CrowdStrike Integration Kit

JSON Pointer syntax reference

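JavaScript Object Notation (JSON) Pointer defines a syntax for identifying a specific value within a JSON payload. Using the sample payload and JSON Pointer examples below, identify the attributes that you want to use to populate your attribute contract. Each pointer is a sequence of reference tokens separated by `/`, and array elements are referenced by zero-based index, so `/resources/0` is the first incident in the response.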

For a complete technical description of JSON Pointer syntax, see RFC 6901, JavaScript Object Notation (JSON) Pointer, on ietf.org.

Example CrowdStrike Incident service API response JSON payload

{
   "meta": {
      "query_time": 0.004738113,
       "powered_by": "incident-api",
       "trace_id": "b495ee9e-43e6-48bd-b0ac-19178ae304b1"
   },
   "resources": [
      {
         "incident_id": "inc:8389af03dfa04bac876ce5baf4a2dbbc:3d37a9f8c19b49b18bda301114c0861f",
         "incident_type": 1,
         "cid": "d1438ce1781d470aa639bb3374848448",
         "host_ids": [
             "8389af03dfa04bac876ce5baf4a2dbbc"
         ],
         "hosts": [
            {
               "device_id": "8389af03dfa04bac876ce5baf4a2dbbc",
               "cid": "d1438ce1781d470aa639bb3374848448",
               "agent_load_flags": "0",
               "agent_local_time": "2023-12-22T23:41:46.652Z",
               "agent_version": "6.42.15610.0",
               "bios_manufacturer": "Amazon EC2",
               "bios_version": "1.0",
               "config_id_base": "65994763",
               "config_id_build": "15610",
               "config_id_platform": "3",
               "external_ip": "34.219.249.45",
               "hostname": "EC2AMAZ-8FF6F2B",
               "first_seen": "2023-12-22T23:31:18Z",
               "last_login_timestamp": "2023-12-22T23:33:58Z",
               "last_login_user": "Administrator",
               "last_seen": "2024-01-17T22:19:59Z",
               "local_ip": "10.101.24.96",
               "mac_address": "06-66-9c-b8-bf-89",
               "machine_domain": "pfikteam.ping-eng.com",
               "major_version": "10",
               "minor_version": "0",
               "os_version": "Windows Server 2019",
               "ou": [
                   "Domain Controllers"
               ],
               "platform_id": "0",
               "platform_name": "Windows",
               "product_type": "2",
               "product_type_desc": "Domain Controller",
               "site_name": "Default-First-Site-Name",
               "status": "normal",
               "system_manufacturer": "Amazon EC2",
               "system_product_name": "t3.xlarge",
               "modified_timestamp": "2024-01-17T22:21:46Z",
               "instance_id": "i-00b24ead0c2e2bf27",
               "service_provider": "AWS_EC2_V2",
               "service_provider_account_id": "728729496554"
            }
         ],
         "created": "2024-01-17T22:38:30Z",
         "start": "2024-01-17T22:38:30Z",
         "end": "2024-01-17T22:39:04Z",
         "state": "open",
         "email_state": "START",
         "status": 20,
         "tactics": [
            "Falcon Overwatch"
         ],
         "techniques": [
         "Malicious Activity"
         ],
         "objectives": [
         "Falcon Detection Method"
         ],
         "modified_timestamp": "2024-01-17T22:39:09Z",
         "fine_score": 13
      }
   ],
   "errors": []
}

JSON Pointer syntax

Description JSON Pointer Example value

Score of first incident detected

/resources/0/fine_score

13

Host name of the first host in the first incident

/resources/0/hosts/0/hostname

EC2AMAZ-8FF6F2B

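To populate an attribute with the entire JSON response, leave the CrowdStrike Service API Response Mappings field blank. The attribute then carries every field in the response, including host details such as IP addresses, MAC address, last login user, and cloud account ID, as shown in the sample payload. When only specific values are needed, map them individually with JSON Pointer.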