
SHA256 checksums for the CrowdStrike OAuth API release packages

  • crowdstrike-oauth-api_361.tgz: 2746ca4a30e6554a8408898d346bda03c5035d2d5b05e2aec5b2c4fa8eea7e1e
  • crowdstrike-oauth-api_360.tgz: 1c1daf52753c91873ab931dbea67a2e189e89da43606d6c25b50a03b22b6e847
  • crowdstrike-oauth-api_359.tgz: 0ea1a274db4ff74001ff7e78a56b56e33d7f2c3d21de3bd51bf1f5e9d1d3e0ec
  • crowdstrike-oauth-api_354.tgz: 2b372070faad396e2543d0085de4a63b26aade8b3d36b7acaddea8982b22cffc
  • crowdstrike-oauth-api_341.tgz: cf8e56133ebd13ef423367803da1a3bcc29e21044aa54340123fe9023ef4cb0a
  • crowdstrike-oauth-api_330.tgz: 410a82fe7a9707313c58e287d15b884db55d2e1ab43f847579125546fb3a315e
  • crowdstrike-oauth-api_320.tgz: 05af18c8a6cf37424caa48f868e404e1a4719123056d0a6d2aff8a3732a7faaf
  • crowdstrike-oauth-api_310.tgz: 1938bc1b4ee61bd1356bb3ddbd3ab0672e32a6317d6b027b17ea8cbf9e3cfbf9
  • crowdstrike-oauth-api_207.tgz: 2f9d98454c514a0e0b08c7e9573ae06036f79cc976a47fed84e2078db0710933


CrowdStrike OAuth API

Splunk SOAR Cloud
Splunk Built
Overview
This app integrates with the CrowdStrike OAuth2 authentication standard to query endpoint security data.

Supported Actions Version 3.6.1

  • test connectivity: Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
  • query device: Fetch the device details based on the provided query
  • list groups: Fetch the details of the host groups
  • quarantine device: Block the device
  • unquarantine device: Unblock the device
  • assign hosts: Assign one or more hosts to the static host group
  • remove hosts: Remove one or more hosts from the static host group
  • create session: Initialize a new session with the Real Time Response cloud
  • delete session: Delete a Real Time Response session
  • list sessions: List Real Time Response sessions
  • run command: Execute an active responder command on a single host
  • run admin command: Execute an RTR Admin command on a single host
  • get command details: Retrieve results of an active responder command executed on a single host
  • list session files: Get a list of files for the specified RTR session
  • get incident behaviors: Get details on behaviors by providing behavior IDs
  • update incident: Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
  • list users: Get information about all users in your Customer ID
  • get user roles: Get the roles that are assigned to the user
  • list roles: Get information about all user roles from your Customer ID
  • get role: Get information about all user roles from your Customer ID
  • list crowdscores: Query the environment-wide CrowdScore and return the entity data
  • get incident details: Get details on incidents by providing incident IDs
  • list incident behaviors: Search for behaviors by providing an FQL filter, sorting, and paging details
  • list incidents: Search for incidents by providing an FQL filter, sorting, and paging details
  • get session file: Get RTR extracted file contents for the specified session and sha256 and add it to the vault
  • set status: Set the state of a detection in CrowdStrike Host
  • get system info: Get details of a device, given the device ID
  • get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
  • hunt file: Hunt for a file on the network by querying for the hash
  • hunt domain: Get a list of device IDs on which the domain was matched
  • upload put file: Upload a new put-file to use for the RTR `put` command
  • get indicator: Get the full definition of one or more indicators that are being watched
  • list custom indicators: Query for custom indicators in your customer account
  • list put files: Query for files uploaded to CrowdStrike for use with the RTR `put` command
  • on poll: Callback action for the on_poll ingest functionality
  • list processes: List processes that have recently used the IOC on a particular device
  • upload indicator: Upload indicator that you want CrowdStrike to watch
  • delete indicator: Delete an indicator that is being watched
  • update indicator: Update an indicator that has been uploaded
  • file reputation: Query CrowdStrike for the file info
  • url reputation: Query CrowdStrike for the URL info
  • download report: Download the report for the provided artifact ID
  • detonate file: Upload a file to CrowdStrike and retrieve the analysis results
  • detonate url: Upload a URL to CrowdStrike and retrieve the analysis results
  • check status: Check the detonation status of the provided resource ID
  • get device scroll: Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
  • get zta data: Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID)

Supported Actions Version 3.6.0

  • test connectivity: Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
  • query device: Fetch the device details based on the provided query
  • list groups: Fetch the details of the host groups
  • quarantine device: Block the device
  • unquarantine device: Unblock the device
  • assign hosts: Assign one or more hosts to the static host group
  • remove hosts: Remove one or more hosts from the static host group
  • create session: Initialize a new session with the Real Time Response cloud
  • delete session: Delete a Real Time Response session
  • list sessions: List Real Time Response sessions
  • run command: Execute an active responder command on a single host
  • run admin command: Execute an RTR Admin command on a single host
  • get command details: Retrieve results of an active responder command executed on a single host
  • list session files: Get a list of files for the specified RTR session
  • get incident behaviors: Get details on behaviors by providing behavior IDs
  • update incident: Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
  • list users: Get information about all users in your Customer ID
  • get user roles: Get the roles that are assigned to the user
  • list roles: Get information about all user roles from your Customer ID
  • get role: Get information about all user roles from your Customer ID
  • list crowdscores: Query the environment-wide CrowdScore and return the entity data
  • get incident details: Get details on incidents by providing incident IDs
  • list incident behaviors: Search for behaviors by providing an FQL filter, sorting, and paging details
  • list incidents: Search for incidents by providing an FQL filter, sorting, and paging details
  • get session file: Get RTR extracted file contents for the specified session and sha256 and add it to the vault
  • set status: Set the state of a detection in CrowdStrike Host
  • get system info: Get details of a device, given the device ID
  • get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
  • hunt file: Hunt for a file on the network by querying for the hash
  • hunt domain: Get a list of device IDs on which the domain was matched
  • upload put file: Upload a new put-file to use for the RTR `put` command
  • get indicator: Get the full definition of one or more indicators that are being watched
  • list custom indicators: Query for custom indicators in your customer account
  • list put files: Query for files uploaded to CrowdStrike for use with the RTR `put` command
  • on poll: Callback action for the on_poll ingest functionality
  • list processes: List processes that have recently used the IOC on a particular device
  • upload indicator: Upload indicator that you want CrowdStrike to watch
  • delete indicator: Delete an indicator that is being watched
  • update indicator: Update an indicator that has been uploaded
  • file reputation: Query CrowdStrike for the file info
  • url reputation: Query CrowdStrike for the URL info
  • download report: Download the report for the provided artifact ID
  • detonate file: Upload a file to CrowdStrike and retrieve the analysis results
  • detonate url: Upload a URL to CrowdStrike and retrieve the analysis results
  • check status: Check the detonation status of the provided resource ID
  • get device scroll: Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)
  • get zta data: Get Zero Trust Assessment data for one or more hosts by providing agent IDs (AID)

Supported Actions Version 3.5.9

  • test connectivity: Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
  • query device: Fetch the device details based on the provided query
  • list groups: Fetch the details of the host groups
  • quarantine device: Block the device
  • unquarantine device: Unblock the device
  • assign hosts: Assign one or more hosts to the static host group
  • remove hosts: Remove one or more hosts from the static host group
  • create session: Initialize a new session with the Real Time Response cloud
  • delete session: Delete a Real Time Response session
  • list sessions: List Real Time Response sessions
  • run command: Execute an active responder command on a single host
  • run admin command: Execute an RTR Admin command on a single host
  • get command details: Retrieve results of an active responder command executed on a single host
  • list session files: Get a list of files for the specified RTR session
  • get incident behaviors: Get details on behaviors by providing behavior IDs
  • update incident: Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
  • list users: Get information about all users in your Customer ID
  • get user roles: Get the roles that are assigned to the user
  • list roles: Get information about all user roles from your Customer ID
  • get role: Get information about all user roles from your Customer ID
  • list crowdscores: Query the environment-wide CrowdScore and return the entity data
  • get incident details: Get details on incidents by providing incident IDs
  • list incident behaviors: Search for behaviors by providing an FQL filter, sorting, and paging details
  • list incidents: Search for incidents by providing an FQL filter, sorting, and paging details
  • get session file: Get RTR extracted file contents for the specified session and sha256 and add it to the vault
  • set status: Set the state of a detection in CrowdStrike Host
  • get system info: Get details of a device, given the device ID
  • get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
  • hunt file: Hunt for a file on the network by querying for the hash
  • hunt domain: Get a list of device IDs on which the domain was matched
  • upload put file: Upload a new put-file to use for the RTR `put` command
  • get indicator: Get the full definition of one or more indicators that are being watched
  • list custom indicators: Query for custom indicators in your customer account
  • list put files: Query for files uploaded to CrowdStrike for use with the RTR `put` command
  • on poll: Callback action for the on_poll ingest functionality
  • list processes: List processes that have recently used the IOC on a particular device
  • upload indicator: Upload indicator that you want CrowdStrike to watch
  • delete indicator: Delete an indicator that is being watched
  • update indicator: Update an indicator that has been uploaded
  • file reputation: Query CrowdStrike for the file info
  • url reputation: Query CrowdStrike for the URL info
  • download report: Download the report for the provided artifact ID
  • detonate file: Upload a file to CrowdStrike and retrieve the analysis results
  • detonate url: Upload a URL to CrowdStrike and retrieve the analysis results
  • check status: Check the detonation status of the provided resource ID
  • get device scroll: Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)

Supported Actions Version 3.5.4

  • test connectivity: Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
  • query device: Fetch the device details based on the provided query
  • list groups: Fetch the details of the host groups
  • quarantine device: Block the device
  • unquarantine device: Unblock the device
  • assign hosts: Assign one or more hosts to the static host group
  • remove hosts: Remove one or more hosts from the static host group
  • create session: Initialize a new session with the Real Time Response cloud
  • delete session: Delete a Real Time Response session
  • list sessions: List Real Time Response sessions
  • run command: Execute an active responder command on a single host
  • run admin command: Execute an RTR Admin command on a single host
  • get command details: Retrieve results of an active responder command executed on a single host
  • list session files: Get a list of files for the specified RTR session
  • get incident behaviors: Get details on behaviors by providing behavior IDs
  • update incident: Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
  • list users: Get information about all users in your Customer ID
  • get user roles: Get the roles that are assigned to the user
  • list roles: Get information about all user roles from your Customer ID
  • get role: Get information about all user roles from your Customer ID
  • list crowdscores: Query the environment-wide CrowdScore and return the entity data
  • get incident details: Get details on incidents by providing incident IDs
  • list incident behaviors: Search for behaviors by providing an FQL filter, sorting, and paging details
  • list incidents: Search for incidents by providing an FQL filter, sorting, and paging details
  • get session file: Get RTR extracted file contents for the specified session and sha256 and add it to the vault
  • set status: Set the state of a detection in CrowdStrike Host
  • get system info: Get details of a device, given the device ID
  • get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
  • hunt file: Hunt for a file on the network by querying for the hash
  • hunt domain: Get a list of device IDs on which the domain was matched
  • upload put file: Upload a new put-file to use for the RTR `put` command
  • get indicator: Get the full definition of one or more indicators that are being watched
  • list custom indicators: Query for custom indicators in your customer account
  • list put files: Query for files uploaded to CrowdStrike for use with the RTR `put` command
  • on poll: Callback action for the on_poll ingest functionality
  • list processes: List processes that have recently used the IOC on a particular device
  • upload indicator: Upload indicator that you want CrowdStrike to watch
  • delete indicator: Delete an indicator that is being watched
  • update indicator: Update an indicator that has been uploaded
  • file reputation: Query CrowdStrike for the file info
  • url reputation: Query CrowdStrike for the URL info
  • download report: Download the report for the provided artifact ID
  • detonate file: Upload a file to CrowdStrike and retrieve the analysis results
  • detonate url: Upload a URL to CrowdStrike and retrieve the analysis results
  • check status: Check the detonation status of the provided resource ID
  • get device scroll: Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)

Supported Actions Version 3.4.1

  • test connectivity: Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
  • query device: Fetch the device details based on the provided query
  • list groups: Fetch the details of the host groups
  • quarantine device: Block the device
  • unquarantine device: Unblock the device
  • assign hosts: Assign one or more hosts to the static host group
  • remove hosts: Remove one or more hosts from the static host group
  • create session: Initialize a new session with the Real Time Response cloud
  • delete session: Delete a Real Time Response session
  • list sessions: List Real Time Response sessions
  • run command: Execute an active responder command on a single host
  • run admin command: Execute an RTR Admin command on a single host
  • get command details: Retrieve results of an active responder command executed on a single host
  • list session files: Get a list of files for the specified RTR session
  • get incident behaviors: Get details on behaviors by providing behavior IDs
  • update incident: Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
  • list users: Get information about all users in your Customer ID
  • get user roles: Get the roles that are assigned to the user
  • list roles: Get information about all user roles from your Customer ID
  • get role: Get information about all user roles from your Customer ID
  • list crowdscores: Query the environment-wide CrowdScore and return the entity data
  • get incident details: Get details on incidents by providing incident IDs
  • list incident behaviors: Search for behaviors by providing an FQL filter, sorting, and paging details
  • list incidents: Search for incidents by providing an FQL filter, sorting, and paging details
  • get session file: Get RTR extracted file contents for the specified session and sha256 and add it to the vault
  • set status: Set the state of a detection in CrowdStrike Host
  • get system info: Get details of a device, given the device ID
  • get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
  • hunt file: Hunt for a file on the network by querying for the hash
  • hunt domain: Get a list of device IDs on which the domain was matched
  • upload put file: Upload a new put-file to use for the RTR `put` command
  • get indicator: Get the full definition of one or more indicators that are being watched
  • list custom indicators: Query for custom indicators in your customer account
  • list put files: Query for files uploaded to CrowdStrike for use with the RTR `put` command
  • on poll: Callback action for the on_poll ingest functionality
  • list processes: List processes that have recently used the IOC on a particular device
  • upload indicator: Upload indicator that you want CrowdStrike to watch
  • delete indicator: Delete an indicator that is being watched
  • update indicator: Update an indicator that has been uploaded
  • file reputation: Query CrowdStrike for the file info
  • url reputation: Query CrowdStrike for the URL info
  • download report: Download the report for the provided artifact ID
  • detonate file: Upload a file to CrowdStrike and retrieve the analysis results
  • detonate url: Upload a URL to CrowdStrike and retrieve the analysis results
  • check status: Check the detonation status of the provided resource ID
  • get device scroll: Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on offset pointer which expires after 2 minutes with no maximum limit)

Supported Actions Version 3.3.0

  • test connectivity: Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
  • query device: Fetch the device details based on the provided query
  • list groups: Fetch the details of the host groups
  • quarantine device: Block the device
  • unquarantine device: Unblock the device
  • assign hosts: Assign one or more hosts to the static host group
  • remove hosts: Remove one or more hosts from the static host group
  • create session: Initialize a new session with the Real Time Response cloud
  • delete session: Delete a Real Time Response session
  • list sessions: List Real Time Response sessions
  • run command: Execute an active responder command on a single host
  • run admin command: Execute an RTR Admin command on a single host
  • get command details: Retrieve results of an active responder command executed on a single host
  • list session files: Get a list of files for the specified RTR session
  • get incident behaviors: Get details on behaviors by providing behavior IDs
  • update incident: Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
  • list users: Get information about all users in your Customer ID
  • get user roles: Get the roles that are assigned to the user
  • list roles: Get information about all user roles from your Customer ID
  • get role: Get information about all user roles from your Customer ID
  • list crowdscores: Query the environment-wide CrowdScore and return the entity data
  • get incident details: Get details on incidents by providing incident IDs
  • list incident behaviors: Search for behaviors by providing an FQL filter, sorting, and paging details
  • list incidents: Search for incidents by providing an FQL filter, sorting, and paging details
  • get session file: Get RTR extracted file contents for the specified session and sha256 and add it to the vault
  • set status: Set the state of a detection in CrowdStrike Host
  • get system info: Get details of a device, given the device ID
  • get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
  • hunt file: Hunt for a file on the network by querying for the hash
  • hunt domain: Get a list of device IDs on which the domain was matched
  • upload put file: Upload a new put-file to use for the RTR `put` command
  • get indicator: Get the full definition of one or more indicators that are being watched
  • list custom indicators: Query for custom indicators in your customer account
  • list put files: Query for files uploaded to CrowdStrike for use with the RTR `put` command
  • on poll: Callback action for the on_poll ingest functionality
  • list processes: List processes that have recently used the IOC on a particular device
  • upload indicator: Upload one or more indicators that you want CrowdStrike to watch
  • delete indicator: Delete an indicator that is being watched
  • update indicator: Update an indicator that has been uploaded
  • file reputation: Query CrowdStrike for the file info
  • url reputation: Query CrowdStrike for the URL info
  • download report: Download the report for the provided artifact ID
  • detonate file: Upload a file to CrowdStrike and retrieve the analysis results
  • detonate url: Upload a URL to CrowdStrike and retrieve the analysis results
  • check status: Check the detonation status of the provided resource ID

Supported Actions Version 3.2.0

  • test connectivity: Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
  • query device: Fetch the device details based on the provided query
  • list groups: Fetch the details of the host groups
  • quarantine device: Block the device
  • unquarantine device: Unblock the device
  • assign hosts: Assign one or more hosts to the static host group
  • remove hosts: Remove one or more hosts from the static host group
  • create session: Initialize a new session with the Real Time Response cloud
  • delete session: Delete a Real Time Response session
  • list sessions: List Real Time Response sessions
  • run command: Execute an active responder command on a single host
  • run admin command: Execute an RTR Admin command on a single host
  • get command details: Retrieve results of an active responder command executed on a single host
  • list session files: Get a list of files for the specified RTR session
  • get incident behaviors: Get details on behaviors by providing behavior IDs
  • update incident: Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
  • list users: Get information about all users in your Customer ID
  • get user roles: Get the roles that are assigned to the user
  • list roles: Get information about all user roles from your Customer ID
  • get role: Get information about all user roles from your Customer ID
  • list crowdscores: Query the environment-wide CrowdScore and return the entity data
  • get incident details: Get details on incidents by providing incident IDs
  • list incident behaviors: Search for behaviors by providing an FQL filter, sorting, and paging details
  • list incidents: Search for incidents by providing an FQL filter, sorting, and paging details
  • get session file: Get RTR extracted file contents for the specified session and sha256 and add it to the vault
  • set status: Set the state of a detection in CrowdStrike Host
  • get system info: Get details of a device, given the device ID
  • get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
  • hunt file: Hunt for a file on the network by querying for the hash
  • hunt domain: Get a list of device IDs on which the domain was matched
  • upload put file: Upload a new put-file to use for the RTR `put` command
  • get indicator: Get the full definition of one or more indicators that are being watched
  • list custom indicators: Query for custom indicators in your customer account
  • list put files: Query for files uploaded to CrowdStrike for use with the RTR `put` command
  • on poll: Callback action for the on_poll ingest functionality
  • list processes: List processes that have recently used the IOC on a particular device
  • upload indicator: Upload one or more indicators that you want CrowdStrike to watch
  • delete indicator: Delete an indicator that is being watched
  • update indicator: Update an indicator that has been uploaded
  • file reputation: Query CrowdStrike for the file info
  • url reputation: Query CrowdStrike for the URL info
  • download report: Download the report for the provided artifact ID
  • detonate file: Upload a file to CrowdStrike and retrieve the analysis results
  • detonate url: Upload a URL to CrowdStrike and retrieve the analysis results
  • check status: Check the detonation status of the provided resource ID

Supported Actions Version 3.1.0

  • test connectivity: Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
  • query device: Fetch the device details based on the provided query
  • list groups: Fetch the details of the host groups
  • quarantine device: Block the device
  • unquarantine device: Unblock the device
  • assign hosts: Assign one or more hosts to the static host group
  • remove hosts: Remove one or more hosts from the static host group
  • create session: Initialize a new session with the Real Time Response cloud
  • delete session: Delete a Real Time Response session
  • list sessions: List Real Time Response sessions
  • run command: Execute an active responder command on a single host
  • run admin command: Execute an RTR Admin command on a single host
  • get command details: Retrieve results of an active responder command executed on a single host
  • list session files: Get a list of files for the specified RTR session
  • get incident behaviors: Get details on behaviors by providing behavior IDs
  • update incident: Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
  • list users: Get information about all users in your Customer ID
  • get user roles: Get the roles that are assigned to the user
  • list roles: Get information about all user roles from your Customer ID
  • get role: Get information about all user roles from your Customer ID
  • list crowdscores: Query the environment-wide CrowdScore and return the entity data
  • get incident details: Get details on incidents by providing incident IDs
  • list incident behaviors: Search for behaviors by providing an FQL filter, sorting, and paging details
  • list incidents: Search for incidents by providing an FQL filter, sorting, and paging details
  • get session file: Get RTR extracted file contents for the specified session and sha256 and add it to the vault
  • set status: Set the state of a detection in CrowdStrike Host
  • get system info: Get details of a device, given the device ID
  • get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
  • hunt file: Hunt for a file on the network by querying for the hash
  • hunt domain: Get a list of device IDs on which the domain was matched
  • upload put file: Upload a new put-file to use for the RTR `put` command
  • get indicator: Get the full definition of one or more indicators that are being watched
  • list custom indicators: Query for custom indicators in your customer account
  • list put files: Query for files uploaded to CrowdStrike for use with the RTR `put` command
  • on poll: Callback action for the on_poll ingest functionality
  • list processes: List processes that have recently used the IOC on a particular device
  • upload indicator: Upload one or more indicators that you want CrowdStrike to watch
  • delete indicator: Delete an indicator that is being watched
  • update indicator: Update an indicator that has been uploaded
  • file reputation: Query CrowdStrike for the file info
  • url reputation: Query CrowdStrike for the URL info
  • download report: Download the report for the provided artifact ID
  • detonate file: Upload a file to CrowdStrike and retrieve the analysis results
  • detonate url: Upload a URL to CrowdStrike and retrieve the analysis results
  • check status: Check the detonation status of the provided resource ID

Supported Actions Version 2.0.7

  • test connectivity: Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials
  • query device: Fetch the device details based on the provided query
  • list groups: Fetch the details of the host groups
  • quarantine device: Block the device
  • unquarantine device: Unblock the device
  • assign hosts: Assign one or more hosts to the static host group
  • remove hosts: Remove one or more hosts from the static host group
  • create session: Initialize a new session with the Real Time Response cloud
  • delete session: Delete a Real Time Response session
  • list sessions: List Real Time Response sessions
  • run command: Execute an active responder command on a single host
  • run admin command: Execute an RTR Admin command on a single host
  • get command details: Retrieve the results of an active responder command executed on a single host
  • list session files: Get a list of files for the specified RTR session
  • get incident behaviors: Get details on behaviors by providing behavior IDs
  • update incident: Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
  • list users: Get information about all users in your Customer ID
  • get user roles: Get the roles that are assigned to the user
  • list roles: Get information about all user roles from your Customer ID
  • get role: Get information about all user roles from your Customer ID
  • list crowdscores: Query the environment-wide CrowdScore and return the entity data
  • get incident details: Get details on incidents by providing incident IDs
  • list incident behaviors: Search for behaviors by providing an FQL filter, sorting, and paging details
  • list incidents: Search for incidents by providing an FQL filter, sorting, and paging details
  • get session file: Get the RTR extracted file contents for the specified session and SHA256 hash and add them to the vault
  • set status: Set the state of a detection in CrowdStrike Host
  • get system info: Get details of a device, given the device ID
  • get process detail: Retrieve the details of a process that is running or that previously ran, given a process ID
  • hunt file: Hunt for a file on the network by querying for its hash
  • hunt domain: Get a list of device IDs on which the domain was matched
  • upload put file: Upload a new put-file to use with the RTR `put` command
  • get indicator: Get the full definition of one or more indicators that are being watched
  • list custom indicators: Query for custom indicators in your customer account
  • list put files: Query for files uploaded to CrowdStrike for use with the RTR `put` command
  • on poll: Callback action for the on_poll ingest functionality
  • list processes: List processes that have recently used the IOC on a particular device
  • upload indicator: Upload one or more indicators that you want CrowdStrike to watch
  • delete indicator: Delete an indicator that is being watched
  • update indicator: Update an indicator that has been uploaded

Release Notes

Version 3.6.1
May 6, 2022
  • Added a new custom widget for the 'get device scroll' action [PAPP-20822]
Version 3.6.0
April 21, 2022
  • Added the 'get zta data' action [PAPP-24871]
  • Updated the 'get session file' action to get the file in chunks [PAPP-24293]
Version 3.5.9
Feb. 10, 2022

CrowdStrike OAuth API Release Notes - Published by Splunk February 03, 2022

Version 3.5.9 - Released February 03, 2022

  • Added support for Python 3.9
Version 3.5.4
Jan. 20, 2022

CrowdStrike OAuth API Release Notes - Published by Splunk January 20, 2022

Version 3.5.4 - Released January 20, 2022

  • Added documentation to clarify differences in commands between 'run command' and 'run admin command' actions [PAPP-19490]
  • Added custom view for 'run command' and 'run admin command' actions to format the output [PAPP-13361]
  • Changed the hashing algorithm to SHA256 when running in FIPS mode [PAPP-21043]
Version 3.4.1
Oct. 27, 2021

CrowdStrike OAuth API Release Notes - Published by Splunk October 27, 2021

Version 3.4.1 - Released October 27, 2021

  • Updated the API for the following actions [PAPP-19967, PAPP-20354, PAPP-19283]
    • upload indicator
    • update indicator
    • delete indicator
    • get indicator
    • list custom indicators
  • Added the 'get device scroll' action [PAPP-11357]
Version 3.3.0
Sept. 21, 2021

CrowdStrike OAuth API Release Notes - Published by Splunk August 10, 2021

Version 3.3.0 - Released August 10, 2021

  • Fixed the manual polling issue [PAPP-19046]
Version 3.2.0
Sept. 21, 2021

CrowdStrike OAuth API Release Notes - Published by Splunk August 10, 2021

Version 3.2.0 - Released July 28, 2021

  • Fixed bugs in the 'on poll', 'download report' and 'get session file' actions [PAPP-17196] [PAPP-18786]
Version 3.1.0
Sept. 21, 2021

CrowdStrike OAuth API Release Notes - Published by Splunk August 10, 2021

Version 3.1.0 - Released June 28, 2021

  • Added the following new actions:
    • file reputation
    • url reputation
    • detonate file
    • detonate url
    • check status
    • download report
  • Pass the 'get role', 'get session file', 'hunt domain', 'hunt file', 'get system info' and 'list processes' actions with 'No data found' when the API returns an empty response [PAPP-16914]
  • Fixed the automation triggering issue for 'on poll' [PAPP-17014]
  • Updated the deprecated vault method [PAPP-18131]
  • Maintained the action_result status while generating the token [PAPP-12938]
  • Changed the code structure to reduce the complexity of the 'on poll' action [PAPP-16668]
  • Updated the API and added pagination for the 'hunt file', 'hunt domain', and 'list processes' actions [PAPP-11616]
Version 2.0.7
Sept. 21, 2021

CrowdStrike OAuth API Release Notes - Published by Splunk August 10, 2021

Version 2.0.7 - Released June 04, 2021

  • Fixed an infinite loop issue in the 'run admin command' action
