CrowdStrike protects the people, processes and technologies that drive modern enterprise. A single agent solution to stop breaches, ransomware, and cyber attacks—powered by world-class security expertise and deep industry experience.

You can use the CrowdStrike connector to:

  • Check whether an IP address is associated with a managed device in CrowdStrike
  • Get a list of CrowdStrike devices associated with a username or IP address
  • Get a list of CrowdStrike incidents associated with a username or IP address
  • Get the CrowdStrike scores from multiple incidents
  • Get the CrowdStrike Zero Trust Assessment scores for a managed device
  • Get the CrowdScore from a single environment
  • Quarantine a managed device
  • Lift the quarantine on a managed device

Setup

Resources

For information and setup help, see the following documentation:

Requirements

To use the connector, you'll need:

  • A CrowdStrike license

Setting up CrowdStrike

Follow the steps in Creating an API client.

  • Select the following API scopes:

    Scope                   Permissions
    ----------------------  -----------
    Hosts                   Read, Write
    Falcon Discover         Read
    Incidents               Read
    Zero Trust Assessment   Read

  • Record your client ID and secret. You'll use them in the connector configuration.

Setting up the CrowdStrike connector configuration

In DaVinci, add a CrowdStrike connection. For help, see Adding a connection.

Connector configuration

CrowdStrike Base URL
The base URL for your CrowdStrike environment.
Client ID
The client ID you created in Setting up CrowdStrike.
Client Secret
The client secret you created in Setting up CrowdStrike.

Using the connector in a flow

Getting device details

The Get Device Details capability allows you to get detailed information about one or more devices.

In the Device IDs field, you can click {} and select the deviceIds variable from a Get Devices from Logins node.

Quarantining devices

You can quarantine a device by applying CrowdStrike Network Containment on the device ID with the Set Containment on Devices capability.

When you determine a device is safe, you can remove the quarantine with the Lift Containment on Devices capability.

In the Device IDs field, you can click {} and select the deviceIds variable from a Get Devices from Logins node.

Getting incident scores

The Get Incident Scores capability lets you get scores for one or more CrowdStrike incidents.

In the Incident IDs field, you can click {} and select the incidentIds variable from a Get Incidents from Logins node.
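The flow described in this section, modelled as an added example (not Ping Identity or CrowdStrike code): node outputs are shaped like the Output Schema fields on this page, the array-to-string handoff into the "JSON Array formatted" Device IDs field is the one the text describes, and the sample IDs and the score threshold are constructed assumptions.

```python
"""Model of the DaVinci flow: Get Devices from Logins and Get Incidents from
Logins feed Get Incident Scores, which decides whether to branch to Set
Containment on Devices. Added example; sample values are constructed."""
import json

# Constructed sample outputs, shaped like each capability's Output Schema.
GET_DEVICES_FROM_LOGINS = {"statusCode": 200,
                           "deviceIds": ["aid-0001", "aid-0002"]}
GET_INCIDENTS_FROM_LOGINS = {"statusCode": 200, "loginsWithIncidents": True,
                             "incidentIds": ["inc:aid-0001:1", "inc:aid-0001:2"]}
GET_INCIDENT_SCORES = {"statusCode": 200, "maxIncidentScore": 85,
                       "incidents": []}

CONTAIN_SCORE_THRESHOLD = 70   # assumed policy value, not from the page


def to_json_array_field(ids):
    """Serialize an array output (e.g. deviceIds) into the 'JSON Array
    formatted' string that the Device IDs / Incident IDs text fields take."""
    if not all(isinstance(i, str) and i for i in ids):
        raise ValueError("IDs must be non-empty strings")
    return json.dumps(list(ids))


def parse_json_array_field(value):
    """Validate a Device IDs / Incident IDs field value before it reaches a
    containment node: it must be a JSON array of non-empty strings."""
    try:
        parsed = json.loads(value)
    except json.JSONDecodeError as exc:
        raise ValueError(f"field is not valid JSON: {exc}") from exc
    if not isinstance(parsed, list) or \
            not all(isinstance(i, str) and i for i in parsed):
        raise ValueError("field must be a JSON array of non-empty strings")
    return parsed


def containment_decision(devices_out, incidents_out, scores_out,
                         threshold=CONTAIN_SCORE_THRESHOLD):
    """Pick the next flow branch. Returns (branch, Device IDs field value)."""
    for out in (devices_out, incidents_out, scores_out):
        if out.get("statusCode") != 200:
            return ("Stop: upstream node failed", None)
    if not devices_out["deviceIds"]:
        return ("Stop: no managed device for this login", None)
    if not incidents_out["loginsWithIncidents"]:
        return ("Continue: no incidents", None)
    if scores_out["maxIncidentScore"] >= threshold:
        return ("Set Containment on Devices",
                to_json_array_field(devices_out["deviceIds"]))
    return ("Continue: incidents below threshold", None)
```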

Capabilities

Check Device Management Status

Use an IP address to check whether a device is managed by CrowdStrike.


Properties
IP textField

The user's IP address

Username textField

The username associated with the device.

Last Seen Number of Days textField

The number of days to search back in time for a managed device.

Default: 365
Input Schema
default object
ip string required

The IP address of the device

username string

The username associated with the device

lastSeenDays number required

The number of days to search back in time for a managed device

Output Schema
output object
rawResponse object
statusCode number
deviceManaged boolean
foundLoginMatch boolean
Get Devices from Logins

Get a list of device IDs from CrowdStrike Logins that match a username, email address, or IP address.


Properties
Username textField

The username associated with the device.

Email textField

The email of the user associated with the device.

IP textField

The user's IP address

Search Back Number of Days textField

The number of days to search back in time for a login

Default: 365
Input Schema
default object
username string

The username associated with the device

email string

The email of the user associated with the device

ip string

The user's IP address

searchLoginDays number required

The number of days to search back in time for a login

Output Schema
output object
rawResponse object
statusCode number
deviceIds array
Get Device Details

Get device details from a list of devices.


Properties
Device IDs textField required

List of Device IDs (JSON Array formatted)

Input Schema
default object
deviceIds string required

List of Device IDs (JSON Array formatted)

Output Schema
output object
rawResponse object
statusCode number
devices array
Get Incidents by IP

Use an IP address to get a list of incidents associated with the device.


Properties
IP textField

The user's IP address

Last Seen Number of Days textField

The number of days to search back in time for a managed device.

Default: 365
Input Schema
default object
ip string required

The IP address of the device

lastSeenDays number required

The number of days to search back in time for a managed device

Output Schema
output object
rawResponse object
statusCode number
incidentsOnDevice boolean
incidentIds array
Get Incidents from Logins

Get a list of incidents from CrowdStrike Logins that match a username, email address, or IP address.


Properties
Username textField

The username associated with the device.

Email textField

The email of the user associated with the device.

IP textField

The user's IP address

Search Back Number of Days textField

The number of days to search back in time for a login

Default: 365
Input Schema
default object
username string

The username associated with the device

email string

The email of the user associated with the device

ip string

The user's IP address

searchLoginDays string required

The number of days to search back in time for a login

Output Schema
output object
rawResponse object
statusCode number
loginsWithIncidents boolean
incidentIds array
Get Incident Scores

Get the maximum incident score from a list of incident IDs.


Properties
Incident IDs textField

List of Incident IDs (JSON Array formatted)

Input Schema
default object
incidentIds string required

List of Incident IDs

Output Schema
output object
rawResponse object
statusCode number
maxIncidentScore number
incidents array
Get Zero Trust Assessment Scores from Devices

Use a list of device IDs to get the most recent Zero Trust Assessment scores.


Properties
Device IDs textField required

List of Device IDs (JSON Array formatted)

Input Schema
default object
deviceIds string required

List of Device IDs

Output Schema
output object
rawResponse object
statusCode number
maxOverallScore number

Maximum Overall Score from Devices

maxOSScore number

Maximum Operating System Score from Devices

Get Environment CrowdScore

Get the most recent CrowdScore for the CrowdStrike environment.


Output Schema
output object
rawResponse object
statusCode number
score number
adjustedScore number
Set Containment on Devices

Apply CrowdStrike Network Containment on the Device IDs.


Properties
Device IDs textField required

List of Device IDs (JSON Array formatted)

Input Schema
default object
deviceIds string required

List of Device IDs

Output Schema
output object
rawResponse object
statusCode number
Lift Containment on Devices

Remove CrowdStrike Network Containment on the Device IDs.


Properties
Device IDs textField required

List of Device IDs (JSON Array formatted)

Input Schema
default object
deviceIds string required

List of Device IDs

Output Schema
output object
rawResponse object
statusCode number