID of the command that was running on the host. |
CrowdStrike.Command.GetRequestID | string | The ID of the command request that was accepted. |
CrowdStrike.Command.Complete | boolean | True if the command completed. |
CrowdStrike.Command.FilePath | string | The file path. |
##### Command Example
`!cs-falcon-run-get-command host_ids=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 file_path="""c:\Windows\notepad.exe"""`

##### Human Readable Output
### Get command has requested for a file c:\Windows\notepad.exe
BaseCommand | Complete | FilePath | GetRequestID | HostID | Stderr | Stdout | TaskID |
---|---|---|---|---|---|---|---|
get | true | c:\Windows\notepad.exe | 107199bc-544c-4b0c-8f20-3094c062a115 | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |  | C:\Windows\notepad.exe | 9c820b97-6a60-4238-bc23-f63513970ec8 |
### 18. cs-falcon-status-get-command
Retrieves the status of the batch `get` command which you requested with `cs-falcon-run-get-command`.

##### Base Command
`cs-falcon-status-get-command`

##### Input
Argument Name | Description | Required |
---|---|---|
request_ids | The list of IDs of the command requested. | Required |
timeout | The number of seconds to wait for the request before it times out. In ISO time format. For example: 2019-10-17T13:41:48.487520845Z. | Optional |
timeout_duration | The amount of time to wait for the request before it times out. In duration syntax. For example: 10s. Valid units are: ns, us, ms, s, m, h. Maximum value is 10 minutes. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.File.ID | string | The ID of the file. |
CrowdStrike.File.TaskID | string | The ID of the command that is running. |
CrowdStrike.File.CreatedAt | date | The date the file was created. |
CrowdStrike.File.DeletedAt | date | The date the file was deleted. |
CrowdStrike.File.UpdatedAt | date | The date the file was last updated. |
CrowdStrike.File.Name | string | The full name of the file. |
CrowdStrike.File.SHA256 | string | The SHA256 hash of the file. |
CrowdStrike.File.Size | number | The size of the file in bytes. |
File.Size | number | The size of the file in bytes. |
File.SHA256 | string | The SHA256 hash of the file. |
#### Command Example

`!cs-falcon-status-get-command request_ids="84ee4d50-f499-482e-bac6-b0e296149bbf"`

#### Context Example

#### Human Readable Output

CrowdStrike Falcon files

CreatedAt | DeletedAt | ID | Name | SHA256 | Size | TaskID | UpdatedAt |
---|---|---|---|---|---|---|---|
2020-05-01T16:09:00Z | | 185596 | \Device\HarddiskVolume2\Windows\notepad.exe | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 0 | b5c8f140-280b-43fd-8501-9900f837510b | 2020-05-01T16:09:00Z |

### 19. cs-falcon-status-command

Gets the status of an executed command on a host.

#### Base Command

`cs-falcon-status-command`

#### Input

Argument Name | Description | Required |
---|---|---|
request_id | The ID of the command requested. | Required |
sequence_id | The sequence ID in chunk requests. | Optional |
scope | The scope for which to run the command. Possible values are: "read", "write", or "admin". Default is "read". | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.Command.TaskID | string | The ID of the command request that was accepted. |
CrowdStrike.Command.Stdout | string | The standard output of the command. |
CrowdStrike.Command.Stderr | string | The standard error of the command. |
CrowdStrike.Command.BaseCommand | string | The base command. |
CrowdStrike.Command.Complete | boolean | True if the command completed. |
CrowdStrike.Command.SequenceID | number | The sequence ID in the current request. |
CrowdStrike.Command.NextSequenceID | number | The sequence ID for the next request in the chunk request. |
#### Command Example

`!cs-falcon-status-command request_id="ae323961-5aa8-442e-8461-8d05c4541d7d"`

#### Context Example

#### Human Readable Output

Command status results

BaseCommand | Complete | Stdout | TaskID |
---|---|---|---|
ls | true | Directory listing for C:\ ...... | ae323961-5aa8-442e-8461-8d05c4541d7d |

### 20. cs-falcon-get-extracted-file

Gets the contents of an RTR extracted file for the specified session and SHA256.

#### Base Command

`cs-falcon-get-extracted-file`

#### Input

Argument Name | Description | Required |
---|---|---|
host_id | The host agent ID. | Required |
sha256 | The SHA256 hash of the file. | Required |
filename | The filename to use for the archive name and the file within the archive. | Optional |
#### Context Output

There is no context output for this command.

#### Command Example

`!cs-falcon-get-extracted-file host_id="a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1" sha256="a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"`

#### Context Example

There is no context output for this command.

#### Human Readable Output

There is no human readable output for this command.

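The three commands above (cs-falcon-run-get-command, cs-falcon-status-get-command, cs-falcon-get-extracted-file) form one procedure; the following Python helper, added here as an example and not the integration's own code, drives that procedure the way an XSOAR automation would and validates the timeout_duration argument as the input table documents it. The `run` callable stands in for demisto.executeCommand, `FakeFalcon` replays constructed responses shaped like the documented context output, and treating an empty CrowdStrike.File list as "still in progress" is this example's assumption.

```python
import re
import time
from typing import Any, Callable, Dict, List

# Units and cap as documented for timeout_duration ("10s"; maximum 10 minutes).
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_DURATION_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)(ns|us|ms|s|m|h)\s*$")
MAX_TIMEOUT_SECONDS = 10 * 60
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# Stand-in for demisto.executeCommand (assumption): (command name, args) -> context dict.
Executor = Callable[[str, Dict[str, str]], Dict[str, Any]]


def parse_timeout_duration(text: str) -> float:
    """Seconds for a single-unit duration string; rejects unknown units and anything
    outside (0, 10m]. Compound forms such as 1h30m are not handled."""
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"invalid duration syntax: {text!r}")
    seconds = float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
    if not 0 < seconds <= MAX_TIMEOUT_SECONDS:
        raise ValueError(f"timeout_duration must be within (0, 10m]: {text!r}")
    return seconds


def _basename(path: str) -> str:
    # "c:\Windows\notepad.exe" and the sensor's "\Device\HarddiskVolume2\Windows\notepad.exe"
    # both reduce to "notepad.exe", which is the part that can be compared.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def fetch_file_from_host(run: Executor, host_id: str, file_path: str,
                         timeout_duration: str = "2m", poll_every: float = 5.0) -> Dict[str, Any]:
    """Request file_path from host_id over RTR, wait for the get to finish, check the
    reported file, then pull the extracted archive. Returns the verified file record."""
    deadline = time.monotonic() + parse_timeout_duration(timeout_duration)
    started = run("cs-falcon-run-get-command", {"host_ids": host_id, "file_path": file_path,
                                                "timeout_duration": timeout_duration})
    cmd = started["CrowdStrike.Command"]
    if cmd.get("Stderr"):
        raise RuntimeError(f"get rejected on {host_id}: {cmd['Stderr']}")
    request_id = cmd["GetRequestID"]  # what cs-falcon-status-get-command takes as request_ids
    # Poll until the status command lists the uploaded file. Assumption: an empty
    # CrowdStrike.File list means the upload is still in progress.
    while True:
        status = run("cs-falcon-status-get-command", {"request_ids": request_id})
        files: List[Dict[str, Any]] = status.get("CrowdStrike.File") or []
        if files:
            break
        if time.monotonic() >= deadline:
            raise TimeoutError(f"get request {request_id} did not finish within {timeout_duration}")
        time.sleep(poll_every)
    record = files[0]
    sha256 = str(record.get("SHA256", "")).lower()
    # Check the record before extraction: a well-formed hash and a name matching the request.
    if not _SHA256_RE.match(sha256):
        raise ValueError(f"malformed SHA256 in status result: {record.get('SHA256')!r}")
    if _basename(record.get("Name", "")) != _basename(file_path):
        raise ValueError(f"status returned {record.get('Name')!r}, expected {file_path!r}")
    run("cs-falcon-get-extracted-file",
        {"host_id": host_id, "sha256": sha256, "filename": _basename(file_path)})
    return {"host_id": host_id, "sha256": sha256, "size": record.get("Size"),
            "name": record.get("Name"), "task_id": record.get("TaskID")}


class FakeFalcon:
    """Constructed stand-in for the integration: replays responses shaped like the
    documented context output, reporting no file on the first status poll."""
    def __init__(self) -> None:
        self.calls: List[str] = []
        self.polls = 0

    def __call__(self, command: str, args: Dict[str, str]) -> Dict[str, Any]:
        self.calls.append(command)
        if command == "cs-falcon-run-get-command":
            return {"CrowdStrike.Command": {
                "HostID": args["host_ids"], "BaseCommand": "get", "Complete": True,
                "FilePath": args["file_path"], "Stderr": "", "Stdout": "C:\\Windows\\notepad.exe",
                "GetRequestID": "107199bc-544c-4b0c-8f20-3094c062a115",
                "TaskID": "9c820b97-6a60-4238-bc23-f63513970ec8"}}
        if command == "cs-falcon-status-get-command":
            self.polls += 1
            if self.polls == 1:
                return {"CrowdStrike.File": []}  # still uploading
            return {"CrowdStrike.File": [{
                "ID": "185596", "Name": "\\Device\\HarddiskVolume2\\Windows\\notepad.exe",
                "SHA256": "a1" * 32, "Size": 0, "TaskID": "b5c8f140-280b-43fd-8501-9900f837510b"}]}
        if command == "cs-falcon-get-extracted-file":
            return {"extracted_sha256": args["sha256"]}
        raise KeyError(command)


def demo() -> Dict[str, Any]:
    # Runs the sequence against the constructed responses; poll_every=0 avoids sleeping.
    falcon = FakeFalcon()
    result = fetch_file_from_host(falcon, "a1" * 16, "c:\\Windows\\notepad.exe",
                                  timeout_duration="30s", poll_every=0.0)
    result["calls"] = falcon.calls
    return result
```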
### 21. cs-falcon-list-host-files

Gets a list of files for the specified RTR session on a host.

#### Base Command

`cs-falcon-list-host-files`

#### Input

Argument Name | Description | Required |
---|---|---|
host_id | The ID of the host agent that lists files in the session. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.Command.HostID | string | The ID of the host for which the command was running. |
CrowdStrike.Command.TaskID | string | The ID of the command request that was accepted. |
CrowdStrike.Command.SessionID | string | The ID of the session of the host. |
CrowdStrike.File.ID | string | The ID of the file. |
CrowdStrike.File.CreatedAt | date | The date the file was created. |
CrowdStrike.File.DeletedAt | date | The date the file was deleted. |
CrowdStrike.File.UpdatedAt | date | The date the file was last updated. |
CrowdStrike.File.Name | string | The full name of the file. |
CrowdStrike.File.SHA256 | string | The SHA256 hash of the file. |
CrowdStrike.File.Size | number | The size of the file in bytes. |
File.Name | string | The full name of the file. |
File.Size | number | The size of the file in bytes. |
File.SHA256 | string | The SHA256 hash of the file. |
#### Command Example

`!cs-falcon-list-host-files host_id="a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"`

#### Context Example

#### Human Readable Output

CrowdStrike Falcon files

CreatedAt | DeletedAt | ID | Name | SHA256 | Size | Stderr | Stdout | UpdatedAt |
---|---|---|---|---|---|---|---|---|
2020-05-01T17:57:42Z | | 186811 | \Device\HarddiskVolume2\Windows\notepad.exe | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 0 | | | 2020-05-01T17:57:42Z |

### 22. cs-falcon-refresh-session

Refreshes a session timeout on a single host.

#### Base Command

`cs-falcon-refresh-session`

#### Input

Argument Name | Description | Required |
---|---|---|
host_id | The ID of the host for which to extend the session. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.Command.HostID | string | The ID of the host for which the command was running. |
CrowdStrike.Command.TaskID | string | The ID of the command request which has been accepted. |
CrowdStrike.Command.SessionID | string | The ID of the session of the host. |
CrowdStrike.File.ID | string | The ID of the file. |
CrowdStrike.File.CreatedAt | date | The creation date of the file. |
CrowdStrike.File.DeletedAt | date | The deletion date of the file. |
CrowdStrike.File.UpdatedAt | date | The last updated date of the file. |
CrowdStrike.File.Name | string | The full file name. |
CrowdStrike.File.SHA256 | string | The SHA-256 hash of the file. |
CrowdStrike.File.Size | number | The size of the file in bytes. |
File.Name | string | The full file name. |
File.Size | number | The size of the file in bytes. |
File.SHA256 | string | The SHA-256 hash of the file. |
#### Command Example

`!cs-falcon-refresh-session host_id=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1`

#### Context Example

There is no context output for this command.

#### Human Readable Output

CrowdStrike Session Refreshed: fdd6408f-6688-441b-8659-41bcad25441c

### 23. cs-falcon-search-iocs

Deprecated. Use the cs-falcon-search-custom-iocs command instead.

#### Base Command

`cs-falcon-search-iocs`

#### Input

Argument Name | Description | Required |
---|---|---|
types | A comma-separated list of indicator types. Valid types are: "sha256", "sha1", "md5", "domain", "ipv4", "ipv6". | Optional |
values | A comma-separated list of indicator values. | Optional |
policies | A comma-separated list of indicator policies. | Optional |
share_levels | The level at which the indicator will be shared. Only "red" share level (not shared) is supported, which indicates that the IOC is not shared with other Falcon Host customers. | Optional |
sources | A comma-separated list of IOC sources. | Optional |
from_expiration_date | Start of date range in which to search (YYYY-MM-DD format). | Optional |
to_expiration_date | End of date range in which to search (YYYY-MM-DD format). | Optional |
limit | The maximum number of records to return. The minimum is 1 and the maximum is 500. Default is 100. | Optional |
sort | The order in which the results are returned. Possible values are: "type.asc", "type.desc", "value.asc", "value.desc", "policy.asc", "policy.desc", "share_level.asc", "share_level.desc", "expiration_timestamp.asc", and "expiration_timestamp.desc". | Optional |
offset | The offset to begin the list from. For example, start from the 10th record and return the list. Default is 0. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Policy | string | The policy of the indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.ShareLevel | string | The level at which the indicator will be shared. |
CrowdStrike.IOC.Expiration | string | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | string | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | string | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#### Command Example

`!cs-falcon-search-iocs types="domain"`

#### Context Example

#### Human Readable Output

Indicators of Compromise

CreatedTime | Expiration | ID | ModifiedTime | Policy | ShareLevel | Type | Value |
---|---|---|---|---|---|---|---|
2020-09-30T10:59:37Z | 2020-10-30T00:00:00Z | domain:value | 2020-09-30T10:59:37Z | none | red | domain | value |

### 24. cs-falcon-get-ioc

Deprecated. Use the cs-falcon-get-custom-ioc command instead.

#### Base Command

`cs-falcon-get-ioc`

#### Input

Argument Name | Description | Required |
---|---|---|
type | The IOC type to retrieve. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Policy | string | The policy of the indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.ShareLevel | string | The level at which the indicator will be shared. |
CrowdStrike.IOC.Expiration | string | The date and time when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | string | The date and time the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | string | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#### Command Example

`!cs-falcon-get-ioc type="domain" value="test.domain.com"`

#### Context Example

#### Human Readable Output

Indicator of Compromise

CreatedTime | Description | Expiration | ID | ModifiedTime | Policy | ShareLevel | Source | Type | Value |
---|---|---|---|---|---|---|---|---|---|
2020-10-02T13:55:26Z | Test ioc | 2020-11-01T00:00:00Z | domain:test.domain.com | 2020-10-02T13:55:26Z | none | red | Demisto playbook | domain | test.domain.com |

### 25. cs-falcon-upload-ioc

Deprecated. Use the cs-falcon-upload-custom-ioc command instead.

#### Base Command

`cs-falcon-upload-ioc`

#### Input

Argument Name | Description | Required |
---|---|---|
ioc_type | The type of the indicator. Possible values are: "sha256", "md5", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator. | Required |
policy | The policy to enact when the value is detected on a host. Possible values are: "detect" and "none". A value of "none" is equivalent to turning the indicator off. Default is "detect". | Optional |
share_level | The level at which the indicator will be shared. Only "red" share level (not shared) is supported, which indicates that the IOC is not shared with other Falcon Host customers. | Optional |
expiration_days | The number of days for which the indicator should be valid. This only applies to domain, ipv4, and ipv6 types. Default is 30. | Optional |
source | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limited to 200 characters. | Optional |
description | A meaningful description of the indicator. Limited to 200 characters. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Policy | string | The policy of the indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.ShareLevel | string | The level at which the indicator will be shared. |
CrowdStrike.IOC.Expiration | string | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | string | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | string | The date and time the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#### Command Example

`!cs-falcon-upload-ioc ioc_type="domain" value="test.domain.com" policy="none" share_level="red" source="Demisto playbook" description="Test ioc"`

#### Context Example

#### Human Readable Output

Custom IOC was created successfully

CreatedTime | Description | Expiration | ID | ModifiedTime | Policy | ShareLevel | Source | Type | Value |
---|---|---|---|---|---|---|---|---|---|
2020-10-02T13:55:26Z | Test ioc | 2020-11-01T00:00:00Z | domain:test.domain.com | 2020-10-02T13:55:26Z | none | red | Demisto playbook | domain | test.domain.com |

### 26. cs-falcon-update-ioc

Deprecated. Use the cs-falcon-update-custom-ioc command instead.

#### Base Command

`cs-falcon-update-ioc`

#### Input

Argument Name | Description | Required |
---|---|---|
ioc_type | The type of the indicator. Possible values are: "sha256", "md5", "sha1", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator. | Required |
policy | The policy to enact when the value is detected on a host. Possible values are: "detect" and "none". A value of "none" is equivalent to turning the indicator off. Default is "detect". | Optional |
share_level | The level at which the indicator will be shared. Only "red" share level (not shared) is supported, which indicates that the IOC is not shared with other Falcon Host customers. | Optional |
expiration_days | The number of days for which the indicator should be valid. This only applies to domain, ipv4, and ipv6 types. Default is 30. | Optional |
source | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limited to 200 characters. | Optional |
description | A meaningful description of the indicator. Limited to 200 characters. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Policy | string | The policy of the indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.ShareLevel | string | The level at which the indicator will be shared. |
CrowdStrike.IOC.Expiration | string | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | string | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | string | The date and time the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#### Command Example

`!cs-falcon-update-ioc ioc_type="domain" value="test.domain.com" policy="detect" description="Benign domain IOC"`

#### Context Example

#### Human Readable Output

Custom IOC was created successfully

CreatedTime | Description | Expiration | ID | ModifiedTime | Policy | ShareLevel | Source | Type | Value |
---|---|---|---|---|---|---|---|---|---|
2020-10-02T13:55:26Z | Benign domain IOC | 2020-11-01T00:00:00Z | domain:test.domain.com | 2020-10-02T13:55:33Z | detect | red | Demisto playbook | domain | test.domain.com |

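The input tables of cs-falcon-upload-ioc (25) and cs-falcon-update-ioc (26) state several constraints that are easy to get wrong from a playbook: which ioc_type values each command accepts (upload has no sha1), policy limited to "detect" and "none", only the "red" share level, expiration_days applying only to domain/ipv4/ipv6, and the 200-character limit on source and description. The Python below, added here as an example and not the integration's own code, enforces those rules before the command is issued; the hash-length, IP and domain syntax checks are this example's own additions, not rules the page states.

```python
import ipaddress
import re
from typing import Dict, Optional

UPLOAD_TYPES = {"sha256", "md5", "domain", "ipv4", "ipv6"}  # ioc_type values cs-falcon-upload-ioc accepts
UPDATE_TYPES = UPLOAD_TYPES | {"sha1"}                        # cs-falcon-update-ioc also takes sha1
EXPIRING_TYPES = {"domain", "ipv4", "ipv6"}                   # expiration_days applies only to these
POLICIES = {"detect", "none"}
MAX_TEXT = 200                                                # limit on source and description
_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}              # syntax rule added by this example
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def _value_matches_type(ioc_type: str, value: str) -> bool:
    """Syntax check (this example's own rule, not the page's) so that a mistyped
    hash or address does not become a live indicator."""
    if ioc_type in _HEX_LEN:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % _HEX_LEN[ioc_type], value) is not None
    if ioc_type in ("ipv4", "ipv6"):
        try:
            return ipaddress.ip_address(value).version == (4 if ioc_type == "ipv4" else 6)
        except ValueError:
            return False
    return ioc_type == "domain" and _DOMAIN_RE.match(value.lower()) is not None


def build_ioc_args(command: str, ioc_type: str, value: str, policy: str = "detect",
                   share_level: str = "red", expiration_days: Optional[int] = None,
                   source: str = "", description: str = "") -> Dict[str, str]:
    """Return the argument dict for command, or raise ValueError naming the violated rule."""
    allowed = {"cs-falcon-upload-ioc": UPLOAD_TYPES, "cs-falcon-update-ioc": UPDATE_TYPES}.get(command)
    if allowed is None:
        raise ValueError(f"unsupported command {command!r}")
    ioc_type, value = ioc_type.lower(), value.strip()
    if ioc_type not in allowed:
        raise ValueError(f"{command} does not accept ioc_type {ioc_type!r}")
    if not _value_matches_type(ioc_type, value):
        raise ValueError(f"value {value!r} is not a well-formed {ioc_type}")
    if policy not in POLICIES:
        raise ValueError(f"policy must be one of {sorted(POLICIES)}, got {policy!r}")
    if share_level != "red":
        raise ValueError('only the "red" share level is supported')
    for name, text in (("source", source), ("description", description)):
        if len(text) > MAX_TEXT:
            raise ValueError(f"{name} exceeds {MAX_TEXT} characters")
    args = {"ioc_type": ioc_type, "value": value, "policy": policy, "share_level": share_level}
    if expiration_days is not None:
        if ioc_type not in EXPIRING_TYPES:
            raise ValueError(f"expiration_days only applies to {sorted(EXPIRING_TYPES)}")
        if expiration_days < 1:
            raise ValueError("expiration_days must be a positive number of days")
        args["expiration_days"] = str(expiration_days)
    if source:
        args["source"] = source
    if description:
        args["description"] = description
    return args


def ioc_id(ioc_type: str, value: str) -> str:
    """The indicator ID in the form the CrowdStrike.IOC.ID output uses (type:value)."""
    return f"{ioc_type.lower()}:{value.strip()}"


def validation_error(command: str, ioc_type: str, value: str, **kwargs) -> Optional[str]:
    """The violated rule as a message, or None when the arguments are acceptable."""
    try:
        build_ioc_args(command, ioc_type, value, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None
```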
### 27. cs-falcon-delete-ioc

Deprecated. Use the cs-falcon-delete-custom-ioc command instead.

#### Base Command

`cs-falcon-delete-ioc`

#### Input

Argument Name | Description | Required |
---|---|---|
type | The IOC type to delete. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator to delete. | Required |
#### Context Output

There is no context output for this command.

#### Command Example

`!cs-falcon-delete-ioc type="domain" value="test.domain.com"`

#### Human Readable Output

Custom IOC domain:test.domain.com was successfully deleted.

### 28. cs-falcon-device-count-ioc

Returns the number of hosts that observed the given IOC.

#### Base Command

`cs-falcon-device-count-ioc`

#### Input

Argument Name | Description | Required |
---|---|---|
type | The IOC type. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.DeviceCount | number | The number of devices the IOC ran on. |
#### Command Example

`!cs-falcon-device-count-ioc type="domain" value="value"`

#### Context Example

#### Human Readable Output

Indicator of Compromise domain:value device count: 1

### 29. cs-falcon-processes-ran-on

Gets the processes associated with a given IOC.

#### Base Command

`cs-falcon-processes-ran-on`

#### Input

Argument Name | Description | Required |
---|---|---|
type | The IOC type. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator. | Required |
device_id | The device ID to check against. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Process.ID | number | The IDs of the processes associated with the given IOC. |
CrowdStrike.IOC.Process.DeviceID | number | The device the process ran on. |
#### Command Example

`!cs-falcon-processes-ran-on device_id=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 type=domain value=value`

#### Context Example

#### Human Readable Output

Processes with custom IOC domain:value on device device_id.

Process ID |
---|
pid:pid:650164094720 |

### 30. cs-falcon-process-details

Retrieves the details of a process, according to process ID, that is running or that previously ran.

#### Base Command

`cs-falcon-process-details`

#### Input

Argument Name | Description | Required |
---|---|---|
ids | A comma-separated list of process IDs. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.Process.process_id | String | The process ID. |
CrowdStrike.Process.process_id_local | String | Local ID of the process. |
CrowdStrike.Process.device_id | String | The device the process ran on. |
CrowdStrike.Process.file_name | String | The path of the file that ran the process. |
CrowdStrike.Process.command_line | String | The command line command execution. |
CrowdStrike.Process.start_timestamp_raw | String | The start datetime of the process in Unix epoch time format. For example: 132460167512852140. |
CrowdStrike.Process.start_timestamp | String | The start datetime of the process in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.Process.stop_timestamp_raw | Date | The stop datetime of the process in Unix epoch time format. For example: 132460167512852140. |
CrowdStrike.Process.stop_timestamp | Date | The stop datetime of the process in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
#### Command Example

`!cs-falcon-process-details ids="pid:pid:pid"`

#### Context Example

#### Human Readable Output

Details for process: pid:pid:pid.

command_line | device_id | file_name | process_id | process_id_local | start_timestamp | start_timestamp_raw | stop_timestamp | stop_timestamp_raw |
---|---|---|---|---|---|---|---|---|
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" | deviceId | \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe | device_id:pid | pid | 2020-10-01T09:05:51Z | 132460167512852140 | 2020-10-02T06:43:45Z | 132460946259334768 |

### 31. cs-falcon-device-ran-on

Returns a list of device IDs on which an indicator ran.

#### Base Command

`cs-falcon-device-ran-on`

#### Input

Argument Name | Description | Required |
---|---|---|
type | The type of indicator. Possible values are: "domain", "ipv4", "ipv6", "md5", "sha1", or "sha256". | Required |
value | The string representation of the indicator. | Required |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.DeviceID | string | Device IDs on which an indicator ran. |
#### Command Example

`!cs-falcon-device-ran-on type=domain value=value`

#### Context Example

#### Human Readable Output

Devices that encountered the IOC domain:value

Device ID |
---|
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |

### 32. cs-falcon-list-detection-summaries

Lists detection summaries.

#### Base Command

`cs-falcon-list-detection-summaries`

#### Input

Argument Name | Description | Required |
---|---|---|
fetch_query | The query used to filter the results. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.Detections.cid | String | The organization's customer ID (CID). |
CrowdStrike.Detections.created_timestamp | Date | The datetime when the detection occurred in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.Detections.detection_id | String | The ID of the detection. |
CrowdStrike.Detections.device.device_id | String | The device ID as seen by CrowdStrike. |
CrowdStrike.Detections.device.cid | String | The CrowdStrike Customer ID (CID) to which the device belongs. |
CrowdStrike.Detections.device.agent_load_flags | String | The CrowdStrike agent load flags. |
CrowdStrike.Detections.device.agent_local_time | Date | The local time of the sensor. |
CrowdStrike.Detections.device.agent_version | String | The version of the agent that the device is running. For example: 5.32.11406.0. |
CrowdStrike.Detections.device.bios_manufacturer | String | The BIOS manufacturer. |
CrowdStrike.Detections.device.bios_version | String | The device's BIOS version. |
CrowdStrike.Detections.device.config_id_base | String | The base of the sensor that the device is running. |
CrowdStrike.Detections.device.config_id_build | String | The version of the sensor that the device is running. For example: 11406. |
CrowdStrike.Detections.device.config_id_platform | String | The platform ID of the sensor that the device is running. |
CrowdStrike.Detections.device.external_ip | String | The external IP address of the device. |
CrowdStrike.Detections.device.hostname | String | The host name of the device. |
CrowdStrike.Detections.device.first_seen | Date | The datetime when the host was first seen by CrowdStrike. |
CrowdStrike.Detections.device.last_seen | Date | The datetime when the host was last seen by CrowdStrike. |
CrowdStrike.Detections.device.local_ip | String | The local IP address of the device. |
CrowdStrike.Detections.device.mac_address | String | The MAC address of the device. |
CrowdStrike.Detections.device.major_version | String | The major version of the operating system. |
CrowdStrike.Detections.device.minor_version | String | The minor version of the operating system. |
CrowdStrike.Detections.device.os_version | String | The operating system of the device. |
CrowdStrike.Detections.device.platform_id | String | The platform ID of the device that runs the sensor. |
CrowdStrike.Detections.device.platform_name | String | The platform name of the device. |
CrowdStrike.Detections.device.product_type_desc | String | The value indicating the product type. For example, 1 = Workstation, 2 = Domain Controller, 3 = Server. |
CrowdStrike.Detections.device.status | String | The containment status of the machine. Possible values are: "normal", "containment_pending", "contained", and "lift_containment_pending". |
CrowdStrike.Detections.device.system_manufacturer | String | The system manufacturer of the device. |
CrowdStrike.Detections.device.system_product_name | String | The product name of the system. |
CrowdStrike.Detections.device.modified_timestamp | Date | The datetime the device was last modified in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.Detections.behaviors.device_id | String | The ID of the device associated with the behavior. |
CrowdStrike.Detections.behaviors.timestamp | Date | The datetime the behavior detection occurred in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.Detections.behaviors.behavior_id | String | The ID of the behavior. |
CrowdStrike.Detections.behaviors.filename | String | The file name of the triggering process. |
CrowdStrike.Detections.behaviors.alleged_filetype | String | The file extension of the behavior's filename. |
CrowdStrike.Detections.behaviors.cmdline | String | The command line of the triggering process. |
CrowdStrike.Detections.behaviors.scenario | String | The name of the scenario to which the behavior belongs. |
CrowdStrike.Detections.behaviors.objective | String | The name of the objective associated with the behavior. |
CrowdStrike.Detections.behaviors.tactic | String | The name of the tactic associated with the behavior. |
CrowdStrike.Detections.behaviors.technique | String | The name of the technique associated with the behavior. |
CrowdStrike.Detections.behaviors.severity | Number | The severity rating for the behavior. The value can be any integer between 1-100. |
CrowdStrike.Detections.behaviors.confidence | Number | The true positive confidence rating for the behavior. The value can be any integer between 1-100. |
CrowdStrike.Detections.behaviors.ioc_type | String | The type of the triggering IOC. Possible values are: "hash_sha256", "hash_md5", "domain", "filename", "registry_key", "command_line", and "behavior". |
CrowdStrike.Detections.behaviors.ioc_value | String | The IOC value. |
CrowdStrike.Detections.behaviors.ioc_source | String | The source that triggered an IOC detection. Possible values are: "library_load", "primary_module", "file_read", and "file_write". |
CrowdStrike.Detections.behaviors.ioc_description | String | The IOC description. |
CrowdStrike.Detections.behaviors.user_name | String | The user name. |
CrowdStrike.Detections.behaviors.user_id | String | The Security Identifier (SID) of the user in Windows. |
CrowdStrike.Detections.behaviors.control_graph_id | String | The behavior hit key for the Threat Graph API. |
CrowdStrike.Detections.behaviors.triggering_process_graph_id | String | The ID of the process that triggered the behavior detection. |
CrowdStrike.Detections.behaviors.sha256 | String | The SHA256 of the triggering process. |
CrowdStrike.Detections.behaviors.md5 | String | The MD5 of the triggering process. |
CrowdStrike.Detections.behaviors.parent_details.parent_sha256 | String | The SHA256 hash of the parent process. |
CrowdStrike.Detections.behaviors.parent_details.parent_md5 | String | The MD5 hash of the parent process. |
CrowdStrike.Detections.behaviors.parent_details.parent_cmdline | String | The command line of the parent process. |
CrowdStrike.Detections.behaviors.parent_details.parent_process_graph_id | String | The process graph ID of the parent process. |
CrowdStrike.Detections.behaviors.pattern_disposition | Number | The pattern associated with the action performed on the behavior. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.indicator | Boolean | Whether the detection behavior is similar to an indicator. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.detect | Boolean | Whether this behavior is detected. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.inddet_mask | Boolean | Whether this behavior is an inddet mask. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.sensor_only | Boolean | Whether this detection is sensor only. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.rooting | Boolean | Whether this behavior is rooting. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.kill_process | Boolean | Whether this detection kills the process. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.kill_subprocess | Boolean | Whether this detection kills the subprocess. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.quarantine_machine | Boolean | Whether this detection was on a quarantined machine. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.quarantine_file | Boolean | Whether this detection was on a quarantined file. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.policy_disabled | Boolean | Whether this policy is disabled. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.kill_parent | Boolean | Whether this detection kills the parent process. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.operation_blocked | Boolean | Whether the operation is blocked. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.process_blocked | Boolean | Whether the process is blocked. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.registry_operation_blocked | Boolean | Whether the registry operation is blocked. |
CrowdStrike.Detections.email_sent | Boolean | Whether an email is sent about this detection. |
CrowdStrike.Detections.first_behavior | Date | The datetime of the first behavior. |
CrowdStrike.Detections.last_behavior | Date | The datetime of the last behavior. |
CrowdStrike.Detections.max_confidence | Number | The highest confidence value of all behaviors. The value can be any integer between 1-100. |
CrowdStrike.Detections.max_severity | Number | The highest severity value of all behaviors. Value can be any integer between 1-100. |
CrowdStrike.Detections.max_severity_displayname | String | The name used in the UI to determine the severity of the detection. Possible values are: "Critical", "High", "Medium", and "Low". |
CrowdStrike.Detections.show_in_ui | Boolean | Whether the detection displays in the UI. |
CrowdStrike.Detections.status | String | The status of detection. |
CrowdStrike.Detections.assigned_to_uid | String | The UID of the user to whom the detection is assigned. |
CrowdStrike.Detections.assigned_to_name | String | The human-readable name of the user to whom the detection is currently assigned. |
CrowdStrike.Detections.hostinfo.domain | String | The domain of the Active Directory. |
CrowdStrike.Detections.seconds_to_triaged | Number | The amount of time it took to move a detection from "new" to "in_progress". |
CrowdStrike.Detections.seconds_to_resolved | Number | The amount of time it took to move a detection from new to a resolved state ("true_positive", "false_positive", and "ignored"). |
#### Command Example

`!cs-falcon-list-detection-summaries`

#### Context Example

#### Human Readable Output

CrowdStrike Detections

detection_id | created_time | status | max_severity |
---|---|---|---|
ldt:ldt:ldt | 2020-07-06T08:10:55.538668036Z | new | Low |

### 33. cs-falcon-list-incident-summaries

Lists incident summaries.

#### Base Command

`cs-falcon-list-incident-summaries`

#### Input

Argument Name | Description | Required |
---|---|---|
fetch_query | The query used to filter the results. | Optional |
#### Context Output

Path | Type | Description |
---|---|---|
CrowdStrike.Incidents.incident_id | String | The ID of the incident. |
CrowdStrike.Incidents.cid | String | The organization's customer ID (CID). |
CrowdStrike.Incidents.host_ids | String | The device IDs of all the hosts on which the incident occurred. |
CrowdStrike.Incidents.hosts.device_id | String | The device ID as seen by CrowdStrike. |
CrowdStrike.Incidents.hosts.cid | String | The host's organization's customer ID (CID). |
CrowdStrike.Incidents.hosts.agent_load_flags | String | The CrowdStrike agent load flags. |
CrowdStrike.Incidents.hosts.agent_local_time | Date | The local time of the sensor. |
CrowdStrike.Incidents.hosts.agent_version | String | The version of the agent that the device is running. For example: 5.32.11406.0. |
CrowdStrike.Incidents.hosts.bios_manufacturer | String | The BIOS manufacturer. |
CrowdStrike.Incidents.hosts.bios_version | String | The BIOS version of the device. |
CrowdStrike.Incidents.hosts.config_id_base | String | The base of the sensor that the device is running. |
CrowdStrike.Incidents.hosts.config_id_build | String | The version of the sensor that the device is running. For example: 11406. |
CrowdStrike.Incidents.hosts.config_id_platform | String | The platform ID of the sensor that the device is running. |
CrowdStrike.Incidents.hosts.external_ip | String | The external IP address of the host. |
CrowdStrike.Incidents.hosts.hostname | String | The name of the host. |
CrowdStrike.Incidents.hosts.first_seen | Date | The date and time when the host was first seen by CrowdStrike. |
CrowdStrike.Incidents.hosts.last_seen | Date | The date and time when the host was last seen by CrowdStrike. |
CrowdStrike.Incidents.hosts.local_ip | String | The device's local IP address. |
CrowdStrike.Incidents.hosts.mac_address | String | The device's MAC address. |
CrowdStrike.Incidents.hosts.major_version | String | The major version of the operating system. |
CrowdStrike.Incidents.hosts.minor_version | String | The minor version of the operating system. |
CrowdStrike.Incidents.hosts.os_version | String | The operating system of the host. |
CrowdStrike.Incidents.hosts.platform_id | String | The platform ID of the device that runs the sensor. |
CrowdStrike.Incidents.hosts.platform_name | String | The platform name of the host. |
CrowdStrike.Incidents.hosts.product_type_desc | String | The value indicating the product type. For example, 1 = Workstation, 2 = Domain Controller, 3 = Server. |
CrowdStrike.Incidents.hosts.status | String | The incident status as a number. For example, 20 = New, 25 = Reopened, 30 = In Progress, 40 = Closed. |
CrowdStrike.Incidents.hosts.system_manufacturer | String | The system manufacturer of the device. |
CrowdStrike.Incidents.hosts.system_product_name | String | The product name of the system. |
CrowdStrike.Incidents.hosts.modified_timestamp | Date | The datetime when a user modified the incident in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.Incidents.created | Date | The time that the incident was created. |
CrowdStrike.Incidents.start | Date | The recorded time of the earliest incident. |
CrowdStrike.Incidents.end | Date | The recorded time of the latest incident. |
CrowdStrike.Incidents.state | String | The state of the incident. |
CrowdStrike.Incidents.status | Number | The status of the incident. |
CrowdStrike.Incidents.name | String | The name of the incident. |
CrowdStrike.Incidents.description | String | The description of the incident. |
CrowdStrike.Incidents.tags | String | The tags of the incident. |
CrowdStrike.Incidents.fine_score | Number | The incident score. |

#### Command Example
```!cs-falcon-list-incident-summaries```

### 34. Endpoint
Returns information about an endpoint. Does not support regex.

#### Base Command
`endpoint`

#### Input
Argument Name | Description | Required |
---|---|---|
id | Endpoint ID. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Endpoint.Hostname | String | The endpoint's hostname. |
Endpoint.OS | String | The endpoint's operating system. |
Endpoint.OSVersion | String | The endpoint's operating system version. |
Endpoint.IPAddress | String | The endpoint's IP address. |
Endpoint.ID | String | The endpoint's ID. |
Endpoint.Status | String | The endpoint's status. |
Endpoint.IsIsolated | String | The endpoint's isolation status. |
Endpoint.MACAddress | String | The endpoint's MAC address. |
Endpoint.Vendor | String | The integration name of the endpoint vendor. |

#### Command Example
```!endpoint id=15dbb9d5fe9f61eb46e829d986```

#### Human Readable Output
##### Endpoints
ID | IPAddress | OS | OSVersion | Hostname | Status | MACAddress | Vendor |
---|---|---|---|---|---|---|---|
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 1.1.1.1 | Windows | Windows Server 2019 | Hostname | Online | 1-1-1-1 | CrowdStrike Falcon |

### 35. cs-falcon-create-host-group
Creates a host group.

#### Base Command
`cs-falcon-create-host-group`

#### Input
Argument Name | Description | Required |
---|---|---|
name | The name of the host group. | Required |
group_type | The group type of the host group. Possible values are: static, dynamic. | Optional |
description | The description of the host group. | Optional |
assignment_rule | The assignment rule. | Optional |
assignment_rule | The assignment rule. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.HostGroup.id | String | The ID of the host group. |
CrowdStrike.HostGroup.group_type | String | The group type of the host group. |
CrowdStrike.HostGroup.name | String | The name of the host group. |
CrowdStrike.HostGroup.description | String | The description of the host group. |
CrowdStrike.HostGroup.created_by | String | The client that created the host group. |
CrowdStrike.HostGroup.created_timestamp | Date | The datetime when the host group was created in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.HostGroup.modified_by | String | The client that modified the host group. |
CrowdStrike.HostGroup.modified_timestamp | Date | The datetime when the host group was last modified in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |

#### Command Example
```!cs-falcon-create-host-group name="test_name_1" description="test_description" group_type=static```

#### Human Readable Output
##### Results
created_by | created_timestamp | description | group_type | id | modified_by | modified_timestamp | name |
---|---|---|---|---|---|---|---|
api-client-id:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2021-08-25T08:02:02.060242909Z | test_description | static | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | api-client-id:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2021-08-25T08:02:02.060242909Z | test_name_1 |

### 36. cs-falcon-update-host-group
Updates a host group.

#### Base Command
`cs-falcon-update-host-group`

#### Input
Argument Name | Description | Required |
---|---|---|
host_group_id | The ID of the host group. | Required |
name | The name of the host group. | Optional |
description | The description of the host group. | Optional |
assignment_rule | The assignment rule. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.HostGroup.id | String | The ID of the host group. |
CrowdStrike.HostGroup.group_type | String | The group type of the host group. |
CrowdStrike.HostGroup.name | String | The name of the host group. |
CrowdStrike.HostGroup.description | String | The description of the host group. |
CrowdStrike.HostGroup.created_by | String | The client that created the host group. |
CrowdStrike.HostGroup.created_timestamp | Date | The datetime when the host group was created in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.HostGroup.modified_by | String | The client that modified the host group. |
CrowdStrike.HostGroup.modified_timestamp | Date | The datetime when the host group was last modified in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |

#### Command Example
```!cs-falcon-update-host-group host_group_id=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 name="test_name_update_1" description="test_description_update"```

#### Human Readable Output
##### Results
assignment_rule | created_by | created_timestamp | description | group_type | id | modified_by | modified_timestamp | name |
---|---|---|---|---|---|---|---|---|
device_id:[''],hostname:[''] | api-client-id:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2021-08-22T07:48:35.111070562Z | test_description_update | static | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | api-client-id:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2021-08-25T08:02:05.295663156Z | test_name_update_1 |

### 37. cs-falcon-list-host-group-members
Gets the list of host group members.

#### Base Command
`cs-falcon-list-host-group-members`

#### Input
Argument Name | Description | Required |
---|---|---|
host_group_id | The ID of the host group. | Optional |
filter | The query by which to filter the devices that belong to the host group. | Optional |
offset | Page offset. | Optional |
limit | Maximum number of results on a page. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Device.ID | String | The ID of the device. |
CrowdStrike.Device.LocalIP | String | The local IP address of the device. |
CrowdStrike.Device.ExternalIP | String | The external IP address of the device. |
CrowdStrike.Device.Hostname | String | The host name of the device. |
CrowdStrike.Device.OS | String | The operating system of the device. |
CrowdStrike.Device.MacAddress | String | The MAC address of the device. |
CrowdStrike.Device.FirstSeen | String | The first time the device was seen. |
CrowdStrike.Device.LastSeen | String | The last time the device was seen. |
CrowdStrike.Device.Status | String | The device status. |

#### Command Example
```!cs-falcon-list-host-group-members```

#### Human Readable Output
##### Devices
ID | External IP | Local IP | Hostname | OS | Mac Address | First Seen | Last Seen | Status |
---|---|---|---|---|---|---|---|---|
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 35.224.136.145 | 10.128.0.19 | falcon-crowdstrike-sensor-centos7 | CentOS 7.9 | 42-01-0a-80-00-13 | 2021-08-08T11:33:21Z | 2021-08-25T07:50:47Z | normal |

### 38. cs-falcon-add-host-group-members
Adds host group members.

#### Base Command
`cs-falcon-add-host-group-members`

#### Input
Argument Name | Description | Required |
---|---|---|
host_group_id | The ID of the host group. | Required |
host_ids | A comma-separated list of host agent IDs to add to the host group. (The list of host agent IDs can be retrieved by running the 'cs-falcon-search-device' command.) | Required |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.HostGroup.id | String | The ID of the host group. |
CrowdStrike.HostGroup.group_type | String | The group type of the host group. |
CrowdStrike.HostGroup.name | String | The name of the host group. |
CrowdStrike.HostGroup.description | String | The description of the host group. |
CrowdStrike.HostGroup.created_by | String | The client that created the host group. |
CrowdStrike.HostGroup.created_timestamp | Date | The datetime when the host group was created in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.HostGroup.modified_by | String | The client that modified the host group. |
CrowdStrike.HostGroup.modified_timestamp | Date | The datetime when the host group was last modified in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |

#### Command Example
```!cs-falcon-add-host-group-members host_group_id="a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1" host_ids="a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"```

#### Human Readable Output
##### Results
assignment_rule | created_by | created_timestamp | description | group_type | id | modified_by | modified_timestamp | name |
---|---|---|---|---|---|---|---|---|
device_id:[''],hostname:['falcon-crowdstrike-sensor-centos7',''] | api-client-id:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2021-08-22T07:48:35.111070562Z | test_description_update | static | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | api-client-id:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2021-08-25T08:02:05.295663156Z | test_name_update_1 |

### 39. cs-falcon-remove-host-group-members
Removes host group members.

#### Base Command
`cs-falcon-remove-host-group-members`

#### Input
Argument Name | Description | Required |
---|---|---|
host_group_id | The ID of the host group. | Required |
host_ids | A comma-separated list of host agent IDs to remove from the host group. (The list of host agent IDs can be retrieved by running the 'cs-falcon-search-device' command.) | Required |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.HostGroup.id | String | The ID of the host group. |
CrowdStrike.HostGroup.group_type | String | The group type of the host group. |
CrowdStrike.HostGroup.name | String | The name of the host group. |
CrowdStrike.HostGroup.description | String | The description of the host group. |
CrowdStrike.HostGroup.created_by | String | The client that created the host group. |
CrowdStrike.HostGroup.created_timestamp | Date | The datetime when the host group was created in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.HostGroup.modified_by | String | The client that modified the host group. |
CrowdStrike.HostGroup.modified_timestamp | Date | The datetime when the host group was last modified in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |

#### Command Example
```!cs-falcon-remove-host-group-members host_group_id="a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1" host_ids="a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"```

#### Human Readable Output
##### Results
assignment_rule | created_by | created_timestamp | description | group_type | id | modified_by | modified_timestamp | name |
---|---|---|---|---|---|---|---|---|
device_id:[''],hostname:[''] | api-client-id:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2021-08-22T07:48:35.111070562Z | test_description_update | static | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | api-client-id:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2021-08-25T08:02:05.295663156Z | test_name_update_1 |

### 40. cs-falcon-resolve-incident
Resolves incidents.

#### Base Command
`cs-falcon-resolve-incident`

#### Input
Argument Name | Description | Required |
---|---|---|
ids | A comma-separated list of incident IDs. | Required |
status | The new status of the incident. Possible values are: New, In Progress, Reopened, Closed. | Required |

#### Context Output
There is no context output for this command.

#### Command Example
```!cs-falcon-resolve-incident ids="inc:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1,inc:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1" status="Closed"```

#### Human Readable Output
inc:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 changed successfully to Closed

inc:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 changed successfully to Closed

### 41. cs-falcon-list-host-groups
Lists the available host groups.

#### Base Command
`cs-falcon-list-host-groups`

#### Input
Argument Name | Description | Required |
---|---|---|
filter | The query by which to filter the devices that belong to the host group. | Optional |
offset | Page offset. | Optional |
limit | Maximum number of results on a page. Default is 50. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.HostGroup.id | String | The ID of the host group. |
CrowdStrike.HostGroup.group_type | String | The group type of the host group. |
CrowdStrike.HostGroup.name | String | The name of the host group. |
CrowdStrike.HostGroup.description | String | The description of the host group. |
CrowdStrike.HostGroup.created_by | String | The client that created the host group. |
CrowdStrike.HostGroup.created_timestamp | Date | The datetime when the host group was created in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.HostGroup.modified_by | String | The client that modified the host group. |
CrowdStrike.HostGroup.modified_timestamp | Date | The datetime when the host group was last modified in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |

#### Command Example
```!cs-falcon-list-host-groups```

#### Human Readable Output
##### Results
assignment_rule | created_by | created_timestamp | description | group_type | id | modified_by | modified_timestamp | name |
---|---|---|---|---|---|---|---|---|
device_id:[''],hostname:[''] | api-client-id:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2021-08-26T10:02:50.175530821Z | description2 | static | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | api-client-id:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2021-08-26T10:02:52.026307768Z | test_16299721694081629972169408 |

### 42. cs-falcon-delete-host-groups
Deletes the requested host groups.

#### Base Command
`cs-falcon-delete-host-groups`

#### Input
Argument Name | Description | Required |
---|---|---|
host_group_id | A comma-separated list of the IDs of the host groups to be deleted. | Required |

#### Context Output
There is no context output for this command.

#### Command Example
```!cs-falcon-delete-host-groups host_group_id=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1,a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1```

#### Human Readable Output
host group id a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 deleted successfully

host group id a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 deleted successfully

### 43. cs-falcon-search-custom-iocs
Returns a list of your uploaded IOCs that match the search criteria.

#### Base Command
`cs-falcon-search-custom-iocs`

#### Input
Argument Name | Description | Required |
---|---|---|
types | A comma-separated list of indicator types. Valid types are: "sha256", "sha1", "md5", "domain", "ipv4", "ipv6". | Optional |
values | A comma-separated list of indicator values. | Optional |
sources | A comma-separated list of IOC sources. | Optional |
expiration | The date on which the indicator will become inactive (ISO 8601 format, i.e. YYYY-MM-DDThh:mm:ssZ). | Optional |
limit | The maximum number of records to return. The minimum is 1 and the maximum is 500. Default is 50. | Optional |
sort | The order in which the results are returned. Possible values are: "type.asc", "type.desc", "value.asc", "value.desc", "policy.asc", "policy.desc", "share_level.asc", "share_level.desc", "expiration_timestamp.asc", and "expiration_timestamp.desc". | Optional |
offset | The offset to begin the list from. For example, start from the 10th record and return the list. Default is 0. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator. |
CrowdStrike.IOC.Severity | string | The severity level to apply to this indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.Action | string | Action to take when a host observes the custom IOC. |
CrowdStrike.IOC.Expiration | date | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | date | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | date | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |

#### Command Example
```!cs-falcon-search-custom-iocs limit=2```

#### Human Readable Output
##### Indicators of Compromise
ID | Action | Severity | Type | Value | Expiration | CreatedBy | CreatedTime | Description | ModifiedBy | ModifiedTime | Platforms | Policy | ShareLevel | Source | Tags |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | no_action | informational | ipv4 | 1.1.8.9 | 2022-02-17T13:47:57Z | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2022-02-16T17:17:25.992164453Z | test | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2022-02-16T17:17:25.992164453Z | mac | | | Cortex XSOAR | |
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | no_action | informational | ipv4 | 4.1.8.9 | 2022-02-17T13:47:57Z | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2022-02-16T17:16:44.514398876Z | test | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2022-02-16T17:16:44.514398876Z | mac | | | Cortex XSOAR | |

### 44. cs-falcon-get-custom-ioc
Gets the full definition of one or more indicators that you are watching.

#### Base Command
`cs-falcon-get-custom-ioc`

#### Input
Argument Name | Description | Required |
---|---|---|
type | The IOC type to retrieve. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6". Either ioc_id or ioc_type and value must be provided. | Optional |
value | The string representation of the indicator. Either ioc_id or ioc_type and value must be provided. | Optional |
ioc_id | The ID of the IOC to get. Can be retrieved by running the cs-falcon-search-custom-iocs command. Either ioc_id or ioc_type and value must be provided. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator. |
CrowdStrike.IOC.Severity | string | The severity level to apply to this indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.Action | string | Action to take when a host observes the custom IOC. |
CrowdStrike.IOC.Expiration | date | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | date | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | date | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |

#### Command Example
```!cs-falcon-get-custom-ioc type=ipv4 value=7.5.9.8```

#### Human Readable Output
##### Indicator of Compromise
ID | Action | Severity | Type | Value | Expiration | CreatedBy | CreatedTime | Description | ModifiedBy | ModifiedTime | Platforms | Policy | ShareLevel | Source | Tags |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | no_action | informational | ipv4 | 7.5.9.8 | 2022-02-17T17:55:09Z | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2022-02-16T14:25:22.968603813Z | | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2022-02-16T14:25:22.968603813Z | linux | | | cortex xsoar | test, test1 |

### 45. cs-falcon-upload-custom-ioc
Uploads an indicator for CrowdStrike to monitor.

#### Base Command
`cs-falcon-upload-custom-ioc`

#### Input
Argument Name | Description | Required |
---|---|---|
ioc_type | The type of the indicator. Possible values are: "sha256", "md5", "domain", "ipv4", and "ipv6". | Required |
value | A comma-separated list of indicators. More than one value can be supplied in order to upload multiple IOCs of the same type but with different values. Note that the uploaded IOCs will have the same properties (as supplied in the other arguments). | Required |
action | Action to take when a host observes the custom IOC. Possible values are: no_action (save the indicator for future use, but take no action; no severity required), allow (applies to hashes only; allow the indicator and do not detect it; severity does not apply and should not be provided), prevent_no_ui (applies to hashes only; block and detect the indicator, but hide it from Activity > Detections; has a default severity value), prevent (applies to hashes only; block the indicator and show it as a detection at the selected severity), detect (enable detections for the indicator at the selected severity). | Required |
platforms | The platforms that the indicator applies to. You can enter multiple platform names, separated by commas. Possible values are: mac, windows and linux. | Required |
severity | The severity level to apply to this indicator. Possible values are: informational, low, medium, high and critical. | Required for the prevent and detect actions. Optional for no_action. |
expiration | The date on which the indicator will become inactive (ISO 8601 format, i.e. YYYY-MM-DDThh:mm:ssZ). | Optional |
source | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limited to 200 characters. | Optional |
description | A meaningful description of the indicator. Limited to 200 characters. | Optional |
applied_globally | Whether the indicator is applied globally. Either applied_globally or host_groups must be provided. Possible values are: true, false. | Optional |
host_groups | List of host group IDs that the indicator applies to. Can be retrieved by running the cs-falcon-list-host-groups command. Either applied_globally or host_groups must be provided. | Optional |
tags | List of tags to apply to the indicator. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator. |
CrowdStrike.IOC.Severity | string | The severity level to apply to this indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.Action | string | Action to take when a host observes the custom IOC. |
CrowdStrike.IOC.Expiration | date | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | date | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | date | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
CrowdStrike.IOC.Tags | Unknown | The tags of the IOC. |
CrowdStrike.IOC.Platforms | Unknown | The platforms of the IOC. |

#### Command Example
```!cs-falcon-upload-custom-ioc ioc_type="domain" value="test.domain.com" action="prevent" severity="high" source="Demisto playbook" description="Test ioc" platforms="mac"```

#### Human Readable Output
##### Custom IOC was created successfully
CreatedTime | Description | Expiration | ID | ModifiedTime | Action | Severity | Source | Type | Value |
---|---|---|---|---|---|---|---|---|---|
2020-10-02T13:55:26Z | Test ioc | 2020-11-01T00:00:00Z | 4f8c43311k1801ca4359fc07t319610482c2003mcde8934d5412b1781e841e9r | 2020-10-02T13:55:26Z | prevent | high | Demisto playbook | domain | test.domain.com |

### 46. cs-falcon-update-custom-ioc
Updates an indicator for CrowdStrike to monitor.

#### Base Command
`cs-falcon-update-custom-ioc`

#### Input
Argument Name | Description | Required |
---|---|---|
ioc_id | The ID of the IOC to update. Can be retrieved by running the cs-falcon-search-custom-iocs command. | Required |
action | Action to take when a host observes the custom IOC. Possible values are: no_action (save the indicator for future use, but take no action; no severity required), allow (applies to hashes only; allow the indicator and do not detect it; severity does not apply and should not be provided), prevent_no_ui (applies to hashes only; block and detect the indicator, but hide it from Activity > Detections; has a default severity value), prevent (applies to hashes only; block the indicator and show it as a detection at the selected severity), detect (enable detections for the indicator at the selected severity). | Optional |
platforms | The platforms that the indicator applies to. You can enter multiple platform names, separated by commas. Possible values are: mac, windows and linux. | Optional |
severity | The severity level to apply to this indicator. Possible values are: informational, low, medium, high and critical. | Required for the prevent and detect actions. Optional for no_action. |
expiration | The date on which the indicator will become inactive (ISO 8601 format, i.e. YYYY-MM-DDThh:mm:ssZ). | Optional |
source | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limited to 200 characters. | Optional |
description | A meaningful description of the indicator. Limited to 200 characters. | Optional |
applied_globally | Whether the indicator is applied globally. Possible values are: true and false. Either applied_globally or host_groups must be provided. | Optional |
host_groups | List of host group IDs that the indicator applies to. Can be retrieved by running the cs-falcon-list-host-groups command. Either applied_globally or host_groups must be provided. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Policy | string | The policy of the indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.ShareLevel | string | The level at which the indicator will be shared. |
CrowdStrike.IOC.Expiration | string | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | string | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | string | The date and time the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |

#### Command Example
```!cs-falcon-update-custom-ioc ioc_id="4f8c43311k1801ca4359fc07t319610482c2003mcde8934d5412b1781e841e9r" severity="high"```

#### Human Readable Output
##### Custom IOC was updated successfully
CreatedTime | Description | Expiration | ID | ModifiedTime | Action | Severity | Source | Type | Value |
---|---|---|---|---|---|---|---|---|---|
2020-10-02T13:55:26Z | Test ioc | 2020-11-01T00:00:00Z | 4f8c43311k1801ca4359fc07t319610482c2003mcde8934d5412b1781e841e9r | 2020-10-02T13:55:26Z | prevent | high | Demisto playbook | domain | test.domain.com |

### 47. cs-falcon-delete-custom-ioc
Deletes a monitored indicator.

#### Base Command
`cs-falcon-delete-custom-ioc`

#### Input
Argument Name | Description | Required |
---|---|---|
ioc_id | The ID of the IOC to delete. Can be retrieved by running the cs-falcon-search-custom-iocs command. | Required |

#### Context Output
There is no context output for this command.

#### Command Example
```!cs-falcon-delete-custom-ioc ioc_id="4f8c43311k1801ca4359fc07t319610482c2003mcde8934d5412b1781e841e9r"```

#### Human Readable Output
Custom IOC 4f8c43311k1801ca4359fc07t319610482c2003mcde8934d5412b1781e841e9r was successfully deleted.

### 48. cs-falcon-batch-upload-custom-ioc
Uploads a batch of indicators.

#### Base Command
`cs-falcon-batch-upload-custom-ioc`

#### Input
Argument Name | Description | Required |
---|---|---|
multiple_indicators_json | A JSON list of CrowdStrike Falcon indicators to upload. | Required |
timeout | The amount of time (in seconds) that a request will wait for a client to establish a connection to a remote machine before a timeout occurs. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator. |
CrowdStrike.IOC.Severity | string | The severity level to apply to this indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.Action | string | Action to take when a host observes the custom IOC. |
CrowdStrike.IOC.Expiration | string | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | date | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | date | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
CrowdStrike.IOC.Tags | Unknown | The tags of the IOC. |
CrowdStrike.IOC.Platforms | Unknown | The platforms of the IOC. |

#### Command Example
```!cs-falcon-batch-upload-custom-ioc multiple_indicators_json=`[{"description": "test", "expiration": "2022-02-17T13:47:57Z", "type": "ipv4", "severity": "Informational", "value": "1.1.8.9", "action": "no_action", "platforms": ["mac"], "source": "Cortex XSOAR", "applied_globally": true}]` ```

#### Human Readable Output
##### Custom IOC 1.1.8.9 was created successfully
Action | CreatedBy | CreatedTime | Description | Expiration | ID | ModifiedBy | ModifiedTime | Platforms | Severity | Source | Type | Value |
---|---|---|---|---|---|---|---|---|---|---|---|---|
no_action | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2022-02-16T17:17:25.992164453Z | test | 2022-02-17T13:47:57Z | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2022-02-16T17:17:25.992164453Z | mac | informational | Cortex XSOAR | ipv4 | 1.1.8.9 |
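The cs-falcon-upload-custom-ioc, cs-falcon-update-custom-ioc and cs-falcon-batch-upload-custom-ioc commands share the same argument constraints: the allow, prevent and prevent_no_ui actions apply to hashes only, prevent and detect require a severity, allow must not carry one, exactly one of applied_globally or host_groups must be given, expiration is ISO 8601 (YYYY-MM-DDThh:mm:ssZ), and source and description are limited to 200 characters. Because the batch command rejects malformed entries at the API rather than in the playbook, it pays to validate the list before building the `multiple_indicators_json` argument. The following Python helper is an added example, not the integration's own code: it checks a list of indicator dicts against those constraints and serializes only the valid ones. The sample batch, the FIXED_NOW timestamp and the HOST_GROUP_ID_PLACEHOLDER value are constructed for the example, and the value-format checks (hash lengths, IP parsing, a domain regex) are this example's own additions that the integration does not document.

```python
"""Validate indicators for cs-falcon-batch-upload-custom-ioc and build the
multiple_indicators_json argument. Added example; not integration code."""
from __future__ import annotations

import ipaddress
import json
import re
from datetime import datetime, timezone

# Allowed values, taken from the cs-falcon-upload-custom-ioc argument table.
IOC_TYPES = {"sha256", "sha1", "md5", "domain", "ipv4", "ipv6"}
HASH_TYPES = {"sha256", "sha1", "md5"}
ACTIONS = {"no_action", "allow", "prevent_no_ui", "prevent", "detect"}
HASH_ONLY_ACTIONS = {"allow", "prevent_no_ui", "prevent"}
SEVERITY_REQUIRED_ACTIONS = {"prevent", "detect"}
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
PLATFORMS = {"mac", "windows", "linux"}
MAX_TEXT_LEN = 200  # limit stated for source and description
EXPIRATION_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Value-format checks are this example's own addition.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.IGNORECASE)


def value_is_well_formed(ioc_type: str, value: str) -> bool:
    """Check that the value actually looks like the declared indicator type."""
    if ioc_type in HASH_LENGTHS:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LENGTHS[ioc_type], value) is not None
    if ioc_type in ("ipv4", "ipv6"):
        try:
            return ipaddress.ip_address(value).version == (4 if ioc_type == "ipv4" else 6)
        except ValueError:
            return False
    if ioc_type == "domain":
        return DOMAIN_RE.match(value) is not None
    return False


def validate_indicator(ioc: dict, now: datetime) -> list[str]:
    """Return the list of constraint violations for one indicator (empty means valid)."""
    problems: list[str] = []
    ioc_type = ioc.get("type")
    value = str(ioc.get("value", ""))
    if ioc_type not in IOC_TYPES:
        problems.append(f"unknown type {ioc_type!r}")
    elif not value_is_well_formed(ioc_type, value):
        problems.append(f"value {value!r} is not a well-formed {ioc_type}")

    action = ioc.get("action")
    severity = ioc.get("severity")
    severity_norm = severity.lower() if isinstance(severity, str) else None
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    else:
        if action in HASH_ONLY_ACTIONS and ioc_type not in HASH_TYPES:
            problems.append(f"action {action} applies to hashes only")
        if action in SEVERITY_REQUIRED_ACTIONS and severity_norm is None:
            problems.append(f"action {action} requires a severity")
        if action == "allow" and severity_norm is not None:
            problems.append("severity must not be provided with action allow")
    if severity_norm is not None and severity_norm not in SEVERITIES:
        problems.append(f"unknown severity {severity!r}")

    platforms = ioc.get("platforms")
    if not isinstance(platforms, list) or not platforms or not set(platforms) <= PLATFORMS:
        problems.append("platforms must be a non-empty list drawn from mac, windows, linux")

    # Scope: exactly one of applied_globally=true / host_groups must be given.
    has_global = ioc.get("applied_globally") is True
    has_groups = bool(ioc.get("host_groups"))
    if has_global == has_groups:
        problems.append("provide exactly one of applied_globally=true or host_groups")

    for field in ("source", "description"):
        text = ioc.get(field)
        if text is not None and len(text) > MAX_TEXT_LEN:
            problems.append(f"{field} exceeds {MAX_TEXT_LEN} characters")

    expiration = ioc.get("expiration")
    if expiration is not None:
        try:
            when = datetime.strptime(expiration, EXPIRATION_FORMAT).replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append(f"expiration {expiration} is already in the past")
        except ValueError:
            problems.append(f"expiration {expiration!r} is not YYYY-MM-DDThh:mm:ssZ")
    return problems


def build_batch_payload(indicators: list[dict], now: datetime) -> tuple[str, dict[int, list[str]]]:
    """Return (JSON string for multiple_indicators_json, {rejected index: problems}).
    Rejected entries are left out so one bad entry does not sink the whole batch."""
    accepted, rejected = [], {}
    for i, ioc in enumerate(indicators):
        problems = validate_indicator(ioc, now)
        if problems:
            rejected[i] = problems
        else:
            accepted.append(ioc)
    return json.dumps(accepted, separators=(",", ":")), rejected


# Constructed sample batch (not from the page); FIXED_NOW keeps the expiration check deterministic.
FIXED_NOW = datetime(2022, 2, 16, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_BATCH = [
    {   # same shape as the page's own command example: valid
        "description": "test", "expiration": "2022-02-17T13:47:57Z", "type": "ipv4",
        "severity": "Informational", "value": "1.1.8.9", "action": "no_action",
        "platforms": ["mac"], "source": "Cortex XSOAR", "applied_globally": True,
    },
    {   # placeholder hash with a blocking action, scoped to a placeholder host group: valid
        "type": "md5", "value": "a1" * 16, "action": "prevent", "severity": "high",
        "platforms": ["windows", "linux"], "host_groups": ["HOST_GROUP_ID_PLACEHOLDER"],
        "source": "IR playbook",
    },
    {   # invalid on four counts: hash-only action on a domain, no scope, expired, long description
        "type": "domain", "value": "bad.example.test", "action": "prevent", "severity": "high",
        "platforms": ["windows"], "expiration": "2020-01-01T00:00:00Z", "description": "x" * 201,
    },
]

if __name__ == "__main__":
    payload, rejected = build_batch_payload(SAMPLE_BATCH, FIXED_NOW)
    print("multiple_indicators_json=" + payload)
    for idx, probs in rejected.items():
        print(f"entry {idx} rejected: {'; '.join(probs)}")
```

Run stand-alone, the script prints the serialized two valid entries and lists the four violations of the third. In a playbook, the rejected map is what you would surface to the analyst before calling the command, rather than discovering the failure in the command's error output.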

### 49. cs-falcon-rtr-kill-process
Executes an active-responder kill command on a single host.

#### Base Command
`cs-falcon-rtr-kill-process`

#### Input
Argument Name | Description | Required |
---|---|---|
host_id | The ID of the host on which to kill the given processes. | Required |
process_ids | A comma-separated list of process IDs to kill. | Required |
queue_offline | Whether the command will run against an offline-queued session and be queued for execution when the host comes online. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.kill.ProcessID | String | The process ID that was killed. |
CrowdStrike.Command.kill.Error | String | The error message raised if the command was failed. |
CrowdStrike.Command.kill.HostID | String | The host ID. |
#
Command example!cs-falcon-rtr-kill-process host_id=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 process_ids=5260,123
#
Context Example#
Human Readable Output#
CrowdStrike Falcon kill command on host a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:
ProcessID Error 123 Cannot find a process with the process identifier 123. 5260 Success Note: you don't see the following IDs in the results as the request was failed for them. ID 123 failed as it was not found.
#
50. cs-falcon-rtr-remove-file
Batch executes an RTR active-responder remove file across the hosts mapped to the given batch ID.

Base Command
cs-falcon-rtr-remove-file

Input
Argument Name | Description | Required |
---|---|---|
host_ids | A comma-separated list of the host IDs from which you would like to remove the file. | Required |
file_path | The path to a file or a directory that you would like to remove. | Required |
os | The operating system of the given hosts. As the remove command is different in each operating system, you can choose only one operating system. Possible values are: Windows, Linux, Mac. | Required |
queue_offline | Whether the command will run against an offline-queued session and be queued for execution when the host comes online. | Optional |

Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Command.rm.HostID | String | The host ID. |
CrowdStrike.Command.rm.Error | String | The error message raised if the command failed. |

Command example
!cs-falcon-rtr-remove-file file_path="c:\\testfolder" host_ids=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 os=Windows

Human Readable Output
CrowdStrike Falcon rm over the file: c:\testfolder

HostID | Error |
---|---|
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | Success |

51. cs-falcon-rtr-list-processes
Executes an RTR active-responder ps command to get a list of active processes on the given host.

Base Command
cs-falcon-rtr-list-processes

Input
Argument Name | Description | Required |
---|---|---|
host_id | The host ID from which you would like to get the process list. | Required |
queue_offline | Whether the command will run against an offline-queued session and be queued for execution when the host comes online. | Optional |

Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Command.ps.Filename | String | The name of the result file to be returned. |

Command example
!cs-falcon-rtr-list-processes host_id=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1

Human Readable Output
CrowdStrike Falcon ps command on host a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:

Stdout |
---|
TOO MUCH INFO TO DISPLAY |

52. cs-falcon-rtr-list-network-stats
Executes an RTR active-responder netstat command to get a list of network status and protocol statistics on the given host.

Base Command
cs-falcon-rtr-list-network-stats

Input
Argument Name | Description | Required |
---|---|---|
host_id | The host ID from which you would like to get the network status and protocol statistics list. | Required |
queue_offline | Whether the command will run against an offline-queued session and be queued for execution when the host comes online. | Optional |

Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Command.netstat.Filename | String | The name of the result file to be returned. |

Command example
!cs-falcon-rtr-list-network-stats host_id=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1

Human Readable Output
CrowdStrike Falcon netstat command on host a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:

Stdout |
---|
TOO MUCH INFO TO DISPLAY |

53. cs-falcon-rtr-read-registry
Executes an RTR active-responder read registry keys command across the given hosts. This command is valid only for Windows hosts.

Base Command
cs-falcon-rtr-read-registry

Input
Argument Name | Description | Required |
---|---|---|
host_ids | A comma-separated list of the host IDs from which you would like to get the registry keys. | Required |
registry_keys | A comma-separated list of the registry keys, subkeys or values to get. | Required |
queue_offline | Whether the command will run against an offline-queued session and be queued for execution when the host comes online. | Optional |

Context Output
There is no context output for this command.

Command example
!cs-falcon-rtr-read-registry host_ids=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 registry_keys=HKEY_LOCAL_MACHINE,HKEY_USERS

Human Readable Output
CrowdStrike Falcon reg command on hosts ['a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1']:

FileName | Stdout |
---|---|
reg-a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1HKEY_USERS | TOO MUCH INFO TO DISPLAY |
reg-a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1HKEY_LOCAL_MACHINE | TOO MUCH INFO TO DISPLAY |

54. cs-falcon-rtr-list-scheduled-tasks
Executes an RTR active-responder netstat command to get a list of scheduled tasks across the given host. This command is valid only for Windows hosts.

Base Command
cs-falcon-rtr-list-scheduled-tasks

Input
Argument Name | Description | Required |
---|---|---|
host_ids | A comma-separated list of the host IDs from which you would like to get the list of scheduled tasks. | Required |
queue_offline | Whether the command will run against an offline-queued session and be queued for execution when the host comes online. | Optional |

Context Output
There is no context output for this command.

Command example
!cs-falcon-rtr-list-scheduled-tasks host_ids=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1

Human Readable Output
CrowdStrike Falcon runscript command on host a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:

Stdout |
---|
TOO MUCH INFO TO DISPLAY |

55. cs-falcon-rtr-retrieve-file
Gets the RTR extracted file contents for the specified file path.

Base Command
cs-falcon-rtr-retrieve-file

Input
Argument Name | Description | Required |
---|---|---|
host_ids | A comma-separated list of the host IDs from which you would like to get the file. | Required |
file_path | The file path of the required file to extract. | Required |
filename | The filename to use for the archive name and the file within the archive. | Optional |
interval_in_seconds | Interval between polling attempts. Default is 60 seconds. Must be higher than 10. | Optional |
hosts_and_requests_ids | This is an internal argument used for the polling process, not to be used by the user. | Optional |
SHA256 | This is an internal argument used for the polling process, not to be used by the user. | Optional |
queue_offline | Whether the command will run against an offline-queued session and be queued for execution when the host comes online. | Optional |

Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.File.FileName | String | The file name. |
CrowdStrike.File.HostID | String | The host ID. |
File.Size | Number | The size of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Name | String | The name of the file. |
File.SSDeep | String | The SSDeep hash of the file. |
File.EntryID | String | The entry ID of the file. |
File.Info | String | Information about the file. |
File.Type | String | The file type. |
File.MD5 | String | The MD5 hash of the file. |
File.Extension | String | The extension of the file. |

Command example
!cs-falcon-rtr-retrieve-file file_path=`C:\Windows\System32\Windows.Media.FaceAnalysis.dll` host_ids=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1,a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1

Human Readable Output
Waiting for the polling execution

56. cs-falcon-get-detections-for-incident
Gets the detections for a specific incident.

Base Command
cs-falcon-get-detections-for-incident

Input
Argument Name | Description | Required |
---|---|---|
incident_id | The ID of the incident to get detections for. | Required |

Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.IncidentDetection.incident_id | String | The incident ID. |
CrowdStrike.IncidentDetection.behavior_id | String | The behavior ID connected to the incident. |
CrowdStrike.IncidentDetection.detection_ids | String | A list of detection IDs connected to the incident. |

Command example
!cs-falcon-get-detections-for-incident incident_id=inc:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1

Human Readable Output
Detection For Incident

behavior_id | detection_ids | incident_id |
---|---|---|
ind:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:162590282130-10303-6707968 | ldt:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:38656254663 | inc:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |
ind:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:162596456872-10303-6710016 | ldt:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:38657629548 | inc:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |
ind:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:162597577534-10305-6712576 | ldt:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:38658614774 | inc:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |
ind:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:162589633341-10303-6705920 | ldt:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:38655034604 | inc:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |

17. cs-falcon-update-incident-comment
Updates a CrowdStrike incident with the comment.

Base Command
cs-falcon-update-incident-comment

Input
Argument Name | Description | Required |
---|---|---|
ids | A comma-separated list of incident IDs. | Required |
comment | A comment added to the CrowdStrike incident. | Required |

Context Output

Command Example
cs-falcon-update-incident-comment ids=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 comment="Some comment"

Spotlight

Using Spotlight APIs
Spotlight identifies and gives info about specific vulnerabilities on your hosts using the Falcon sensor.

Required API client scope
To access the Spotlight API, your API client must be assigned the spotlight-vulnerabilities:read scope.

Validating API data
The Falcon sensor continuously monitors hosts for any changes and reports them as they occur. Depending on the timing of requests, Spotlight APIs can return values that are different from those shown by the Falcon console or an external source. There are other factors that can cause differences between API responses and other data sources.

API query syntax
If an API query doesn't exactly match the query used on the Spotlight Vulnerabilities page, the values might differ.

Expired vulnerabilities in Spotlight APIs
If a host is deleted or inactive for 45 days, the status of vulnerabilities on that host changes to expired. Expired vulnerabilities are removed from Spotlight after 3 days. Expired vulnerabilities are only visible in API responses and are not included in reports or the Falcon console. An external data source might not use the same data retention policy, which can lead to discrepancies with Spotlight APIs. For more info, see Data retention in Spotlight [https://falcon.crowdstrike.com/login/?next=%2Fdocumentation%2F43%2Ffalcon-spotlight-overview#data-retention-in-spotlight].

The following commands use the Spotlight API:

cs-falcon-spotlight-search-vulnerability
Retrieve vulnerability details according to the selected filter. Each request requires at least one filter parameter. Supported with the CrowdStrike Spotlight license.

Base Command
cs-falcon-spotlight-search-vulnerability

Input
Argument Name | Description | Required |
---|---|---|
filter | Limit the vulnerabilities returned to specific properties. Each value must be enclosed in single quotes and placed immediately after the colon with no space. | Optional |
aid | Unique agent identifier (AID) of a sensor | Optional |
cve_id | Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation | Optional |
cve_severity | Severity of the CVE. The possible values are: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN, or NONE. | Optional |
tags | Name of a tag assigned to a host. Retrieve tags from Host Tags APIs | Optional |
status | Status of a vulnerability. This filter supports multiple values and negation. The possible values are: open, closed, reopen, expired. | Optional |
platform_name | Operating system platform. This filter supports negation. The possible values are: Windows, Mac, Linux. | Optional |
host_group | Unique system-assigned ID of a host group. Retrieve the host group ID from Host Group APIs | Optional |
host_type | Type of host a sensor is running on | Optional |
last_seen_within | Filter for vulnerabilities based on the number of days since a host last connected to CrowdStrike Falcon | Optional |
is_suppressed | Indicates if the vulnerability is suppressed by a suppression rule | Optional |
display_remediation_info | Display remediation information type of data to be returned for each vulnerability entity | Optional |
display_evaluation_logic_info | Whether to return logic information type of data for each vulnerability entity | Optional |
display_host_info | Whether to return host information type of data for each vulnerability entity | Optional |
limit | Maximum number of items to return (1-5000) | Optional |

Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Vulnerability.id | String | Unique system-assigned ID of the vulnerability. |
CrowdStrike.Vulnerability.cid | String | Unique system-generated customer identifier (CID) of the account |
CrowdStrike.Vulnerability.aid | String | Unique agent identifier (AID) of the sensor where the vulnerability was found |
CrowdStrike.Vulnerability.created_timestamp | String | UTC date and time that the vulnerability was created in Spotlight |
CrowdStrike.Vulnerability.updated_timestamp | String | UTC date and time of the last update made on the vulnerability |
CrowdStrike.Vulnerability.status | String | Vulnerability's current status. Possible values are: open, closed, reopen, or expired |
CrowdStrike.Vulnerability.apps.product_name_version | String | Name and version of the product associated with the vulnerability |
CrowdStrike.Vulnerability.apps.sub_status | String | Status of each product associated with the vulnerability. Possible values are: open, closed, or reopen |
CrowdStrike.Vulnerability.apps.remediation.ids | String | Remediation ID of each product associated with the vulnerability |
CrowdStrike.Vulnerability.host_info.hostname | String | Name of the machine |
CrowdStrike.Vulnerability.host_info.instance_id | String | Cloud instance ID of the host |
CrowdStrike.Vulnerability.host_info.service_provider_account_id | String | Cloud service provider account ID for the host |
CrowdStrike.Vulnerability.host_info.service_provider | String | Cloud service provider for the host |
CrowdStrike.Vulnerability.host_info.os_build | String | Operating system build |
CrowdStrike.Vulnerability.host_info.product_type_desc | String | Type of host a sensor is running on |
CrowdStrike.Vulnerability.host_info.local_ip | String | Device's local IP address |
CrowdStrike.Vulnerability.host_info.machine_domain | String | Active Directory domain name |
CrowdStrike.Vulnerability.host_info.os_version | String | Operating system version |
CrowdStrike.Vulnerability.host_info.ou | String | Active directory organizational unit name |
CrowdStrike.Vulnerability.host_info.site_name | String | Active directory site name |
CrowdStrike.Vulnerability.host_info.system_manufacturer | String | Name of the system manufacturer |
CrowdStrike.Vulnerability.host_info.groups.id | String | Array of host group IDs that the host is assigned to |
CrowdStrike.Vulnerability.host_info.groups.name | String | Array of host group names that the host is assigned to |
CrowdStrike.Vulnerability.host_info.tags | String | Name of a tag assigned to a host |
CrowdStrike.Vulnerability.host_info.platform | String | Operating system platform |
CrowdStrike.Vulnerability.remediation.entities.id | String | Unique ID of the remediation |
CrowdStrike.Vulnerability.remediation.entities.reference | String | Relevant reference for the remediation that can be used to get additional details for the remediation |
CrowdStrike.Vulnerability.remediation.entities.title | String | Short description of the remediation |
CrowdStrike.Vulnerability.remediation.entities.action | String | Expanded description of the remediation |
CrowdStrike.Vulnerability.remediation.entities.link | String | Link to the remediation page for the vendor |
CrowdStrike.Vulnerability.cve.id | String | Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD) |
CrowdStrike.Vulnerability.cve.base_score | String | Base score of the CVE (float value between 1 and 10) |
CrowdStrike.Vulnerability.cve.severity | String | CVSS severity rating of the vulnerability |
CrowdStrike.Vulnerability.cve.exploit_status | String | Numeric value of the most severe known exploit |
CrowdStrike.Vulnerability.cve.exprt_rating | String | ExPRT rating assigned by CrowdStrike's predictive AI rating system |
CrowdStrike.Vulnerability.cve.description | String | Brief explanation of the CVE |
CrowdStrike.Vulnerability.cve.published_date | String | UTC timestamp with the date and time the vendor published the CVE |
CrowdStrike.Vulnerability.cve.vendor_advisory | String | Link to the vendor page where the CVE was disclosed |
CrowdStrike.Vulnerability.cve.exploitability_score | String | Exploitability score of the CVE (float values from 1-4) |
CrowdStrike.Vulnerability.cve.impact_score | String | Impact score of the CVE (float values from 1-6) |
CrowdStrike.Vulnerability.cve.vector | String | Textual representation of the metric values used to score the vulnerability |
CrowdStrike.Vulnerability.cve.remediation_level | String | CVSS remediation level of the vulnerability (U = Unavailable, or O = Official fix) |
CrowdStrike.Vulnerability.cve.cisa_info.is_cisa_kev | String | Whether to filter for vulnerabilities that are in the CISA Known Exploited Vulnerabilities (KEV) catalog |
CrowdStrike.Vulnerability.cve.cisa_info.due_date | String | Date before which CISA mandates subject organizations to patch the vulnerability |
CrowdStrike.Vulnerability.cve.spotlight_published_date | String | UTC timestamp with the date and time Spotlight enabled coverage for the vulnerability |
CrowdStrike.Vulnerability.cve.actors | String | Adversaries associated with the vulnerability |
CrowdStrike.Vulnerability.cve.name | String | The vulnerability name |

Command example
cs-falcon-spotlight-search-vulnerability filter=status:['open','closed'] cve_id=CVE-2021-2222 cve_severity='LOW,HIGH' display_host_info=false display_evaluation_logic_info=false display_remediation_info=false limit=1

Context Example
CVE ID | CVE Severity | CVE Base Score | CVE Published Date | CVE Impact Score | CVE Exploitability Score | CVE Vector |
---|---|---|---|---|---|---|
CVE-2021-2222 | LOW | 5.5 | 2021-05-10T17:08:00Z | 3.6 | 0 | vendor |

cs-falcon-spotlight-list-host-by-vulnerability
Retrieve vulnerability details for a specific ID and host. Supported with the CrowdStrike Spotlight license.

Base Command
cs-falcon-spotlight-list-host-by-vulnerability

Input
Argument Name | Description | Required |
---|---|---|
cve_ids | Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation | Required |
limit | Maximum number of items to return (1-5000) | Optional |

Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.VulnerabilityHost.id | String | Unique system-assigned ID of the vulnerability. |
CrowdStrike.VulnerabilityHost.cid | String | Unique system-generated customer identifier (CID) of the account |
CrowdStrike.VulnerabilityHost.aid | String | Unique agent identifier (AID) of the sensor where the vulnerability was found |
CrowdStrike.VulnerabilityHost.created_timestamp | String | UTC date and time that the vulnerability was created in Spotlight |
CrowdStrike.VulnerabilityHost.updated_timestamp | String | UTC date and time of the last update made on the vulnerability |
CrowdStrike.VulnerabilityHost.status | String | Vulnerability's current status. Possible values are: open, closed, reopen, or expired. |
CrowdStrike.VulnerabilityHost.apps.product_name_version | String | Name and version of the product associated with the vulnerability |
CrowdStrike.VulnerabilityHost.apps.sub_status | String | Status of each product associated with the vulnerability |
CrowdStrike.VulnerabilityHost.apps.remediation.ids | String | Remediation ID of each product associated with the vulnerability |
CrowdStrike.VulnerabilityHost.apps.evaluation_logic.id | String | Unique system-assigned ID of the vulnerability evaluation logic |
CrowdStrike.VulnerabilityHost.suppression_info.is_suppressed | String | Indicates if the vulnerability is suppressed by a suppression rule |
CrowdStrike.VulnerabilityHost.host_info.hostname | String | Name of the machine |
CrowdStrike.VulnerabilityHost.host_info.instance_id | String | Cloud service provider account ID for the host |
CrowdStrike.VulnerabilityHost.host_info.service_provider_account_id | String | Cloud service provider for the host |
CrowdStrike.VulnerabilityHost.host_info.service_provider | String | Operating system build |
CrowdStrike.VulnerabilityHost.host_info.os_build | String | Operating system build |
CrowdStrike.VulnerabilityHost.host_info.product_type_desc | String | Type of host a sensor is running on |
CrowdStrike.VulnerabilityHost.host_info.local_ip | String | Device's local IP address |
CrowdStrike.VulnerabilityHost.host_info.machine_domain | String | Active Directory domain name |
CrowdStrike.VulnerabilityHost.host_info.os_version | String | Operating system version |
CrowdStrike.VulnerabilityHost.host_info.ou | String | Active directory organizational unit name |
CrowdStrike.VulnerabilityHost.host_info.site_name | String | Active directory site name |
CrowdStrike.VulnerabilityHost.host_info.system_manufacturer | String | Name of the system manufacturer |
CrowdStrike.VulnerabilityHost.host_info.groups.id | String | Array of host group IDs that the host is assigned to |
CrowdStrike.VulnerabilityHost.host_info.groups.name | String | Array of host group names that the host is assigned to |
CrowdStrike.VulnerabilityHost.host_info.tags | String | Name of a tag assigned to a host |
CrowdStrike.VulnerabilityHost.host_info.platform | String | Operating system platform |
CrowdStrike.VulnerabilityHost.cve.id | String | Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD) |

Command example
cs-falcon-spotlight-list-host-by-vulnerability cve_ids=CVE-2021-2222

Human Readable Output
CVE ID | Host Info hostname | Host Info os Version | Host Info Product Type Desc | Host Info Local IP | Host Info ou | Host Info Machine Domain | Host Info Site Name | CVE Exploitability Score | CVE Vector |
---|---|---|---|---|---|---|---|---|---|
CVE-20212-2222 | host | 1 | Server | ip | site | 5.5 |

cve
Retrieve vulnerability details according to the selected filter. Each request requires at least one filter parameter. Supported with the CrowdStrike Spotlight license.

Base Command
cve

Input
Argument Name | Description | Required |
---|---|---|
cve_id | Deprecated. Use cve instead. | Optional |
cve | Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation. | Optional |

Command example
cve cve_id=CVE-2021-2222

Human Readable Output
ID | Severity | Published Date | Base Score |
---|---|---|---|
CVE-2021-2222 | HIGH | 2021-09-16T15:12:42Z | 1 |

cs-falcon-create-ml-exclusion
Create an ML exclusion.

Base Command
cs-falcon-create-ml-exclusion

Input
Argument Name | Description | Required |
---|---|---|
value | Value to match for exclusion. | Required |
excluded_from | A comma-separated list from where to exclude the exclusion. Possible values are: blocking, extraction. | Required |
comment | Comment describing why the exclusions were created. | Optional |
groups | A comma-separated list of group ID(s) impacted by the exclusion OR all if empty. | Optional |

Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.MLExclusion.id | String | The ML exclusion ID. |
CrowdStrike.MLExclusion.value | String | The ML exclusion value. |
CrowdStrike.MLExclusion.regexp_value | String | A regular expression for matching the excluded value. |
CrowdStrike.MLExclusion.value_hash | String | A hash of the value field. |
CrowdStrike.MLExclusion.excluded_from | String | What the exclusion applies to (e.g., a specific ML model). |
CrowdStrike.MLExclusion.groups.id | String | Group's ID that the exclusion rule is associated with. |
CrowdStrike.MLExclusion.groups.group_type | String | Groups type that the exclusion rule is associated with. |
CrowdStrike.MLExclusion.groups.name | String | Groups name that the exclusion rule is associated with. |
CrowdStrike.MLExclusion.groups.description | String | Groups description that the exclusion rule is associated with. |
CrowdStrike.MLExclusion.groups.assignment_rule | String | Groups assignment rule that the exclusion is associated with. |
CrowdStrike.MLExclusion.groups.created_by | String | Indicate who created the group. |
CrowdStrike.MLExclusion.groups.created_timestamp | Date | The date when the group was created. |
CrowdStrike.MLExclusion.groups.modified_by | String | Indicate who last modified the group. |
CrowdStrike.MLExclusion.groups.modified_timestamp | Date | The date when the group was last modified. |
CrowdStrike.MLExclusion.applied_globally | Boolean | Whether the exclusion rule applies globally or only to specific entities. |
CrowdStrike.MLExclusion.last_modified | Date | The date when the exclusion rule was last modified. |
CrowdStrike.MLExclusion.modified_by | String | Indicate who last modified the rule. |
CrowdStrike.MLExclusion.created_on | Date | Indicate who created the rule. |
CrowdStrike.MLExclusion.created_by | String | The date when the exclusion rule was created. |

Command example
!cs-falcon-create-ml-exclusion value=/demo-test excluded_from=blocking groups=999999

Human Readable Output
CrowdStrike Falcon machine learning exclusion

Id | Value | RegexpValue | ValueHash | ExcludedFrom | Groups | AppliedGlobally | LastModified | ModifiedBy | CreatedOn | CreatedBy |
---|---|---|---|---|---|---|---|---|---|---|
123456 | /demo-test | \/demo-test | abcdef123456 | values: blocking | id: 999999, group_type: static, name: Lab env, description:, assignment_rule: device_id:, created_by: admin@test.com, created_timestamp: 2023-01-23T15:01:11.846726918Z, modified_by: admin@test.com, modified_timestamp: 2023-01-23T15:18:52.316882546Z | | 2023-03-06T13:57:14.853546312Z | api-client-id:123456 | 2023-03-06T13:57:14.853546312Z | api-client-id:123456 |

cs-falcon-update-ml-exclusion
Updates an ML exclusion. At least one argument is required in addition to the ID argument.

Base Command
cs-falcon-update-ml-exclusion

Input
Argument Name | Description | Required |
---|---|---|
id | The ID of the exclusion to update. | Required |
value | Value to match for the exclusion (the exclusion pattern). | Optional |
comment | Comment describing why the exclusions were created. | Optional |
groups | A comma-separated list of group ID(s) impacted by the exclusion. | Optional |

Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.MLExclusion.id | String | The ML exclusion ID. |
CrowdStrike.MLExclusion.value | String | The ML exclusion value. |
CrowdStrike.MLExclusion.regexp_value | String | A regular expression for matching the excluded value. |
CrowdStrike.MLExclusion.value_hash | String | A hash of the value field. |
CrowdStrike.MLExclusion.excluded_from | String | What the exclusion applies to (e.g., a specific ML model). |
CrowdStrike.MLExclusion.groups.id | String | Groups ID that the exclusion rule is associated with. |
CrowdStrike.MLExclusion.groups.group_type | String | Groups type that the exclusion rule is associated with. |
CrowdStrike.MLExclusion.groups.name | String | Groups name that the exclusion rule is associated with. |
CrowdStrike.MLExclusion.groups.description | String | Groups description that the exclusion rule is associated with. |
CrowdStrike.MLExclusion.groups.assignment_rule | String | Groups assignment rule that the exclusion is associated with. |
CrowdStrike.MLExclusion.groups.created_by | String | Indicate who created the group. |
CrowdStrike.MLExclusion.groups.created_timestamp | Date | The date when the group was created. |
CrowdStrike.MLExclusion.groups.modified_by | String | Indicate who last modified the group. |
CrowdStrike.MLExclusion.groups.modified_timestamp | Date | The date when the group was last modified. |
CrowdStrike.MLExclusion.applied_globally | Boolean | Whether the exclusion rule applies globally or only to specific entities. |
CrowdStrike.MLExclusion.last_modified | Date | The date when the exclusion rule was last modified. |
CrowdStrike.MLExclusion.modified_by | String | Indicate who last modified the rule. |
CrowdStrike.MLExclusion.created_on | Date | Indicate who created the rule. |
CrowdStrike.MLExclusion.created_by | String | The date when the exclusion rule was created. |

Command example
!cs-falcon-update-ml-exclusion id=a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 comment=demo-comment

Human Readable Output
CrowdStrike Falcon machine learning exclusion

Id | Value | RegexpValue | ValueHash | ExcludedFrom | Groups | AppliedGlobally | LastModified | ModifiedBy | CreatedOn | CreatedBy |
---|---|---|---|---|---|---|---|---|---|---|
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | /demo | \/demo | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | values: extraction, blocking | id: 999999, group_type: static, name: Lab env, description:, assignment_rule: device_id:, created_by: admin@test.com, created_timestamp: 2023-01-23T15:01:11.846726918Z, modified_by: admin@test.com, modified_timestamp: 2023-01-23T15:18:52.316882546Z | | 2023-03-06T13:57:21.57829431Z | api-client-id:123456 | 2023-03-06T13:56:25.940685483Z | api-client-id:123456 |

cs-falcon-delete-ml-exclusion
Delete the ML exclusions by ID.

Base Command
cs-falcon-delete-ml-exclusion

Input
Argument Name | Description | Required |
---|---|---|
ids | A comma-separated list of exclusion IDs to delete. | Required |

Context Output
There is no context output for this command.

Command example
!cs-falcon-delete-ml-exclusion ids=123456

Human Readable Output
The machine learning exclusions with IDs '123456' was successfully deleted.

cs-falcon-search-ml-exclusion
Get a list of ML exclusions by specifying their IDs, value, or a specific filter.

Base Command
cs-falcon-search-ml-exclusion

Input
Argument Name | Description | Required |
---|---|---|
filter | A custom filter by which the exclusions should be filtered. The syntax follows the pattern <property>:[operator]'<value>' for example: value:'test'.Available filters: applied_globally, created_by, created_on, last_modified, modified_by, value. For more information, see: https://www.falconpy.io/Service-Collections/Falcon-Query-Language. | Optional |
value | The value by which the exclusions should be filtered. | Optional |
ids | A comma-separated list of exclusion IDs to retrieve. The IDs overwrite the filter and value. | Optional |
limit | The maximum number of records to return. [1-500]. Applies only if the IDs argument is not supplied. | Optional |
offset | The offset to start retrieving records from. Applies only if the IDs argument is not supplied. | Optional |
sort | How to sort the retrieved exclusions. Possible values are: applied_globally.asc, applied_globally.desc, created_by.asc, created_by.desc, created_on.asc, created_on.desc, last_modified.asc, last_modified.desc, modified_by.asc, modified_by.desc, value.asc, value.desc. | Optional |
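Both the Spotlight `filter` argument (each value in single quotes immediately after the colon, lists written as `['open','closed']`) and the `filter` argument of this command (`<property>:[operator]'<value>'`) are Falcon Query Language strings, and a stray space or quote either returns nothing or lets part of a user-supplied value be read as more filter syntax. The helper below is an added example, not code from the integration or from CrowdStrike: it renders FQL terms from Python values, joins them with `+` (AND) and `,` (OR), and refuses values containing a single quote. The operator set and the AND/OR separators are assumptions taken from FQL's documented grammar, and `ml_exclusion_filter` uses only the properties the table above lists as available; check both against the FQL reference linked there.

```python
"""Build Falcon Query Language (FQL) filter strings safely.

Added example for this page; not code from the integration or from CrowdStrike.
The operator set and the '+' (AND) / ',' (OR) separators are assumptions from FQL's grammar.
"""
import re
from typing import Any

_PROPERTY = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")
# Assumed FQL comparison operators: equality (empty), negation, ordering, and match.
OPERATORS = {"", "!", ">", ">=", "<", "<=", "~", "!~"}


def _literal(value: Any) -> str:
    """Render one scalar as an FQL literal: quoted string, bare number, or bare boolean."""
    if isinstance(value, bool):  # bool before int: True is an int in Python
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    if "'" in text or "\n" in text:
        # A quote would close the literal early and let the remainder be parsed as filter syntax.
        raise ValueError(f"value {text!r} contains characters not allowed in an FQL literal")
    return f"'{text}'"


def fql_term(prop: str, value: Any, operator: str = "") -> str:
    """Return one <property>:[operator]<value> term, e.g. status:['open','closed'] or value:'test'."""
    if not _PROPERTY.match(prop):
        raise ValueError(f"invalid property name {prop!r}")
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator {operator!r}")
    if isinstance(value, (list, tuple, set, frozenset)):
        if operator not in ("", "!"):
            raise ValueError("list values can only be used with equality or negation")
        items = list(value)
        if not items:
            raise ValueError(f"empty value list for {prop}")
        body = "[" + ",".join(_literal(v) for v in items) + "]"
    else:
        body = _literal(value)
    # No space between the colon and the value, as the Spotlight filter argument requires.
    return f"{prop}:{operator}{body}"


def fql_and(*terms: str) -> str:
    """Combine terms so that all of them must match."""
    return "+".join(t for t in terms if t)


def fql_or(*terms: str) -> str:
    """Combine terms so that any of them may match."""
    return ",".join(t for t in terms if t)


def ml_exclusion_filter(created_by: str, since: str) -> str:
    """Filter for cs-falcon-search-ml-exclusion: exclusions a given identity created on or
    after a timestamp. Uses only properties the page lists as available (created_by, created_on)."""
    return fql_and(fql_term("created_by", created_by), fql_term("created_on", since, ">="))


if __name__ == "__main__":
    # The page's own Spotlight example, rebuilt from Python values.
    print(fql_term("status", ["open", "closed"]))
    # Constructed inputs for the ML-exclusion search.
    print(ml_exclusion_filter("admin@test.com", "2023-01-01T00:00:00Z"))
```

Because the builder rejects single quotes rather than escaping them, any value that originates from an incident field or a user prompt fails loudly instead of silently widening the query.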
#
#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.MLExclusion.id | String | The ML exclusion ID. |
| CrowdStrike.MLExclusion.value | String | The ML exclusion value. |
| CrowdStrike.MLExclusion.regexp_value | String | A regular expression for matching the excluded value. |
| CrowdStrike.MLExclusion.value_hash | String | A hash of the value field. |
| CrowdStrike.MLExclusion.excluded_from | String | What the exclusion applies to (e.g., a specific ML model). |
| CrowdStrike.MLExclusion.groups.id | String | ID of the group that the exclusion rule is associated with. |
| CrowdStrike.MLExclusion.groups.group_type | String | Type of the group that the exclusion rule is associated with. |
| CrowdStrike.MLExclusion.groups.name | String | Name of the group that the exclusion rule is associated with. |
| CrowdStrike.MLExclusion.groups.description | String | Description of the group that the exclusion rule is associated with. |
| CrowdStrike.MLExclusion.groups.assignment_rule | String | Assignment rule of the group that the exclusion is associated with. |
| CrowdStrike.MLExclusion.groups.created_by | String | Indicates who created the group. |
| CrowdStrike.MLExclusion.groups.created_timestamp | Date | The date when the group was created. |
| CrowdStrike.MLExclusion.groups.modified_by | String | Indicates who last modified the group. |
| CrowdStrike.MLExclusion.groups.modified_timestamp | Date | The date when the group was last modified. |
| CrowdStrike.MLExclusion.applied_globally | Boolean | Whether the exclusion rule applies globally or only to specific entities. |
| CrowdStrike.MLExclusion.last_modified | Date | The date when the exclusion rule was last modified. |
| CrowdStrike.MLExclusion.modified_by | String | Indicates who last modified the rule. |
| CrowdStrike.MLExclusion.created_on | Date | The date when the exclusion rule was created. |
| CrowdStrike.MLExclusion.created_by | String | Indicates who created the rule. |

#### Command example

`!cs-falcon-search-ml-exclusion limit=1`

#### Context Example

#### Human Readable Output

CrowdStrike Falcon machine learning exclusions

| Id | Value | RegexpValue | ValueHash | ExcludedFrom | Groups | AppliedGlobally | LastModified | ModifiedBy | CreatedOn | CreatedBy |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 123456 | /MosheTest2-432 | \/MosheTest2-432 | abcdef123456 | values: blocking | id: 999999, group_type: static, name: Lab env, description: '', assignment_rule: device_id, created_by: admin@test.com, created_timestamp: 2023-01-23T15:01:11.846726918Z, modified_by: admin@test.com, modified_timestamp: 2023-01-23T15:18:52.316882546Z |  | 2023-03-01T18:51:07.196018144Z | api-client-id:123456 | 2023-03-01T18:51:07.196018144Z | api-client-id:123456 |

### cs-falcon-create-ioa-exclusion

Create an IOA exclusion.

#### Base Command

`cs-falcon-create-ioa-exclusion`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| exclusion_name | Name of the exclusion. | Required |
| pattern_name | Name of the exclusion pattern. | Optional |
| pattern_id | ID of the exclusion pattern. | Required |
| cl_regex | Command line regular expression. | Required |
| ifn_regex | Image file name regular expression. | Required |
| comment | Comment describing why the exclusions were created. | Optional |
| description | Exclusion description. | Optional |
| detection_json | JSON formatted detection template. | Optional |
| groups | A comma-separated list of group ID(s) impacted by the exclusion OR all if empty. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.IOAExclusion.id | String | A unique identifier for the IOA exclusion. |
| CrowdStrike.IOAExclusion.name | String | The name of the IOA exclusion. |
| CrowdStrike.IOAExclusion.description | String | A description of the IOA exclusion. |
| CrowdStrike.IOAExclusion.pattern_id | String | The identifier of the pattern associated with the IOA exclusion. |
| CrowdStrike.IOAExclusion.pattern_name | String | The name of the pattern associated with the IOA exclusion. |
| CrowdStrike.IOAExclusion.ifn_regex | String | A regular expression used for file name matching. |
| CrowdStrike.IOAExclusion.cl_regex | String | A regular expression used for command line matching. |
| CrowdStrike.IOAExclusion.detection_json | String | A JSON string that describes the detection logic for the IOA exclusion. |
| CrowdStrike.IOAExclusion.groups.id | String | ID of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.group_type | String | Type of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.name | String | Name of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.description | String | Description of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.assignment_rule | String | Assignment rule of the group that the exclusion is associated with. |
| CrowdStrike.IOAExclusion.groups.created_by | String | Indicates who created the group. |
| CrowdStrike.IOAExclusion.groups.created_timestamp | Date | The date when the group was created. |
| CrowdStrike.IOAExclusion.groups.modified_by | String | Indicates who last modified the group. |
| CrowdStrike.IOAExclusion.groups.modified_timestamp | Date | The date when the group was last modified. |
| CrowdStrike.IOAExclusion.applied_globally | Boolean | Whether the exclusion rule applies globally or only to specific entities. |
| CrowdStrike.IOAExclusion.last_modified | Date | The date when the exclusion rule was last modified. |
| CrowdStrike.IOAExclusion.modified_by | String | Indicates who last modified the rule. |
| CrowdStrike.IOAExclusion.created_on | Date | The date when the exclusion rule was created. |
| CrowdStrike.IOAExclusion.created_by | String | Indicates who created the rule. |

#### Command example

`!cs-falcon-create-ioa-exclusion exclusion_name=demo-test pattern_id=101010 cl_regex=.* ifn_regex="c:\\\\windows\\\\system32\\\\test.exe" groups=999999`

#### Context Example

#### Human Readable Output

CrowdStrike Falcon IOA exclusion

| Id | Name | PatternId | IfnRegex | ClRegex | Groups | AppliedGlobally | LastModified | ModifiedBy | CreatedOn | CreatedBy |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 123456 | demo-test | 101010 | c:\windows\system32\poqexec.exe | .* | id: 999999, group_type: static, name: Lab env, description: '', assignment_rule: device_id, created_by: admin@test.com, created_timestamp: 2023-01-23T15:01:11.846726918Z, modified_by: admin@test.com, modified_timestamp: 2023-01-23T15:18:52.316882546Z |  | 2023-03-06T13:57:41.746172897Z | api-client-id:123456 | 2023-03-06T13:57:41.746172897Z | api-client-id:123456 |

### cs-falcon-update-ioa-exclusion

Updates an IOA exclusion. At least one argument is required in addition to the ID argument.

#### Base Command

`cs-falcon-update-ioa-exclusion`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | ID of the exclusion to update. | Required |
| exclusion_name | Name of the exclusion. | Optional |
| pattern_id | ID of the exclusion pattern to update. | Optional |
| pattern_name | Name of the exclusion pattern. | Optional |
| cl_regex | Command line regular expression. | Optional |
| ifn_regex | Image file name regular expression. | Optional |
| comment | Comment describing why the exclusion was created. | Optional |
| description | Exclusion description. | Optional |
| detection_json | JSON formatted detection template. | Optional |
| groups | A comma-separated list of group ID(s) impacted by the exclusion. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.IOAExclusion.id | String | A unique identifier for the IOA exclusion. |
| CrowdStrike.IOAExclusion.name | String | The name of the IOA exclusion. |
| CrowdStrike.IOAExclusion.description | String | A description of the IOA exclusion. |
| CrowdStrike.IOAExclusion.pattern_id | String | The identifier of the pattern associated with the IOA exclusion. |
| CrowdStrike.IOAExclusion.pattern_name | String | The name of the pattern associated with the IOA exclusion. |
| CrowdStrike.IOAExclusion.ifn_regex | String | A regular expression used for file name matching. |
| CrowdStrike.IOAExclusion.cl_regex | String | A regular expression used for command line matching. |
| CrowdStrike.IOAExclusion.detection_json | String | A JSON string that describes the detection logic for the IOA exclusion. |
| CrowdStrike.IOAExclusion.groups.id | String | ID of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.group_type | String | Type of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.name | String | Name of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.description | String | Description of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.assignment_rule | String | Assignment rule of the group that the exclusion is associated with. |
| CrowdStrike.IOAExclusion.groups.created_by | String | Indicates who created the group. |
| CrowdStrike.IOAExclusion.groups.created_timestamp | Date | The date when the group was created. |
| CrowdStrike.IOAExclusion.groups.modified_by | String | Indicates who last modified the group. |
| CrowdStrike.IOAExclusion.groups.modified_timestamp | Date | The date when the group was last modified. |
| CrowdStrike.IOAExclusion.applied_globally | Boolean | Whether the exclusion rule applies globally or only to specific entities. |
| CrowdStrike.IOAExclusion.last_modified | Date | The date when the exclusion rule was last modified. |
| CrowdStrike.IOAExclusion.modified_by | String | Indicates who last modified the rule. |
| CrowdStrike.IOAExclusion.created_on | Date | The date when the exclusion rule was created. |
| CrowdStrike.IOAExclusion.created_by | String | Indicates who created the rule. |

#### Command example

`!cs-falcon-update-ioa-exclusion id=123456 description=demo-description`

#### Context Example

#### Human Readable Output

CrowdStrike Falcon IOA exclusion

| Id | Name | Description | PatternId | IfnRegex | ClRegex | Groups | AppliedGlobally | LastModified | ModifiedBy | CreatedOn | CreatedBy |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 123456 | demo | demo-description | 101010 | c:\windows\system32\poqexec.exe | .* | id: 999999, group_type: static, name: Lab env, description: '', assignment_rule: device_id, created_by: admin@test.com, created_timestamp: 2023-01-23T15:01:11.846726918Z, modified_by: admin@test.com, modified_timestamp: 2023-01-23T15:18:52.316882546Z |  | 2023-03-06T13:57:49.086458198Z | api-client-id:123456 | 2023-03-06T13:46:58.137122925Z | api-client-id:123456 |

### cs-falcon-delete-ioa-exclusion

Delete the IOA exclusions by ID.

#### Base Command

`cs-falcon-delete-ioa-exclusion`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | A comma-separated list of exclusion IDs to delete. | Required |

#### Context Output

There is no context output for this command.

#### Command example

`!cs-falcon-delete-ioa-exclusion ids=123456`

#### Human Readable Output

> The IOA exclusions with IDs '123456' was successfully deleted.

### cs-falcon-search-ioa-exclusion

Get a list of IOA exclusions by specifying their IDs or a filter.

#### Base Command

`cs-falcon-search-ioa-exclusion`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | A custom filter by which the exclusions should be filtered. The syntax follows the pattern `<property>:[operator]'<value>'`, for example: `name:'test'`. Available filters: applied_globally, created_by, created_on, name, last_modified, modified_by, value, pattern. For more information, see: https://www.falconpy.io/Service-Collections/Falcon-Query-Language. | Optional |
| name | The name by which the exclusions should be filtered. | Optional |
| ids | A comma-separated list of exclusion IDs to retrieve. The IDs overwrite the filter and name. | Optional |
| limit | The limit of how many exclusions to retrieve. Default is 50. Applies only if the IDs argument is not supplied. | Optional |
| offset | The offset of how many exclusions to skip. Default is 0. Applies only if the IDs argument is not supplied. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.IOAExclusion.id | String | A unique identifier for the IOA exclusion. |
| CrowdStrike.IOAExclusion.name | String | The name of the IOA exclusion. |
| CrowdStrike.IOAExclusion.description | String | A description of the IOA exclusion. |
| CrowdStrike.IOAExclusion.pattern_id | String | The identifier of the pattern associated with the IOA exclusion. |
| CrowdStrike.IOAExclusion.pattern_name | String | The name of the pattern associated with the IOA exclusion. |
| CrowdStrike.IOAExclusion.ifn_regex | String | A regular expression used for file name matching. |
| CrowdStrike.IOAExclusion.cl_regex | String | A regular expression used for command line matching. |
| CrowdStrike.IOAExclusion.detection_json | String | A JSON string that describes the detection logic for the IOA exclusion. |
| CrowdStrike.IOAExclusion.groups.id | String | ID of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.group_type | String | Type of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.name | String | Name of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.description | String | Description of the group that the exclusion rule is associated with. |
| CrowdStrike.IOAExclusion.groups.assignment_rule | String | Assignment rule of the group that the exclusion is associated with. |
| CrowdStrike.IOAExclusion.groups.created_by | String | Indicates who created the group. |
| CrowdStrike.IOAExclusion.groups.created_timestamp | Date | The date when the group was created. |
| CrowdStrike.IOAExclusion.groups.modified_by | String | Indicates who last modified the group. |
| CrowdStrike.IOAExclusion.groups.modified_timestamp | Date | The date when the group was last modified. |
| CrowdStrike.IOAExclusion.applied_globally | Boolean | Whether the exclusion rule applies globally or only to specific entities. |
| CrowdStrike.IOAExclusion.last_modified | Date | The date when the exclusion rule was last modified. |
| CrowdStrike.IOAExclusion.modified_by | String | Indicates who last modified the rule. |
| CrowdStrike.IOAExclusion.created_on | Date | The date when the exclusion rule was created. |
| CrowdStrike.IOAExclusion.created_by | String | Indicates who created the rule. |

#### Command example

`!cs-falcon-search-ioa-exclusion limit=1`

#### Context Example

#### Human Readable Output

CrowdStrike Falcon IOA exclusions

| Id | Name | Description | PatternId | PatternName | IfnRegex | ClRegex | AppliedGlobally | LastModified | ModifiedBy | CreatedOn | CreatedBy |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 123456 | My IOA Exclusion | demo description | 101010 | P_name | .*\Windows\System32\choice.exe | choice\s+/m\s+crowdstrike_sample_detection |  | 2023-02-26T15:30:04.554767735Z | api-client-id:123456 | 2023-02-06T16:42:19.29906839Z | user@test.com |
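The create example above pairs one image name with `cl_regex=.*`, which suppresses the pattern for every command line that image runs, so the exclusions these search commands return are worth auditing periodically. The following is an added example, not code from the CrowdStrike Falcon integration: it audits entries shaped like the `CrowdStrike.IOAExclusion` and `CrowdStrike.MLExclusion` context output for over-broad scope and builds the `filter` argument used by both search commands. The sample entries and IDs are constructed; it assumes Falcon matches the regexes against the whole string and that FQL joins conditions with `+`.

```python
"""Audit CrowdStrike Falcon exclusions for over-broad scope (added example)."""
from __future__ import annotations

import json
import re
from typing import Any, Optional

# Constructed command lines an exclusion regex is tried against. A regex that
# matches all of them constrains nothing and turns the exclusion into a blanket.
_PROBES = (
    "c:\\windows\\system32\\cmd.exe /c whoami",
    "powershell.exe -File C:\\scripts\\inventory.ps1",
    "/usr/bin/curl https://example.invalid/status",
)


def build_fql_filter(**terms: str) -> str:
    """Render keyword terms as the <property>:'<value>' FQL filter string.

    FQL delimits values with single quotes, so a value containing one is
    rejected rather than guessing the escaping rule. Conditions are joined
    with '+' (AND); that separator is an assumption, check it for your tenant.
    """
    parts = []
    for prop, value in terms.items():
        if "'" in value:
            raise ValueError(f"FQL value for {prop!r} must not contain a single quote")
        parts.append(f"{prop}:'{value}'")
    return "+".join(parts)


def is_catch_all(regex: Optional[str]) -> bool:
    """True when the regex matches every probe, i.e. it scopes nothing."""
    if regex is None or regex.strip() == "":
        return False
    try:
        compiled = re.compile(regex, re.IGNORECASE)
    except re.error:
        return False  # cannot be evaluated here; leave it for manual review
    # Whole-string match is assumed; switch to search() if your tenant differs.
    return all(compiled.fullmatch(probe) is not None for probe in _PROBES)


def audit_ioa_exclusion(exc: dict[str, Any]) -> list[str]:
    """Reasons a CrowdStrike.IOAExclusion entry is broader than a targeted exception."""
    reasons = []
    if is_catch_all(exc.get("cl_regex")):
        reasons.append("cl_regex matches any command line")
    if is_catch_all(exc.get("ifn_regex")):
        reasons.append("ifn_regex matches any image file name")
    if exc.get("applied_globally") or not exc.get("groups"):
        reasons.append("not scoped to a host group")
    return reasons


def audit_ml_exclusion(exc: dict[str, Any]) -> list[str]:
    """Reasons a CrowdStrike.MLExclusion entry is broader than a targeted exception."""
    reasons = []
    value = (exc.get("value") or "").strip()
    # A bare volume root or a trailing wildcard segment removes a whole tree
    # from machine-learning detection instead of one file.
    segments = [s for s in re.split(r"[\\/]+", value) if s]
    if not segments or segments[-1] == "*":
        reasons.append("value covers an entire directory tree")
    if exc.get("applied_globally") or not exc.get("groups"):
        reasons.append("not scoped to a host group")
    return reasons


def audit(ioa: list[dict[str, Any]], ml: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Collect findings for both exclusion kinds; an empty list means nothing flagged."""
    findings: list[dict[str, Any]] = []
    for exc in ioa:
        if reasons := audit_ioa_exclusion(exc):
            findings.append({"kind": "IOA", "id": exc.get("id"), "name": exc.get("name"), "reasons": reasons})
    for exc in ml:
        if reasons := audit_ml_exclusion(exc):
            findings.append({"kind": "ML", "id": exc.get("id"), "value": exc.get("value"), "reasons": reasons})
    return findings


# Constructed sample entries shaped like the context output; IDs are placeholders.
SAMPLE_IOA = [
    {"id": "ioa-1", "name": "demo-test", "pattern_id": "101010",
     "ifn_regex": r"c:\\windows\\system32\\poqexec\.exe", "cl_regex": ".*",
     "applied_globally": False, "groups": [{"id": "999999", "name": "Lab env"}]},
    {"id": "ioa-2", "name": "build-agent", "pattern_id": "101011",
     "ifn_regex": r".*\\msbuild\.exe", "cl_regex": r"msbuild\s+/t:Build\s+\S+\.sln",
     "applied_globally": False, "groups": [{"id": "999998", "name": "Build farm"}]},
]
SAMPLE_ML = [
    {"id": "ml-1", "value": "/opt/backup/agent/backupd", "applied_globally": False,
     "groups": [{"id": "999997", "name": "Backup hosts"}]},
    {"id": "ml-2", "value": "C:\\*", "applied_globally": True, "groups": []},
]

if __name__ == "__main__":
    print(build_fql_filter(created_by="user@test.com"))
    print(json.dumps(audit(SAMPLE_IOA, SAMPLE_ML), indent=2))
```

In an XSOAR automation the lists would come from the `CrowdStrike.IOAExclusion` and `CrowdStrike.MLExclusion` context after running the two search commands with a `filter` built by `build_fql_filter`.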

### cs-falcon-list-quarantined-file

Get quarantined file metadata by specified IDs or filter.

#### Base Command

`cs-falcon-list-quarantined-file`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | A comma-separated list of quarantined file IDs to retrieve. | Optional |
| filter | A custom filter by which the retrieved quarantined files should be filtered. | Optional |
| sha256 | A comma-separated list of SHA256 hashes of the files to retrieve. | Optional |
| filename | A comma-separated list of the names of the files to retrieve. | Optional |
| state | Filter the retrieved files by state. | Optional |
| hostname | A comma-separated list of the hostnames of the files to retrieve. | Optional |
| username | A comma-separated list of the usernames of the files to retrieve. | Optional |
| limit | Maximum number of IDs to return. Max 5000. Default 50. | Optional |
| offset | Starting index of the overall result set from which to return IDs. Default 0. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.QuarantinedFile.id | String | A unique identifier for the quarantined file. |
| CrowdStrike.QuarantinedFile.aid | String | The agent identifier of the agent that quarantined the file. |
| CrowdStrike.QuarantinedFile.cid | String | The unique identifier of the customer that owns the agent. |
| CrowdStrike.QuarantinedFile.sha256 | String | The SHA256 hash value of the quarantined file. |
| CrowdStrike.QuarantinedFile.paths.path | String | The full path of the quarantined file. |
| CrowdStrike.QuarantinedFile.paths.filename | String | The name of the quarantined file. |
| CrowdStrike.QuarantinedFile.paths.state | String | The current state of the quarantined file path (e.g., "purged"). |
| CrowdStrike.QuarantinedFile.state | String | The current state of the quarantined file (e.g., "unrelease_pending"). |
| CrowdStrike.QuarantinedFile.detect_ids | String | The detection identifiers associated with the quarantined file. |
| CrowdStrike.QuarantinedFile.hostname | String | The hostname of the agent that quarantined the file. |
| CrowdStrike.QuarantinedFile.username | String | The username associated with the quarantined file. |
| CrowdStrike.QuarantinedFile.date_updated | Date | The date the quarantined file was last updated. |
| CrowdStrike.QuarantinedFile.date_created | Date | The date the quarantined file was created. |

#### Command example

`!cs-falcon-list-quarantined-file limit=1`

#### Context Example

#### Human Readable Output

CrowdStrike Falcon Quarantined File

| Id | Aid | Cid | Sha256 | Paths | State | DetectIds | Hostname | Username | DateUpdated | DateCreated |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| a123456_sha123456 | a123456 | c123456 | sha123456 | path: \Device\HarddiskVolume3\Users\admin\Downloads\hamuzim\netcat-1.11\nc.exe, filename: nc.exe, state: quarantined | deleted | values: ldt:a123456:456789 | INSTANCE-1 | admin | 2023-03-06T13:47:30Z | 2022-12-13T14:23:49Z |

### cs-falcon-apply-quarantine-file-action

Apply an action to quarantined files by file IDs or filter.

#### Base Command

`cs-falcon-apply-quarantine-file-action`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ids | A comma-separated list of quarantined file IDs to update. | Optional |
| action | Action to perform against the quarantined file. Possible values are: delete, release, unrelease. | Required |
| comment | Comment to appear along with the action taken. | Required |
| filter | Update files based on a custom filter. | Optional |
| sha256 | A comma-separated list of quarantined file SHA256 hashes to update. | Optional |
| filename | A comma-separated list of quarantined file names to update. | Optional |
| state | Update files based on the state. | Optional |
| hostname | A comma-separated list of quarantined file hostnames to update. | Optional |
| username | A comma-separated list of quarantined file usernames to update. | Optional |

#### Context Output

There is no context output for this command.

#### Command example

`!cs-falcon-apply-quarantine-file-action filename=nc.exe action=delete comment=demo-comment`

#### Human Readable Output

> The Quarantined File with IDs ['a123456_sha123456'] was successfully updated.

### cs-falcon-ods-query-scan

Retrieve ODS scan details.

#### Base Command

`cs-falcon-ods-query-scan`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Valid CS-Falcon-FQL filter to query with. | Optional |
| ids | Comma-separated list of scan IDs to retrieve details about. If set, will override all other arguments. | Optional |
| initiated_from | Comma-separated list of scan initiation sources to filter by. | Optional |
| status | Comma-separated list of scan statuses to filter by. | Optional |
| severity | Comma-separated list of scan severities to filter by. | Optional |
| scan_started_on | UTC-format time of scan start to filter by. | Optional |
| scan_completed_on | UTC-format time of the scan completion to filter by. | Optional |
| offset | Starting index of overall result set from which to return IDs. | Optional |
| limit | Maximum number of resources to return. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.ODSScan.id | String | A unique identifier for the scan event. |
| CrowdStrike.ODSScan.cid | String | A unique identifier for the client that triggered the scan. |
| CrowdStrike.ODSScan.profile_id | String | A unique identifier for the scan profile used in the scan. |
| CrowdStrike.ODSScan.description | String | The ID of the description of the scan. |
| CrowdStrike.ODSScan.scan_inclusions | String | The files or folders included in the scan. |
| CrowdStrike.ODSScan.initiated_from | String | The source of the scan initiation. |
| CrowdStrike.ODSScan.quarantine | Boolean | Whether the scan was set to quarantine. |
| CrowdStrike.ODSScan.cpu_priority | Number | The CPU priority for the scan (1-5). |
| CrowdStrike.ODSScan.preemption_priority | Number | The preemption priority for the scan. |
| CrowdStrike.ODSScan.metadata.host_id | String | A unique identifier for the host that was scanned. |
| CrowdStrike.ODSScan.metadata.host_scan_id | String | A unique identifier for the scan that was performed on the host. |
| CrowdStrike.ODSScan.metadata.scan_host_metadata_id | String | A unique identifier for the metadata associated with the host scan. |
| CrowdStrike.ODSScan.metadata.filecount.scanned | Number | The number of files that were scanned. |
| CrowdStrike.ODSScan.metadata.filecount.malicious | Number | The number of files that were identified as malicious. |
| CrowdStrike.ODSScan.metadata.filecount.quarantined | Number | The number of files that were quarantined. |
| CrowdStrike.ODSScan.metadata.filecount.skipped | Number | The number of files that were skipped during the scan. |
| CrowdStrike.ODSScan.metadata.filecount.traversed | Number | The number of files that were traversed during the scan. |
| CrowdStrike.ODSScan.metadata.status | String | The status of the scan on this host (e.g., "pending", "running", "completed", or "failed"). |
| CrowdStrike.ODSScan.metadata.started_on | Date | The date and time that the scan started. |
| CrowdStrike.ODSScan.metadata.completed_on | Date | The date and time that the scan completed. |
| CrowdStrike.ODSScan.metadata.last_updated | Date | The date and time that the metadata was last updated. |
| CrowdStrike.ODSScan.status | String | The status of the scan (e.g., "pending", "running", "completed", or "failed"). |
| CrowdStrike.ODSScan.hosts | String | A list of the host IDs that were scanned. |
| CrowdStrike.ODSScan.endpoint_notification | Boolean | A boolean value indicating whether endpoint notifications are enabled. |
| CrowdStrike.ODSScan.pause_duration | Number | The number of minutes to pause between scanning each file in hours. |
| CrowdStrike.ODSScan.max_duration | Number | The maximum amount of time to allow for the scan job in hours. |
| CrowdStrike.ODSScan.max_file_size | Number | The maximum file size (in MB) to scan. |
| CrowdStrike.ODSScan.sensor_ml_level_detection | Number | The level of detection sensitivity for the local sensor machine learning model. |
| CrowdStrike.ODSScan.sensor_ml_level_prevention | Number | The level of prevention sensitivity for the local sensor machine learning model. |
| CrowdStrike.ODSScan.cloud_ml_level_detection | Number | The level of detection sensitivity for the cloud machine learning model. |
| CrowdStrike.ODSScan.cloud_ml_level_prevention | Number | The level of prevention sensitivity for the cloud machine learning model. |
| CrowdStrike.ODSScan.policy_setting | Number | A list of policy setting IDs for the scan job (these correspond to specific policy settings in the Falcon console). |
| CrowdStrike.ODSScan.scan_started_on | Date | The timestamp when the scan was started. |
| CrowdStrike.ODSScan.scan_completed_on | Date | The timestamp when the scan was completed. |
| CrowdStrike.ODSScan.created_on | Date | The timestamp when the scan was created. |
| CrowdStrike.ODSScan.created_by | String | The ID of the user who created the scan job. |
| CrowdStrike.ODSScan.last_updated | Date | The timestamp when the scan job was last updated. |

#### Command example

`!cs-falcon-ods-query-scan initiated_from=some_admin_name severity=high scan_started_on=2023-02-27T09:51:33.91608286Z`

#### Context Example

#### Human Readable Output

CrowdStrike Falcon ODS Scans

| ID | Status | Severity | File Count | Description | Hosts/Host groups | End time | Start time | Run by |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | failed |  | scanned: 0, malicious: 0, quarantined: 0, skipped: 0, traversed: 518464 | desc3456346 | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |  | 2023-02-27T09:51:33.91608286Z | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |
| a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | failed |  | scanned: 0, malicious: 0, quarantined: 0, skipped: 0, traversed: 518511 |  | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2023-03-13T14:50:26.259846586Z | 2023-02-27T09:51:33.91608286Z | someone@email.com |

### cs-falcon-ods-query-scheduled-scan

Retrieve ODS scheduled scan details.

#### Base Command

`cs-falcon-ods-query-scheduled-scan`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Valid CS-Falcon-FQL filter to query with. | Optional |
| ids | Comma-separated list of scan IDs to retrieve details about. If set, will override all other arguments. | Optional |
| initiated_from | Comma-separated list of scan initiation sources to filter by. | Optional |
| status | Comma-separated list of scan statuses to filter by. | Optional |
| created_on | UTC-format time of scan creation to filter by. | Optional |
| created_by | Creator of the scan to filter by. | Optional |
| start_timestamp | UTC-format time of scan start to filter by. | Optional |
| deleted | Deleted scans only. | Optional |
| offset | Starting index of overall result set from which to return IDs. | Optional |
| limit | Maximum number of resources to return. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.ODSScheduledScan.id | String | Unique identifier for the scan. |
| CrowdStrike.ODSScheduledScan.cid | String | Identifier for the customer or organization that owns the scan. |
| CrowdStrike.ODSScheduledScan.description | String | The ID of the description of the scan. |
| CrowdStrike.ODSScheduledScan.file_paths | String | The file or folder paths scanned. |
| CrowdStrike.ODSScheduledScan.scan_exclusions | String | The file or folder exclusions from the scan. |
| CrowdStrike.ODSScheduledScan.initiated_from | String | The source of the scan initiation. |
| CrowdStrike.ODSScheduledScan.cpu_priority | Number | The CPU priority for the scan (1-5). |
| CrowdStrike.ODSScheduledScan.preemption_priority | Number | The preemption priority for the scan. |
| CrowdStrike.ODSScheduledScan.status | String | The status of the scan, whether it's "scheduled", "running", "completed", etc. |
| CrowdStrike.ODSScheduledScan.host_groups | String | The host groups targeted by the scan. |
| CrowdStrike.ODSScheduledScan.endpoint_notification | Boolean | Whether notifications of the scan were sent to endpoints. |
| CrowdStrike.ODSScheduledScan.pause_duration | Number | The pause duration of the scan in hours. |
| CrowdStrike.ODSScheduledScan.max_duration | Number | The maximum duration of the scan in hours. |
| CrowdStrike.ODSScheduledScan.max_file_size | Number | The maximum file size that the scan can handle in MB. |
| CrowdStrike.ODSScheduledScan.sensor_ml_level_detection | Number | The machine learning detection level for the sensor. |
| CrowdStrike.ODSScheduledScan.cloud_ml_level_detection | Number | The machine learning detection level for the cloud. |
| CrowdStrike.ODSScheduledScan.schedule.start_timestamp | Date | The timestamp when the first scan was created. |
| CrowdStrike.ODSScheduledScan.schedule.interval | Number | The interval between scans. |
| CrowdStrike.ODSScheduledScan.created_on | Date | The timestamp when the scan was created. |
| CrowdStrike.ODSScheduledScan.created_by | String | The user who created the scan. |
| CrowdStrike.ODSScheduledScan.last_updated | Date | The timestamp when the scan was last updated. |
| CrowdStrike.ODSScheduledScan.deleted | Boolean | Whether the scan has been deleted. |
| CrowdStrike.ODSScheduledScan.quarantine | Boolean | Whether the scan was set to quarantine. |
| CrowdStrike.ODSScheduledScan.metadata.host_id | String | Scan host IDs. |
| CrowdStrike.ODSScheduledScan.metadata.last_updated | Date | The date and time when the detection event was last updated. |
| CrowdStrike.ODSScheduledScan.sensor_ml_level_prevention | Number | The cloud machine learning prevention level for the sensor. |
| CrowdStrike.ODSScheduledScan.cloud_ml_level_prevention | Number | The cloud machine learning prevention level for the cloud. |

#### Command example

`!cs-falcon-ods-query-scheduled-scan ids=123456789`

#### Context Example

#### Human Readable Output

CrowdStrike Falcon ODS Scheduled Scans

| ID | Hosts targeted | Description | Host groups | Start time | Created by |
| --- | --- | --- | --- | --- | --- |
| 123456789 | 1 |  | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 | 2023-05-20T06:49 | a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1 |

### cs-falcon-ods-query-scan-host

Retrieve ODS scan host details.

#### Base Command

`cs-falcon-ods-query-scan-host`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Valid CS-Falcon-FQL filter to query with. | Optional |
| host_ids | Comma-separated list of host IDs to filter by. | Optional |
| scan_ids | Comma-separated list of scan IDs to filter by. | Optional |
| status | Comma-separated list of scan statuses to filter by. | Optional |
| started_on | UTC-format time of scan start to filter by. | Optional |
| completed_on | UTC-format time of scan completion to filter by. | Optional |
| offset | Starting index of overall result set from which to return IDs. | Optional |
| limit | Maximum number of resources to return. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CrowdStrike.ODSScanHost.id | String | A unique identifier for the scan event. |
| CrowdStrike.ODSScanHost.cid | String | A unique identifier for the client that triggered the scan. |
| CrowdStrike.ODSScanHost.scan_id | String | A unique identifier for the scan. |
| CrowdStrike.ODSScanHost.profile_id | String | A unique identifier for the scan profile used in the scan. |
| CrowdStrike.ODSScanHost.host_id | String | A unique identifier for the host that was scanned. |
| CrowdStrike.ODSScanHost.host_scan_id | String | A unique identifier for the scan that was performed on the host. |
| CrowdStrike.ODSScanHost.filecount.scanned | Number | The number of files that were scanned during the scan. |
CrowdStrike.ODSScanHost.file |