CrowdStrike OAuth API

This app integrates with CrowdStrike OAuth2 authentication standard to implement querying of endpoint security data

Supported Actions

• test connectivity: Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
• run query: Run a query against CrowdStrike API
• query device: Fetch the device details based on the provided query
• list groups: Fetch the details of the host groups
• quarantine device: Block the device
• unquarantine device: Unblock the device
• assign hosts: Assign one or more hosts to the static host group
• remove hosts: Remove one or more hosts from the static host group
• create session: Initialize a new session with the Real Time Response cloud
• delete session: Deletes a Real Time Response session
• list detections: Get a list of detections *The action uses legacy Detects API being deprecated. Please use the 'list epp alerts' action instead*
• list epp alerts: Get a list of epp alerts, replaces legacy Detects API
• get detections details: Get a list of detections details by providing detection IDs *The action uses legacy Detects API being deprecated. Please use the 'get epp details' action instead*
• get epp details: Get list of alert details for EPP alerts by providing composite IDs, replaces legacy Detects API
• update detections: Update detections in crowdstrike host *The action uses legacy Detects API being deprecated. Please use the 'update epp alerts' action instead*
• update epp alerts: Update EPP alerts in CrowdStrike, replaces legacy Detects API
• list alerts: Get a list of alerts
• list sessions: Lists Real Time Response sessions
• run command: Execute an active responder command on a single host
• run admin command: Execute an RTR Admin command on a single host
• get command details: Retrieve results of an active responder command executed on a single host
• list session files: Get a list of files for the specified RTR session
• get incident behaviors: Get details on behaviors by providing behavior IDs
• update incident: Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
• list users: Get information about all users in your Customer ID
• get user roles: Gets the roles that are assigned to the user
• list roles: Get information about all user roles from your Customer ID
• get role: Get information about all user roles from your Customer ID
• list crowdscores: Query environment wide CrowdScore and return the entity data
• get incident details: Get details on incidents by providing incident IDs
• list incident behaviors: Search for behaviors by providing an FQL filter, sorting, and paging details
• list incidents: Search for incidents by providing an FQL filter, sorting, and paging details
• get session file: Get RTR extracted file contents for the specified session and sha256 and add it to the vault
• set status: Set the state of a detection in Crowdstrike Host *The action uses legacy Detects API being deprecated. Please use the 'resolve epp alerts' action instead*
• resolve epp alerts: Update the status of an EPP alert in CrowdStrike, replaces legacy Detects API
• get system info: Get details of a device, given the device ID
• get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
• hunt file: Hunt for a file on the network by querying for the hash
• hunt domain: Get a list of device IDs on which the domain was matched
• hunt ip: Get a list of device IDs on which the ip was matched
• upload put file: Upload a new put-file to use for the RTR `put` command
• get indicator: Get the full definition of one or more indicators that are being watched
• list custom indicators: Queries for custom indicators in your customer account
• list put files: Queries for files uploaded to Crowdstrike for use with the RTR `put` command
• on poll: Callback action for the on_poll ingest functionality
• list processes: List processes that have recently used the IOC on a particular device
• upload indicator: Upload indicator that you want CrowdStrike to watch
• delete indicator: Delete an indicator that is being watched
• update indicator: Update an indicator that has been uploaded
• file reputation: Queries CrowdStrike for the file info given a vault ID or a SHA256 hash, vault ID has higher priority than SHA256 hash if both are provided
• url reputation: Queries CrowdStrike for the url info
• download report: To download the report of the provided artifact id
• detonate file: Upload a file to CrowdStrike and retrieve the analysis results
• detonate url: Upload an url to CrowdStrike and retrieve the analysis results
• check status: To check detonation status of the provided resource id
• get device scroll: Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
• get zta data: Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID)
• create ioa rule group: Create an empty IOA Rule Group
• update ioa rule group: Modify an existing IOA Rule Group
• delete ioa rule group: Delete an existing IOA Rule Group
• list ioa platforms: List valid platforms for IOA Rule Groups
• list ioa rule groups: List IOA Rule Groups
• list ioa severities: List valid severity values for IOA rules
• list ioa types: List valid types of IOA rules
• create ioa rule: Create a new IOA Rule
• update ioa rule: Update an existing IOA Rule
• delete ioa rule: Delete an existing IOA Rule