category: Endpoint
sectionOrder:
- Connect
- Collect
commonfields:
id: CrowdstrikeFalcon
version: -1
configuration:
- defaultvalue: https://api.crowdstrike.com
display: Server URL (e.g., https://api.crowdstrike.com)
name: url
required: true
type: 0
section: Connect
- display: Client ID
name: credentials
type: 9
displaypassword: Secret
section: Connect
required: false
- display: Client ID
name: client_id
type: 0
hidden: true
section: Connect
required: false
- display: Secret
name: secret
type: 4
hidden: true
section: Connect
required: false
- defaultvalue: 'A+ - 3rd party enrichment'
display: Source Reliability
name: Reliability
type: 15
additionalinfo: Reliability of the source providing the intelligence data. Currently used for the "CVE" reputation command.
options:
- A+ - 3rd party enrichment
- A - Completely reliable
- B - Usually reliable
- C - Fairly reliable
- D - Not usually reliable
- E - Unreliable
- F - Reliability cannot be judged
section: Collect
advanced: true
required: false
- display: First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)
name: fetch_time
type: 0
defaultvalue: '3 days'
section: Collect
required: false
- display: Max incidents per fetch
name: incidents_per_fetch
type: 0
defaultvalue: '15'
section: Collect
advanced: true
required: false
- display: Endpoint Detections fetch query
name: fetch_query
type: 0
section: Collect
advanced: true
required: false
- display: Endpoint Incidents fetch query
name: incidents_fetch_query
type: 0
section: Collect
advanced: true
required: false
- display: IDP Detections fetch query
name: idp_detections_fetch_query
required: false
type: 0
section: Collect
advanced: true
- defaultvalue: 'true'
display: Fetch incidents
name: isFetch
type: 8
section: Collect
required: false
- display: Incident type
name: incidentType
type: 13
section: Connect
required: false
- display: Mirroring Direction
name: mirror_direction
type: 15
additionalinfo: 'Choose the direction to mirror the detection: Incoming (from CrowdStrike Falcon to Cortex XSOAR), Outgoing (from Cortex XSOAR to CrowdStrike Falcon), or Incoming and Outgoing (to/from CrowdStrike Falcon and Cortex XSOAR).'
defaultvalue: None
options:
- None
- Incoming
- Outgoing
- Incoming And Outgoing
section: Collect
required: false
- display: Trust any certificate (not secure)
name: insecure
type: 8
section: Connect
advanced: true
required: false
- display: Use system proxy settings
name: proxy
type: 8
section: Connect
advanced: true
required: false
- additionalinfo: When selected, closes the Cortex XSOAR incident when the CrowdStrike Falcon incident or detection it is mirrored from is closed.
defaultvalue: 'false'
display: Close Mirrored XSOAR Incident
name: close_incident
type: 8
section: Collect
advanced: true
required: false
- defaultvalue: 'false'
display: Close Mirrored CrowdStrike Falcon Incident or Detection
name: close_in_cs_falcon
type: 8
additionalinfo: When selected, closes the CrowdStrike Falcon incident or detection when the Cortex XSOAR incident it is mirrored to is closed, according to the types that were chosen to be fetched and mirrored.
section: Collect
advanced: true
required: false
- additionalinfo: Choose what to fetch - incidents, detections, IDP detections. You can choose any combination.
defaultvalue: 'Endpoint Detection'
display: 'Fetch types'
name: fetch_incidents_or_detections
type: 16
options:
- IDP Detection
- Endpoint Incident
- Endpoint Detection
section: Collect
advanced: true
required: false
- defaultvalue: '1'
display: 'Incidents Fetch Interval'
name: incidentFetchInterval
type: 19
section: Collect
advanced: true
required: false
- additionalinfo: The number of minutes before the last run time to look back when fetching, so that incidents and detections that were created before the last run time but did not match the query at that time are still picked up.
defaultvalue: 1
display: 'Advanced: Time in minutes to look back when fetching incidents and detections'
name: look_back
type: 0
section: Collect
advanced: true
required: false
description: The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.
display: CrowdStrike Falcon
name: CrowdstrikeFalcon
script:
commands:
- arguments:
- name: extended_data
predefined:
- 'Yes'
- 'No'
description: Whether or not to get additional data about the device.
auto: PREDEFINED
- description: The query to filter the device.
name: filter
- description: A comma-separated list of device IDs to limit the results.
name: ids
- auto: PREDEFINED
description: 'The status of the device. Possible values are: "normal", "containment_pending", "contained", and "lift_containment_pending".'
name: status
predefined:
- normal
- containment_pending
- contained
- lift_containment_pending
- auto: PREDEFINED
description: The host name of the device.
name: hostname
predefined:
- ''
- auto: PREDEFINED
description: 'The platform name of the device. Possible values are: Windows, Mac, and Linux.'
name: platform_name
predefined:
- Windows
- Mac
- Linux
- description: The site name of the device.
name: site_name
description: Searches for a device that matches the query.
name: cs-falcon-search-device
outputs:
- contextPath: CrowdStrike.Device.ID
description: The ID of the device.
type: String
- contextPath: CrowdStrike.Device.LocalIP
description: The local IP address of the device.
type: String
- contextPath: CrowdStrike.Device.ExternalIP
description: The external IP address of the device.
type: String
- contextPath: CrowdStrike.Device.Hostname
description: The host name of the device.
type: String
- contextPath: CrowdStrike.Device.OS
description: The operating system of the device.
type: String
- contextPath: CrowdStrike.Device.MacAddress
description: The MAC address of the device.
type: String
- contextPath: CrowdStrike.Device.FirstSeen
description: The first time the device was seen.
type: String
- contextPath: CrowdStrike.Device.LastSeen
description: The last time the device was seen.
type: String
- contextPath: CrowdStrike.Device.PolicyType
description: The policy type of the device.
type: String
- contextPath: CrowdStrike.Device.Status
description: The device status.
type: String
- contextPath: Endpoint.Hostname
description: The endpoint hostname.
type: String
- contextPath: Endpoint.OS
description: The endpoint operation system.
type: String
- contextPath: Endpoint.IPAddress
description: The endpoint IP address.
type: String
- contextPath: Endpoint.ID
description: The endpoint ID.
type: String
- contextPath: Endpoint.Status
description: The endpoint status.
type: String
- contextPath: Endpoint.IsIsolated
description: The endpoint isolation status.
type: String
- contextPath: Endpoint.MACAddress
description: The endpoint MAC address.
type: String
- contextPath: Endpoint.Vendor
description: The integration name of the endpoint vendor.
type: String
- contextPath: Endpoint.OSVersion
description: The endpoint operation system version.
type: String
- arguments:
- description: The ID of the behavior.
name: behavior_id
required: true
description: Searches for and fetches the behavior that matches the query.
name: cs-falcon-get-behavior
outputs:
- contextPath: CrowdStrike.Behavior.FileName
description: The file name of the behavior.
type: String
- contextPath: CrowdStrike.Behavior.Scenario
description: The scenario name of the behavior.
type: String
- contextPath: CrowdStrike.Behavior.MD5
description: The MD5 hash of the IOC in the behavior.
type: String
- contextPath: CrowdStrike.Behavior.SHA256
description: The SHA256 hash of the IOC in the behavior.
type: String
- contextPath: CrowdStrike.Behavior.IOCType
description: The type of the indicator of compromise.
type: String
- contextPath: CrowdStrike.Behavior.IOCValue
description: The value of the IOC.
type: String
- contextPath: CrowdStrike.Behavior.CommandLine
description: The command line executed in the behavior.
type: String
- contextPath: CrowdStrike.Behavior.UserName
description: The user name related to the behavior.
type: String
- contextPath: CrowdStrike.Behavior.SensorID
description: The sensor ID related to the behavior.
type: String
- contextPath: CrowdStrike.Behavior.ParentProcessID
description: The ID of the parent process.
type: String
- contextPath: CrowdStrike.Behavior.ProcessID
description: The process ID of the behavior.
type: String
- contextPath: CrowdStrike.Behavior.ID
description: The ID of the behavior.
type: String
- arguments:
- description: The IDs of the detections to search. If provided, will override other arguments.
isArray: true
name: ids
- description: |-
Filter detections using a query in Falcon Query Language (FQL).
For example, filter="device.hostname:'CS-SE-TG-W7-01'"
For a full list of valid filter options, see: https://falcon.crowdstrike.com/support/documentation/2/query-api-reference#detectionsearch
name: filter
- auto: PREDEFINED
description: Whether to get additional data such as device and behaviors processed.
name: extended_data
predefined:
- 'Yes'
- 'No'
description: Search for details of specific detections, either using a filter query, or by providing the IDs of the detections.
name: cs-falcon-search-detection
outputs:
- contextPath: CrowdStrike.Detection.Behavior.FileName
description: The file name of the behavior.
type: String
- contextPath: CrowdStrike.Detection.Behavior.Scenario
description: The scenario name of the behavior.
type: String
- contextPath: CrowdStrike.Detection.Behavior.MD5
description: The MD5 hash of the IOC of the behavior.
type: String
- contextPath: CrowdStrike.Detection.Behavior.SHA256
description: The SHA256 hash of the IOC of the behavior.
type: String
- contextPath: CrowdStrike.Detection.Behavior.IOCType
description: The type of the IOC.
type: String
- contextPath: CrowdStrike.Detection.Behavior.IOCValue
description: The value of the IOC.
type: String
- contextPath: CrowdStrike.Detection.Behavior.CommandLine
description: The command line executed in the behavior.
type: String
- contextPath: CrowdStrike.Detection.Behavior.UserName
description: The user name related to the behavior.
type: String
- contextPath: CrowdStrike.Detection.Behavior.SensorID
description: The sensor ID related to the behavior.
type: String
- contextPath: CrowdStrike.Detection.Behavior.ParentProcessID
description: The ID of the parent process.
type: String
- contextPath: CrowdStrike.Detection.Behavior.ProcessID
description: The process ID of the behavior.
type: String
- contextPath: CrowdStrike.Detection.Behavior.ID
description: The ID of the behavior.
type: String
- contextPath: CrowdStrike.Detection.System
description: The system name of the detection.
type: String
- contextPath: CrowdStrike.Detection.CustomerID
description: The ID of the customer (CID).
type: String
- contextPath: CrowdStrike.Detection.MachineDomain
description: The name of the domain of the detection machine.
type: String
- contextPath: CrowdStrike.Detection.ID
description: The detection ID.
type: String
- contextPath: CrowdStrike.Detection.ProcessStartTime
description: The start time of the process that generated the detection.
type: Date
- arguments:
- description: A comma-separated list of one or more IDs to resolve.
name: ids
required: true
- auto: PREDEFINED
description: 'The status to transition a detection to. Possible values: "new", "in_progress", "true_positive", "false_positive", "closed", "reopened" and "ignored".'
name: status
predefined:
- new
- in_progress
- true_positive
- false_positive
- closed
- reopened
- ignored
- description: 'A user ID, for example: 1234567891234567891. username and assigned_to_uuid are mutually exclusive.'
name: assigned_to_uuid
- description: Optional comment to add to the detection. Comments are displayed with the detection in CrowdStrike Falcon and provide context or notes for other Falcon users.
name: comment
- auto: PREDEFINED
description: If true, displays the detection in the UI.
name: show_in_ui
predefined:
- 'true'
- 'false'
- description: Username to assign the detections to. (This is usually the user’s email address, but may vary based on your configuration). username and assigned_to_uuid are mutually exclusive.
name: username
description: Resolves and updates a detection using the provided arguments. At least one optional argument must be passed, otherwise no change will take place. Note that IDP detections are not supported.
name: cs-falcon-resolve-detection
- arguments:
- description: The host agent ID (AID) of the host to contain. Get an agent ID from a detection.
isArray: true
name: ids
required: true
description: 'Network-contains a specified host. This is a disruptive response action: while contained, the host can only communicate with the CrowdStrike cloud and any IPs specified in your containment policy. Use cs-falcon-lift-host-containment to restore normal network communication.'
name: cs-falcon-contain-host
- arguments:
- description: The host agent ID (AID) of the host on which to lift containment. Get an agent ID from a detection. Can also be a comma-separated list of IDs.
isArray: true
name: ids
required: true
description: Lifts containment on the host, which returns its network communications to normal.
name: cs-falcon-lift-host-containment
- arguments:
- description: Whether to queue the command if the host is offline. Commands run against an offline-queued session are queued up and executed when the host comes online.
name: queue_offline
defaultValue: 'false'
- description: A comma-separated list of host agent IDs to run commands for. (Can be retrieved by running the 'cs-falcon-search-device' command.).
name: host_ids
required: true
- description: The type of command to run.
name: command_type
required: true
- description: 'The full command to run.'
name: full_command
required: true
- auto: PREDEFINED
defaultValue: read
description: 'The scope to run the command for. Possible values are: "read", "write", and "admin". Use the least scope the command needs; reserve "write" and "admin" for commands that modify the host. (NOTE: In order to run the CrowdStrike RTR `put` command, it is necessary to pass `scope=admin`.)'
name: scope
predefined:
- read
- write
- admin
- name: timeout
description: The amount of time (in seconds) that a request will wait for a client to establish a connection to a remote machine before a timeout occurs.
defaultValue: "180"
type: unknown
- auto: PREDEFINED
defaultValue: batch
description: 'The target to run the command for. Possible values are: "single" and "batch".'
name: target
predefined:
- batch
- single
description: Sends a Real Time Response (RTR) command to one or more hosts. Set the scope argument according to the command being run.
name: cs-falcon-run-command
outputs:
- contextPath: CrowdStrike.Command.HostID
description: The ID of the host the command was running for.
type: String
- contextPath: CrowdStrike.Command.SessionID
description: The session ID of the host.
type: string
- contextPath: CrowdStrike.Command.Stdout
description: The standard output of the command.
type: String
- contextPath: CrowdStrike.Command.Stderr
description: The standard error of the command.
type: String
- contextPath: CrowdStrike.Command.BaseCommand
description: The base command.
type: String
- contextPath: CrowdStrike.Command.FullCommand
description: The full command.
type: String
- contextPath: CrowdStrike.Command.TaskID
description: (For single host) The ID of the command request which has been accepted.
type: string
- contextPath: CrowdStrike.Command.Complete
description: (For single host) True if the command completed.
type: boolean
- contextPath: CrowdStrike.Command.NextSequenceID
description: (For single host) The next sequence ID.
type: number
- arguments:
- description: The script name to upload.
name: name
required: true
- auto: PREDEFINED
defaultValue: private
description: 'The permission type for the custom script. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins.'
name: permission_type
predefined:
- private
- group
- public
- description: The content of the PowerShell script.
name: content
required: true
description: Uploads a custom script to Falcon for use with the RTR 'runscript' command. A script uploaded with permission_type 'public' can be run by all active-responders and RTR admins.
name: cs-falcon-upload-script
- arguments:
- description: The file entry ID to upload.
name: entry_id
required: true
description: Uploads a file to the CrowdStrike cloud. (Can be used for the RTR 'put' command.)
name: cs-falcon-upload-file
- arguments:
- description: The ID of the file to delete. (The ID of the file can be retrieved by running the 'cs-falcon-list-files' command).
name: file_id
required: true
description: Deletes a file based on the provided ID. Can delete only one file at a time.
name: cs-falcon-delete-file
- arguments:
- description: A comma-separated list of file IDs to get. (The list of file IDs can be retrieved by running the 'cs-falcon-list-files' command.).
name: file_id
required: true
description: Returns files based on the provided IDs. These files are used for the RTR 'put' command.
name: cs-falcon-get-file
outputs:
- contextPath: CrowdStrike.File.ID
description: The ID of the file.
type: String
- contextPath: CrowdStrike.File.CreatedBy
description: The email address of the user who created the file.
type: String
- contextPath: CrowdStrike.File.CreatedTime
description: The date and time the file was created.
type: Date
- contextPath: CrowdStrike.File.Description
description: The description of the file.
type: String
- contextPath: CrowdStrike.File.Type
description: The type of the file. For example, script.
type: String
- contextPath: CrowdStrike.File.ModifiedBy
description: The email address of the user who modified the file.
type: String
- contextPath: CrowdStrike.File.ModifiedTime
description: The date and time the file was modified.
type: Date
- contextPath: CrowdStrike.File.Name
description: The full name of the file.
type: String
- contextPath: CrowdStrike.File.Permission
description: 'The permission type of the file. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins.'
type: String
- contextPath: CrowdStrike.File.SHA256
description: The SHA-256 hash of the file.
type: String
- contextPath: File.Type
description: The file type.
type: String
- contextPath: File.Name
description: The full name of the file.
type: String
- contextPath: File.SHA256
description: The SHA-256 hash of the file.
type: String
- contextPath: File.Size
description: The size of the file in bytes.
type: Number
- arguments: []
description: Returns a list of put-file IDs that are available for the user in the 'put' command.
name: cs-falcon-list-files
outputs:
- contextPath: CrowdStrike.File.ID
description: The ID of the file.
type: String
- contextPath: CrowdStrike.File.CreatedBy
description: The email address of the user who created the file.
type: String
- contextPath: CrowdStrike.File.CreatedTime
description: The date and time the file was created.
type: Date
- contextPath: CrowdStrike.File.Description
description: The description of the file.
type: String
- contextPath: CrowdStrike.File.Type
description: The type of the file. For example, script.
type: String
- contextPath: CrowdStrike.File.ModifiedBy
description: The email address of the user who modified the file.
type: String
- contextPath: CrowdStrike.File.ModifiedTime
description: The date and time the file was modified.
type: Date
- contextPath: CrowdStrike.File.Name
description: The full name of the file.
type: String
- contextPath: CrowdStrike.File.Permission
description: 'The permission type of the file. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins.'
type: String
- contextPath: CrowdStrike.File.SHA256
description: The SHA-256 hash of the file.
type: String
- contextPath: File.Type
description: The file type.
type: String
- contextPath: File.Name
description: The full name of the file.
type: String
- contextPath: File.SHA256
description: The SHA-256 hash of the file.
type: String
- contextPath: File.Size
description: The size of the file in bytes.
type: Number
- arguments:
- description: A comma-separated list of script IDs to return. (The script IDs can be retrieved by running the 'cs-falcon-list-scripts' command.).
name: script_id
required: true
description: Returns custom scripts based on the provided ID. Used for the RTR 'runscript' command.
name: cs-falcon-get-script
outputs:
- contextPath: CrowdStrike.Script.ID
description: The ID of the script.
type: String
- contextPath: CrowdStrike.Script.CreatedBy
description: The email address of the user who created the script.
type: String
- contextPath: CrowdStrike.Script.CreatedTime
description: The date and time the script was created.
type: Date
- contextPath: CrowdStrike.Script.Description
description: The description of the script.
type: String
- contextPath: CrowdStrike.Script.ModifiedBy
description: The email address of the user who modified the script.
type: String
- contextPath: CrowdStrike.Script.ModifiedTime
description: The date and time the script was modified.
type: Date
- contextPath: CrowdStrike.Script.Name
description: The script name.
type: String
- contextPath: CrowdStrike.Script.Permission
description: 'Permission type of the script. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins.'
type: String
- contextPath: CrowdStrike.Script.SHA256
description: The SHA-256 hash of the script file.
type: String
- contextPath: CrowdStrike.Script.RunAttemptCount
description: The number of times the script attempted to run.
type: Number
- contextPath: CrowdStrike.Script.RunSuccessCount
description: The number of times the script ran successfully.
type: Number
- contextPath: CrowdStrike.Script.Platform
description: The list of operating system platforms on which the script can run. For example, Windows.
type: String
- contextPath: CrowdStrike.Script.WriteAccess
description: Whether the user has write access to the script.
type: Boolean
- arguments:
- description: The script ID to delete. (Script IDs can be retrieved by running the 'cs-falcon-list-scripts' command.).
name: script_id
required: true
description: Deletes a custom-script based on the provided ID. Can delete only one script at a time.
name: cs-falcon-delete-script
- arguments: []
description: Returns a list of custom script IDs that are available for the user in the 'runscript' command.
name: cs-falcon-list-scripts
outputs:
- contextPath: CrowdStrike.Script.ID
description: The ID of the script.
type: String
- contextPath: CrowdStrike.Script.CreatedBy
description: The email address of the user who created the script.
type: String
- contextPath: CrowdStrike.Script.CreatedTime
description: The date and time the script was created.
type: Date
- contextPath: CrowdStrike.Script.Description
description: The description of the script.
type: String
- contextPath: CrowdStrike.Script.ModifiedBy
description: The email address of the user who modified the script.
type: String
- contextPath: CrowdStrike.Script.ModifiedTime
description: The date and time the script was modified.
type: Date
- contextPath: CrowdStrike.Script.Name
description: The script name.
type: String
- contextPath: CrowdStrike.Script.Permission
description: 'Permission type of the script. Possible values are: "private", which is used only by the user who uploaded it, "group", which is used by all RTR Admins, and "public", which is used by all active-responders and RTR admins.'
type: String
- contextPath: CrowdStrike.Script.SHA256
description: The SHA-256 hash of the script file.
type: String
- contextPath: CrowdStrike.Script.RunAttemptCount
description: The number of times the script attempted to run.
type: Number
- contextPath: CrowdStrike.Script.RunSuccessCount
description: The number of times the script ran successfully.
type: Number
- contextPath: CrowdStrike.Script.Platform
description: The list of operating system platforms on which the script can run. For example, Windows.
type: String
- contextPath: CrowdStrike.Script.WriteAccess
description: Whether the user has write access to the script.
type: Boolean
- arguments:
- description: The name of the script to run.
name: script_name
- description: A comma-separated list of host agent IDs to run commands. (The list of host agent IDs can be retrieved by running the 'cs-falcon-search-device' command.).
name: host_ids
required: true
- description: The PowerShell script code to run.
name: raw
- defaultValue: '30'
description: Timeout for how long to wait for the request in seconds. Maximum is 600 (10 minutes).
name: timeout
- description: Whether the command will run against an offline-queued session and be queued for execution when the host comes online.
name: queue_offline
defaultValue: 'false'
description: Runs a script on the agent host. Specify the script with script_name (a previously uploaded custom script) or raw (inline PowerShell code).
name: cs-falcon-run-script
outputs:
- contextPath: CrowdStrike.Command.HostID
description: The ID of the host for which the command was running.
type: String
- contextPath: CrowdStrike.Command.SessionID
description: The ID of the session of the host.
type: String
- contextPath: CrowdStrike.Command.Stdout
description: The standard output of the command.
type: String
- contextPath: CrowdStrike.Command.Stderr
description: The standard error of the command.
type: String
- contextPath: CrowdStrike.Command.BaseCommand
description: The base command.
type: String
- contextPath: CrowdStrike.Command.FullCommand
description: The full command.
type: String
- arguments:
- description: List of host agent IDs on which to run the RTR command.
isArray: true
name: host_ids
required: true
- description: Full path to the file that will be retrieved from each host in the batch.
name: file_path
required: true
- description: List of a subset of hosts on which to run the command.
name: optional_hosts
- description: 'The time at which the request times out, as an ISO 8601 timestamp (use timeout_duration for a relative duration instead). For example: 2019-10-17T13:41:48.487520845Z.'
name: timeout
- description: 'The amount of time to wait for the request before it times out. In duration syntax. For example, 10s. Valid units are: ns, us, ms, s, m, h. Maximum value is 10 minutes.'
name: timeout_duration
description: Batch executes 'get' command across hosts to retrieve files.
name: cs-falcon-run-get-command
outputs:
- contextPath: CrowdStrike.Command.HostID
description: The ID of the host on which the command was running.
type: string
- contextPath: CrowdStrike.Command.Stdout
description: The standard output of the command.
type: string
- contextPath: CrowdStrike.Command.Stderr
description: The standard error of the command.
type: string
- contextPath: CrowdStrike.Command.BaseCommand
description: The base command.
type: string
- contextPath: CrowdStrike.Command.TaskID
description: The ID of the command that was running on the host.
type: string
- contextPath: CrowdStrike.Command.GetRequestID
description: The ID of the command request that was accepted.
type: string
- contextPath: CrowdStrike.Command.Complete
description: True if the command completed.
type: boolean
- contextPath: CrowdStrike.Command.FilePath
description: The file path.
type: string
- arguments:
- description: The list of IDs of the command requested.
isArray: true
name: request_ids
required: true
- description: 'The time at which the request times out, as an ISO 8601 timestamp (use timeout_duration for a relative duration instead). For example: 2019-10-17T13:41:48.487520845Z.'
name: timeout
- description: 'The amount of time to wait for the request before it times out. In duration syntax. For example, 10s. Valid units are: ns, us, ms, s, m, h. Maximum value is 10 minutes.'
name: timeout_duration
description: Retrieves the status of the specified batch 'get' command.
name: cs-falcon-status-get-command
outputs:
- contextPath: CrowdStrike.File.ID
description: The ID of the file.
type: string
- contextPath: CrowdStrike.File.TaskID
description: The ID of the command that is running.
type: string
- contextPath: CrowdStrike.File.CreatedAt
description: The date the file was created.
type: date
- contextPath: CrowdStrike.File.DeletedAt
description: The date the file was deleted.
type: date
- contextPath: CrowdStrike.File.UpdatedAt
description: The date the file was last updated.
type: date
- contextPath: CrowdStrike.File.Name
description: The full name of the file.
type: string
- contextPath: CrowdStrike.File.SHA256
description: The SHA256 hash of the file.
type: string
- contextPath: CrowdStrike.File.Size
description: The size of the file in bytes.
type: number
- contextPath: File.Name
description: The full name of the file.
type: string
- contextPath: File.Size
description: The size of the file in bytes.
type: number
- contextPath: File.SHA256
description: The SHA256 hash of the file.
type: string
- arguments:
- description: The ID of the command requested.
name: request_id
required: true
- description: The sequence ID in chunk requests.
name: sequence_id
- auto: PREDEFINED
defaultValue: read
description: 'The scope the command was executed with; it should match the scope used to run the command. Possible values are: "read", "write", or "admin".'
name: scope
predefined:
- read
- write
- admin
description: Gets the status of a command executed on a host.
name: cs-falcon-status-command
outputs:
- contextPath: CrowdStrike.Command.TaskID
description: The ID of the command request that was accepted.
type: string
- contextPath: CrowdStrike.Command.Stdout
description: The standard output of the command.
type: string
- contextPath: CrowdStrike.Command.Stderr
description: The standard error of the command.
type: string
- contextPath: CrowdStrike.Command.BaseCommand
description: The base command.
type: string
- contextPath: CrowdStrike.Command.Complete
description: True if the command completed.
type: boolean
- contextPath: CrowdStrike.Command.SequenceID
description: The sequence ID in the current request.
type: number
- contextPath: CrowdStrike.Command.NextSequenceID
description: The sequence ID for the next request in the chunk request.
type: number
- arguments:
- description: The agent ID of the host the file was extracted from.
name: host_id
required: true
- description: The SHA256 hash of the file.
name: sha256
required: true
- description: The filename to use for the archive name and the file within the archive.
name: filename
description: Gets the RTR extracted file contents for the specified host and SHA256 hash. Treat the returned file as untrusted data collected from the endpoint.
name: cs-falcon-get-extracted-file
- arguments:
- description: The ID of the host agent whose RTR session files to list.
name: host_id
required: true
- description: The ID of the existing session with the agent.
name: session_id
description: Gets a list of files for the specified RTR session on a host.
name: cs-falcon-list-host-files
outputs:
- contextPath: CrowdStrike.Command.HostID
description: The ID of the host the command was running for.
type: string
- contextPath: CrowdStrike.Command.TaskID
description: The ID of the command request that was accepted.
type: string
- contextPath: CrowdStrike.Command.SessionID
description: The ID of the session of the host.
type: string
- contextPath: CrowdStrike.File.ID
description: The ID of the file.
type: string
- contextPath: CrowdStrike.File.CreatedAt
description: The date the file was created.
type: date
- contextPath: CrowdStrike.File.DeletedAt
description: The date the file was deleted.
type: date
- contextPath: CrowdStrike.File.UpdatedAt
description: The date the file was last updated.
type: date
- contextPath: CrowdStrike.File.Name
description: The full name of the file.
type: string
- contextPath: CrowdStrike.File.SHA256
description: The SHA256 hash of the file.
type: string
- contextPath: CrowdStrike.File.Size
description: The size of the file in bytes.
type: number
- contextPath: File.Name
description: The full name of the file.
type: string
- contextPath: File.Size
description: The size of the file in bytes.
type: number
- contextPath: File.SHA256
description: The SHA256 hash of the file.
type: string
- arguments:
- description: The ID of the host to extend the session for.
name: host_id
required: true
description: Refreshes the RTR session timeout on a single host so the session stays open.
name: cs-falcon-refresh-session
- arguments:
- description: 'A comma-separated list of indicator types. Valid types are: "sha256", "sha1", "md5", "domain", "ipv4", "ipv6".'
isArray: true
name: types
- description: A comma-separated list of indicator values.
isArray: true
name: values
- description: A comma-separated list of indicator policies.
isArray: true
name: policies
- description: The share level of the indicator. Only the "red" share level is supported, meaning the IOC is not shared with other CrowdStrike Falcon Host customers.
isArray: true
name: share_levels
- description: A comma-separated list of IOC sources.
isArray: true
name: sources
- description: Start of the expiration-date range to search (YYYY-MM-DD format).
name: from_expiration_date
- description: End of the expiration-date range to search (YYYY-MM-DD format).
name: to_expiration_date
- description: The maximum number of records to return. The minimum is 1 and the maximum is 500. Default is 100.
name: limit
- auto: PREDEFINED
description: 'The order the results are returned in. Possible values are: "type.asc", "type.desc", "value.asc", "value.desc", "policy.asc", "policy.desc", "share_level.asc", "share_level.desc", "expiration_timestamp.asc", and "expiration_timestamp.desc".'
name: sort
predefined:
- type.asc
- type.desc
- value.asc
- value.desc
- policy.asc
- policy.desc
- share_level.asc
- share_level.desc
- expiration_timestamp.asc
- expiration_timestamp.desc
- description: The offset from which to begin returning records. For example, an offset of 10 starts the list at the 10th record.
name: offset
deprecated: true
description: Deprecated. Use the cs-falcon-search-custom-iocs command instead.
name: cs-falcon-search-iocs
outputs:
- contextPath: CrowdStrike.IOC.Type
description: The type of the IOC.
type: string
- contextPath: CrowdStrike.IOC.Value
description: The string representation of the indicator.
type: string
- contextPath: CrowdStrike.IOC.ID
description: The full ID of the indicator (type:value).
type: string
- contextPath: CrowdStrike.IOC.Policy
description: The policy of the indicator.
type: string
- contextPath: CrowdStrike.IOC.Source
description: The source of the IOC.
type: string
- contextPath: CrowdStrike.IOC.ShareLevel
description: The level at which the indicator will be shared.
type: string
- contextPath: CrowdStrike.IOC.Expiration
description: The datetime the indicator will expire.
type: string
- contextPath: CrowdStrike.IOC.Description
description: The description of the IOC.
type: string
- contextPath: CrowdStrike.IOC.CreatedTime
description: The datetime the IOC was created.
type: string
- contextPath: CrowdStrike.IOC.CreatedBy
description: The identity of the user/process who created the IOC.
type: string
- contextPath: CrowdStrike.IOC.ModifiedTime
description: The datetime the indicator was last modified.
type: string
- contextPath: CrowdStrike.IOC.ModifiedBy
description: The identity of the user/process who last updated the IOC.
type: string
- arguments:
- auto: PREDEFINED
description: 'The IOC type to retrieve. Possible values are: "sha256", "sha1", "md5", "domain", "ipv4", and "ipv6".'
name: type
predefined:
- sha256
- sha1