Fortinet black logo

CrowdStrike Falcon

CrowdStrike Falcon v2.0.0

Copy Link
Copy Doc ID a76ef34d-edbd-11ea-96b9-00505692583a:57

About the connector

The CrowdStrike Falcon® platform is pioneering cloud-delivered endpoint protection. It both delivers and unifies IT Hygiene, next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence — all delivered via a single lightweight agent.

This document provides information about the CrowdStrike Falcon connector, which facilitates automated interactions with CrowdStrike Falcon using FortiSOAR™ playbooks. Add the CrowdStrike Falcon connector as a step in FortiSOAR™ playbooks and perform automated investigative operations on endpoints and manage IOC for CrowdStrike Falcon, operations include creating an IOC on CrowdStrike Falcon and hunting a file or domain on CrowdStrike Falcon using a specified filehash or a specific domain.

Version information

Connector Version: 2.0.0

FortiSOAR™ Versions Tested on: 6.4.1-2133

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the CrowdStrike Falcon connector in version 2.0.0:

  • Added support for OAuth2-based authentication.
  • Added support for executing actions in a segmented network environment using FortiSOAR™ (FSR) Agents.
  • Changed the configuration parameters.
  • Added the following operations and playbooks:
    • Contain the Host
    • Remove Containment
  • Added the following run-time operations and playbooks:
    • Run Admin Command
    • Get Admin Command Result
    • Download Session File List
    • Download Session File
    • Get Scripts List
    • Get Scripts Details by IDs
    • Get Executables Details by IDs
  • Added the following incident-related operations and playbooks:
    • Search Incidents
    • Get Incident Details
    • Get Incidents Crowdstrike Score

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-crowd-strike-falcon

Prerequisites to configuring the connector

  • You must have the URL of a CrowdStrike Falcon server to which you will connect and perform automated operations and the credentials (username and API Key pair) to access that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the CrowdStrike Falcon connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL URL of the CrowdStrike Falcon server to which you will connect and perform the automated operations.
Client ID Client ID used to access the CrowdStrike Falcon APIs and perform automated operations.
Client Secret Client Secret used to access the CrowdStrike Falcon APIs and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Create IOC Creates an indicator on CrowdStrike Falcon based on the IOC type and value, policy, and other input parameters you have specified. create_ioc
Investigation
Get IOCs Retrieves a list of all IOCs or specific IOCs based on the input parameters you have specified from CrowdStrike Falcon get_iocs
Investigation
Get IOC Details Retrieves details of a specific IOC from CrowdStrike Falcon, based on the IOC type and value you have specified. get_ioc
Investigation
Update IOC Updates an indicator on CrowdStrike Falcon, based on the IOC type and value and other input parameters you have specified. update_ioc
Investigation
Delete IOC Deletes an indicator on CrowdStrike Falcon, based on the IOC type and value you have specified. delete_ioc
Remediation
Hunt File Hunts a file on CrowdStrike Falcon using the filehash type and value you have specified. hunt_file
Investigation
Hunt Domain Hunts a domain on CrowdStrike Falcon using the domain value you have specified. This operation retrieves a list of device IDs from CrowdStrike Falcon on which the domain was observed. hunt_domain
Investigation
Get Processes Related to IOC Retrieves a list of processes from CrowdStrike Falcon which are associated with the specified IOC on a given device based on the IOC type and value, device ID, and other input parameters you have specified. get_processes
Investigation
Get Process Details Retrieves details of a specific process from CrowdStrike Falcon, based on the process ID you have specified. search_process
Investigation
Get Device Details Retrieves details of a specific device from CrowdStrike Falcon, based on the device ID you have specified. search_endpoint
Investigation
Get Endpoint List Retrieves a list of all the all endpoints or specific endpoints based on the input parameters you have specified configured on a device on CrowdStrike Falcon. get_endpoints
Investigation
Get Detection Details Retrieves details of a specific detection from CrowdStrike Falcon, based on the detection IDs you have specified. get_detection
Investigation
Contain the Host Prevents a potentially compromised host from communicating across the network that contains the host based on the device IDs you have specified. list_endpoint
Investigation
Remove Containment Removes the containment on a host that has been contained and returns its network communications to normal based on the device IDs you have specified. list_endpoint
Investigation
Detection Search Retrieves a list of all detection IDs or specific detection IDs based on the input parameters you have specified configured on a device on CrowdStrike Falcon. get_detection
Investigation
Detection Aggregates Retrieves a count of detections by a query from CrowdStrike Falcon based on the aggregate query name and type, the field used to compute the aggregation and other input parameters you have specified. detection_aggregates
Investigation
Set Detection State Sets the state of specific detections on CrowdStrike Falcon, based on the detection IDs you have specified. set_state
Investigation
Search Incidents Searches for incidents in CrowdStrike Falcon based on the FQL filter, sorting, and pagination details you have specified. incidents_query
Investigation
Get Incident Details Retrieves details for incidents from CrowdStrike Falcon based on the incident IDs you have specified. incidents_get_details
Investigation
Get Incidents Crowdstrike Score Returns entity (incident) data by querying the complete CrowdStrike Score environment based on the timestamp and CrowdStrike you have specified. get_crowdstrikescore_incident
Investigation
Run Admin Command Executes admin commands on a specific device in CrowdStrike Falcon based on the device ID, commands, and optionally command parameters you have specified. run_cmd
Investigation
Get Admin Command Result Retrieves the result of the status of the admin command executed on a specific device from CrowdStrike Falcon Real-Time Response (RTR) based on the cloud request ID and sequence ID you have specified. get_result
Investigation
Download Session File List Retrieves the list of the session files available for the download using CrowdStrike Falcon RTR based on the device ID you have specified. list_files
Investigation
Download Session File Downloads a specific session file using CrowdStrike Falcon RTR based on the device ID, the file's SHA256 values, and other input parameters you have specified. download_file
Investigation
Get Scripts List Retrieves a list of PowerShell scripts available for the "runscript" command from CrowdStrike Falcon. These scripts can then be run on devices using CrowdStrike Falcon RTR. list_files
Investigation
Get Scripts Details by IDs Retrieves the PowerShell scripts available for the "runscript" command from CrowdStrike Falcon based on the script ID you have specified. These scripts can then be run on devices using CrowdStrike Falcon RTR. get_file
Investigation
Get Executable List Retrieves a list of Executable available for the "runscript" command from CrowdStrike Falcon. These executables can then be run on devices using CrowdStrike Falcon RTR. list_executable
Investigation
Get Executables Details by IDs Retrieves the executables available for the "runscript" command from CrowdStrike Falcon based on the executable file ID you have specified. These executables can then be run on devices using CrowdStrike Falcon RTR. get_file
Investigation

operation: Create IOC

Input parameters

Parameter Description
IOC Type Type of indicator that you want to create on CrowdStrike Falcon.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value String representation of the indicator that you want to create on CrowdStrike Falcon.
The value that you specify will be based on the IOC Type you have chosen.
Policy Policy that should be enacted when the IOC value is detected on a host.
Following is the list of policies:
  • detect: Sends a notification when the particular indicator has been detected on a host.
  • none: Take no action when the particular indicator has been detected on a host. This is equivalent to turning the indicator off.
Indicator Share Level (Optional) Level the indicator will be shared.
Currently, only the red share level (i.e., the indicator is not shared) is supported, which signifies that the IOC is not shared with other FH customers.
Time To Live (Optional) Days until when the indicator remains valid.
Note: This parameter only applies to Domain, IPv4, and IPv6 IOC types.
Indicator Source (Optional) Source of origination of the indicator that you want to create on CrowdStrike Falcon. This can be used for tracking where this indicator was defined.
Note: The indicator source is limited to 200 characters.
Indicator Description (Optional) Description of the indicator that you want to create on CrowdStrike Falcon.
Note: The description is limited to 200 characters.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

operation: Get IOCs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
IOC Type List containing the types of indicators whose IOC list you want to retrieve from CrowdStrike Falcon. You can select multiple indicator types.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value List of indicator values based on the types that you have selected in the IOC Type field whose IOC list you want to retrieve from CrowdStrike Falcon.
Policy List of indicator policies whose associated IOCs you want to retrieve from CrowdStrike Falcon.
Indicator Share Level (Optional) Level the indicator will be shared.
Currently, only red share level (i.e., the indicator is not shared) is supported, which signifies that the IOC is not shared with other FH customers.
Indicator Source (Optional) List of IOC sources you want to retrieve from CrowdStrike Falcon.
Note: The indicator source is limited to 200 characters.
Earliest Expiration Date (Optional) RFC3339 DateTime that represents the starting date range to search for IOCs on CrowdStrike Falcon by their expiration timestamp.
Latest Expiration Date (Optional) RFC3339 DateTime that represents the ending date range to search for IOCs on CrowdStrike Falcon by their expiration timestamp.
Record Count (Optional) Number of items to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.
Offset (Optional) Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.
For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list.

Output

The output contains the following populated JSON schema:
{
"iocs_found": ""
}

operation: Get IOC Details

Input parameters

Parameter Description
IOC Type Type of the indicator whose details you want to retrieve from CrowdStrike Falcon.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value String representation of the indicator whose details you want to retrieve from CrowdStrike Falcon.
The value that you specify will be based on the IOC Type you have chosen.

Output

The output contains the following populated JSON schema:
{
"ioc_details": {
"errors": [],
"meta": {
"query_time": "",
"trace_id": ""
},
"resources": [
{
"source": "",
"created_by": "",
"share_level": "",
"policy": "",
"expiration_timestamp": "",
"description": "",
"modified_timestamp": "",
"value": "",
"created_timestamp": "",
"modified_by": "",
"type": ""
}
]
}
}

operation: Update IOC

Input parameters

Parameter Description
IOC Type Type of indicator that you want to update on CrowdStrike Falcon.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value String representation of the indicator that you want to update on CrowdStrike Falcon.
The value that you specify will be based on the IOC Type you have chosen.
Policy (Optional) Policy that should be enacted when the IOC value is detected on a host.
Following is the list of policies:
  • detect: Sends a notification when the particular indicator has been detected on a host.
  • none: Take no action when the particular indicator has been detected on a host. This is equivalent to turning the indicator off.
Indicator Share Level (Optional) Level the indicator will be shared.
Currently, only the red share level (i.e., the indicator is not shared) is supported, which signifies that the IOC is not shared with other FH customers.
Time To Live (Optional) Days until when the indicator remains valid.
Note: This parameter only applies to Domain, IPv4, and IPv6 IOC types.
Indicator Source (Optional) Source of origination of the indicator that you want to update on CrowdStrike Falcon. This can be used for tracking where this indicator was defined.
Note: The indicator source is limited to 200 characters.
Indicator Description (Optional) Description of the indicator that you want to update on CrowdStrike Falcon.
Note: The description is limited to 200 characters.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

operation: Delete IOC

Input parameters

Parameter Description
IOC Type Type of indicator that you want to delete from CrowdStrike Falcon.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value String representation of the indicator that you want to delete from CrowdStrike Falcon.
The value that you specify will be based on the IOC Type you have chosen.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

operation: Hunt File

Input parameters

Parameter Description
Filehash Type Type of the filehash that you want to hunt for on CrowdStrike Falcon.
Filehash Value Value of the filehash that you want to hunt for on CrowdStrike Falcon.
Get Device Count Only If you select this parameter, i.e., set it to True, then the response will contain only the number of devices found for that Filehash and value on CrowdStrike Falcon. For example, "device_count": 13
If you clear this parameter, i.e., set it to False, then the response contains the list of device IDs found for that Filehash and value. For example, "resources": [ "1081290fbf104a1465cc0c91ca4ebe36", "739e412d9ff341a549a75e5c8107b0f3"])
By default, this parameter is cleared, i.e., set as False.

Output

The output contains the following populated JSON schema:
{
"device_count": ""
}

operation: Hunt Domain

Input parameters

Parameter Description
Domain Value of the domain that you want to hunt for on CrowdStrike Falcon.
Get Device Count Only If you select this parameter, i.e., set it to True, then the response will contain only the number of devices found for that domain on CrowdStrike Falcon.
If you clear this parameter, i.e., set it to False, then the response contains the list of device IDs found for that domain on CrowdStrike Falcon.
By default, this parameter is cleared, i.e., set as False.

Output

The output contains the following populated JSON schema:
{
"device_count": ""
}

operation: Get Processes Related to IOC

Input parameters

Parameter Description
IOC Type Type of indicator whose associated processes you want to retrieve from CrowdStrike Falcon.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value String representation of the indicator whose associated processes you want to retrieve from CrowdStrike Falcon.
The value that you specify will be based on the IOC Type you have chosen.
Device ID ID of the device against which you want to check for IOCs and associated processes on CrowdStrike Falcon.
Record Count (Optional) Number of items to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.
Offset (Optional) Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.

Output

The output contains the following populated JSON schema:
{
"process_ids": [],
"process_count": ""
}

operation: Get Process Details

Input parameters

Parameter Description
Process ID ID of the process whose details you want to retrieve from CrowdStrike Falcon.
This parameter allows you to send multiple IDs to the endpoint to allow for more efficient multi-get type operations.

Output

The output contains the following populated JSON schema:
{
"process_details": {
"meta": {
"query_time": "",
"trace_id": ""
},
"errors": [],
"resources": [
{
"device_id": "",
"stop_timestamp": "",
"process_id_local": "",
"file_name": "",
"process_id": "",
"start_timestamp_raw": "",
"command_line": "",
"start_timestamp": "",
"stop_timestamp_raw": ""
}
]
}
}

operation: Get Device Details

Input parameters

Parameter Description
Device ID ID of the device whose details you want to retrieve from CrowdStrike Falcon.

Output

The output contains the following populated JSON schema:
{
"system_info": {
"meta": {
"powered_by": "",
"trace_id": "",
"query_time": ""
},
"errors": [],
"resources": [
{
"device_id": "",
"config_id_build": "",
"minor_version": "",
"agent_load_flags": "",
"first_seen": "",
"major_version": "",
"policies": [
{
"assigned_date": "",
"policy_type": "",
"settings_hash": "",
"policy_id": "",
"applied": "",
"applied_date": ""
}
],
"modified_timestamp": "",
"system_manufacturer": "",
"config_id_base": "",
"cid": "",
"agent_version": "",
"mac_address": "",
"bios_manufacturer": "",
"machine_domain": "",
"last_seen": "",
"product_type_desc": "",
"platform_name": "",
"product_type": "",
"agent_local_time": "",
"platform_id": "",
"device_policies": {
"sensor_update": {
"assigned_date": "",
"policy_type": "",
"settings_hash": "",
"policy_id": "",
"applied": "",
"applied_date": ""
},
"prevention": {
"assigned_date": "",
"policy_type": "",
"settings_hash": "",
"policy_id": "",
"applied": "",
"applied_date": ""
}
},
"system_product_name": "",
"config_id_platform": "",
"os_version": "",
"bios_version": "",
"external_ip": "",
"site_name": "",
"hostname": "",
"local_ip": "",
"status": "",
"meta": {
"version": ""
}
}
]
}
}

operation: Get Endpoint List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Query String Filter conditions based on which you want to filter the list of endpoints retrieved from CrowdStrike Falcon.
All parameters listed under Detection Search API > Parameters can be used as filters.
Offset Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.
Record Count Number of items to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.

Output

The output contains the following populated JSON schema:
{
"list_of_endpoints": [],
"endpoint_count": ""
}

operation: Contain the Host

Input parameters

Parameter Description
Device ID Comma-separated device IDs that need to be quarantined from the network, i.e., the devices will now not be able to communicate across the network.

Output

The output contains the following populated JSON schema:
{
"resources": [
{
"path": "",
"id": ""
}
],
"errors": [],
"meta": {
"trace_id": "",
"query_time": "",
"powered_by": ""
}
}

operation: Remove Containment

Input parameters

Parameter Description
Device ID Comma-separated device IDs that need to be un-quarantined from the network, i.e., the devices will now be able to communicate across the network.

Output

The output contains the following populated JSON schema:
{
"resources": [
{
"path": "",
"id": ""
}
],
"errors": [],
"meta": {
"trace_id": "",
"query_time": "",
"powered_by": ""
}
}

operation: Get Detection Details

Input parameters

Parameter Description
Detection ID Comma-separated detection IDs or list of detection IDs whose details you want to retrieve from CrowdStrike Falcon.

Output

The output contains the following populated JSON schema:
{
"errors": [],
"meta": {
"powered_by": "",
"query_time": "",
"trace_id": ""
},
"resources": []
}

operation: Detection Search

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Severity Name used in the UI to determine the severity of the detection that you want to search on CrowdStrike Falcon. You can select multiple options.
Valid values include: Critical, High, Medium, Low, and Informational.
Tactic Tactic for detection filtration on CrowdStrike Falcon.
Technique Technique for detection filtration on CrowdStrike Falcon.
Time Time, based on which you want to search for detections on CrowdStrike Falcon.
You can choose from the following values: Last Hour, Last Day, Last Week, Last 30 days, and Last 90 days.
Status Current status of the detection that you want to search on CrowdStrike Falcon. You can select multiple options.
Valid values include: New, In Progress, True Positive, False Positive, and Ignored.
Detection ID ID of the detection that you want to search on CrowdStrike Falcon.
This ID can be used in conjunction with other APIs, such as the Detection Details API, or the Resolve Detection API.
Confidence When a detection has more than one associated behavior with varying confidence levels, this field captures the highest confidence value of all behaviors.
You can specify any integer between 1-100 in this parameter.
Sort By Sorts detection records by any of the following values: Date Updated, Last Behaviour Descending, and Last Behaviour Ascending.
Triggering File Name of the file that has triggered the process.
Assigned to Human-readable name of the user to whom the detection is currently assigned.
General Search Full-text search for detections across all metadata fields on CrowdStrike Falcon.
Query String Filter conditions based on which you want to filter the list of detections retrieved from CrowdStrike Falcon.
All parameters listed under Detection Search API > Parameters can be used as filters.
Record Count Number of term buckets to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.
Offset (Optional) Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.

Output

The output contains the following populated JSON schema:
{
"errors": [],
"meta": {
"pagination": {
"total": "",
"limit": "",
"offset": ""
},
"powered_by": "",
"query_time": "",
"trace_id": ""
},
"resources": []
}

operation: Detection Aggregates

Input parameters

Parameter Description
Name Name of the aggregate query, as specified by the user.
The name parameter is used to identify the results returned to you.
Aggregate Type Type of aggregation whose count you want to retrieve from CrowdStrike Falcon.
Valid values include: Date Histogram, Date Range, Terms, Cardinality, Max, and Min.
Field Field on which you want to compute the aggregation of detections.
All parameters listed under Detection Search API > Parameters can be used as fields for computing aggregations.
Time Interval Time interval for date histogram aggregations.
Valid values include: Year, Month, Week, Day, Hour, and Minute.
Query Filter String Filter conditions based on which you want to filter the list of detections retrieved from CrowdStrike Falcon.
All parameters listed under Detection Search API > Parameters can be used as filters.
General Search Full-text search for detections across all metadata fields on CrowdStrike Falcon.
Ranges Applies to range aggregations. Ranges values that you can specify will depend on the field that you have specified.
For example, if max_severity is used, ranges can look like [{"From": 0,"To": 70},{"From": 70,"To": 100}]
Date Ranges Applies to date_range aggregations.
For example, [{"from": "2016-05-28T09:00:31Z","to": "2016-05- 30T09:00:31Z"},{"from": "2016-06-01T09:00:31Z","to": "2016-06-10T09:00:31Z"}]
Missing Missing is the value to be used when the aggregation field is missing from the object/document. In other words, the missing parameter defines how documents that are missing the value should be treated.
By default, they will be ignored, but it is also possible to treat them as if they had a value.
Min Doc Count Only return term buckets if values are greater than or equal to the value that you have specified in this parameter.
Record Count Number of term buckets to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.
Sort By Sort detection aggregations based on the value specified in this parameter.
Sub Aggregates Nested aggregation. You can specify a maximum of 3 nested aggregations per request.
For example, "sub_aggregates" :[{"name": "max_first_behavior","type": "max","field": "first_behavior"}]"

Output

The output contains the following populated JSON schema:
{
"errors": [],
"meta": {
"powered_by": "",
"query_time": "",
"trace_id": ""
},
"resources": []
}

operation: Set Detection State

Input parameters

Parameter Description
Detection ID IDs of the detections whose state you want to set on CrowdStrike Falcon.:
Note: v2 of the CrowdStrike API, the CrowdStrike detection IDs are in the following format: ldt:[first field]:[second field] e.g. ldt:cf54bb61f92e4d3e75bf4f7c11fc8f74:4295536142
State Status to which you want to transition the specific detections.
Valid values include: New, In Progress, True Positive, False Positive, and Ignored.

Output

The output contains the following populated JSON schema:
{
"result": {
"meta": {
"writes": {
"resources_affected": ""
},
"query_time": "",
"trace_id": ""
}
},
"status": ""
}

operation: Search Incidents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Query String Filter conditions based on which you want to filter the list of incidents retrieved from CrowdStrike Falcon.
Sort By Sort query that is used to perform the sorting operation over the result. In the sort query, specify the property to sort the results, followed by a dot (.), and then followed by the sort direction, either "asc" or "desc".
Record Count Number of items to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.
Offset Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list.

Output

The output contains a non-dictionary value.

operation: Get Incident Details

Input parameters

Parameter Description
Incident IDs Comma-separated incident IDs or a list of incident IDs whose details you want to retrieve from CrowdStrike Falcon.

Output

The output contains the following populated JSON schema:
{
"resources": [
{
"visibility": "",
"assigned_to_name": "",
"cid": "",
"techniques": [],
"modified_timestamp": "",
"name": "",
"events_histogram": [
{
"timestamp_max": "",
"has_prevented": "",
"has_overwatch": "",
"has_detect": "",
"timestamp_min": "",
"count": ""
}
],
"objectives": [],
"assigned_to": "",
"incident_type": "",
"created": "",
"fine_score": "",
"status": "",
"description": "",
"tactics": [],
"start": "",
"lm_host_ids": [],
"incident_id": "",
"users": [],
"end": "",
"tags": [],
"hosts": [
{
"release_group": "",
"site_name": "",
"config_id_platform": "",
"bios_version": "",
"cid": "",
"external_ip": "",
"last_login_user": "",
"bios_manufacturer": "",
"product_type_desc": "",
"last_login_timestamp": "",
"modified_timestamp": "",
"product_type": "",
"status": "",
"groups": [],
"last_seen": "",
"agent_version": "",
"device_id": "",
"config_id_base": "",
"ou": [],
"local_ip": "",
"first_login_timestamp": "",
"agent_load_flags": "",
"minor_version": "",
"platform_name": "",
"machine_domain": "",
"mac_address": "",
"system_product_name": "",
"notes": [],
"config_id_build": "",
"agent_local_time": "",
"os_version": "",
"platform_id": "",
"hostname": "",
"system_manufacturer": "",
"first_login_user": "",
"first_seen": "",
"major_version": "",
"tags": []
}
],
"host_ids": [],
"state": "",
"lm_hosts_capped": ""
}
],
"errors": [
{
"code": "",
"id": "",
"message": ""
}
],
"meta": {
"trace_id": "",
"writes": {
"resources_affected": ""
},
"pagination": {
"total": "",
"offset": "",
"limit": ""
},
"query_time": "",
"powered_by": ""
}
}

operation: Get Incidents Crowdstrike Score

Input parameters

Parameter Description
Timestamp Time at which the CrowdStrike score was calculated based on which you want to retrieve information about the incidents.
CrowdStrike Score Value of the CrowdStrike Score based on which you want to retrieve information about the incidents.

Output

The output contains a non-dictionary value.

operation: Run Admin Command

Input parameters

Parameter Description
Device ID ID of the device on which you want to execute the specified admin command using CrowdStrike Falcon Real-Time Response (RTR).
Command Valid commands that you want to execute on the specified device.
Command Argument Command arguments that can be added to the specified commands as additional parameters.

Output

The output contains a non-dictionary value.

operation: Get Admin Command Result

Input parameters

Parameter Description
Cloud Request ID ID of the request that is returned when you run the admin command on a specific device.
Sequence ID ID of the sequence returned in the result content.

Output

The output contains a non-dictionary value.

operation: Download Session File List

Input parameters

Parameter Description
Device ID ID of the device whose associated session file list you want to download using CrowdStrike Falcon RTR.

Output

The output contains a non-dictionary value.

operation: Download Session File

Input parameters

Parameter Description
Device ID ID of the device whose associated session file you want to download using CrowdStrike Falcon RTR.
File's SHA256 Value SHA256 value of the file that you want to download.
Download File Name Name to be given to the downloaded file. The filename specified here will also be used to upload the file to the FortiSOAR™ "Attachments" module.
Additional Filter Parameters (Optional) Additional filter parameters that can be specified to search for the session file.

Output

The output contains a non-dictionary value.

operation: Get Scripts List

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Input parameters

Parameter Description
Filter FQL Filter based on which you want to filter PowerShell scripts. Based on the filter, this operation retrieves a list of PowerShell scripts from CrowdStrike Falcon.
Offset Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.
For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list.
Limit

(Optional) Limits the number of results to be returned in a single request.

Sort By Sort query that is used to perform the sorting operation over the result. In the sort query, specify the property to sort the results, followed by a dot (.), and then followed by the sort direction, either "asc" or "desc".

Output

The output contains a non-dictionary value.

operation: Get Scripts Details by IDs

Input parameters

Parameter Description
Script File IDs ID of the script files whose details you want to retrieve from CrowdStrike Falcon and which you want to run using the "runscript" command from CrowdStrike Falcon RTR.

Output

The output contains a non-dictionary value.

operation: Get Executable List

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Input parameters

Parameter Description
Filter FQL Filter based on which you want to filter Executable scripts. Based on the filter, this operation retrieves a list of Executable scripts from CrowdStrike Falcon.
Offset Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.
For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list.
Limit Limits the number of results to be returned in a single request.
Sort By Sort query that is used to perform the sorting operation over the result. In the sort query, specify the property to sort the results, followed by a dot (.), and then followed by the sort direction, either "asc" or "desc".

Output

The output contains a non-dictionary value.

operation: Get Executables Details by IDs

Input parameters

Parameter Description
Executable File IDs ID of the executable files whose details you want to retrieve from CrowdStrike Falcon and which you want to run using the "runscript" command from CrowdStrike Falcon RTR.

The output contains a non-dictionary value.

Included playbooks

The Sample - CrowdStrike Falcon - 2.0.0 playbook collection comes bundled with the CrowdStrike Falcon connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon connector.

  • Contain the Host
  • Create IOC
  • Delete IOC
  • Detection Aggregates
  • Detection Search
  • Download Session File
  • Download Session File List
  • Get Admin Command Result
  • Get Detection Details
  • Get Device Details
  • Get Endpoint List
  • Get Executables Details by IDs
  • Get Executable List
  • Get Incident Details
  • Get Incidents Crowdstrike Score
  • Get IOC Details
  • Get IOCs
  • Get Process Details
  • Get Processes Related to IOC
  • Get Scripts Details by IDs
  • Get Scripts List
  • Hunt Domain
  • Hunt File
  • Remove Containment
  • Run Admin Command
  • Search Incidents
  • Set Detection State
  • Update IOC

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Previous
Next

About the connector

The CrowdStrike Falcon® platform is pioneering cloud-delivered endpoint protection. It both delivers and unifies IT Hygiene, next-generation antivirus, endpoint detection and response (EDR), managed threat hunting, and threat intelligence — all delivered via a single lightweight agent.

This document provides information about the CrowdStrike Falcon connector, which facilitates automated interactions with CrowdStrike Falcon using FortiSOAR™ playbooks. Add the CrowdStrike Falcon connector as a step in FortiSOAR™ playbooks and perform automated investigative operations on endpoints and manage IOC for CrowdStrike Falcon, operations include creating an IOC on CrowdStrike Falcon and hunting a file or domain on CrowdStrike Falcon using a specified filehash or a specific domain.

Version information

Connector Version: 2.0.0

FortiSOAR™ Versions Tested on: 6.4.1-2133

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the CrowdStrike Falcon connector in version 2.0.0:

Installing the connector

From FortiSOAR™ 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

yum install cyops-connector-crowd-strike-falcon

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here

Configuration parameters

In FortiSOAR™, on the Connectors page, click the CrowdStrike Falcon connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server URL URL of the CrowdStrike Falcon server to which you will connect and perform the automated operations.
Client ID Client ID used to access the CrowdStrike Falcon APIs and perform automated operations.
Client Secret Client Secret used to access the CrowdStrike Falcon APIs and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Create IOC Creates an indicator on CrowdStrike Falcon based on the IOC type and value, policy, and other input parameters you have specified. create_ioc
Investigation
Get IOCs Retrieves a list of all IOCs or specific IOCs based on the input parameters you have specified from CrowdStrike Falcon get_iocs
Investigation
Get IOC Details Retrieves details of a specific IOC from CrowdStrike Falcon, based on the IOC type and value you have specified. get_ioc
Investigation
Update IOC Updates an indicator on CrowdStrike Falcon, based on the IOC type and value and other input parameters you have specified. update_ioc
Investigation
Delete IOC Deletes an indicator on CrowdStrike Falcon, based on the IOC type and value you have specified. delete_ioc
Remediation
Hunt File Hunts a file on CrowdStrike Falcon using the filehash type and value you have specified. hunt_file
Investigation
Hunt Domain Hunts a domain on CrowdStrike Falcon using the domain value you have specified. This operation retrieves a list of device IDs from CrowdStrike Falcon on which the domain was observed. hunt_domain
Investigation
Get Processes Related to IOC Retrieves a list of processes from CrowdStrike Falcon which are associated with the specified IOC on a given device based on the IOC type and value, device ID, and other input parameters you have specified. get_processes
Investigation
Get Process Details Retrieves details of a specific process from CrowdStrike Falcon, based on the process ID you have specified. search_process
Investigation
Get Device Details Retrieves details of a specific device from CrowdStrike Falcon, based on the device ID you have specified. search_endpoint
Investigation
Get Endpoint List Retrieves a list of all the all endpoints or specific endpoints based on the input parameters you have specified configured on a device on CrowdStrike Falcon. get_endpoints
Investigation
Get Detection Details Retrieves details of a specific detection from CrowdStrike Falcon, based on the detection IDs you have specified. get_detection
Investigation
Contain the Host Prevents a potentially compromised host from communicating across the network that contains the host based on the device IDs you have specified. list_endpoint
Investigation
Remove Containment Removes the containment on a host that has been contained and returns its network communications to normal based on the device IDs you have specified. list_endpoint
Investigation
Detection Search Retrieves a list of all detection IDs or specific detection IDs based on the input parameters you have specified configured on a device on CrowdStrike Falcon. get_detection
Investigation
Detection Aggregates Retrieves a count of detections by a query from CrowdStrike Falcon based on the aggregate query name and type, the field used to compute the aggregation and other input parameters you have specified. detection_aggregates
Investigation
Set Detection State Sets the state of specific detections on CrowdStrike Falcon, based on the detection IDs you have specified. set_state
Investigation
Search Incidents Searches for incidents in CrowdStrike Falcon based on the FQL filter, sorting, and pagination details you have specified. incidents_query
Investigation
Get Incident Details Retrieves details for incidents from CrowdStrike Falcon based on the incident IDs you have specified. incidents_get_details
Investigation
Get Incidents Crowdstrike Score Returns entity (incident) data by querying the complete CrowdStrike Score environment based on the timestamp and CrowdStrike you have specified. get_crowdstrikescore_incident
Investigation
Run Admin Command Executes admin commands on a specific device in CrowdStrike Falcon based on the device ID, commands, and optionally command parameters you have specified. run_cmd
Investigation
Get Admin Command Result Retrieves the result of the status of the admin command executed on a specific device from CrowdStrike Falcon Real-Time Response (RTR) based on the cloud request ID and sequence ID you have specified. get_result
Investigation
Download Session File List Retrieves the list of the session files available for the download using CrowdStrike Falcon RTR based on the device ID you have specified. list_files
Investigation
Download Session File Downloads a specific session file using CrowdStrike Falcon RTR based on the device ID, the file's SHA256 values, and other input parameters you have specified. download_file
Investigation
Get Scripts List Retrieves a list of PowerShell scripts available for the "runscript" command from CrowdStrike Falcon. These scripts can then be run on devices using CrowdStrike Falcon RTR. list_files
Investigation
Get Scripts Details by IDs Retrieves the PowerShell scripts available for the "runscript" command from CrowdStrike Falcon based on the script ID you have specified. These scripts can then be run on devices using CrowdStrike Falcon RTR. get_file
Investigation
Get Executable List Retrieves a list of Executable available for the "runscript" command from CrowdStrike Falcon. These executables can then be run on devices using CrowdStrike Falcon RTR. list_executable
Investigation
Get Executables Details by IDs Retrieves the executables available for the "runscript" command from CrowdStrike Falcon based on the executable file ID you have specified. These executables can then be run on devices using CrowdStrike Falcon RTR. get_file
Investigation

operation: Create IOC

Input parameters

Parameter Description
IOC Type Type of indicator that you want to create on CrowdStrike Falcon.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value String representation of the indicator that you want to create on CrowdStrike Falcon.
The value that you specify will be based on the IOC Type you have chosen.
Policy Policy that should be enacted when the IOC value is detected on a host.
Following is the list of policies:
  • detect: Sends a notification when the particular indicator has been detected on a host.
  • none: Take no action when the particular indicator has been detected on a host. This is equivalent to turning the indicator off.
Indicator Share Level (Optional) Level the indicator will be shared.
Currently, only the red share level (i.e., the indicator is not shared) is supported, which signifies that the IOC is not shared with other FH customers.
Time To Live (Optional) Days until when the indicator remains valid.
Note: This parameter only applies to Domain, IPv4, and IPv6 IOC types.
Indicator Source (Optional) Source of origination of the indicator that you want to create on CrowdStrike Falcon. This can be used for tracking where this indicator was defined.
Note: The indicator source is limited to 200 characters.
Indicator Description (Optional) Description of the indicator that you want to create on CrowdStrike Falcon.
Note: The description is limited to 200 characters.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

operation: Get IOCs

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
IOC Type List containing the types of indicators whose IOC list you want to retrieve from CrowdStrike Falcon. You can select multiple indicator types.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value List of indicator values based on the types that you have selected in the IOC Type field whose IOC list you want to retrieve from CrowdStrike Falcon.
Policy List of indicator policies whose associated IOCs you want to retrieve from CrowdStrike Falcon.
Indicator Share Level (Optional) Level the indicator will be shared.
Currently, only red share level (i.e., the indicator is not shared) is supported, which signifies that the IOC is not shared with other FH customers.
Indicator Source (Optional) List of IOC sources you want to retrieve from CrowdStrike Falcon.
Note: The indicator source is limited to 200 characters.
Earliest Expiration Date (Optional) RFC3339 DateTime that represents the starting date range to search for IOCs on CrowdStrike Falcon by their expiration timestamp.
Latest Expiration Date (Optional) RFC3339 DateTime that represents the ending date range to search for IOCs on CrowdStrike Falcon by their expiration timestamp.
Record Count (Optional) Number of items to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.
Offset (Optional) Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.
For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list.

Output

The output contains the following populated JSON schema:
{
"iocs_found": ""
}

operation: Get IOC Details

Input parameters

Parameter Description
IOC Type Type of the indicator whose details you want to retrieve from CrowdStrike Falcon.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value String representation of the indicator whose details you want to retrieve from CrowdStrike Falcon.
The value that you specify will be based on the IOC Type you have chosen.

Output

The output contains the following populated JSON schema:
{
"ioc_details": {
"errors": [],
"meta": {
"query_time": "",
"trace_id": ""
},
"resources": [
{
"source": "",
"created_by": "",
"share_level": "",
"policy": "",
"expiration_timestamp": "",
"description": "",
"modified_timestamp": "",
"value": "",
"created_timestamp": "",
"modified_by": "",
"type": ""
}
]
}
}

operation: Update IOC

Input parameters

Parameter Description
IOC Type Type of indicator that you want to update on CrowdStrike Falcon.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value String representation of the indicator that you want to update on CrowdStrike Falcon.
The value that you specify will be based on the IOC Type you have chosen.
Policy (Optional) Policy that should be enacted when the IOC value is detected on a host.
Following is the list of policies:
  • detect: Sends a notification when the particular indicator has been detected on a host.
  • none: Take no action when the particular indicator has been detected on a host. This is equivalent to turning the indicator off.
Indicator Share Level (Optional) Level the indicator will be shared.
Currently, only the red share level (i.e., the indicator is not shared) is supported, which signifies that the IOC is not shared with other FH customers.
Time To Live (Optional) Days until when the indicator remains valid.
Note: This parameter only applies to Domain, IPv4, and IPv6 IOC types.
Indicator Source (Optional) Source of origination of the indicator that you want to update on CrowdStrike Falcon. This can be used for tracking where this indicator was defined.
Note: The indicator source is limited to 200 characters.
Indicator Description (Optional) Description of the indicator that you want to update on CrowdStrike Falcon.
Note: The description is limited to 200 characters.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

operation: Delete IOC

Input parameters

Parameter Description
IOC Type Type of indicator that you want to delete from CrowdStrike Falcon.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value String representation of the indicator that you want to delete from CrowdStrike Falcon.
The value that you specify will be based on the IOC Type you have chosen.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

operation: Hunt File

Input parameters

Parameter Description
Filehash Type Type of the filehash that you want to hunt for on CrowdStrike Falcon.
Filehash Value Value of the filehash that you want to hunt for on CrowdStrike Falcon.
Get Device Count Only If you select this parameter, i.e., set it to True, then the response will contain only the number of devices found for that Filehash and value on CrowdStrike Falcon. For example, "device_count": 13
If you clear this parameter, i.e., set it to False, then the response contains the list of device IDs found for that Filehash and value. For example, "resources": [ "1081290fbf104a1465cc0c91ca4ebe36", "739e412d9ff341a549a75e5c8107b0f3"])
By default, this parameter is cleared, i.e., set as False.

Output

The output contains the following populated JSON schema:
{
"device_count": ""
}

operation: Hunt Domain

Input parameters

Parameter Description
Domain Value of the domain that you want to hunt for on CrowdStrike Falcon.
Get Device Count Only If you select this parameter, i.e., set it to True, then the response will contain only the number of devices found for that domain on CrowdStrike Falcon.
If you clear this parameter, i.e., set it to False, then the response contains the list of device IDs found for that domain on CrowdStrike Falcon.
By default, this parameter is cleared, i.e., set as False.

Output

The output contains the following populated JSON schema:
{
"device_count": ""
}

operation: Get Processes Related to IOC

Input parameters

Parameter Description
IOC Type Type of indicator whose associated processes you want to retrieve from CrowdStrike Falcon.
Valid types include: IPv4, IPv6, Domain, MD5, SHA1, and SHA256.
IOC Value String representation of the indicator whose associated processes you want to retrieve from CrowdStrike Falcon.
The value that you specify will be based on the IOC Type you have chosen.
Device ID ID of the device against which you want to check for IOCs and associated processes on CrowdStrike Falcon.
Record Count (Optional) Number of items to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.
Offset (Optional) Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.

Output

The output contains the following populated JSON schema:
{
"process_ids": [],
"process_count": ""
}

operation: Get Process Details

Input parameters

Parameter Description
Process ID ID of the process whose details you want to retrieve from CrowdStrike Falcon.
This parameter allows you to send multiple IDs to the endpoint to allow for more efficient multi-get type operations.

Output

The output contains the following populated JSON schema:
{
"process_details": {
"meta": {
"query_time": "",
"trace_id": ""
},
"errors": [],
"resources": [
{
"device_id": "",
"stop_timestamp": "",
"process_id_local": "",
"file_name": "",
"process_id": "",
"start_timestamp_raw": "",
"command_line": "",
"start_timestamp": "",
"stop_timestamp_raw": ""
}
]
}
}

operation: Get Device Details

Input parameters

Parameter Description
Device ID ID of the device whose details you want to retrieve from CrowdStrike Falcon.

Output

The output contains the following populated JSON schema:
{
"system_info": {
"meta": {
"powered_by": "",
"trace_id": "",
"query_time": ""
},
"errors": [],
"resources": [
{
"device_id": "",
"config_id_build": "",
"minor_version": "",
"agent_load_flags": "",
"first_seen": "",
"major_version": "",
"policies": [
{
"assigned_date": "",
"policy_type": "",
"settings_hash": "",
"policy_id": "",
"applied": "",
"applied_date": ""
}
],
"modified_timestamp": "",
"system_manufacturer": "",
"config_id_base": "",
"cid": "",
"agent_version": "",
"mac_address": "",
"bios_manufacturer": "",
"machine_domain": "",
"last_seen": "",
"product_type_desc": "",
"platform_name": "",
"product_type": "",
"agent_local_time": "",
"platform_id": "",
"device_policies": {
"sensor_update": {
"assigned_date": "",
"policy_type": "",
"settings_hash": "",
"policy_id": "",
"applied": "",
"applied_date": ""
},
"prevention": {
"assigned_date": "",
"policy_type": "",
"settings_hash": "",
"policy_id": "",
"applied": "",
"applied_date": ""
}
},
"system_product_name": "",
"config_id_platform": "",
"os_version": "",
"bios_version": "",
"external_ip": "",
"site_name": "",
"hostname": "",
"local_ip": "",
"status": "",
"meta": {
"version": ""
}
}
]
}
}

operation: Get Endpoint List

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Query String Filter conditions based on which you want to filter the list of endpoints retrieved from CrowdStrike Falcon.
All parameters listed under Detection Search API > Parameters can be used as filters.
Offset Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.
Record Count Number of items to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.

Output

The output contains the following populated JSON schema:
{
"list_of_endpoints": [],
"endpoint_count": ""
}

operation: Contain the Host

Input parameters

Parameter Description
Device ID Comma-separated device IDs that need to be quarantined from the network, i.e., the devices will now not be able to communicate across the network.

Output

The output contains the following populated JSON schema:
{
"resources": [
{
"path": "",
"id": ""
}
],
"errors": [],
"meta": {
"trace_id": "",
"query_time": "",
"powered_by": ""
}
}

operation: Remove Containment

Input parameters

Parameter Description
Device ID Comma-separated device IDs that need to be un-quarantined from the network, i.e., the devices will now be able to communicate across the network.

Output

The output contains the following populated JSON schema:
{
"resources": [
{
"path": "",
"id": ""
}
],
"errors": [],
"meta": {
"trace_id": "",
"query_time": "",
"powered_by": ""
}
}

operation: Get Detection Details

Input parameters

Parameter Description
Detection ID Comma-separated detection IDs or list of detection IDs whose details you want to retrieve from CrowdStrike Falcon.

Output

The output contains the following populated JSON schema:
{
"errors": [],
"meta": {
"powered_by": "",
"query_time": "",
"trace_id": ""
},
"resources": []
}

operation: Detection Search

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Severity Name used in the UI to determine the severity of the detection that you want to search on CrowdStrike Falcon. You can select multiple options.
Valid values include: Critical, High, Medium, Low, and Informational.
Tactic Tactic for detection filtration on CrowdStrike Falcon.
Technique Technique for detection filtration on CrowdStrike Falcon.
Time Time, based on which you want to search for detections on CrowdStrike Falcon.
You can choose from the following values: Last Hour, Last Day, Last Week, Last 30 days, and Last 90 days.
Status Current status of the detection that you want to search on CrowdStrike Falcon. You can select multiple options.
Valid values include: New, In Progress, True Positive, False Positive, and Ignored.
Detection ID ID of the detection that you want to search on CrowdStrike Falcon.
This ID can be used in conjunction with other APIs, such as the Detection Details API, or the Resolve Detection API.
Confidence When a detection has more than one associated behavior with varying confidence levels, this field captures the highest confidence value of all behaviors.
You can specify any integer between 1-100 in this parameter.
Sort By Sorts detection records by any of the following values: Date Updated, Last Behaviour Descending, and Last Behaviour Ascending.
Triggering File Name of the file that has triggered the process.
Assigned to Human-readable name of the user to whom the detection is currently assigned.
General Search Full-text search for detections across all metadata fields on CrowdStrike Falcon.
Query String Filter conditions based on which you want to filter the list of detections retrieved from CrowdStrike Falcon.
All parameters listed under Detection Search API > Parameters can be used as filters.
Record Count Number of term buckets to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.
Offset (Optional) Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.

Output

The output contains the following populated JSON schema:
{
"errors": [],
"meta": {
"pagination": {
"total": "",
"limit": "",
"offset": ""
},
"powered_by": "",
"query_time": "",
"trace_id": ""
},
"resources": []
}

operation: Detection Aggregates

Input parameters

Parameter Description
Name Name of the aggregate query, as specified by the user.
The name parameter is used to identify the results returned to you.
Aggregate Type Type of aggregation whose count you want to retrieve from CrowdStrike Falcon.
Valid values include: Date Histogram, Date Range, Terms, Cardinality, Max, and Min.
Field Field on which you want to compute the aggregation of detections.
All parameters listed under Detection Search API > Parameters can be used as fields for computing aggregations.
Time Interval Time interval for date histogram aggregations.
Valid values include: Year, Month, Week, Day, Hour, and Minute.
Query Filter String Filter conditions based on which you want to filter the list of detections retrieved from CrowdStrike Falcon.
All parameters listed under Detection Search API > Parameters can be used as filters.
General Search Full-text search for detections across all metadata fields on CrowdStrike Falcon.
Ranges Applies to range aggregations. Ranges values that you can specify will depend on the field that you have specified.
For example, if max_severity is used, ranges can look like [{"From": 0,"To": 70},{"From": 70,"To": 100}]
Date Ranges Applies to date_range aggregations.
For example, [{"from": "2016-05-28T09:00:31Z","to": "2016-05- 30T09:00:31Z"},{"from": "2016-06-01T09:00:31Z","to": "2016-06-10T09:00:31Z"}]
Missing Missing is the value to be used when the aggregation field is missing from the object/document. In other words, the missing parameter defines how documents that are missing the value should be treated.
By default, they will be ignored, but it is also possible to treat them as if they had a value.
Min Doc Count Only return term buckets if values are greater than or equal to the value that you have specified in this parameter.
Record Count Number of term buckets to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.
Sort By Sort detection aggregations based on the value specified in this parameter.
Sub Aggregates Nested aggregation. You can specify a maximum of 3 nested aggregations per request.
For example, "sub_aggregates" :[{"name": "max_first_behavior","type": "max","field": "first_behavior"}]"

Output

The output contains the following populated JSON schema:
{
"errors": [],
"meta": {
"powered_by": "",
"query_time": "",
"trace_id": ""
},
"resources": []
}

operation: Set Detection State

Input parameters

Parameter Description
Detection ID IDs of the detections whose state you want to set on CrowdStrike Falcon.:
Note: v2 of the CrowdStrike API, the CrowdStrike detection IDs are in the following format: ldt:[first field]:[second field] e.g. ldt:cf54bb61f92e4d3e75bf4f7c11fc8f74:4295536142
State Status to which you want to transition the specific detections.
Valid values include: New, In Progress, True Positive, False Positive, and Ignored.

Output

The output contains the following populated JSON schema:
{
"result": {
"meta": {
"writes": {
"resources_affected": ""
},
"query_time": "",
"trace_id": ""
}
},
"status": ""
}

operation: Search Incidents

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Query String Filter conditions based on which you want to filter the list of incidents retrieved from CrowdStrike Falcon.
Sort By Sort query that is used to perform the sorting operation over the result. In the sort query, specify the property to sort the results, followed by a dot (.), and then followed by the sort direction, either "asc" or "desc".
Record Count Number of items to be returned in a single request.
Note: You can specify the minimum number as 1 and the maximum number of 500.
Offset Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items. For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list.

Output

The output contains a non-dictionary value.

operation: Get Incident Details

Input parameters

Parameter Description
Incident IDs Comma-separated incident IDs or a list of incident IDs whose details you want to retrieve from CrowdStrike Falcon.

Output

The output contains the following populated JSON schema:
{
"resources": [
{
"visibility": "",
"assigned_to_name": "",
"cid": "",
"techniques": [],
"modified_timestamp": "",
"name": "",
"events_histogram": [
{
"timestamp_max": "",
"has_prevented": "",
"has_overwatch": "",
"has_detect": "",
"timestamp_min": "",
"count": ""
}
],
"objectives": [],
"assigned_to": "",
"incident_type": "",
"created": "",
"fine_score": "",
"status": "",
"description": "",
"tactics": [],
"start": "",
"lm_host_ids": [],
"incident_id": "",
"users": [],
"end": "",
"tags": [],
"hosts": [
{
"release_group": "",
"site_name": "",
"config_id_platform": "",
"bios_version": "",
"cid": "",
"external_ip": "",
"last_login_user": "",
"bios_manufacturer": "",
"product_type_desc": "",
"last_login_timestamp": "",
"modified_timestamp": "",
"product_type": "",
"status": "",
"groups": [],
"last_seen": "",
"agent_version": "",
"device_id": "",
"config_id_base": "",
"ou": [],
"local_ip": "",
"first_login_timestamp": "",
"agent_load_flags": "",
"minor_version": "",
"platform_name": "",
"machine_domain": "",
"mac_address": "",
"system_product_name": "",
"notes": [],
"config_id_build": "",
"agent_local_time": "",
"os_version": "",
"platform_id": "",
"hostname": "",
"system_manufacturer": "",
"first_login_user": "",
"first_seen": "",
"major_version": "",
"tags": []
}
],
"host_ids": [],
"state": "",
"lm_hosts_capped": ""
}
],
"errors": [
{
"code": "",
"id": "",
"message": ""
}
],
"meta": {
"trace_id": "",
"writes": {
"resources_affected": ""
},
"pagination": {
"total": "",
"offset": "",
"limit": ""
},
"query_time": "",
"powered_by": ""
}
}

operation: Get Incidents Crowdstrike Score

Input parameters

Parameter Description
Timestamp Time at which the CrowdStrike score was calculated based on which you want to retrieve information about the incidents.
CrowdStrike Score Value of the CrowdStrike Score based on which you want to retrieve information about the incidents.

Output

The output contains a non-dictionary value.

operation: Run Admin Command

Input parameters

Parameter Description
Device ID ID of the device on which you want to execute the specified admin command using CrowdStrike Falcon Real-Time Response (RTR).
Command Valid commands that you want to execute on the specified device.
Command Argument Command arguments that can be added to the specified commands as additional parameters.

Output

The output contains a non-dictionary value.

operation: Get Admin Command Result

Input parameters

Parameter Description
Cloud Request ID ID of the request that is returned when you run the admin command on a specific device.
Sequence ID ID of the sequence returned in the result content.

Output

The output contains a non-dictionary value.

operation: Download Session File List

Input parameters

Parameter Description
Device ID ID of the device whose associated session file list you want to download using CrowdStrike Falcon RTR.

Output

The output contains a non-dictionary value.

operation: Download Session File

Input parameters

Parameter Description
Device ID ID of the device whose associated session file you want to download using CrowdStrike Falcon RTR.
File's SHA256 Value SHA256 value of the file that you want to download.
Download File Name Name to be given to the downloaded file. The filename specified here will also be used to upload the file to the FortiSOAR™ "Attachments" module.
Additional Filter Parameters (Optional) Additional filter parameters that can be specified to search for the session file.

Output

The output contains a non-dictionary value.

operation: Get Scripts List

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Input parameters

Parameter Description
Filter FQL Filter based on which you want to filter PowerShell scripts. Based on the filter, this operation retrieves a list of PowerShell scripts from CrowdStrike Falcon.
Offset Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.
For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list.
Limit

(Optional) Limits the number of results to be returned in a single request.

Sort By Sort query that is used to perform the sorting operation over the result. In the sort query, specify the property to sort the results, followed by a dot (.), and then followed by the sort direction, either "asc" or "desc".

Output

The output contains a non-dictionary value.

operation: Get Scripts Details by IDs

Input parameters

Parameter Description
Script File IDs ID of the script files whose details you want to retrieve from CrowdStrike Falcon and which you want to run using the "runscript" command from CrowdStrike Falcon RTR.

Output

The output contains a non-dictionary value.

operation: Get Executable List

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Input parameters

Parameter Description
Filter FQL Filter based on which you want to filter Executable scripts. Based on the filter, this operation retrieves a list of Executable scripts from CrowdStrike Falcon.
Offset Index of the first item that this operation should return.
This allows you to use a pagination token returned by the API to paginate a set of results and allows you to resume pagination without retrieving the already encountered items.
For example, if you specify 10 in this parameter, then the operation will start from the 10th record, then and return the list.
Limit Limits the number of results to be returned in a single request.
Sort By Sort query that is used to perform the sorting operation over the result. In the sort query, specify the property to sort the results, followed by a dot (.), and then followed by the sort direction, either "asc" or "desc".

Output

The output contains a non-dictionary value.

operation: Get Executables Details by IDs

Input parameters

Parameter Description
Executable File IDs ID of the executable files whose details you want to retrieve from CrowdStrike Falcon and which you want to run using the "runscript" command from CrowdStrike Falcon RTR.

The output contains a non-dictionary value.

Included playbooks

The Sample - CrowdStrike Falcon - 2.0.0 playbook collection comes bundled with the CrowdStrike Falcon connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Previous
Next