CrowdStrike Falcon
CrowdStrike Falcon Pack.#
This Integration is part of theThe CrowdStrike Falcon OAuth 2 API integration (formerly Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.
#
Configure Crowdstrike Falcon on Cortex XSOARNavigate to Settings > Integrations > Servers & Services.
Search for CrowdstrikeFalcon.
Click Add instance to create and configure a new integration instance.
Parameter Description Required Server URL (e.g., https://api.crowdstrike.com) True Client ID True Secret True First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) False Max incidents per fetch False Detections fetch query False Incidents fetch query False Fetch incidents False Incident type False Mirroring Direction Choose the direction to mirror the detection: Incoming (from CrowdStrike Falcon to XSOAR), Outgoing (from XSOAR to CrowdStrike Falcon), or Incoming and Outgoing (to/from CrowdStrike Falcon and XSOAR). False Trust any certificate (not secure) False Use system proxy settings False Close Mirrored XSOAR Incident When selected, closes the CrowdStrike Falcon incident or detection, which is mirrored in Cortex XSOAR. False Close Mirrored CrowdStrike Falcon Incident or Detection When selected, closes the XSOAR incident, which is mirrored in CrowdStrike Falcon. False Fetch types Choose what to fetch - incidents, detections, or both. False Advanced: Minutes to look back when fetching Use this parameter to determine how far back to look in the search for incidents that were created before the last run time and did not match the query when they were created. False
- Click Test to validate the URLs, token, and connection.
#
Required API client scopeIn order to use the CrowdStrike Falcon integration, your API client must be provisioned with the following scope and permissions:
- Real Time Response - Read and Write
- Alerts - Read and Write
- Hosts - Read
- IOC Manager - Read and Write
#
Incident MirroringYou can enable incident mirroring between Cortex XSOAR incidents and CrowdStrike Falcon incidents or detections (available from Cortex XSOAR version 6.0.0).
To setup the mirroring follow these instructions:
- Navigate to Settings > Integrations > Servers & Services.
- Search for CrowdStrike Falcon and select your integration instance.
- Enable Fetches incidents.
- In the Fetch types integration parameter, select what to mirror - incidents or detections or both.
- Optional: You can go to the Incidents fetch query or Detections fetch query parameter and select the query to fetch the incidents or detections from CrowdStrike Falcon.
- In the Mirroring Direction integration parameter, select in which direction the incidents should be mirrored:
- Incoming - Any changes in CrowdStrike Falcon incidents (
state
,status
,tactics
,techniques
,objectives
,tags
,hosts.hostname
) or detections (status
,severity
,behaviors.tactic
,behaviors.scenario
,behaviors.objective
,behaviors.technique
,device.hostname
) will be reflected in XSOAR incidents. - Outgoing - Any changes in XSOAR incidents will be reflected in CrowdStrike Falcon incidents (
tags
,status
) or detections (status
). - Incoming And Outgoing - Changes in XSOAR incidents and CrowdStrike Falcon incidents or detections will be reflected in both directions.
- None - Turns off incident mirroring.
- Incoming - Any changes in CrowdStrike Falcon incidents (
- Optional: Check the Close Mirrored XSOAR Incident integration parameter to close the Cortex XSOAR incident when the corresponding incident or detection is closed in CrowdStrike Falcon.
- Optional: Check the Close Mirrored CrowdStrike Falcon Incident or Detection integration parameter to close the CrowdStrike Falcon incident or detection when the corresponding Cortex XSOAR incident is closed.
Newly fetched incidents or detections will be mirrored in the chosen direction. However, this selection does not affect existing incidents.
Important Notes
- To ensure the mirroring works as expected, mappers are required, both for incoming and outgoing, to map the expected fields in XSOAR and CrowdStrike Falcon.
- When mirroring in incidents from CrowdStrike Falcon to XSOAR:
- For the
tags
field, tags can only be added from the remote system. - When enabling the Close Mirrored XSOAR Incident integration parameter, the field in CrowdStrike Falcon that determines whether the incident was closed is the
status
field. - In case the look-back parameter is initialized with a certain value and during a time that incidents were fetched, if changing the lookback to a number that is greater than the previous value, then in the initial incident fetching there will be incidents duplications. If the integration was already set with lookback > 0, and the lookback is not being increased at any point of time, then those incident duplications would not occur.
- For the
#
1. Search for a deviceSearches for devices that match the query.
#
Base Commandcs-falcon-search-device
#
InputArgument Name | Description | Required |
---|---|---|
filter | The query by which to filter the device. | Optional |
ids | A comma-separated list of device IDs by which to limit the results. | Optional |
status | The status of the device. Possible values are: "Normal", "containment_pending", "contained", and "lift_containment_pending". | Optional |
hostname | The host name of the device. | Optional |
platform_name | The platform name of the device. Possible values are: "Windows","Mac", and "Linux". | Optional |
site_name | The site name of the device. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Device.ID | String | The ID of the device. |
CrowdStrike.Device.LocalIP | String | The local IP address of the device. |
CrowdStrike.Device.ExternalIP | String | The external IP address of the device. |
CrowdStrike.Device.Hostname | String | The host name of the device. |
CrowdStrike.Device.OS | String | The operating system of the device. |
CrowdStrike.Device.MacAddress | String | The MAC address of the device. |
CrowdStrike.Device.FirstSeen | String | The first time the device was seen. |
CrowdStrike.Device.LastSeen | String | The last time the device was seen. |
CrowdStrike.Device.PolicyType | String | The policy type of the device. |
CrowdStrike.Device.Status | String | The device status which might be Online, Offline or Unknown. |
Endpoint.Hostname | String | The endpoint's hostname. |
Endpoint.OS | String | The endpoint's operation system. |
Endpoint.OSVersion | String | The endpoint's operation system version. |
Endpoint.IPAddress | String | The endpoint's IP address. |
Endpoint.ID | String | The endpoint's ID. |
Endpoint.Status | String | The endpoint's status. |
Endpoint.IsIsolated | String | The endpoint's isolation status. |
Endpoint.MACAddress | String | The endpoint's MAC address. |
Endpoint.Vendor | String | The integration name of the endpoint vendor. |
#
Command Example!cs-falcon-search-device ids=336474ea6a524e7c68575f6508d84781,459146dbe524472e73751a43c63324f3
#
Context Example#
Human Readable Output#
Devices
ID Hostname OS Mac Address Local IP External IP First Seen Last Seen Status 336474ea6a524e7c68575f6508d84781 154.132.82-test-co.in-addr.arpa Mojave (10.14) 8c-85-90-3d-ed-3e 192.168.1.76 94.188.164.68 2017-12-28T22:38:11Z 2019-03-28T02:36:41Z contained 459146dbe524472e73751a43c63324f3 154.132.82-test-co.in-addr.arpa Mojave (10.14) f0-18-98-74-8c-31 172.22.14.237 94.188.164.68 2017-12-10T11:01:20Z 2019-03-17T10:03:17Z contained
#
2. Get a behaviorSearches for and fetches the behavior that matches the query.
#
Base Commandcs-falcon-get-behavior
#
InputArgument Name | Description | Required |
---|---|---|
behavior_id | The ID of the behavior. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Behavior.FileName | String | The file name of the behavior. |
CrowdStrike.Behavior.Scenario | String | The scenario name of the behavior. |
CrowdStrike.Behavior.MD5 | String | The MD5 hash of the IOC in the behavior. |
CrowdStrike.Behavior.SHA256 | String | The SHA256 hash of the IOC in the behavior. |
CrowdStrike.Behavior.IOCType | String | The type of the indicator of compromise. |
CrowdStrike.Behavior.IOCValue | String | The value of the IOC. |
CrowdStrike.Behavior.CommandLine | String | The command line executed in the behavior. |
CrowdStrike.Behavior.UserName | String | The user name related to the behavior. |
CrowdStrike.Behavior.SensorID | String | The sensor ID related to the behavior. |
CrowdStrike.Behavior.ParentProcessID | String | The ID of the parent process. |
CrowdStrike.Behavior.ProcessID | String | The process ID of the behavior. |
CrowdStrike.Behavior.ID | String | The ID of the behavior. |
#
Command Example!cs-falcon-get-behavior behavior_id=3206
#
Context Example#
Human Readable Output#
Behavior ID: 3206
ID File Name Command Line Scenario IOC Type IOC Value User Name SHA256 MD5 Process ID 3206 spokeshave.jn /Library/spokeshave.jn/spokeshave.jn.app/Contents/MacOS/spokeshave.jn known_malware sha256 df8896dbe70a16419103be954ef2cdbbb1cecd2a865df5a0a2847d9a9fe7a266 user@u-MacBook-Pro-2.local df8896dbe70a16419103be954ef2cdbbb1cecd2a865df5a0a2847d9a9fe7a266 b41d753a4b61c9fe4486190c3b78e124 197949010450449117 3206 xSf ./xSf known_malware sha256 791d88ca295847bb6dd174e0ebad62f01f0cae56c157b7a11fd70bb457c97d9b root@u-MacBook-Pro-2.local 791d88ca295847bb6dd174e0ebad62f01f0cae56c157b7a11fd70bb457c97d9b 06dc9ff1857dcd4cdcd125b277955134 197949016741905142
#
3. Search for detectionsSearch for details of specific detections, either using a filter query, or by providing the IDs of the detections.
#
Base Commandcs-falcon-search-detection
#
InputArgument Name | Description | Required |
---|---|---|
ids | The IDs of the detections to search. If provided, will override other arguments. | Optional |
filter | Filter detections using a query in Falcon Query Language (FQL). e.g., filter="device.hostname:'CS-SE-TG-W7-01'" For a full list of valid filter options, see: https://falcon.crowdstrike.com/support/documentation/2/query-api-reference#detectionsearch | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Detection.Behavior.FileName | String | The file name of the behavior. |
CrowdStrike.Detection.Behavior.Scenario | String | The scenario name of the behavior. |
CrowdStrike.Detection.Behavior.MD5 | String | The MD5 hash of the IOC of the behavior. |
CrowdStrike.Detection.Behavior.SHA256 | String | The SHA256 hash of the IOC of the behavior. |
CrowdStrike.Detection.Behavior.IOCType | String | The type of the IOC. |
CrowdStrike.Detection.Behavior.IOCValue | String | The value of the IOC. |
CrowdStrike.Detection.Behavior.CommandLine | String | The command line executed in the behavior. |
CrowdStrike.Detection.Behavior.UserName | String | The user name related to the behavior. |
CrowdStrike.Detection.Behavior.SensorID | String | The sensor ID related to the behavior. |
CrowdStrike.Detection.Behavior.ParentProcessID | String | The ID of the parent process. |
CrowdStrike.Detection.Behavior.ProcessID | String | The process ID of the behavior. |
CrowdStrike.Detection.Behavior.ID | String | The ID of the behavior. |
CrowdStrike.Detection.System | String | The system name of the detection. |
CrowdStrike.Detection.CustomerID | String | The ID of the customer (CID). |
CrowdStrike.Detection.MachineDomain | String | The name of the domain of the detection machine. |
CrowdStrike.Detection.ID | String | The detection ID. |
CrowdStrike.Detection.ProcessStartTime | Date | The start time of the process that generated the detection. |
#
Command Example!cs-falcon-search-detection ids=ldt:07893fedd2604bc66c3f7de8d1f537e3:1898376850347,ldt:68b5432856c1496d7547947fc7d1aae4:1092318056279064902
#
Context Example#
Human Readable Output#
Detections Found:
ID Status System Process Start Time Customer ID Max Severity ldt:07893fedd2604bc66c3f7de8d1f537e3:1898376850347 false_positive DESKTOP-S49VMIL 2019-03-21T20:32:55.654489974Z ed33ec93d2444d38abd3925803938a75 70 ldt:68b5432856c1496d7547947fc7d1aae4:1092318056279064902 new u-MacBook-Pro-2.local 2019-02-04T07:05:57.083205971Z ed33ec93d2444d38abd3925803938a75 30
#
4. Resolve a detectionResolves and updates a detection using the provided arguments. At least one optional argument must be passed, otherwise no change will take place.
#
Base Commandcs-falcon-resolve-detection
#
InputArgument Name | Description | Required |
---|---|---|
ids | A comma-separated list of one or more IDs to resolve. | Required |
status | The status to which to transition a detection. Possible values are: "new", "in_progress", "true_positive", "false_positive", and "ignored". | Optional |
assigned_to_uuid | A user ID, for example: 1234567891234567891. username and assigned_to_uuid are mutually exclusive. | Optional |
comment | Optional comment to add to the detection. Comments are displayed with the detection in Falcon and are usually used to provide context or notes for other Falcon users. | Optional |
show_in_ui | If true, displays the detection in the UI. | Optional |
username | Username to assign the detections to. (This is usually the user’s email address, but may vary based on your configuration). username and assigned_to_uuid are mutually exclusive. | Optional |
#
Context OutputThere is no context output for this command.
#
5. Contain a hostContains containment for a specified host. When contained, a host can only communicate with the CrowdStrike cloud and any IPs specified in your containment policy.
#
Base Commandcs-falcon-contain-host
#
InputArgument Name | Description | Required |
---|---|---|
ids | The host agent ID (AID) of the host to contain. Get an agent ID from a detection. Can also be a comma separated list of IDs. | Required |
#
Context OutputThere is no context output for this command.
#
6. Lift the containment for a hostLifts containment from a host, which returns its network communications to normal.
#
Base Commandcs-falcon-lift-host-containment
#
InputArgument Name | Description | Required |
---|---|---|
ids | The host agent ID (AID) of the host to contain. Get an agent ID from a detection | Required |
#
Context OutputThere is no context output for this command.
#
7. cs-falcon-run-commandSends commands to hosts.
#
Base Commandcs-falcon-run-command
#
InputArgument Name | Description | Required |
---|---|---|
host_ids | A comma-separated list of host agent IDs for which to run commands. (Can be retrieved by running the 'cs-falcon-search-device' command.) | Required |
command_type | The type of command to run. | Required |
full_command | The full command to run. | Required |
scope | The scope for which to run the command. Possible values are: "read", "write", and "admin". Default is "read". (NOTE: In order to run the CrowdStrike RTR put command, it is necessary to pass scope=admin .) | Optional |
target | The target for which to run the command. Possible values are: "single" and "batch". Default is "batch". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.HostID | String | The ID of the host for which the command was running. |
CrowdStrike.Command.SessionID | string | The ID of the session of the host. |
CrowdStrike.Command.Stdout | String | The standard output of the command. |
CrowdStrike.Command.Stderr | String | The standard error of the command. |
CrowdStrike.Command.BaseCommand | String | The base command. |
CrowdStrike.Command.FullCommand | String | The full command. |
CrowdStrike.Command.TaskID | string | (For single host) The ID of the command request which has been accepted. |
CrowdStrike.Command.Complete | boolean | (For single host) True if the command completed. |
CrowdStrike.Command.NextSequenceID | number | (For single host) The next sequence ID. |
#
Command Examplecs-falcon-run-command host_ids=284771ee197e422d5176d6634a62b934 command_type=ls full_command="ls C:\\"
#
Context Example#
Human Readable Output#
Command ls C:\ results
BaseCommand Command HostID Stderr Stdout ls ls C:\ 284771ee197e422d5176d6634a62b934 Directory listing for C:\ -
Name Type Size (bytes) Size (MB) Last Modified (UTC-5) Created (UTC-5)
---- ---- ------------ --------- --------------------- ---------------
$Recycle.Bin <Directory> -- -- 11/27/2018 10:54:44 AM 9/15/2017 3:33:40 AM
ITAYDI <Directory> -- -- 11/19/2018 1:31:42 PM 11/19/2018 1:31:42 PM
#
8. cs-falcon-upload-scriptUploads a script to Falcon.
#
Base Commandcs-falcon-upload-script
#
InputArgument Name | Description | Required |
---|---|---|
name | The script name to upload. | Required |
permission_type | The permission type for the custom script. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins. Default is "private". | Optional |
content | The content of the PowerShell script. | Required |
#
Command Example!cs-falcon-upload-script name=greatscript content="Write-Output 'Hello, World!'"
#
Human Readable OutputThe script was uploaded successfully.
#
9. cs-falcon-upload-fileUploads a file to the CrowdStrike cloud. (Can be used for the RTR put
command.)
#
Base Commandcs-falcon-upload-file
#
InputArgument Name | Description | Required |
---|---|---|
entry_id | The file entry ID to upload. | Required |
#
Command Example!cs-falcon-upload-file entry_id=4@4
#
Human Readable OutputThe file was uploaded successfully.
#
10. cs-falcon-delete-fileDeletes a file based on the provided ID. Can delete only one file at a time.
#
Base Commandcs-falcon-delete-file
#
InputArgument Name | Description | Required |
---|---|---|
file_id | The ID of the file to delete. (The ID of the file can be retrieved by running the 'cs-falcon-list-files' command.). | Required |
#
Command Example!cs-falcon-delete-file file_id=le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a
#
Human Readable OutputFile le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a was deleted successfully.
#
11. cs-falcon-get-fileReturns files based on the IDs given. These are used for the RTR put
command.
#
Base Commandcs-falcon-get-file
#
InputArgument Name | Description | Required |
---|---|---|
file_id | A comma-separated list of file IDs to get. (The list of file IDs can be retrieved by running the 'cs-falcon-list-files' command.) | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.File.ID | String | The ID of the file. |
CrowdStrike.File.CreatedBy | String | The email address of the user who created the file. |
CrowdStrike.File.CreatedTime | Date | The date and time the file was created. |
CrowdStrike.File.Description | String | The description of the file. |
CrowdStrike.File.Type | String | The type of the file. For example, script. |
CrowdStrike.File.ModifiedBy | String | The email address of the user who modified the file. |
CrowdStrike.File.ModifiedTime | Date | The date and time the file was modified. |
CrowdStrike.File.Name | String | The full name of the file. |
CrowdStrike.File.Permission | String | The permission type of the file. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins |
CrowdStrike.File.SHA256 | String | The SHA-256 hash of the file. |
File.Type | String | The file type. |
File.Name | String | The full name of the file. |
File.SHA256 | String | The SHA-256 hash of the file. |
File.Size | Number | The size of the file in bytes. |
#
Command Example!cs-falcon-get-file file_id=le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a
#
Context Example#
Human Readable Output#
CrowdStrike Falcon file le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a
CreatedBy CreatedTime Description ID ModifiedBy ModifiedTime Name Permission SHA256 Type spongobob@demisto.com 2019-10-17T13:41:48.487520845Z Demisto le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a spongobob@demisto.com 2019-10-17T13:41:48.487521161Z Demisto private 5a4440f2b9ce60b070e98c304370050446a2efa4b3850550a99e4d7b8f447fcc script
#
12. cs-falcon-list-filesReturns Returns a list of put-file ID's that are available for the user in the put
command.
#
Base Commandcs-falcon-list-files
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.File.ID | String | The ID of the file. |
CrowdStrike.File.CreatedBy | String | The email address of the user who created the file. |
CrowdStrike.File.CreatedTime | Date | The date and time the file was created. |
CrowdStrike.File.Description | String | The description of the file. |
CrowdStrike.File.Type | String | The type of the file. For example, script. |
CrowdStrike.File.ModifiedBy | String | The email address of the user who modified the file. |
CrowdStrike.File.ModifiedTime | Date | The date and time the file was modified. |
CrowdStrike.File.Name | String | The full name of the file. |
CrowdStrike.File.Permission | String | The permission type of the file. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins. |
CrowdStrike.File.SHA256 | String | The SHA-256 hash of the file. |
File.Type | String | The file type. |
File.Name | String | The full name of the file. |
File.SHA256 | String | The SHA-256 hash of the file. |
File.Size | Number | The size of the file in bytes. |
#
Command Example!cs-falcon-list-files
#
Context Example#
Human Readable Output#
CrowdStrike Falcon files
CreatedBy CreatedTime Description ID ModifiedBy ModifiedTime Name Permission SHA256 Type spongobob@demisto.com 2019-10-17T13:41:48.487520845Z Demisto le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a spongobob@demisto.com 2019-10-17T13:41:48.487521161Z Demisto private 5a4440f2b9ce60b070e98c304370050446a2efa4b3850550a99e4d7b8f447fcc script
#
13. cs-falcon-get-scriptReturn custom scripts based on the ID. Used for the RTR runscript
command.
#
Base Commandcs-falcon-get-script
#
InputArgument Name | Description | Required |
---|---|---|
script_id | A comma-separated list of script IDs to return. (The script IDs can be retrieved by running the 'cs-falcon-list-scripts' command.) | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Script.ID | String | The ID of the script. |
CrowdStrike.Script.CreatedBy | String | The email address of the user who created the script. |
CrowdStrike.Script.CreatedTime | Date | The date and time the script was created. |
CrowdStrike.Script.Description | String | The description of the script. |
CrowdStrike.Script.ModifiedBy | String | The email address of the user who modified the script. |
CrowdStrike.Script.ModifiedTime | Date | The date and time the script was modified. |
CrowdStrike.Script.Name | String | The script name. |
CrowdStrike.Script.Permission | String | Permission type of the script. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins. |
CrowdStrike.Script.SHA256 | String | The SHA-256 hash of the script file. |
CrowdStrike.Script.RunAttemptCount | Number | The number of times the script attempted to run. |
CrowdStrike.Script.RunSuccessCount | Number | The number of times the script ran successfully. |
CrowdStrike.Script.Platform | String | The list of operating system platforms on which the script can run. For example, Windows. |
CrowdStrike.Script.WriteAccess | Boolean | Whether the user has write access to the script. |
#
Command Example!cs-falcon-get-script file_id=le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a
#
Context Example#
Human Readable Output#
CrowdStrike Falcon script le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a
CreatedBy CreatedTime Description ID ModifiedBy ModifiedTime Name Permission SHA256 spongobob@demisto.com 2019-10-17T13:41:48.487520845Z Demisto le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a spongobob@demisto.com 2019-10-17T13:41:48.487521161Z Demisto private 5a4440f2b9ce60b070e98c304370050446a2efa4b3850550a99e4d7b8f447fcc
#
14. cs-falcon-delete-scriptDeletes a script based on the ID given. Can delete only one script at a time.
#
Base Commandcs-falcon-delete-script
#
InputArgument Name | Description | Required |
---|---|---|
script_id | Script ID to delete. (Script IDs can be retrieved by running the 'cs-falcon-list-scripts' command.) | Required |
#
Command Example!cs-falcon-delete-script script_id=le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a
#
Human Readable OutputScript le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a was deleted successfully.
#
15. cs-falcon-list-scriptsReturns a list of custom script IDs that are available for the user in the runscript
command.
#
Base Commandcs-falcon-list-scripts
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Script.ID | String | The ID of the script. |
CrowdStrike.Script.CreatedBy | String | The email address of the user who created the script. |
CrowdStrike.Script.CreatedTime | Date | The date and time the script was created. |
CrowdStrike.Script.Description | String | The description of the script. |
CrowdStrike.Script.ModifiedBy | String | The email address of the user who modified the script. |
CrowdStrike.Script.ModifiedTime | Date | The date and time the script was modified. |
CrowdStrike.Script.Name | String | The script name. |
CrowdStrike.Script.Permission | String | Permission type of the script. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins. |
CrowdStrike.Script.SHA256 | String | The SHA-256 hash of the script file. |
CrowdStrike.Script.RunAttemptCount | Number | The number of times the script attempted to run. |
CrowdStrike.Script.RunSuccessCount | Number | The number of times the script ran successfully. |
CrowdStrike.Script.Platform | String | The list of operating system platforms on which the script can run. For example, Windows. |
CrowdStrike.Script.WriteAccess | Boolean | Whether the user has write access to the script. |
#
Command Example!cs-falcon-list-scripts
#
Context Example#
Human Readable Output#
CrowdStrike Falcon scripts
CreatedBy CreatedTime Description ID ModifiedBy ModifiedTime Name Permission SHA256 spongobob@demisto.com 2019-10-17T13:41:48.487520845Z Demisto le10098bf0e311e989190662caec3daa_94cc8c55556741faa1d82bd1faabfb4a spongobob@demisto.com 2019-10-17T13:41:48.487521161Z Demisto private 5a4440f2b9ce60b070e98c304370050446a2efa4b3850550a99e4d7b8f447fcc
#
16. cs-falcon-run-scriptRuns a script on the agent host.
#
Base Commandcs-falcon-run-script
#
InputArgument Name | Description | Required |
---|---|---|
script_name | The name of the script to run. | Optional |
host_ids | A comma-separated list of host agent IDs to run commands. (The list of host agent IDs can be retrieved by running the 'cs-falcon-search-device' command.) | Required |
raw | The PowerShell script code to run. | Optional |
timeout | The amount of time to wait before the request times out (in seconds). Maximum is 600 (10 minutes). Default value is 30. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.HostID | String | The ID of the host for which the command was running. |
CrowdStrike.Command.SessionID | String | The ID of the session of the host. |
CrowdStrike.Command.Stdout | String | The standard output of the command. |
CrowdStrike.Command.Stderr | String | The standard error of the command. |
CrowdStrike.Command.BaseCommand | String | The base command. |
CrowdStrike.Command.FullCommand | String | The full command. |
#
Command Examplecs-falcon-run-script host_ids=284771ee197e422d5176d6634a62b934 raw="Write-Output 'Hello, World!"
#
Context Example#
Human Readable Output#
Command runscript -Raw=Write-Output 'Hello, World! results
BaseCommand Command HostID Stderr Stdout runscript runscript -Raw=Write-Output 'Hello, World! 284771ee197e422d5176d6634a62b934 Hello, World!
#
17. cs-falcon-run-get-commandBatch executes get
command across hosts to retrieve files.
The running status you requested the get
command can be checked with cs-falcon-status-get-command
.
#
Base Commandcs-falcon-run-get-command
#
InputArgument Name | Description | Required |
---|---|---|
host_ids | List of host agent IDs on which to run the RTR command. | Required |
file_path | Full path to the file that will be retrieved from each host in the batch. | Required |
optional_hosts | List of a subset of hosts on which to run the command. | Optional |
timeout | The number of seconds to wait for the request before it times out. In ISO time format. For example: 2019-10-17T13:41:48.487520845Z. | Optional |
timeout_duration | The amount of time to wait for the request before it times out. In duration syntax. For example: 10s. Valid units are: ns, us, ms, s, m, h. Maximum value is 10 minutes. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.HostID | string | The ID of the host on which the command was running. |
CrowdStrike.Command.Stdout | string | The standard output of the command. |
CrowdStrike.Command.Stderr | string | The standard error of the command. |
CrowdStrike.Command.BaseCommand | string | The base command. |
CrowdStrike.Command.TaskID | string | The ID of the command that was running on the host. |
CrowdStrike.Command.GetRequestID | string | The ID of the command request that was accepted. |
CrowdStrike.Command.Complete | boolean | True if the command completed. |
CrowdStrike.Command.FilePath | string | The file path. |
#
Command Examplecs-falcon-run-get-command host_ids=edfd6a04ad134c4344f8fb119a3ad88e file_path="""c:\Windows\notepad.exe"""
#
Context Example#
Human Readable Output#
Get command has requested for a file c:\Windows\notepad.exe
BaseCommand Complete FilePath GetRequestID HostID Stderr Stdout TaskID get true c:\Windows\notepad.exe 107199bc-544c-4b0c-8f20-3094c062a115 edfd6a04ad134c4344f8fb119a3ad88e C:\Windows\notepad.exe 9c820b97-6a60-4238-bc23-f63513970ec8
#
18. cs-falcon-status-get-commandRetrieves the status of the batch get command which you requested at cs-falcon-run-get-command
.
#
Base Commandcs-falcon-status-get-command
#
InputArgument Name | Description | Required |
---|---|---|
request_ids | The list of IDs of the command requested. | Required |
timeout | The number of seconds to wait for the request before it times out. In ISO time format. For example: 2019-10-17T13:41:48.487520845Z. | Optional |
timeout_duration | The amount of time to wait for the request before it times out. In duration syntax. For example: 10s. Valid units are: ns, us, ms, s, m, h. Maximum value is 10 minutes. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.File.ID | string | The ID of the file. |
CrowdStrike.File.TaskID | string | The ID of the command that is running. |
CrowdStrike.File.CreatedAt | date | The date the file was created. |
CrowdStrike.File.DeletedAt | date | The date the file was deleted. |
CrowdStrike.File.UpdatedAt | date | The date the file was last updated. |
CrowdStrike.File.Name | string | The full name of the file. |
CrowdStrike.File.SHA256 | string | The SHA256 hash of the file. |
CrowdStrike.File.Size | number | The size of the file in bytes. |
File.Size | number | The size of the file in bytes. |
File.SHA256 | string | The SHA256 hash of the file. |
#
Command Example!cs-falcon-status-get-command request_ids="84ee4d50-f499-482e-bac6-b0e296149bbf"
#
Context Example#
Human Readable Output#
CrowdStrike Falcon files
CreatedAt DeletedAt ID Name SHA256 Size TaskID UpdatedAt 2020-05-01T16:09:00Z 185596 \Device\HarddiskVolume2\Windows\notepad.exe f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3 0 b5c8f140-280b-43fd-8501-9900f837510b 2020-05-01T16:09:00Z
#
19. cs-falcon-status-commandGet status of an executed command on a host
#
Base Commandcs-falcon-status-command
#
InputArgument Name | Description | Required |
---|---|---|
request_id | The ID of the command requested. | Required |
sequence_id | The sequence ID in chunk requests. | Optional |
scope | The scope for which to run the command. Possible values are: "read", "write", or "admin". Default is "read". | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.TaskID | string | The ID of the command request that was accepted. |
CrowdStrike.Command.Stdout | string | The standard output of the command. |
CrowdStrike.Command.Stderr | string | The standard error of the command. |
CrowdStrike.Command.BaseCommand | string | The base command. |
CrowdStrike.Command.Complete | boolean | True if the command completed. |
CrowdStrike.Command.SequenceID | number | The sequence ID in the current request. |
CrowdStrike.Command.NextSequenceID | number | The sequence ID for the next request in the chunk request. |
#
Command Example!cs-falcon-status-command request_id="ae323961-5aa8-442e-8461-8d05c4541d7d"
#
Context Example#
Human Readable Output#
Command status results
BaseCommand Complete Stdout TaskID ls true Directory listing for C:\ ...... ae323961-5aa8-442e-8461-8d05c4541d7d
#
20. cs-falcon-get-extracted-fileGet RTR extracted file contents for specified session and sha256.
#
Base Commandcs-falcon-get-extracted-file
#
InputArgument Name | Description | Required |
---|---|---|
host_id | The host agent ID. | Required |
sha256 | The SHA256 hash of the file. | Required |
filename | The filename to use for the archive name and the file within the archive. | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!cs-falcon-get-extracted-file host_id="edfd6a04ad134c4344f8fb119a3ad88e" sha256="f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3"
#
Context ExampleThere is no context output for this command.
#
Human Readable OutputThere is no human readable for this command.
#
21. cs-falcon-list-host-filesGet a list of files for the specified RTR session on a host.
#
Base Commandcs-falcon-list-host-files
#
InputArgument Name | Description | Required |
---|---|---|
host_id | The ID of the host agent that lists files in the session. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.HostID | string | The ID of the host for which the command was running. |
CrowdStrike.Command.TaskID | string | The ID of the command request that was accepted. |
CrowdStrike.Command.SessionID | string | The ID of the session of the host. |
CrowdStrike.File.ID | string | The ID of the file. |
CrowdStrike.File.CreatedAt | date | The date the file was created. |
CrowdStrike.File.DeletedAt | date | The date the file was deleted. |
CrowdStrike.File.UpdatedAt | date | The date the file was last updated. |
CrowdStrike.File.Name | string | The full name of the file. |
CrowdStrike.File.SHA256 | string | The SHA256 hash of the file. |
CrowdStrike.File.Size | number | The size of the file in bytes. |
File.Name | string | The full name of the file. |
File.Size | number | The size of the file in bytes. |
File.SHA256 | string | The SHA256 hash of the file. |
#
Command Example!cs-falcon-list-host-files host_id="edfd6a04ad134c4344f8fb119a3ad88e"
#
Context Example#
Human Readable Output#
CrowdStrike Falcon files
CreatedAt DeletedAt ID Name SHA256 Size Stderr Stdout UpdatedAt 2020-05-01T17:57:42Z 186811 \Device\HarddiskVolume2\Windows\notepad.exe f1d62648ef915d85cb4fc140359e925395d315c70f3566b63bb3e21151cb2ce3 0 2020-05-01T17:57:42Z
#
22. cs-falcon-refresh-sessionRefresh a session timeout on a single host.
#
Base Commandcs-falcon-refresh-session
#
InputArgument Name | Description | Required |
---|---|---|
host_id | The ID of the host for which to extend the session. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.HostID | string | The ID of the host for which the command was running. |
CrowdStrike.Command.TaskID | string | The ID of the command request which has been accepted. |
CrowdStrike.Command.SessionID | string | The ID of the session of the host. |
CrowdStrike.File.ID | string | The ID of the file. |
CrowdStrike.File.CreatedAt | date | The creation date of the file. |
CrowdStrike.File.DeletedAt | date | The deletion date of the file. |
CrowdStrike.File.UpdatedAt | date | The last updated date of the file. |
CrowdStrike.File.Name | string | The full file name. |
CrowdStrike.File.SHA256 | string | The SHA-256 hash of the file. |
CrowdStrike.File.Size | number | The size of the file in bytes. |
File.Name | string | The full file name. |
File.Size | number | The size of the file in bytes. |
File.SHA256 | string | The SHA-256 hash of the file. |
#
Command Example!cs-falcon-refresh-session host_id=edfd6a04ad134c4344f8fb119a3ad88e
#
Context ExampleThere is no context output for this command.
#
Human Readable OutputCrowdStrike Session Refreshed: fdd6408f-6688-441b-8659-41bcad25441c
#
23. cs-falcon-search-iocsDeprecated. Use the cs-falcon-search-custom-iocs command instead.
#
Base Commandcs-falcon-search-iocs
#
InputArgument Name | Description | Required |
---|---|---|
types | A comma-separated list of indicator types. Valid types are: "sha256", "sha1", "md5", "domain", "ipv4", "ipv6". | Optional |
values | A comma-separated list of indicator values. | Optional |
policies | A comma-separated list of indicator policies. | Optional |
share_levels | The level at which the indicator will be shared. Only "red" share level (not shared) is supported, which indicates that the IOC is not shared with other Falcon Host customers. | Optional |
sources | A comma-separated list of IOC sources. | Optional |
from_expiration_date | Start of date range in which to search (YYYY-MM-DD format). | Optional |
to_expiration_date | End of date range in which to search (YYYY-MM-DD format). | Optional |
limit | The maximum number of records to return. The minimum is 1 and the maximum is 500. Default is 100. | Optional |
sort | The order in which the results are returned. Possible values are: "type.asc", "type.desc", "value.asc", "value.desc", "policy.asc", "policy.desc", "share_level.asc", "share_level.desc", "expiration_timestamp.asc", and "expiration_timestamp.desc". | Optional |
offset | The offset to begin the list from. For example, start from the 10th record and return the list. Default is 0. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Policy | string | The policy of the indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.ShareLevel | string | The level at which the indicator will be shared. |
CrowdStrike.IOC.Expiration | string | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | string | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | string | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#
Command Example!cs-falcon-search-iocs types="domain"
#
Context Example#
Human Readable Output#
Indicators of Compromise
CreatedTime Expiration ID ModifiedTime Policy ShareLevel Type Value 2020-09-30T10:59:37Z 2020-10-30T00:00:00Z domain:value 2020-09-30T10:59:37Z none red domain value
#
24. cs-falcon-get-iocDeprecated. Use the cs-falcon-get-custom-ioc command instead.
#
Base Commandcs-falcon-get-ioc
#
InputArgument Name | Description | Required |
---|---|---|
type | The IOC type to retrieve. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Policy | string | The policy of the indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.ShareLevel | string | The level at which the indicator will be shared. |
CrowdStrike.IOC.Expiration | string | The date and time when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | string | The date and time the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | string | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#
Command Example!cs-falcon-get-ioc type="domain" value="test.domain.com"
#
Context Example#
Human Readable Output#
Indicator of Compromise
CreatedTime Description Expiration ID ModifiedTime Policy ShareLevel Source Type Value 2020-10-02T13:55:26Z Test ioc 2020-11-01T00:00:00Z domain:test.domain.com 2020-10-02T13:55:26Z none red Demisto playbook domain test.domain.com
#
25. cs-falcon-upload-iocDeprecated. Use the cs-falcon-upload-custom-ioc command instead.
#
Base Commandcs-falcon-upload-ioc
#
InputArgument Name | Description | Required |
---|---|---|
ioc_type | The type of the indicator. Possible values are: "sha256", "md5", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator. | Required |
policy | The policy to enact when the value is detected on a host. Possible values are: "detect" and "none". A value of "none" is equivalent to turning the indicator off. Default is "detect". | Optional |
share_level | The level at which the indicator will be shared. Only "red" share level (not shared) is supported, which indicates that the IOC is not shared with other Falcon Host customers. | Optional |
expiration_days | The number of days for which the indicator should be valid. This only applies to domain, ipv4, and ipv6 types. Default is 30. | Optional |
source | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limited to 200 characters. | Optional |
description | A meaningful description of the indicator. Limited to 200 characters. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Policy | string | The policy of the indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.ShareLevel | string | The level at which the indicator will be shared. |
CrowdStrike.IOC.Expiration | string | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | string | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | string | The date and time the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#
Command Example!cs-falcon-upload-ioc ioc_type="domain" value="test.domain.com" policy="none" share_level="red" source="Demisto playbook" description="Test ioc"
#
Context Example#
Human Readable Output#
Custom IOC was created successfully
CreatedTime Description Expiration ID ModifiedTime Policy ShareLevel Source Type Value 2020-10-02T13:55:26Z Test ioc 2020-11-01T00:00:00Z domain:test.domain.com 2020-10-02T13:55:26Z none red Demisto playbook domain test.domain.com
#
26. cs-falcon-update-iocDeprecated. Use the cs-falcon-update-custom-ioc command instead.
#
Base Commandcs-falcon-update-ioc
#
InputArgument Name | Description | Required |
---|---|---|
ioc_type | The type of the indicator. Possible values are: "sha256", "md5", "sha1", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator. | Required |
policy | The policy to enact when the value is detected on a host. Possible values are: "detect" and "none". A value of "none" is equivalent to turning the indicator off. Default is "detect". | Optional |
share_level | The level at which the indicator will be shared. Only "red" share level (not shared) is supported, which indicates that the IOC is not shared with other Falcon Host customers. | Optional |
expiration_days | The number of days for which the indicator should be valid. This only applies to domain, ipv4, and ipv6 types. Default is 30. | Optional |
source | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limited to 200 characters. | Optional |
description | A meaningful description of the indicator. Limited to 200 characters. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Policy | string | The policy of the indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.ShareLevel | string | The level at which the indicator will be shared. |
CrowdStrike.IOC.Expiration | string | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | string | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | string | The date and time the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#
Command Example!cs-falcon-update-ioc ioc_type="domain" value="test.domain.com" policy="detect" description="Benign domain IOC"
#
Context Example#
Human Readable Output#
Custom IOC was created successfully
CreatedTime Description Expiration ID ModifiedTime Policy ShareLevel Source Type Value 2020-10-02T13:55:26Z Benign domain IOC 2020-11-01T00:00:00Z domain:test.domain.com 2020-10-02T13:55:33Z detect red Demisto playbook domain test.domain.com
#
27. cs-falcon-delete-iocDeprecated. Use the cs-falcon-delete-custom-ioc command instead.
#
Base Commandcs-falcon-delete-ioc
#
InputArgument Name | Description | Required |
---|---|---|
type | The IOC type to delete. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator to delete. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!cs-falcon-delete-ioc type="domain" value="test.domain.com"
#
Human Readable OutputCustom IOC domain:test.domain.com was successfully deleted.
#
28. cs-falcon-device-count-iocNumber of hosts that observed the given IOC.
#
Base Commandcs-falcon-device-count-ioc
#
InputArgument Name | Description | Required |
---|---|---|
type | The IOC type. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.DeviceCount | number | The number of devices the IOC ran on. |
#
Command Example!cs-falcon-device-count-ioc type="domain" value="value"
#
Context Example#
Human Readable OutputIndicator of Compromise domain:value device count: 1
#
29. cs-falcon-processes-ran-onGet processes associated with a given IOC.
#
Base Commandcs-falcon-processes-ran-on
#
InputArgument Name | Description | Required |
---|---|---|
type | The IOC type. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6". | Required |
value | The string representation of the indicator. | Required |
device_id | The device ID to check against. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Process.ID | number | The processes IDs associated with the given IOC. |
CrowdStrike.IOC.Process.DeviceID | number | The device the process ran on. |
#
Command Example!cs-falcon-processes-ran-on device_id=15dbb9d8f06b45fe9f61eb46e829d986 type=domain value=value
#
Context Example#
Human Readable Output#
Processes with custom IOC domain:value on device device_id.
Process ID pid:pid:650164094720
#
30. cs-falcon-process-detailsRetrieves the details of a process, according to process ID, that is running or that previously ran.
#
Base Commandcs-falcon-process-details
#
Input#
InputArgument Name | Description | Required |
---|---|---|
ids | A comma-separated list of process IDs. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Process.process_id | String | The process ID. |
CrowdStrike.Process.process_id_local | String | Local ID of the process. |
CrowdStrike.Process.device_id | String | The device the process ran on. |
CrowdStrike.Process.file_name | String | The path of the file that ran the process. |
CrowdStrike.Process.command_line | String | The command line command execution. |
CrowdStrike.Process.start_timestamp_raw | String | The start datetime of the process in Unix epoch time format. For example: 132460167512852140. |
CrowdStrike.Process.start_timestamp | String | The start datetime of the process in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.Process.stop_timestamp_raw | Date | The stop datetime of the process in Unix epoch time format. For example: 132460167512852140. |
CrowdStrike.Process.stop_timestamp | Date | The stop datetime of the process in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
#
Command Example!cs-falcon-process-details ids="pid:pid:pid"
#
Context Example#
Human Readable Output#
Details for process: pid:pid:pid.
command_line device_id file_name process_id process_id_local start_timestamp start_timestamp_raw stop_timestamp stop_timestamp_raw "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" deviceId \Device\HarddiskVolume1\Program Files (x86)\Google\Chrome\Application\chrome.exe device_id:pid pid 2020-10-01T09:05:51Z 132460167512852140 2020-10-02T06:43:45Z 132460946259334768
#
31. cs-falcon-device-ran-onReturns a list of device IDs on which an indicator ran.
#
Base Commandcs-falcon-device-ran-on
#
InputArgument Name | Description | Required |
---|---|---|
type | The type of indicator. Possible values are: "domain", "ipv4", "ipv6", "md5", "sha1", or "sha256". | Required |
value | The string representation of the indicator. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.DeviceID | string | Device IDs on which an indicator ran. |
#
Command Example!cs-falcon-device-ran-on type=domain value=value
#
Context Example#
Human Readable Output#
Devices that encountered the IOC domain:value
Device ID 15dbb9d8f06b45fe9f61eb46e829d986
#
32. cs-falcon-list-detection-summariesLists detection summaries.
#
Base Commandcs-falcon-list-detection-summaries
#
InputArgument Name | Description | Required |
---|---|---|
fetch_query | The query used to filter the results. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Detections.cid | String | The organization's customer ID (CID). |
CrowdStrike.Detections.created_timestamp | Date | The datetime when the detection occurred in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.Detections.detection_id | String | The ID of the detection. |
CrowdStrike.Detections.device.device_id | String | The device ID as seen by CrowdStrike. |
CrowdStrike.Detections.device.cid | String | The CrowdStrike Customer ID (CID) to which the device belongs. |
CrowdStrike.Detections.device.agent_load_flags | String | The CrowdStrike agent load flags. |
CrowdStrike.Detections.device.agent_local_time | Date | The local time of the sensor. |
CrowdStrike.Detections.device.agent_version | String | The version of the agent that the device is running. For example: 5.32.11406.0. |
CrowdStrike.Detections.device.bios_manufacturer | String | The BIOS manufacturer. |
CrowdStrike.Detections.device.bios_version | String | The device's BIOS version. |
CrowdStrike.Detections.device.config_id_base | String | The base of the sensor that the device is running. |
CrowdStrike.Detections.device.config_id_build | String | The version of the sensor that the device is running. For example: 11406. |
CrowdStrike.Detections.device.config_id_platform | String | The platform ID of the sensor that the device is running. |
CrowdStrike.Detections.device.external_ip | String | The external IP address of the device. |
CrowdStrike.Detections.device.hostname | String | The host name of the device. |
CrowdStrike.Detections.device.first_seen | Date | The datetime when the host was first seen by CrowdStrike. |
CrowdStrike.Detections.device.last_seen | Date | The datetime when the host was last seen by CrowdStrike. |
CrowdStrike.Detections.device.local_ip | String | The local IP address of the device. |
CrowdStrike.Detections.device.mac_address | String | The MAC address of the device. |
CrowdStrike.Detections.device.major_version | String | The major version of the operating system. |
CrowdStrike.Detections.device.minor_version | String | The minor version of the operating system. |
CrowdStrike.Detections.device.os_version | String | The operating system of the device. |
CrowdStrike.Detections.device.platform_id | String | The platform ID of the device that runs the sensor. |
CrowdStrike.Detections.device.platform_name | String | The platform name of the device. |
CrowdStrike.Detections.device.product_type_desc | String | The value indicating the product type. For example, 1 = Workstation, 2 = Domain Controller, 3 = Server. |
CrowdStrike.Detections.device.status | String | The containment status of the machine. Possible values are: "normal", "containment_pending", "contained", and "lift_containment_pending". |
CrowdStrike.Detections.device.system_manufacturer | String | The system manufacturer of the device. |
CrowdStrike.Detections.device.system_product_name | String | The product name of the system. |
CrowdStrike.Detections.device.modified_timestamp | Date | The datetime the device was last modified in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.Detections.behaviors.device_id | String | The ID of the device associated with the behavior. |
CrowdStrike.Detections.behaviors.timestamp | Date | The datetime the behavior detection occurred in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.Detections.behaviors.behavior_id | String | The ID of the behavior. |
CrowdStrike.Detections.behaviors.filename | String | The file name of the triggering process. |
CrowdStrike.Detections.behaviors.alleged_filetype | String | The file extension of the behavior's filename. |
CrowdStrike.Detections.behaviors.cmdline | String | The command line of the triggering process. |
CrowdStrike.Detections.behaviors.scenario | String | The name of the scenario to which the behavior belongs. |
CrowdStrike.Detections.behaviors.objective | String | The name of the objective associated with the behavior. |
CrowdStrike.Detections.behaviors.tactic | String | The name of the tactic associated with the behavior. |
CrowdStrike.Detections.behaviors.technique | String | The name of the technique associated with the behavior. |
CrowdStrike.Detections.behaviors.severity | Number | The severity rating for the behavior. The value can be any integer between 1-100. |
CrowdStrike.Detections.behaviors.confidence | Number | The true positive confidence rating for the behavior. The value can be any integer between 1-100. |
CrowdStrike.Detections.behaviors.ioc_type | String | The type of the triggering IOC. Possible values are: "hash_sha256", "hash_md5", "domain", "filename", "registry_key", "command_line", and "behavior". |
CrowdStrike.Detections.behaviors.ioc_value | String | The IOC value. |
CrowdStrike.Detections.behaviors.ioc_source | String | The source that triggered an IOC detection. Possible values are: "library_load", "primary_module", "file_read", and "file_write". |
CrowdStrike.Detections.behaviors.ioc_description | String | The IOC description. |
CrowdStrike.Detections.behaviors.user_name | String | The user name. |
CrowdStrike.Detections.behaviors.user_id | String | The Security Identifier (SID) of the user in Windows. |
CrowdStrike.Detections.behaviors.control_graph_id | String | The behavior hit key for the Threat Graph API. |
CrowdStrike.Detections.behaviors.triggering_process_graph_id | String | The ID of the process that triggered the behavior detection. |
CrowdStrike.Detections.behaviors.sha256 | String | The SHA256 of the triggering process. |
CrowdStrike.Detections.behaviors.md5 | String | The MD5 of the triggering process. |
CrowdStrike.Detections.behaviors.parent_details.parent_sha256 | String | The SHA256 hash of the parent process. |
CrowdStrike.Detections.behaviors.parent_details.parent_md5 | String | The MD5 hash of the parent process. |
CrowdStrike.Detections.behaviors.parent_details.parent_cmdline | String | The command line of the parent process. |
CrowdStrike.Detections.behaviors.parent_details.parent_process_graph_id | String | The process graph ID of the parent process. |
CrowdStrike.Detections.behaviors.pattern_disposition | Number | The pattern associated with the action performed on the behavior. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.indicator | Boolean | Whether the detection behavior is similar to an indicator. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.detect | Boolean | Whether this behavior is detected. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.inddet_mask | Boolean | Whether this behavior is an inddet mask. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.sensor_only | Boolean | Whether this detection is sensor only. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.rooting | Boolean | Whether this behavior is rooting. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.kill_process | Boolean | Whether this detection kills the process. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.kill_subprocess | Boolean | Whether this detection kills the subprocess. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.quarantine_machine | Boolean | Whether this detection was on a quarantined machine. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.quarantine_file | Boolean | Whether this detection was on a quarantined file. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.policy_disabled | Boolean | Whether this policy is disabled. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.kill_parent | Boolean | Whether this detection kills the parent process. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.operation_blocked | Boolean | Whether the operation is blocked. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.process_blocked | Boolean | Whether the process is blocked. |
CrowdStrike.Detections.behaviors.pattern_disposition_details.registry_operation_blocked | Boolean | Whether the registry operation is blocked. |
CrowdStrike.Detections.email_sent | Boolean | Whether an email is sent about this detection. |
CrowdStrike.Detections.first_behavior | Date | The datetime of the first behavior. |
CrowdStrike.Detections.last_behavior | Date | The datetime of the last behavior. |
CrowdStrike.Detections.max_confidence | Number | The highest confidence value of all behaviors. The value can be any integer between 1-100. |
CrowdStrike.Detections.max_severity | Number | The highest severity value of all behaviors. Value can be any integer between 1-100. |
CrowdStrike.Detections.max_severity_displayname | String | The name used in the UI to determine the severity of the detection. Possible values are: "Critical", "High", "Medium", and "Low". |
CrowdStrike.Detections.show_in_ui | Boolean | Whether the detection displays in the UI. |
CrowdStrike.Detections.status | String | The status of detection. |
CrowdStrike.Detections.assigned_to_uid | String | The UID of the user for whom the detection is assigned. |
CrowdStrike.Detections.assigned_to_name | String | The human-readable name of the user to whom the detection is currently assigned. |
CrowdStrike.Detections.hostinfo.domain | String | The domain of the Active Directory. |
CrowdStrike.Detections.seconds_to_triaged | Number | The amount of time it took to move a detection from "new" to "in_progress". |
CrowdStrike.Detections.seconds_to_resolved | Number | The amount of time it took to move a detection from new to a resolved state ("true_positive", "false_positive", and "ignored"). |
#
Command Example!cs-falcon-list-detection-summaries
#
Context Example#
Human Readable Output#
CrowdStrike Detections
detection_id created_time status max_severity ldt:ldt:ldt 2020-07-06T08:10:55.538668036Z new Low
#
33. cs-falcon-list-incident-summariesLists incident summaries.
#
Base Commandcs-falcon-list-incident-summaries
#
InputArgument Name | Description | Required |
---|---|---|
fetch_query | The query used to filter the results. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Incidents.incident_id | String | The ID of the incident. |
CrowdStrike.Incidents.cid | String | The organization's customer ID (CID). |
CrowdStrike.Incidents.host_ids | String | The device IDs of all the hosts on which the incident occurred. |
CrowdStrike.Incidents.hosts.device_id | String | The device ID as seen by CrowdStrike. |
CrowdStrike.Incidents.hosts.cid | String | The host's organization's customer ID (CID). |
CrowdStrike.Incidents.hosts.agent_load_flags | String | The CrowdStrike agent load flags. |
CrowdStrike.Incidents.hosts.agent_local_time | Date | The local time of the sensor. |
CrowdStrike.Incidents.hosts.agent_version | String | The version of the agent that the device is running. For example: 5.32.11406.0. |
CrowdStrike.Incidents.hosts.bios_manufacturer | String | The BIOS manufacturer. |
CrowdStrike.Incidents.hosts.bios_version | String | The BIOS version of the device. |
CrowdStrike.Incidents.hosts.config_id_base | String | The base of the sensor that the device is running. |
CrowdStrike.Incidents.hosts.config_id_build | String | The version of the sensor that the device is running. For example: 11406. |
CrowdStrike.Incidents.hosts.config_id_platform | String | The platform ID of the sensor that the device is running. |
CrowdStrike.Incidents.hosts.external_ip | String | The external IP address of the host. |
CrowdStrike.Incidents.hosts.hostname | String | The name of the host. |
CrowdStrike.Incidents.hosts.first_seen | Date | The date and time when the host was first seen by CrowdStrike. |
CrowdStrike.Incidents.hosts.last_seen | Date | The date and time when the host was last seen by CrowdStrike. |
CrowdStrike.Incidents.hosts.local_ip | String | The device's local IP address. |
CrowdStrike.Incidents.hosts.mac_address | String | The device's MAC address. |
CrowdStrike.Incidents.hosts.major_version | String | The major version of the operating system. |
CrowdStrike.Incidents.hosts.minor_version | String | The minor version of the operating system. |
CrowdStrike.Incidents.hosts.os_version | String | The operating system of the host. |
CrowdStrike.Incidents.hosts.platform_id | String | The platform ID of the device that runs the sensor. |
CrowdStrike.Incidents.hosts.platform_name | String | The platform name of the host. |
CrowdStrike.Incidents.hosts.product_type_desc | String | The value indicating the product type. For example, 1 = Workstation, 2 = Domain Controller, 3 = Server. |
CrowdStrike.Incidents.hosts.status | String | The incident status as a number. For example, 20 = New, 25 = Reopened, 30 = In Progress, 40 = Closed. |
CrowdStrike.Incidents.hosts.system_manufacturer | String | The system manufacturer of the device. |
CrowdStrike.Incidents.hosts.system_product_name | String | The product name of the system. |
CrowdStrike.Incidents.hosts.modified_timestamp | Date | The datetime when a user modified the incident in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.Incidents.created | Date | The time that the incident was created. |
CrowdStrike.Incidents.start | Date | The recorded time of the earliest incident. |
CrowdStrike.Incidents.end | Date | The recorded time of the latest incident. |
CrowdStrike.Incidents.state | String | The state of the incident. |
CrowdStrike.Incidents.status | Number | The status of the incident. |
CrowdStrike.Incidents.name | String | The name of the incident. |
CrowdStrike.Incidents.description | String | The description of the incident. |
CrowdStrike.Incidents.tags | String | The tags of the incident. |
CrowdStrike.Incidents.fine_score | Number | The incident score. |
#
Command Example!cs-falcon-list-incident-summaries
#
34. EndpointLists incident summaries.
#
Base Commandendpoint
#
InputArgument Name | Description | Required |
---|---|---|
id | Endpoint ID. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Endpoint.Hostname | String | The endpoint's hostname. |
Endpoint.OS | String | The endpoint's operation system. |
Endpoint.OSVersion | String | The endpoint's operation system version. |
Endpoint.IPAddress | String | The endpoint's IP address. |
Endpoint.ID | String | The endpoint's ID. |
Endpoint.Status | String | The endpoint's status. |
Endpoint.IsIsolated | String | The endpoint's isolation status. |
Endpoint.MACAddress | String | The endpoint's MAC address. |
Endpoint.Vendor | String | The integration name of the endpoint vendor. |
#
Command Example!endpoint id=15dbb9d5fe9f61eb46e829d986
#
Context Example#
Human Readable Output#
Endpoints
ID IPAddress OS OSVersion Hostname Status MACAddress Vendor 15dbb9d8f06b45fe9f61eb46e829d986 1.1.1.1 Windows Windows Server 2019 Hostname Online 1-1-1-1 CrowdStrike Falcon
#
35. cs-falcon-create-host-groupCreate a host group
#
Base Commandcs-falcon-create-host-group
#
InputArgument Name | Description | Required |
---|---|---|
name | The name of the host. | Required |
group_type | The group type of the group. Can be 'static' or 'dynamic'. Possible values are: static, dynamic. | Optional |
description | The description of the host. | Optional |
assignment_rule | The assignment rule. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.HostGroup.id | String | The ID of the host group. |
CrowdStrike.HostGroup.group_type | String | The group type of the host group. |
CrowdStrike.HostGroup.name | String | The name of the host group. |
CrowdStrike.HostGroup.description | String | The description of the host group. |
CrowdStrike.HostGroup.created_by | String | The client that created the host group. |
CrowdStrike.HostGroup.created_timestamp | Date | 'The datetime when the host group was created in ISO time format. For example: 2019-10-17T13:41:48.487520845Z.' |
CrowdStrike.HostGroup.modified_by | String | The client that modified the host group. |
CrowdStrike.HostGroup.modified_timestamp | Date | 'The datetime when the host group was last modified in ISO time format. For example: 2019-10-17T13:41:48.487520845Z.' |
#
Command Example!cs-falcon-create-host-group name="test_name_1" description="test_description" group_type=static
#
Context Example#
Human Readable Output#
Results
created_by created_timestamp description group_type id modified_by modified_timestamp name api-client-id:2bf188d347e44e08946f2e61ef590c24 2021-08-25T08:02:02.060242909Z test_description static f82edc8a565d432a8114ebdbf255f5b2 api-client-id:2bf188d347e44e08946f2e61ef590c24 2021-08-25T08:02:02.060242909Z test_name_1
#
36. cs-falcon-update-host-groupUpdate a host group.
#
Base Commandcs-falcon-update-host-group
#
InputArgument Name | Description | Required |
---|---|---|
host_group_id | The ID of the host group. | Required |
name | The name of the host group. | Optional |
description | The description of the host group. | Optional |
assignment_rule | The assignment rule. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.HostGroup.id | String | The ID of the host group. |
CrowdStrike.HostGroup.group_type | String | The group type of the host group. |
CrowdStrike.HostGroup.name | String | The name of the host group. |
CrowdStrike.HostGroup.description | String | The description of the host group. |
CrowdStrike.HostGroup.created_by | String | The client that created the host group. |
CrowdStrike.HostGroup.created_timestamp | Date | 'The datetime when the host group was created in ISO time format. For |
example: 2019-10-17T13:41:48.487520845Z.' | ||
CrowdStrike.HostGroup.modified_by | String | The client that modified the host group. |
CrowdStrike.HostGroup.modified_timestamp | Date | 'The datetime when the host group was last modified in ISO time format. |
For example: 2019-10-17T13:41:48.487520845Z.' |
#
Command Example!cs-falcon-update-host-group host_group_id=4902d5686bed41ba88a37439f38913ba name="test_name_update_1" description="test_description_update"
#
Context Example#
Human Readable Output#
Results
assignment_rule created_by created_timestamp description group_type id modified_by modified_timestamp name device_id:[''],hostname:[''] api-client-id:2bf188d347e44e08946f2e61ef590c24 2021-08-22T07:48:35.111070562Z test_description_update static 4902d5686bed41ba88a37439f38913ba api-client-id:2bf188d347e44e08946f2e61ef590c24 2021-08-25T08:02:05.295663156Z test_name_update_1
#
37. cs-falcon-list-host-group-membersGet the list of host group members.
#
Base Commandcs-falcon-list-host-group-members
#
InputArgument Name | Description | Required |
---|---|---|
host_group_id | The ID of the host group. | Optional |
filter | The query by which to filter the devices that belong to the host group. | Optional |
offset | Page offset. | Optional |
limit | Maximum number of results on a page. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Device.ID | String | The ID of the device. |
CrowdStrike.Device.LocalIP | String | The local IP address of the device. |
CrowdStrike.Device.ExternalIP | String | The external IP address of the device. |
CrowdStrike.Device.Hostname | String | The host name of the device. |
CrowdStrike.Device.OS | String | The operating system of the device. |
CrowdStrike.Device.MacAddress | String | The MAC address of the device. |
CrowdStrike.Device.FirstSeen | String | The first time the device was seen. |
CrowdStrike.Device.LastSeen | String | The last time the device was seen. |
CrowdStrike.Device.Status | String | The device status. |
#
Command Example!cs-falcon-list-host-group-members
#
Context Example#
Human Readable Output#
Devices
ID External IP Local IP Hostname OS Mac Address First Seen Last Seen Status 0bde2c4645294245aca522971ccc44c4 35.224.136.145 10.128.0.19 falcon-crowdstrike-sensor-centos7 CentOS 7.9 42-01-0a-80-00-13 2021-08-08T11:33:21Z 2021-08-25T07:50:47Z normal
#
38. cs-falcon-add-host-group-membersAdd host group members.
#
Base Commandcs-falcon-add-host-group-members
#
InputArgument Name | Description | Required |
---|---|---|
host_group_id | The ID of the host group. | Required |
host_ids | A comma-separated list of host agent IDs to run commands.(The list of host agent IDs can be retrieved by running the 'cs-falcon-search-device' command.) | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.HostGroup.id | String | The ID of the host group. |
CrowdStrike.HostGroup.group_type | String | The group type of the host group. |
CrowdStrike.HostGroup.name | String | The name of the host group. |
CrowdStrike.HostGroup.description | String | The description of the host group. |
CrowdStrike.HostGroup.created_by | String | The client that created the host group. |
CrowdStrike.HostGroup.created_timestamp | Date | 'The datetime when the host group was created in ISO time format. For |
example: 2019-10-17T13:41:48.487520845Z.' | ||
CrowdStrike.HostGroup.modified_by | String | The client that modified the host group. |
CrowdStrike.HostGroup.modified_timestamp | Date | 'The datetime when the host group was last modified in ISO time format. |
For example: 2019-10-17T13:41:48.487520845Z.' |
#
Command Example!cs-falcon-add-host-group-members host_group_id="4902d5686bed41ba88a37439f38913ba" host_ids="0bde2c4645294245aca522971ccc44c4"
#
Context Example#
Human Readable Output#
Results
assignment_rule created_by created_timestamp description group_type id modified_by modified_timestamp name device_id:[''],hostname:['falcon-crowdstrike-sensor-centos7',''] api-client-id:2bf188d347e44e08946f2e61ef590c24 2021-08-22T07:48:35.111070562Z test_description_update static 4902d5686bed41ba88a37439f38913ba api-client-id:2bf188d347e44e08946f2e61ef590c24 2021-08-25T08:02:05.295663156Z test_name_update_1
#
39. cs-falcon-remove-host-group-membersRemove host group members.
#
Base Commandcs-falcon-remove-host-group-members
#
InputArgument Name | Description | Required |
---|---|---|
host_group_id | The ID of the host group. | Required |
host_ids | A comma-separated list of host agent IDs to run commands. (The list of host agent IDs can be retrieved by running the 'cs-falcon-search-device' command.) | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.HostGroup.id | String | The ID of the host group. |
CrowdStrike.HostGroup.group_type | String | The group type of the host group. |
CrowdStrike.HostGroup.name | String | The name of the host group. |
CrowdStrike.HostGroup.description | String | The description of the host group. |
CrowdStrike.HostGroup.created_by | String | The client that created the host group. |
CrowdStrike.HostGroup.created_timestamp | Date | 'The datetime when the host group was created in ISO time format. For |
example: 2019-10-17T13:41:48.487520845Z.' | ||
CrowdStrike.HostGroup.modified_by | String | The client that modified the host group. |
CrowdStrike.HostGroup.modified_timestamp | Date | 'The datetime when the host group was last modified in ISO time format. |
For example: 2019-10-17T13:41:48.487520845Z.' |
#
Command Example!cs-falcon-remove-host-group-members host_group_id="4902d5686bed41ba88a37439f38913ba" host_ids="0bde2c4645294245aca522971ccc44c4"
#
Context Example#
Human Readable Output#
Results
assignment_rule created_by created_timestamp description group_type id modified_by modified_timestamp name device_id:[''],hostname:[''] api-client-id:2bf188d347e44e08946f2e61ef590c24 2021-08-22T07:48:35.111070562Z test_description_update static 4902d5686bed41ba88a37439f38913ba api-client-id:2bf188d347e44e08946f2e61ef590c24 2021-08-25T08:02:05.295663156Z test_name_update_1
#
40. cs-falcon-resolve-incidentResolve incidents
#
Base Commandcs-falcon-resolve-incident
#
InputArgument Name | Description | Required |
---|---|---|
ids | A comma-separated list of incident IDs. | Required |
status | The new status of the incident. Can be "New", "In Progress", "Reopened", "Closed". Possible values are: New, In Progress, Reopened, Closed. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!cs-falcon-resolve-incident ids="inc:0bde2c4645294245aca522971ccc44c4:f3825bf7df684237a1eb62b39124ebef,inc:07007dd3f95c4d628fb097072bf7f7f3:ecd5c5acd4f042e59be2f990e9ada258" status="Closed"
#
Human Readable Outputinc:0bde2c4645294245aca522971ccc44c4:f3825bf7df684237a1eb62b39124ebef changed successfully to Closed inc:07007dd3f95c4d628fb097072bf7f7f3:ecd5c5acd4f042e59be2f990e9ada258 changed successfully to Closed
#
41. cs-falcon-list-host-groupsList the available host groups.
#
Base Commandcs-falcon-list-host-groups
#
InputArgument Name | Description | Required |
---|---|---|
filter | The query by which to filter the devices that belong to the host group. | Optional |
offset | Page offset. | Optional |
limit | Maximum number of results on a page. Default is 50. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.HostGroup.id | String | The ID of the host group. |
CrowdStrike.HostGroup.group_type | String | The group type of the host group. |
CrowdStrike.HostGroup.name | String | The name of the host group. |
CrowdStrike.HostGroup.description | String | The description of the host group. |
CrowdStrike.HostGroup.created_by | String | The client that created the host group. |
CrowdStrike.HostGroup.created_timestamp | Date | The datetime when the host group was created in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
CrowdStrike.HostGroup.modified_by | String | The client that modified the host group. |
CrowdStrike.HostGroup.modified_timestamp | Date | The datetime when the host group was last modified in ISO time format. For example: 2019-10-17T13:41:48.487520845Z. |
#
Command Example!cs-falcon-list-host-groups
#
Context Example#
Human Readable Output#
Results
assignment_rule created_by created_timestamp description group_type id modified_by modified_timestamp name device_id:[''],hostname:[''] api-client-id:2bf188d347e44e08946f2e61ef590c24 2021-08-26T10:02:50.175530821Z description2 static 29ae859b9a01409d83bf7fb7f7a04c69 api-client-id:2bf188d347e44e08946f2e61ef590c24 2021-08-26T10:02:52.026307768Z test_16299721694081629972169408
#
42. cs-falcon-delete-host-groupsDelete the requested host groups.
#
Base Commandcs-falcon-delete-host-groups
#
InputArgument Name | Description | Required |
---|---|---|
host_group_id | A comma-separated list of the IDs of the host groups to be deleted. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!cs-falcon-delete-host-groups host_group_id=29ae859b9a01409d83bf7fb7f7a04c69,9a7291431c3046ccb7b750240f924854
#
Human Readable Outputhost group id 29ae859b9a01409d83bf7fb7f7a04c69 deleted successfully host group id 9a7291431c3046ccb7b750240f924854 deleted successfully
#
43. cs-falcon-search-custom-iocsReturns a list of your uploaded IOCs that match the search criteria.
#
Base Commandcs-falcon-search-custom-iocs
#
InputArgument Name | Description | Required |
---|---|---|
types | A comma-separated list of indicator types. Valid types are: "sha256", "sha1", "md5", "domain", "ipv4", "ipv6". | Optional |
values | A comma-separated list of indicator values. | Optional |
sources | A comma-separated list of IOC sources. | Optional |
expiration | The date on which the indicator will become inactive (ISO 8601 format, i.e. YYYY-MM-DDThh:mm:ssZ). | Optional |
limit | The maximum number of records to return. The minimum is 1 and the maximum is 500. Default is 50. | Optional |
sort | The order in which the results are returned. Possible values are: "type.asc", "type.desc", "value.asc", "value.desc", "policy.asc", "policy.desc", "share_level.asc", "share_level.desc", "expiration_timestamp.asc", and "expiration_timestamp.desc". | Optional |
offset | The offset to begin the list from. For example, start from the 10th record and return the list. Default is 0. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator. |
CrowdStrike.IOC.Severity | string | The severity level to apply to this indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.Action | string | Action to take when a host observes the custom IOC. |
CrowdStrike.IOC.Expiration | date | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | date | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | date | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#
Command example!cs-falcon-search-custom-iocs limit=2
#
Context Example#
Human Readable Output#
Indicators of Compromise
ID Action Severity Type Value Expiration CreatedBy CreatedTime Description ModifiedBy ModifiedTime Platforms Policy ShareLevel Source Tags 04b48fadfacbd68a397904ea164955be605c76694aa652a548f5d773095e4ec1 no_action informational ipv4 1.1.8.9 2022-02-17T13:47:57Z 2bf188d347e44e08946f2e61ef590c24 2022-02-16T17:17:25.992164453Z test 2bf188d347e44e08946f2e61ef590c24 2022-02-16T17:17:25.992164453Z mac Cortex XSOAR 54f12e3a1ef5af0612714f6acea8f34f18c5dc6be117ade949974633f949f412 no_action informational ipv4 4.1.8.9 2022-02-17T13:47:57Z 2bf188d347e44e08946f2e61ef590c24 2022-02-16T17:16:44.514398876Z test 2bf188d347e44e08946f2e61ef590c24 2022-02-16T17:16:44.514398876Z mac Cortex XSOAR
#
44. cs-falcon-get-custom-iocGets the full definition of one or more indicators that you are watching.
#
Base Commandcs-falcon-get-custom-ioc
#
InputArgument Name | Description | Required |
---|---|---|
type | The IOC type to retrieve. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6". Either ioc_id or ioc_type and value must be provided. | Optional |
value | The string representation of the indicator. Either ioc_id or ioc_type and value must be provided. | Optional |
ioc_id | The ID of the IOC to get. Can be retrieved by running the cs-falcon-search-custom-iocs command. Either ioc_id or ioc_type and value must be provided. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator. |
CrowdStrike.IOC.Severity | string | The severity level to apply to this indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.Action | string | Action to take when a host observes the custom IOC. |
CrowdStrike.IOC.Expiration | date | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | date | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | date | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#
Command example!cs-falcon-get-custom-ioc type=ipv4 value=7.5.9.8
#
Context Example#
Human Readable Output#
Indicator of Compromise
ID Action Severity Type Value Expiration CreatedBy CreatedTime Description ModifiedBy ModifiedTime Platforms Policy ShareLevel Source Tags 04b48fadfacbd68a397904ea164955be605c76694aa652a548f5d773095e4e12 no_action informational ipv4 7.5.9.8 2022-02-17T17:55:09Z 2bf188d347e44e08946f2e61ef590c24 2022-02-16T14:25:22.968603813Z 2bf188d347e44e08946f2e61ef590c24 2022-02-16T14:25:22.968603813Z linux cortex xsoar test,
test1
#
45. cs-falcon-upload-custom-iocUploads an indicator for CrowdStrike to monitor.
#
Base Commandcs-falcon-upload-custom-ioc
#
InputArgument Name | Description | Required |
---|---|---|
ioc_type | The type of the indicator. Possible values are: "sha256", "md5", "domain", "ipv4", and "ipv6". | Required |
value | A comma separated list of indicators. More than one value can be supplied in order to upload multiple IOCs of the same type but with different values. Note that the uploaded IOCs will have the same properties (as supplied in other arguments). | Required |
action | Action to take when a host observes the custom IOC. Possible values are: no_action - Save the indicator for future use, but take no action. No severity required. allow - Applies to hashes only. Allow the indicator and do not detect it. Severity does not apply and should not be provided. prevent_no_ui - Applies to hashes only. Block and detect the indicator, but hide it from Activity > Detections. Has a default severity value. prevent - Applies to hashes only. Block the indicator and show it as a detection at the selected severity. detect - Enable detections for the indicator at the selected severity. | Required |
platforms | The platforms that the indicator applies to. You can enter multiple platform names, separated by commas. Possible values are: mac, windows and linux. | Required |
severity | The severity level to apply to this indicator. Possible values are: informational, low, medium, high and critical. | Required for the prevent and detect actions. Optional for no_action. |
expiration | The date on which the indicator will become inactive (ISO 8601 format, i.e. YYYY-MM-DDThh:mm:ssZ). | Optional |
source | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limited to 200 characters. | Optional |
description | A meaningful description of the indicator. Limited to 200 characters. | Optional |
applied_globally | Whether the indicator is applied globally. Either applied_globally or host_groups must be provided. Possible values are: true, false. | Optional |
host_groups | List of host group IDs that the indicator applies to. Can be retrieved by running the cs-falcon-list-host-groups command. Either applied_globally or host_groups must be provided. | Optional |
tags | List of tags to apply to the indicator. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator. |
CrowdStrike.IOC.Severity | string | The severity level to apply to this indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.Action | string | Action to take when a host observes the custom IOC. |
CrowdStrike.IOC.Expiration | date | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | date | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | date | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
CrowdStrike.IOC.Tags | Unknown | The tags of the IOC. |
CrowdStrike.IOC.Platforms | Unknown | The platforms of the IOC. |
#
Command Example!cs-falcon-upload-custom-ioc ioc_type="domain" value="test.domain.com" action="prevent" severity="high" source="Demisto playbook" description="Test ioc" platforms="mac"
#
Context Example#
Human Readable Output#
Custom IOC was created successfully
CreatedTime Description Expiration ID ModifiedTime Action Severity Source Type Value 2020-10-02T13:55:26Z Test ioc 2020-11-01T00:00:00Z 4f8c43311k1801ca4359fc07t319610482c2003mcde8934d5412b1781e841e9r 2020-10-02T13:55:26Z prevent high Demisto playbook domain test.domain.com
#
46. cs-falcon-update-custom-iocUpdates an indicator for CrowdStrike to monitor.
#
Base Commandcs-falcon-update-custom-ioc
#
InputArgument Name | Description | Required |
---|---|---|
ioc_id | The ID of the IOC to delete. Can be retrieved by running the cs-falcon-search-custom-iocs command. | Required |
action | Action to take when a host observes the custom IOC. Possible values are: no_action - Save the indicator for future use, but take no action. No severity required. allow - Applies to hashes only. Allow the indicator and do not detect it. Severity does not apply and should not be provided. prevent_no_ui - Applies to hashes only. Block and detect the indicator, but hide it from Activity > Detections. Has a default severity value. prevent - Applies to hashes only. Block the indicator and show it as a detection at the selected severity. detect - Enable detections for the indicator at the selected severity. | Optional |
platforms | The platforms that the indicator applies to. You can enter multiple platform names, separated by commas. Possible values are: mac, windows and linux. | Optional |
severity | The severity level to apply to this indicator. Possible values are: informational, low, medium, high and critical. | Required for the prevent and detect actions. Optional for no_action. |
expiration | The date on which the indicator will become inactive (ISO 8601 format, i.e. YYYY-MM-DDThh:mm:ssZ). | Optional |
source | The source where this indicator originated. This can be used for tracking where this indicator was defined. Limited to 200 characters. | Optional |
description | A meaningful description of the indicator. Limited to 200 characters. | Optional |
applied_globally | Whether the indicator is applied globally. Possible values are: true and false. Either applied_globally or host_groups must be provided. | Optional |
host_groups | List of host group IDs that the indicator applies to. Can be retrieved by running the cs-falcon-list-host-groups command. Either applied_globally or host_groups must be provided. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator (type:value). |
CrowdStrike.IOC.Policy | string | The policy of the indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.ShareLevel | string | The level at which the indicator will be shared. |
CrowdStrike.IOC.Expiration | string | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | string | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | string | The date and time the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
#
Command Example!cs-falcon-update-custom-ioc ioc_id="4f8c43311k1801ca4359fc07t319610482c2003mcde8934d5412b1781e841e9r" severity="high"
#
Context Example#
Human Readable Output#
Custom IOC was updated successfully
CreatedTime Description Expiration ID ModifiedTime Action Severity Source Type Value 2020-10-02T13:55:26Z Test ioc 2020-11-01T00:00:00Z 4f8c43311k1801ca4359fc07t319610482c2003mcde8934d5412b1781e841e9r 2020-10-02T13:55:26Z prevent high Demisto playbook domain test.domain.com
#
47. cs-falcon-delete-custom-iocDeletes a monitored indicator.
#
Base Commandcs-falcon-delete-custom-ioc
#
InputArgument Name | Description | Required |
---|---|---|
ioc_id | The ID of the IOC to delete. Can be retrieved by running the cs-falcon-search-custom-iocs command. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!cs-falcon-delete-custom-ioc ioc_id="4f8c43311k1801ca4359fc07t319610482c2003mcde8934d5412b1781e841e9r"
#
Human Readable OutputCustom IOC 4f8c43311k1801ca4359fc07t319610482c2003mcde8934d5412b1781e841e9r was successfully deleted.
#
48. cs-falcon-batch-upload-custom-iocUploads a batch of indicators.
#
Base Commandcs-falcon-batch-upload-custom-ioc
#
InputArgument Name | Description | Required |
---|---|---|
multiple_indicators_json | A JSON object with list of CS Falcon indicators to upload. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IOC.Type | string | The type of the IOC. |
CrowdStrike.IOC.Value | string | The string representation of the indicator. |
CrowdStrike.IOC.ID | string | The full ID of the indicator. |
CrowdStrike.IOC.Severity | string | The severity level to apply to this indicator. |
CrowdStrike.IOC.Source | string | The source of the IOC. |
CrowdStrike.IOC.Action | string | Action to take when a host observes the custom IOC. |
CrowdStrike.IOC.Expiration | string | The datetime when the indicator will expire. |
CrowdStrike.IOC.Description | string | The description of the IOC. |
CrowdStrike.IOC.CreatedTime | date | The datetime the IOC was created. |
CrowdStrike.IOC.CreatedBy | string | The identity of the user/process who created the IOC. |
CrowdStrike.IOC.ModifiedTime | date | The datetime the indicator was last modified. |
CrowdStrike.IOC.ModifiedBy | string | The identity of the user/process who last updated the IOC. |
CrowdStrike.IOC.Tags | Unknown | The tags of the IOC. |
CrowdStrike.IOC.Platforms | Unknown | The platforms of the IOC. |
#
Command example!cs-falcon-batch-upload-custom-ioc multiple_indicators_json=`[{"description": "test", "expiration": "2022-02-17T13:47:57Z", "type": "ipv4", "severity": "Informational", "value": "1.1.8.9", "action": "no_action", "platforms": ["mac"], "source": "Cortex XSOAR", "applied_globally": true}]`
#
Context Example#
Human Readable Output#
Custom IOC 1.1.8.9 was created successfully
Action CreatedBy CreatedTime Description Expiration ID ModifiedBy ModifiedTime Platforms Severity Source Type Value no_action 2bf188d347e44e08946f2e61ef590c24 2022-02-16T17:17:25.992164453Z test 2022-02-17T13:47:57Z "04b48fadfacbd68a397904ea164955be605c76694aa652a548f5d773095e4e12 2bf188d347e44e08946f2e61ef590c24 2022-02-16T17:17:25.992164453Z mac informational Cortex XSOAR ipv4 1.1.8.9
#
49. cs-falcon-rtr-kill-processExecute an active responder kill command on a single host.
#
Base Commandcs-falcon-rtr-kill-process
#
InputArgument Name | Description | Required |
---|---|---|
host_id | The host ID in which you would like to kill the given process. | Required |
process_ids | A comma-separated list of process IDs to kill. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.kill.ProcessID | String | The process ID that was killed. |
CrowdStrike.Command.kill.Error | String | The error message raised if the command was failed. |
CrowdStrike.Command.kill.HostID | String | The host ID. |
#
Command example!cs-falcon-rtr-kill-process host_id=15dbb9d8f06b45fe9f61eb46e829d986 process_ids=5260,123
#
Context Example#
Human Readable Output#
CrowdStrike Falcon kill command on host 15dbb9d8f06b45fe9f61eb46e829d986:
ProcessID Error 123 Cannot find a process with the process identifier 123. 5260 Success Note: you don't see the following IDs in the results as the request was failed for them. ID 123 failed as it was not found.
#
50. cs-falcon-rtr-remove-fileBatch executes an RTR active-responder remove file across the hosts mapped to the given batch ID.
#
Base Commandcs-falcon-rtr-remove-file
#
InputArgument Name | Description | Required |
---|---|---|
host_ids | A comma-separated list of the hosts IDs in which you would like to remove the file. | Required |
file_path | The path to a file or a directoty that you would like to remove. | Required |
os | The operatin system of the hosts given. As the revome command is different in each operatin system, you can choose only one operating system. Possible values are: Windows, Linux, Mac. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.rm.HostID | String | The host ID. |
CrowdStrike.Command.rm.Error | String | The error message raised if the command was failed. |
#
Command example!cs-falcon-rtr-remove-file file_path="c:\\testfolder" host_ids=15dbb9d8f06b45fe9f61eb46e829d986 os=Windows
#
Context Example#
Human Readable Output#
CrowdStrike Falcon rm over the file: c:\testfolder
HostID Error 15dbb9d8f06b45fe9f61eb46e829d986 Success
#
51. cs-falcon-rtr-list-processesExecutes an RTR active-responder ps command to get a list of active processes across the given host.
#
Base Commandcs-falcon-rtr-list-processes
#
InputArgument Name | Description | Required |
---|---|---|
host_id | The host ID in which you would like to get the processes list from. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.ps.Filename | String | The the name of the result file to be returned. |
#
Command example!cs-falcon-rtr-list-processes host_id=15dbb9d8f06b45fe9f61eb46e829d986
#
Context Example#
Human Readable Output#
CrowdStrike Falcon ps command on host 15dbb9d8f06b45fe9f61eb46e829d986:
Stdout TOO MUCH INFO TO DISPLAY
#
52. cs-falcon-rtr-list-network-statsExecutes an RTR active-responder netstat command to get a list of network status and protocol statistics across the given host.
#
Base Commandcs-falcon-rtr-list-network-stats
#
InputArgument Name | Description | Required |
---|---|---|
host_id | The host ID in which you would like to get the network status and protocol statistics list from. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Command.netstat.Filename | String | The the name of the result file to be returned. |
#
Command example!cs-falcon-rtr-list-network-stats host_id=15dbb9d8f06b45fe9f61eb46e829d986
#
Context Example#
Human Readable Output#
CrowdStrike Falcon netstat command on host 15dbb9d8f06b45fe9f61eb46e829d986:
Stdout TOO MUCH INFO TO DISPLAY
#
53. cs-falcon-rtr-read-registryExecutes an RTR active-responder read registry keys command across the given hosts. This command is valid only for Windows hosts.
#
Base Commandcs-falcon-rtr-read-registry
#
InputArgument Name | Description | Required |
---|---|---|
host_ids | A comma-separated list of the hosts IDs in which you would like to get the registry keys from. | Required |
registry_keys | A comma-separated list of the registy keys, subkeys or value to get. | Required |
#
Context OutputThere is no context output for this command.
#
Command example``!cs-falcon-rtr-read-registry host_ids=15dbb9d8f06b45fe9f61eb46e829d986 registry_keys=
HKEY_LOCAL_MACHINE,HKEY_USERS````
#
Context Example#
Human Readable Output#
CrowdStrike Falcon reg command on hosts ['15dbb9d8f06b45fe9f61eb46e829d986']:
FileName Stdout reg-15dbb9d8f06b45fe9f61eb46e829d986HKEY_USERS TOO MUCH INFO TO DISPLAY reg-15dbb9d8f06b45fe9f61eb46e829d986HKEY_LOCAL_MACHINE TOO MUCH INFO TO DISPLAY
#
54. cs-falcon-rtr-list-scheduled-tasksExecutes an RTR active-responder netstat command to get a list of scheduled tasks across the given host. This command is valid only for Windows hosts.
#
Base Commandcs-falcon-rtr-list-scheduled-tasks
#
InputArgument Name | Description | Required |
---|---|---|
host_ids | A comma-separated list of the hosts IDs in which you would like to get the list of scheduled tasks from. | Required |
#
Context OutputThere is no context output for this command.
#
Command example!cs-falcon-rtr-list-scheduled-tasks host_ids=15dbb9d8f06b45fe9f61eb46e829d986
#
Context Example#
Human Readable Output#
CrowdStrike Falcon runscript command on host 15dbb9d8f06b45fe9f61eb46e829d986:
Stdout TOO MUCH INFO TO DISPLAY
#
55. cs-falcon-rtr-retrieve-fileGets the RTR extracted file contents for the specified file path.
#
Base Commandcs-falcon-rtr-retrieve-file
#
InputArgument Name | Description | Required |
---|---|---|
host_ids | A comma-separated list of the hosts IDs in which you would like to get file from. | Required |
file_path | The file path of the required file to extract. | Required |
filename | The filename to use for the archive name and the file within the archive. | Optional |
interval_in_seconds | interval between polling. Default is 60 seconds. Must be higher than 10. | Optional |
hosts_and_requests_ids | This is an internal argument used for the polling process, not to be used by the user. | Optional |
SHA256 | This is an internal argument used for the polling process, not to be used by the user. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.File.FileName | String | The file name. |
CrowdStrike.File.HostID | String | The hosd ID. |
File.Size | Number | The size of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Name | String | The name of the file. |
File.SSDeep | String | The SSDeep hash of the file. |
File.EntryID | String | EntryID of the file |
File.Info | String | Information about the file. |
File.Type | String | The file type. |
File.MD5 | String | The MD5 hash of the file. |
File.Extension | String | The extension of the file. |
#
Command example!cs-falcon-rtr-retrieve-file file_path=`C:\Windows\System32\Windows.Media.FaceAnalysis.dll` host_ids=15dbb9d8f06b45fe9f61eb46e829d986,046761c46ec84f40b27b6f79ce7cd32c
#
Human Readable OutputWaiting for the polling execution
#
56. cs-falcon-get-detections-for-incidentGets the detections for a specific incident.
#
Base Commandcs-falcon-get-detections-for-incident
#
InputArgument Name | Description | Required |
---|---|---|
incident_id | The incident's id to get detections for. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.IncidentDetection.incident_id | String | The incident id. |
CrowdStrike.IncidentDetection.behavior_id | String | The behavior id connected to the incident. |
CrowdStrike.IncidentDetection.detection_ids | String | A list of detection ids connected to the incident. |
#
Command example``!cs-falcon-get-detections-for-incident incident_id=
inc:0bde2c4645294245aca522971ccc44c4:1a1eb17d1f9e4d82a9e8ba73d1095593````
#
Context Example#
Human Readable Output#
Detection For Incident
behavior_id detection_ids incident_id ind:0bde2c4645294245aca522971ccc44c4:162590282130-10303-6707968 ldt:0bde2c4645294245aca522971ccc44c4:38656254663 inc:0bde2c4645294245aca522971ccc44c4:1a1eb17d1f9e4d82a9e8ba73d1095593 ind:0bde2c4645294245aca522971ccc44c4:162596456872-10303-6710016 ldt:0bde2c4645294245aca522971ccc44c4:38657629548 inc:0bde2c4645294245aca522971ccc44c4:1a1eb17d1f9e4d82a9e8ba73d1095593 ind:0bde2c4645294245aca522971ccc44c4:162597577534-10305-6712576 ldt:0bde2c4645294245aca522971ccc44c4:38658614774 inc:0bde2c4645294245aca522971ccc44c4:1a1eb17d1f9e4d82a9e8ba73d1095593 ind:0bde2c4645294245aca522971ccc44c4:162589633341-10303-6705920 ldt:0bde2c4645294245aca522971ccc44c4:38655034604 inc:0bde2c4645294245aca522971ccc44c4:1a1eb17d1f9e4d82a9e8ba73d1095593
#
17. cs-falcon-update-incident-commentUpdates CrowdStrike Incident with the comment.
#
Base Commandcs-falcon-update-incident-comment
#
InputArgument Name | Description | Required |
---|---|---|
ids | A comma-separated list of incident IDs. | Required |
comment | A comment added to the CrowdStrike incident. | Required |
#
Context Output#
Command Examplecs-falcon-update-incident-comment ids=284771ee197e422d5176d6634a62b934 comment="Some comment"
#
Spotlight#
Using Spotlight APIsSpotlight identifies and gives info about specific vulnerabilities on your hosts using the Falcon sensor.
#
Required API client scopeTo access the Spotlight API, your API client must be assigned the spotlight-vulnerabilities:read scope.
#
Validating API dataThe Falcon sensor continuously monitors hosts for any changes and reports them as they occur. Depending on the timing of requests, Spotlight APIs can return values that are different from those shown by the Falcon console or an external source. There are other factors that can cause differences between API responses and other data sources.
#
API query syntaxIf an API query doesn’t exactly match the query used on the Spotlight Vulnerabilities page, the values might differ.
#
Expired vulnerabilities in Spotlight APIsIf a host is deleted or inactive for 45 days, the status of vulnerabilities on that host changes to expired. Expired vulnerabilities are removed from Spotlight after 3 days. Expired vulnerabilities are only visible in API responses and are not included in reports or the Falcon console. An external data source might not use the same data retention policy, which can lead to discrepancies with Spotlight APIs. For more info, see Data retention in Spotlight [https://falcon.crowdstrike.com/login/?next=%2Fdocumentation%2F43%2Ffalcon-spotlight-overview#data-retention-in-spotlight].
#
The following commands uses the Spotlight API:#
cs-falcon-spotlight-search-vulnerabilityRetrieve vulnerability details according to the selected filter. Each request requires at least one filter parameter. Supported with the CrowdStrike Spotlight license.
#
Base Commandcs-falcon-spotlight-search-vulnerability
#
InputArgument Name | Description | Required |
---|---|---|
filter | Limit the vulnerabilities returned to specific properties. Each value must be enclosed in single quotes and placed immediately after the colon with no space. | Optional |
aid | Unique agent identifier (AID) of a sensor | Optional |
cve_id | Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation | Optional |
cve_severity | Severity of the CVE. The possible values are: CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN, or NONE. | Optional |
tags | Name of a tag assigned to a host. Retrieve tags from Host Tags APIs | Optional |
status | Status of a vulnerability. This filter supports multiple values and negation. The possible values are: open, closed, reopen, expired. | Optional |
platform_name | Operating system platform. This filter supports negation. The possible values are: Windows, Mac, Linux. | Optional |
host_group | Unique system-assigned ID of a host group. Retrieve the host group ID from Host Group APIs | Optional |
host_type | Type of host a sensor is running on | Optional |
last_seen_within | Filter for vulnerabilities based on the number of days since a host last connected to CrowdStrike Falcon | Optional |
is_suppressed | Indicates if the vulnerability is suppressed by a suppression rule | Optional |
display_remediation_info | Display remediation information type of data to be returned for each vulnerability entity | Optional |
display_evaluation_logic_info | Whether to return logic information type of data for each vulnerability entity | Optional |
display_host_info | Whether to return host information type of data for each vulnerability entity | Optional |
limit | Maximum number of items to return (1-5000) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.Vulnerability.id | String | Unique system-assigned ID of the vulnerability. |
CrowdStrike.Vulnerability.cid | String | Unique system-generated customer identifier (CID) of the account |
CrowdStrike.Vulnerability.aid | String | Unique agent identifier (AID) of the sensor where the vulnerability was found |
CrowdStrike.Vulnerability.created_timestamp | String | UTC date and time that the vulnerability was created in Spotlight |
CrowdStrike.Vulnerability.updated_timestamp | String | UTC date and time of the last update made on the vulnerability |
CrowdStrike.Vulnerability.status | String | Vulnerability's current status. Possible values are: open, closed, reopen, or expired |
CrowdStrike.Vulnerability.apps.product_name_version | String | Name and version of the product associated with the vulnerability |
CrowdStrike.Vulnerability.apps.sub_status | String | Status of each product associated with the vulnerability. Possible values are: open, closed, or reopen |
CrowdStrike.Vulnerability.apps.remediation.ids | String | Remediation ID of each product associated with the vulnerability |
CrowdStrike.Vulnerability.host_info.hostname | String | Name of the machine |
CrowdStrike.Vulnerability.host_info.instance_id | String | Cloud instance ID of the host |
CrowdStrike.Vulnerability.host_info.service_provider_account_id | String | Cloud service provider account ID for the host |
CrowdStrike.Vulnerability.host_info.service_provider | String | Cloud service provider for the host |
CrowdStrike.Vulnerability.host_info.os_build | String | Operating system build |
CrowdStrike.Vulnerability.host_info.product_type_desc | String | Type of host a sensor is running on |
CrowdStrike.Vulnerability.host_info.local_ip | String | Device's local IP address |
CrowdStrike.Vulnerability.host_info.machine_domain | String | Active Directory domain name |
CrowdStrike.Vulnerability.host_info.os_version | String | Operating system version |
CrowdStrike.Vulnerability.host_info.ou | String | Active directory organizational unit name |
CrowdStrike.Vulnerability.host_info.site_name | String | Active directory site name |
CrowdStrike.Vulnerability.host_info.system_manufacturer | String | Name of the system manufacturer |
CrowdStrike.Vulnerability.host_info.groups.id | String | Array of host group IDs that the host is assigned to |
CrowdStrike.Vulnerability.host_info.groups.name | String | Array of host group names that the host is assigned to |
CrowdStrike.Vulnerability.host_info.tags | String | Name of a tag assigned to a host |
CrowdStrike.Vulnerability.host_info.platform | String | Operating system platform |
CrowdStrike.Vulnerability.remediation.entities.id | String | Unique ID of the remediation |
CrowdStrike.Vulnerability.remediation.entities.reference | String | Relevant reference for the remediation that can be used to get additional details for the remediation |
CrowdStrike.Vulnerability.remediation.entities.title | String | Short description of the remediation |
CrowdStrike.Vulnerability.remediation.entities.action | String | Expanded description of the remediation |
CrowdStrike.Vulnerability.remediation.entities.link | String | Link to the remediation page for the vendor |
CrowdStrike.Vulnerability.cve.id | String | Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD) |
CrowdStrike.Vulnerability.cve.base_score | String | Base score of the CVE (float value between 1 and 10) |
CrowdStrike.Vulnerability.cve.severity | String | CVSS severity rating of the vulnerability |
CrowdStrike.Vulnerability.cve.exploit_status | String | Numeric value of the most severe known exploit |
CrowdStrike.Vulnerability.cve.exprt_rating | String | ExPRT rating assigned by CrowdStrike's predictive AI rating system |
CrowdStrike.Vulnerability.cve.description | String | Brief explanation of the CVE |
CrowdStrike.Vulnerability.cve.published_date | String | UTC timestamp with the date and time the vendor published the CVE |
CrowdStrike.Vulnerability.cve.vendor_advisory | String | Link to the vendor page where the CVE was disclosed |
CrowdStrike.Vulnerability.cve.exploitability_score | String | Exploitability score of the CVE (float values from 1-4) |
CrowdStrike.Vulnerability.cve.impact_score | String | Impact score of the CVE (float values from 1-6) |
CrowdStrike.Vulnerability.cve.vector | String | Textual representation of the metric values used to score the vulnerability |
CrowdStrike.Vulnerability.cve.remediation_level | String | CVSS remediation level of the vulnerability (U = Unavailable, or O = Official fix) |
CrowdStrike.Vulnerability.cve.cisa_info.is_cisa_kev | String | Whether to filter for vulnerabilities that are in the CISA Known Exploited Vulnerabilities (KEV) catalog |
CrowdStrike.Vulnerability.cve.cisa_info.due_date | String | Date before which CISA mandates subject organizations to patch the vulnerability |
CrowdStrike.Vulnerability.cve.spotlight_published_date | String | UTC timestamp with the date and time Spotlight enabled coverage for the vulnerability |
CrowdStrike.Vulnerability.cve.actors | String | Adversaries associated with the vulnerability |
CrowdStrike.Vulnerability.cve.name | String | The vulnerability name |
#
Command examplecs-falcon-spotlight-search-vulnerability filter=status:['open','closed'] cve_id=CVE-2021-2222 cve_severity='LOW,HIGH' display_host_info=false display_evaluation_logic_info=false display_remediation_info=false limit=1
#
Context ExampleCVE ID | CVE Severity | CVE Base Score | CVE Published Date | CVE Impact Score | CVE Exploitability Score | CVE Vector |
---|---|---|---|---|---|---|
CVE-2021-2222 | LOW | 5.5 | 2021-05-10T17:08:00Z | 3.6 | 0 | vendor |
#
cs-falcon-spotlight-list-host-by-vulnerabilityRetrieve vulnerability details for a specific ID and host. Supported with the CrowdStrike Spotlight license.
#
Base Commandcs-falcon-spotlight-list-host-by-vulnerability
#
InputArgument Name | Description | Required |
---|---|---|
cve_ids | Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation | Required |
limit | Maximum number of items to return (1-5000) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CrowdStrike.VulnerabilityHost.id | String | Unique system-assigned ID of the vulnerability. |
CrowdStrike.VulnerabilityHost.cid | String | Unique system-generated customer identifier (CID) of the account |
CrowdStrike.VulnerabilityHost.aid | String | Unique agent identifier (AID) of the sensor where the vulnerability was found |
CrowdStrike.VulnerabilityHost.created_timestamp | String | UTC date and time that the vulnerability was created in Spotlight |
CrowdStrike.VulnerabilityHost.updated_timestamp | String | UTC date and time of the last update made on the vulnerability |
CrowdStrike.VulnerabilityHost.status | String | Vulnerability's current status. Possible values are: open, closed, reopen, or expired. |
CrowdStrike.VulnerabilityHost.apps.product_name_version | String | Name and version of the product associated with the vulnerability |
CrowdStrike.VulnerabilityHost.apps.sub_status | String | Status of each product associated with the vulnerability |
CrowdStrike.VulnerabilityHost.apps.remediation.ids | String | Remediation ID of each product associated with the vulnerability |
CrowdStrike.VulnerabilityHost.apps.evaluation_logic.id | String | Unique system-assigned ID of the vulnerability evaluation logic |
CrowdStrike.VulnerabilityHost.suppression_info.is_suppressed | String | Indicates if the vulnerability is suppressed by a suppression rule |
CrowdStrike.VulnerabilityHost.host_info.hostname | String | Name of the machine |
CrowdStrike.VulnerabilityHost.host_info.instance_id | String | Cloud service provider account ID for the host |
CrowdStrike.VulnerabilityHost.host_info.service_provider_account_id | String | Cloud service provider for the host |
CrowdStrike.VulnerabilityHost.host_info.service_provider | String | Operating system build |
CrowdStrike.VulnerabilityHost.host_info.os_build | String | Operating system build |
CrowdStrike.VulnerabilityHost.host_info.product_type_desc | String | Type of host a sensor is running on |
CrowdStrike.VulnerabilityHost.host_info.local_ip | String | Device's local IP address |
CrowdStrike.VulnerabilityHost.host_info.machine_domain | String | Active Directory domain name |
CrowdStrike.VulnerabilityHost.host_info.os_version | String | Operating system version |
CrowdStrike.VulnerabilityHost.host_info.ou | String | Active directory organizational unit name |
CrowdStrike.VulnerabilityHost.host_info.site_name | String | Active directory site name |
CrowdStrike.VulnerabilityHost.host_info.system_manufacturer | String | Name of the system manufacturer |
CrowdStrike.VulnerabilityHost.host_info.groups.id | String | Array of host group IDs that the host is assigned to |
CrowdStrike.VulnerabilityHost.host_info.groups.name | String | Array of host group names that the host is assigned to |
CrowdStrike.VulnerabilityHost.host_info.tags | String | Name of a tag assigned to a host |
CrowdStrike.VulnerabilityHost.host_info.platform | String | Operating system platform |
CrowdStrike.VulnerabilityHost.cve.id | String | Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD) |
#
Command examplecs-falcon-spotlight-list-host-by-vulnerability cve_ids=CVE-2021-2222
#
Context Example#
Human Readable OutputCVE ID | Host Info hostname | Host Info os Version | Host Info Product Type Desc | Host Info Local IP | Host Info ou | Host Info Machine Domain | Host Info Site Name | CVE Exploitability Score | CVE Vector |
---|---|---|---|---|---|---|---|---|---|
CVE-20212-2222 | host | 1 | Server | ip | site | 5.5 |
#
cveRetrieve vulnerability details according to the selected filter. Each request requires at least one filter parameter. Supported with the CrowdStrike Spotlight license.
#
Base Commandcve
#
InputArgument Name | Description | Required |
---|---|---|
cve_id | Unique identifier for a vulnerability as cataloged in the National Vulnerability Database (NVD). This filter supports multiple values and negation | Required |
#
Command examplecve cve_id=CVE-2021-2222
#
Human Readable OutputID | Severity | Published Date | Base Score |
---|---|---|---|
CVE-2021-2222 | HIGH | 2021-09-16T15:12:42Z | 1 |