Skip to main content

CrowdStrike Falcon - Search Endpoints By Hash

This Playbook is part of the CrowdStrike Falcon Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to This playbook searches across the organization for other endpoints associated with a specific SHA256/MD5/SHA1 hash.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.






  • cs-falcon-device-count-ioc
  • cs-falcon-device-ran-on
  • endpoint

Playbook Inputs#

NameDescriptionDefault ValueRequired
FileSha256The SHA256 file hash to search for.Optional
HostIdThe ID of the host that originated the detection.Optional
SHA1The SHA1 file hash to search for.Optional
MD5The MD5 file hash to search for.Optional

Playbook Outputs#

EndpointAdditional hosts that have the hash present.string
CrowdStrike.IOC.DeviceCountThe number of devices the IOC ran on.number
Endpoint.HostnameThe endpoint's hostname.unknown
CrowdStrike.IOC.TypeThe type of the IOC.unknown
Endpoint.IPAddressThe endpoint's IP address.unknown
CrowdStrike.IOC.ValueThe string representation of the indicator.unknown
Endpoint.OSThe endpoint operation system.unknown
Endpoint.StatusThe endpoint status.unknown
Endpoint.IsIsolatedThe endpoint isolation status.unknown
CrowdStrike.DeviceIDDevice IDs an indicator ran on.unknown

Playbook Image#

CrowdStrike Falcon - Search Endpoints By Hash