CrowdStrike Compliance Integration Guide

Overview

The CrowdStrike Compliance integration allows your NINA workflows to connect with CrowdStrike Falcon platform for compliance monitoring, file integrity, and audit capabilities. This integration enables automated security operations, threat detection, and incident response directly from your automation platform.

Capabilities

This integration provides access to 2 resources with 47 operations covering:

Filevantage: Operations for Filevantage
Ods: Operations for Ods

Credential Configuration

Before using the CrowdStrike Compliance integration in your workflows, you need to configure credentials for authentication.

Authentication Method

CrowdStrike Falcon uses OAuth2 Client Credentials authentication. This is a server-to-server authentication flow where you provide a Client ID and Client Secret, and the integration automatically handles token acquisition and refresh.

Field	Description	Required
Client ID	Your CrowdStrike API Client ID	Yes
Client Secret	Your CrowdStrike API Client Secret	Yes
Base URL	CrowdStrike API endpoint for your cloud region	Yes

How It Works

You provide the Client ID and Client Secret when creating a credential
The integration exchanges these for an OAuth2 access token automatically
Tokens are refreshed automatically when they expire
No redirect URLs or user interaction required

CrowdStrike Cloud Regions

Select the Base URL that matches your CrowdStrike Falcon cloud region:

Cloud Region	Base URL	Description
US-1	`https://api.crowdstrike.com`	United States (default)
US-2	`https://api.us-2.crowdstrike.com`	United States (secondary)
EU-1	`https://api.eu-1.crowdstrike.com`	European Union
US-GOV-1	`https://api.laggar.gcw.crowdstrike.com`	US Government Cloud

How to Obtain API Credentials

Log in to the CrowdStrike Falcon Console
Navigate to Support and resources > API Clients and Keys
Click Add new API client
Configure the API client:
- Client Name: A descriptive name (e.g., "NINA Integration")
- Description: Purpose of this API client
- API Scopes: Select the permissions required for your use case (see Required Scopes below)
Click Add to create the client
Copy and securely store the Client ID and Client Secret immediately

Important: The Client Secret is only displayed once at creation time. If you lose it, you must create a new API client.

Required API Scopes

The API scopes required depend on which operations you plan to use. Common scopes include:

Scope	Permission	Use Case
Detections	Read/Write	View and manage detections
Hosts	Read/Write	Query and manage endpoints
Incidents	Read/Write	View and manage incidents
IOCs	Read/Write	Manage indicators of compromise
Prevention Policies	Read/Write	Manage prevention policies
Real Time Response	Read/Write	Execute RTR commands
Sensor Update Policies	Read/Write	Manage sensor updates

Refer to the CrowdStrike API documentation for a complete list of available scopes.

Creating a CrowdStrike Credential in NINA

Navigate to the Credentials section in NINA
Click Add New Credential
Fill in the credential details:
- Integration Service: Select "CrowdStrike Compliance"
- Client ID: Paste your CrowdStrike API Client ID
- Client Secret: Paste your CrowdStrike API Client Secret
- Base URL: Select your CrowdStrike cloud region URL
Click Test Connection to verify the credentials work
Click Save to store the credential securely

Note: All CrowdStrike integrations (EDR, Intel, Platform, etc.) share the same credential. You only need to create one credential to use across all CrowdStrike modules.

Supported Resources

Resource	Description	Operations
Filevantage	Operations for Filevantage	31
Ods	Operations for Ods	16

Resource Details

Filevantage

Operations for Filevantage

Operations

Operation	Name	Description
`create_policies`	Create Policies	SDK: filevantage.CreatePolicies
`create_rule_groups`	Create Rule Groups	SDK: filevantage.CreateRuleGroups
`create_rules`	Create Rules	SDK: filevantage.CreateRules
`create_scheduled_exclusions`	Create Scheduled Exclusions	SDK: filevantage.CreateScheduledExclusions
`delete_policies`	Delete Policies	SDK: filevantage.DeletePolicies
`delete_rule_groups`	Delete Rule Groups	SDK: filevantage.DeleteRuleGroups
`delete_rules`	Delete Rules	SDK: filevantage.DeleteRules
`delete_scheduled_exclusions`	Delete Scheduled Exclusions	SDK: filevantage.DeleteScheduledExclusions
`get_actions_mixin0`	Get Actions Mixin0	SDK: filevantage.GetActionsMixin0
`get_changes`	Get Changes	SDK: filevantage.GetChanges
`get_contents`	Get Contents	SDK: filevantage.GetContents
`get_policies`	Get Policies	SDK: filevantage.GetPolicies
`get_rule_groups`	Get Rule Groups	SDK: filevantage.GetRuleGroups
`get_rules`	Get Rules	SDK: filevantage.GetRules
`get_scheduled_exclusions`	Get Scheduled Exclusions	SDK: filevantage.GetScheduledExclusions
`list_actions_mixin0`	List Actions Mixin0	SDK: filevantage.QueryActionsMixin0
`list_changes`	List Changes	SDK: filevantage.QueryChanges
`list_high_volume_changes`	List High Volume Changes	SDK: filevantage.HighVolumeQueryChanges
`list_policies`	List Policies	SDK: filevantage.QueryPolicies
`list_rule_groups`	List Rule Groups	SDK: filevantage.QueryRuleGroups
`list_scheduled_exclusions`	List Scheduled Exclusions	SDK: filevantage.QueryScheduledExclusions
`signal_changes_external`	Signal Changes External	SDK: filevantage.SignalChangesExternal
`start_actions`	Start Actions	SDK: filevantage.StartActions
`update_policies`	Update Policies	SDK: filevantage.UpdatePolicies
`update_policy_host_groups`	Update Policy Host Groups	SDK: filevantage.UpdatePolicyHostGroups
`update_policy_precedence`	Update Policy Precedence	SDK: filevantage.UpdatePolicyPrecedence
`update_policy_rule_groups`	Update Policy Rule Groups	SDK: filevantage.UpdatePolicyRuleGroups
`update_rule_group_precedence`	Update Rule Group Precedence	SDK: filevantage.UpdateRuleGroupPrecedence
`update_rule_groups`	Update Rule Groups	SDK: filevantage.UpdateRuleGroups
`update_rules`	Update Rules	SDK: filevantage.UpdateRules
`update_scheduled_exclusions`	Update Scheduled Exclusions	SDK: filevantage.UpdateScheduledExclusions

Create Policies

SDK: filevantage.CreatePolicies

Parameters:

Name	Type	Required	Description
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`platform`	string	No	platform. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "name": "<name>",
  "platform": "<platform>"
}

Create Rule Groups

SDK: filevantage.CreateRuleGroups

Parameters:

Name	Type	Required	Description
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`type`	string	Yes	type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "name": "<name>",
  "type": "<type>"
}

Create Rules

SDK: filevantage.CreateRules

Parameters:

Name	Type	Required	Description
`content_files`	array	Yes	content files. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`content_registry_values`	array	Yes	content registry values
`created_timestamp`	string	No	created timestamp. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`depth`	string	Yes	depth. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`enable_content_capture`	boolean	No	enable content capture
`enable_hash_capture`	boolean	No	enable hash capture. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/op...
`exclude`	string	No	exclude. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`exclude_processes`	string	No	exclude processes. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`exclude_users`	string	No	exclude users. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`include`	string	Yes	include. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`include_processes`	string	No	include processes. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`include_users`	string	No	include users. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`modified_timestamp`	string	No	modified timestamp. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/ope...
`path`	string	Yes	path. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`precedence`	number	No	precedence. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`rule_group_id`	string	Yes	rule group id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`severity`	string	Yes	severity. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`type`	string	Yes	type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`watch_attributes_directory_changes`	boolean	No	watch attributes directory changes
`watch_attributes_file_changes`	boolean	No	watch attributes file changes
`watch_create_directory_changes`	boolean	No	watch create directory changes
`watch_create_file_changes`	boolean	No	watch create file changes
`watch_create_key_changes`	boolean	No	watch create key changes
`watch_delete_directory_changes`	boolean	No	watch delete directory changes
`watch_delete_file_changes`	boolean	No	watch delete file changes
`watch_delete_key_changes`	boolean	No	watch delete key changes
`watch_delete_value_changes`	boolean	No	watch delete value changes
`watch_permissions_directory_changes`	boolean	No	watch permissions directory changes
`watch_permissions_file_changes`	boolean	No	watch permissions file changes
`watch_permissions_key_changes`	boolean	No	watch permissions key changes
`watch_rename_directory_changes`	boolean	No	watch rename directory changes
`watch_rename_file_changes`	boolean	No	watch rename file changes
`watch_rename_key_changes`	boolean	No	watch rename key changes
`watch_set_value_changes`	boolean	No	watch set value changes
`watch_write_file_changes`	boolean	No	watch write file changes

Example:

{
  "content_files": ["<content_files>"],
  "content_registry_values": ["<content_registry_values>"],
  "created_timestamp": "<created_timestamp>",
  "depth": "<depth>",
  "description": "<description>",
  "enable_content_capture": true,
  "enable_hash_capture": true,
  "exclude": "<exclude>",
  "exclude_processes": "<exclude_processes>",
  "exclude_users": "<exclude_users>",
  "id": "<id>",
  "include": "<include>",
  "include_processes": "<include_processes>",
  "include_users": "<include_users>",
  "modified_timestamp": "<modified_timestamp>",
  "path": "<path>",
  "precedence": 10,
  "rule_group_id": "<rule_group_id>",
  "severity": "<severity>",
  "type": "<type>",
  "watch_attributes_directory_changes": true,
  "watch_attributes_file_changes": true,
  "watch_create_directory_changes": true,
  "watch_create_file_changes": true,
  "watch_create_key_changes": true,
  "watch_delete_directory_changes": true,
  "watch_delete_file_changes": true,
  "watch_delete_key_changes": true,
  "watch_delete_value_changes": true,
  "watch_permissions_directory_changes": true,
  "watch_permissions_file_changes": true,
  "watch_permissions_key_changes": true,
  "watch_rename_directory_changes": true,
  "watch_rename_file_changes": true,
  "watch_rename_key_changes": true,
  "watch_set_value_changes": true,
  "watch_write_file_changes": true
}

Create Scheduled Exclusions

SDK: filevantage.CreateScheduledExclusions

Parameters:

Name	Type	Required	Description
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`policy_id`	string	No	policy id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`processes`	string	No	processes. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`repeated`	object	No	repeated. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`schedule_end`	string	No	schedule end. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`schedule_start`	string	No	schedule start. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`timezone`	string	Yes	timezone. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`users`	string	No	users. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "name": "<name>",
  "policy_id": "<policy_id>",
  "processes": "<processes>",
  "repeated": {},
  "schedule_end": "<schedule_end>",
  "schedule_start": "<schedule_start>",
  "timezone": "<timezone>",
  "users": "<users>"
}

Delete Policies

SDK: filevantage.DeletePolicies

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more (up to 500) policy ids in the form of `ids=ID1&ids=ID2`

Example:

{
  "ids": ["<ids>"]
}

Delete Rule Groups

SDK: filevantage.DeleteRuleGroups

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more (up to 500) rule group ids in the form of `ids=ID1&ids=ID2`

Example:

{
  "ids": ["<ids>"]
}

Delete Rules

SDK: filevantage.DeleteRules

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more (up to 500) rule ids in the form of `ids=ID1&ids=ID2`
`rule_group_id`	string	No	The id of the rule group from which the rules will be deleted.

Example:

{
  "ids": ["<ids>"],
  "rule_group_id": "<rule_group_id>"
}

Delete Scheduled Exclusions

SDK: filevantage.DeleteScheduledExclusions

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more (up to 500) scheduled exclusion ids in the form of `ids=ID1&ids=ID2`.
`policy_id`	string	No	ID of the policy to delete the scheduled exclusions from.

Example:

{
  "ids": ["<ids>"],
  "policy_id": "<policy_id>"
}

Get Actions Mixin0

SDK: filevantage.GetActionsMixin0

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more actions ids in the form of `ids=ID1&ids=ID2`

Example:

{
  "ids": ["<ids>"]
}

Get Changes

SDK: filevantage.GetChanges

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more change ids in the form of `ids=ID1&ids=ID2`. The maximum number of ids that can be re...

Example:

{
  "ids": ["<ids>"]
}

Get Contents

SDK: filevantage.GetContents

Parameters:

Name	Type	Required	Description
`accept_encoding`	string	No	Providing the value of `gzip` compresses the response, otherwise the content is returned uncompre...
`id`	string	No	ID of the change in the form of id=ID1

Example:

{
  "accept_encoding": "<accept_encoding>",
  "id": "<id>"
}

Get Policies

SDK: filevantage.GetPolicies

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more (up to 500) policy ids in the form of `ids=ID1&ids=ID2`

Example:

{
  "ids": ["<ids>"]
}

Get Rule Groups

SDK: filevantage.GetRuleGroups

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more (up to 500) rule group ids in the form of `ids=ID1&ids=ID2`

Example:

{
  "ids": ["<ids>"]
}

Get Rules

SDK: filevantage.GetRules

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more (up to 500) rule ids in the form of `ids=ID1&ids=ID2`.
`rule_group_id`	string	No	Rule group from which to retrieve the rule configuration.

Example:

{
  "ids": ["<ids>"],
  "rule_group_id": "<rule_group_id>"
}

Get Scheduled Exclusions

SDK: filevantage.GetScheduledExclusions

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more (up to 500) scheduled exclusion ids in the form of `ids=ID1&ids=ID2`.
`policy_id`	string	No	The id of the policy to retrieve the scheduled exclusion configurations.

Example:

{
  "ids": ["<ids>"],
  "policy_id": "<policy_id>"
}

List Actions Mixin0

SDK: filevantage.QueryActionsMixin0

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter changes using a query in Falcon Query Language (FQL). Common filter options include: - `st...
`limit`	number	No	The maximum number of actions to return in the response (default: 100; max: 500). Use with the `o...
`offset`	number	No	The first action index to return in the response. If not provided it will default to '0'. Use wit...
`sort`	string	No	The sort expression that should be used to sort the results (e.g. created_date

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Changes

SDK: filevantage.QueryChanges

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter changes using a query in Falcon Query Language (FQL). Common filter options include: - `ho...
`limit`	number	No	The maximum number of ids to return. Defaults to `100` if not specified. The maximum number of re...
`offset`	number	No	The offset to start retrieving records from. Defaults to `0` if not specified.
`sort`	string	No	Sort results using options like: - `action_timestamp` (timestamp of the change occurrence) Sort e...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List High Volume Changes

SDK: filevantage.HighVolumeQueryChanges

Parameters:

Name	Type	Required	Description
`after`	string	No	A pagination token used with the `limit` parameter to manage pagination of results. On your first...
`filter`	string	No	Filter changes using a query in Falcon Query Language (FQL). Common filter options include: - `ho...
`limit`	number	No	The maximum number of ids to return. Defaults to `100` if not specified. The maximum number of re...
`sort`	string	No	Sort results using options like: - `action_timestamp` (timestamp of the change occurrence) Sort e...

Example:

{
  "after": "<after>",
  "filter": "<filter>",
  "limit": 10,
  "sort": "<sort>"
}

List Policies

SDK: filevantage.QueryPolicies

Parameters:

Name	Type	Required	Description
`limit`	number	No	The maximum number of ids to return. Defaults to 100 if not specified. The maximum number of resu...
`offset`	number	No	The offset to start retrieving records from. Defaults to 0 if not specified.
`sort`	string	No	Sort the returned ids based on one of the following properties: `precedence`, `created_timestamp`...
`type`	string	No	The types of policies to retrieve. Allowed values are: `Windows`, `Linux` or `Mac`.

Example:

{
  "limit": 10,
  "offset": 10,
  "sort": "<sort>",
  "type": "<type>"
}

List Rule Groups

SDK: filevantage.QueryRuleGroups

Parameters:

Name	Type	Required	Description
`limit`	number	No	The maximum number of ids to return. Defaults to 100 if not specified. The maximum number of resu...
`offset`	number	No	The offset to start retrieving records from. Defaults to 0 if not specified.
`sort`	string	No	Sort the returned ids based on one of the following properties: `created_timestamp` or `modified_...
`type`	string	No	The rule group type to retrieve the ids of. Allowed values are: `WindowsFiles`, `WindowsRegistry`...

Example:

{
  "limit": 10,
  "offset": 10,
  "sort": "<sort>",
  "type": "<type>"
}

List Scheduled Exclusions

SDK: filevantage.QueryScheduledExclusions

Parameters:

Name	Type	Required	Description
`policy_id`	string	No	The id of the policy from which to retrieve the scheduled exclusion ids.

Example:

{
  "policy_id": "<policy_id>"
}

Signal Changes External

SDK: filevantage.SignalChangesExternal

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Start Actions

SDK: filevantage.StartActions

Parameters:

Name	Type	Required	Description
`change_ids`	array	Yes	change ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`comment`	string	No	comment. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`operation`	string	Yes	operation. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "change_ids": ["<change_ids>"],
  "comment": "<comment>",
  "operation": "<operation>"
}

Update Policies

SDK: filevantage.UpdatePolicies

Parameters:

Name	Type	Required	Description
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`enabled`	boolean	No	enabled. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`name`	string	No	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "enabled": true,
  "id": "<id>",
  "name": "<name>"
}

Update Policy Host Groups

SDK: filevantage.UpdatePolicyHostGroups

Parameters:

Name	Type	Required	Description
`action`	string	No	The action to perform with the provided ids, must be one of: `assign` or `unassign`.
`ids`	array	No	One or more host group ids in the form of `ids=ID1&ids=ID2`
`policy_id`	string	No	The id of the policy for which to perform the action.

Example:

{
  "action": "<action>",
  "ids": ["<ids>"],
  "policy_id": "<policy_id>"
}

Update Policy Precedence

SDK: filevantage.UpdatePolicyPrecedence

Parameters:

Name	Type	Required	Description
`ids`	array	No	Precedence of the policies for the provided type in the form of `ids=ID1&ids=ID2`
`type`	string	No	The policy type for which to set the precedence order, must be one of `Windows`, `Linux` or `Mac`.

Example:

{
  "ids": ["<ids>"],
  "type": "<type>"
}

Update Policy Rule Groups

SDK: filevantage.UpdatePolicyRuleGroups

Parameters:

Name	Type	Required	Description
`action`	string	No	The action to perform with the provided ids, must be one of: `assign`, `unassign`, or `precedence`.
`ids`	array	No	One or more rule group ids in the form of ids=ID1&ids=ID2. Note, for the precedence action, prece...
`policy_id`	string	No	The id of the policy for which to perform the action.

Example:

{
  "action": "<action>",
  "ids": ["<ids>"],
  "policy_id": "<policy_id>"
}

Update Rule Group Precedence

SDK: filevantage.UpdateRuleGroupPrecedence

Parameters:

Name	Type	Required	Description
`ids`	array	No	One or more (up to 500) rule group ids in the form of `ids=ID1&ids=ID2`.
`rule_group_id`	string	No	Rule group from which to set the precedence.

Example:

{
  "ids": ["<ids>"],
  "rule_group_id": "<rule_group_id>"
}

Update Rule Groups

SDK: filevantage.UpdateRuleGroups

Parameters:

Name	Type	Required	Description
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "id": "<id>",
  "name": "<name>"
}

Update Rules

SDK: filevantage.UpdateRules

Parameters:

Name	Type	Required	Description
`content_files`	array	Yes	content files. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`content_registry_values`	array	Yes	content registry values
`created_timestamp`	string	No	created timestamp. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`depth`	string	Yes	depth. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`enable_content_capture`	boolean	No	enable content capture
`enable_hash_capture`	boolean	No	enable hash capture. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/op...
`exclude`	string	No	exclude. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`exclude_processes`	string	No	exclude processes. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`exclude_users`	string	No	exclude users. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`include`	string	Yes	include. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`include_processes`	string	No	include processes. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...
`include_users`	string	No	include users. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`modified_timestamp`	string	No	modified timestamp. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/ope...
`path`	string	Yes	path. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`precedence`	number	No	precedence. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`rule_group_id`	string	Yes	rule group id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`severity`	string	Yes	severity. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`type`	string	Yes	type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`watch_attributes_directory_changes`	boolean	No	watch attributes directory changes
`watch_attributes_file_changes`	boolean	No	watch attributes file changes
`watch_create_directory_changes`	boolean	No	watch create directory changes
`watch_create_file_changes`	boolean	No	watch create file changes
`watch_create_key_changes`	boolean	No	watch create key changes
`watch_delete_directory_changes`	boolean	No	watch delete directory changes
`watch_delete_file_changes`	boolean	No	watch delete file changes
`watch_delete_key_changes`	boolean	No	watch delete key changes
`watch_delete_value_changes`	boolean	No	watch delete value changes
`watch_permissions_directory_changes`	boolean	No	watch permissions directory changes
`watch_permissions_file_changes`	boolean	No	watch permissions file changes
`watch_permissions_key_changes`	boolean	No	watch permissions key changes
`watch_rename_directory_changes`	boolean	No	watch rename directory changes
`watch_rename_file_changes`	boolean	No	watch rename file changes
`watch_rename_key_changes`	boolean	No	watch rename key changes
`watch_set_value_changes`	boolean	No	watch set value changes
`watch_write_file_changes`	boolean	No	watch write file changes

Example:

{
  "content_files": ["<content_files>"],
  "content_registry_values": ["<content_registry_values>"],
  "created_timestamp": "<created_timestamp>",
  "depth": "<depth>",
  "description": "<description>",
  "enable_content_capture": true,
  "enable_hash_capture": true,
  "exclude": "<exclude>",
  "exclude_processes": "<exclude_processes>",
  "exclude_users": "<exclude_users>",
  "id": "<id>",
  "include": "<include>",
  "include_processes": "<include_processes>",
  "include_users": "<include_users>",
  "modified_timestamp": "<modified_timestamp>",
  "path": "<path>",
  "precedence": 10,
  "rule_group_id": "<rule_group_id>",
  "severity": "<severity>",
  "type": "<type>",
  "watch_attributes_directory_changes": true,
  "watch_attributes_file_changes": true,
  "watch_create_directory_changes": true,
  "watch_create_file_changes": true,
  "watch_create_key_changes": true,
  "watch_delete_directory_changes": true,
  "watch_delete_file_changes": true,
  "watch_delete_key_changes": true,
  "watch_delete_value_changes": true,
  "watch_permissions_directory_changes": true,
  "watch_permissions_file_changes": true,
  "watch_permissions_key_changes": true,
  "watch_rename_directory_changes": true,
  "watch_rename_file_changes": true,
  "watch_rename_key_changes": true,
  "watch_set_value_changes": true,
  "watch_write_file_changes": true
}

Update Scheduled Exclusions

SDK: filevantage.UpdateScheduledExclusions

Parameters:

Name	Type	Required	Description
`description`	string	No	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`policy_id`	string	No	policy id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`processes`	string	No	processes. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`repeated`	object	No	repeated. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`schedule_end`	string	No	schedule end. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`schedule_start`	string	No	schedule start. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`timezone`	string	Yes	timezone. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`users`	string	No	users. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "description": "<description>",
  "id": "<id>",
  "name": "<name>",
  "policy_id": "<policy_id>",
  "processes": "<processes>",
  "repeated": {},
  "schedule_end": "<schedule_end>",
  "schedule_start": "<schedule_start>",
  "timezone": "<timezone>",
  "users": "<users>"
}

Ods

Operations for Ods

Operations

Operation	Name	Description
`aggregate_scans`	Aggregate Scans	SDK: ods.AggregateScans
`aggregate_scheduled_scans`	Aggregate Scheduled Scans	SDK: ods.AggregateScheduledScans
`cancel_scans`	Cancel Scans	SDK: ods.CancelScans
`create_scan`	Create Scan	SDK: ods.CreateScan
`delete_scheduled_scans`	Delete Scheduled Scans	SDK: ods.DeleteScheduledScans
`get_malicious_files_by_ids`	Get Malicious Files By Ids	SDK: ods.GetMaliciousFilesByIds
`get_scan_host_metadata_by_ids`	Get Scan Host Metadata By Ids	SDK: ods.GetScanHostMetadataByIds
`get_scans_by_scan_ids`	Get Scans By Scan Ids	SDK: ods.GetScansByScanIds
`get_scans_by_scan_ids_v2`	Get Scans By Scan Ids V2	SDK: ods.GetScansByScanIdsV2
`get_scheduled_scans_by_scan_ids`	Get Scheduled Scans By Scan Ids	SDK: ods.GetScheduledScansByScanIds
`list_aggregate_scan_host_metadata`	List Aggregate Scan Host Metadata	SDK: ods.AggregateQueryScanHostMetadata
`list_malicious_files`	List Malicious Files	SDK: ods.QueryMaliciousFiles
`list_scan_host_metadata`	List Scan Host Metadata	SDK: ods.QueryScanHostMetadata
`list_scans`	List Scans	SDK: ods.QueryScans
`list_scheduled_scans`	List Scheduled Scans	SDK: ods.QueryScheduledScans
`schedule_scan`	Schedule Scan	SDK: ods.ScheduleScan

Aggregate Scans

SDK: ods.AggregateScans

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Scheduled Scans

SDK: ods.AggregateScheduledScans

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Cancel Scans

SDK: ods.CancelScans

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Create Scan

SDK: ods.CreateScan

Parameters:

Name	Type	Required	Description
`cloud_ml_level_detection`	number	Yes	cloud ml level detection
`cloud_ml_level_prevention`	number	Yes	cloud ml level prevention
`cloud_pup_adware_level_detection`	number	Yes	cloud pup adware level detection
`cloud_pup_adware_level_prevention`	number	Yes	cloud pup adware level prevention
`cpu_priority`	number	Yes	cpu priority. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`endpoint_notification`	boolean	Yes	endpoint notification
`file_paths`	array	Yes	file paths. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`host_groups`	array	Yes	host groups. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`hosts`	array	Yes	hosts. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`initiated_from`	string	Yes	initiated from. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`max_duration`	number	Yes	max duration. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`pause_duration`	number	Yes	pause duration. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`quarantine`	boolean	Yes	quarantine. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`scan_exclusions`	array	Yes	scan exclusions. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`scan_inclusions`	array	Yes	scan inclusions. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`sensor_ml_level_detection`	number	Yes	sensor ml level detection
`sensor_ml_level_prevention`	number	Yes	sensor ml level prevention

Example:

{
  "cloud_ml_level_detection": 10,
  "cloud_ml_level_prevention": 10,
  "cloud_pup_adware_level_detection": 10,
  "cloud_pup_adware_level_prevention": 10,
  "cpu_priority": 10,
  "description": "<description>",
  "endpoint_notification": true,
  "file_paths": ["<file_paths>"],
  "host_groups": ["<host_groups>"],
  "hosts": ["<hosts>"],
  "initiated_from": "<initiated_from>",
  "max_duration": 10,
  "pause_duration": 10,
  "quarantine": true,
  "scan_exclusions": ["<scan_exclusions>"],
  "scan_inclusions": ["<scan_inclusions>"],
  "sensor_ml_level_detection": 10,
  "sensor_ml_level_prevention": 10
}

Delete Scheduled Scans

SDK: ods.DeleteScheduledScans

Parameters:

Name	Type	Required	Description
`filter`	string	No	A FQL compatible query string.
`ids`	array	No	The scan IDs to retrieve the scan entities

Example:

{
  "filter": "<filter>",
  "ids": ["<ids>"]
}

Get Malicious Files By Ids

SDK: ods.GetMaliciousFilesByIds

Parameters:

Name	Type	Required	Description
`ids`	array	No	The scan IDs to retrieve the scan entities

Example:

{
  "ids": ["<ids>"]
}

Get Scan Host Metadata By Ids

SDK: ods.GetScanHostMetadataByIds

Parameters:

Name	Type	Required	Description
`ids`	array	No	The scan IDs to retrieve the scan entities

Example:

{
  "ids": ["<ids>"]
}

Get Scans By Scan Ids

SDK: ods.GetScansByScanIds

Parameters:

Name	Type	Required	Description
`ids`	array	No	The scan IDs to retrieve the scan entities

Example:

{
  "ids": ["<ids>"]
}

Get Scans By Scan Ids V2

SDK: ods.GetScansByScanIdsV2

Parameters:

Name	Type	Required	Description
`ids`	array	No	The scan IDs to retrieve the scan entities

Example:

{
  "ids": ["<ids>"]
}

Get Scheduled Scans By Scan Ids

SDK: ods.GetScheduledScansByScanIds

Parameters:

Name	Type	Required	Description
`ids`	array	No	The scan IDs to retrieve the scan entities

Example:

{
  "ids": ["<ids>"]
}

List Aggregate Scan Host Metadata

SDK: ods.AggregateQueryScanHostMetadata

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

List Malicious Files

SDK: ods.QueryMaliciousFiles

Parameters:

Name	Type	Required	Description
`filter`	string	No	A FQL compatible query string. Terms: [id scan_id host_id host_scan_id filepath filename hash pat...
`limit`	number	No	The max number of resources to return Default: 500
`offset`	number	No	Index of the starting resource
`sort`	string	No	The property to sort on, followed by a

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Scan Host Metadata

SDK: ods.QueryScanHostMetadata

Parameters:

Name	Type	Required	Description
`filter`	string	No	A FQL compatible query string. Terms: [id profile_id host_id scan_id host_scan_id filecount.scann...
`limit`	number	No	The max number of resources to return Default: 500
`offset`	number	No	Index of the starting resource
`sort`	string	No	The property to sort on, followed by a

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Scans

SDK: ods.QueryScans

Parameters:

Name	Type	Required	Description
`filter`	string	No	A FQL compatible query string. Terms: [id profile_id description.keyword initiated_from filecount...
`limit`	number	No	The max number of resources to return Default: 500
`offset`	number	No	Index of the starting resource
`sort`	string	No	The property to sort on, followed by a

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Scheduled Scans

SDK: ods.QueryScheduledScans

Parameters:

Name	Type	Required	Description
`filter`	string	No	A FQL compatible query string. Terms: [id description initiated_from status schedule.start_timest...
`limit`	number	No	The max number of resources to return Default: 500
`offset`	number	No	Index of the starting resource
`sort`	string	No	The property to sort on, followed by a

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Schedule Scan

SDK: ods.ScheduleScan

Parameters:

Name	Type	Required	Description
`cloud_ml_level_detection`	number	Yes	cloud ml level detection
`cloud_ml_level_prevention`	number	Yes	cloud ml level prevention
`cloud_pup_adware_level_detection`	number	Yes	cloud pup adware level detection
`cloud_pup_adware_level_prevention`	number	Yes	cloud pup adware level prevention
`cpu_priority`	number	Yes	cpu priority. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`description`	string	Yes	description. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`endpoint_notification`	boolean	Yes	endpoint notification
`file_paths`	array	Yes	file paths. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`host_groups`	array	Yes	host groups. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`initiated_from`	string	Yes	initiated from. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`max_duration`	number	Yes	max duration. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`max_file_size`	number	Yes	max file size. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`pause_duration`	number	Yes	pause duration. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`quarantine`	boolean	Yes	quarantine. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`scan_exclusions`	array	Yes	scan exclusions. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`scan_inclusions`	array	Yes	scan inclusions. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`schedule`	object	Yes	schedule. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`sensor_ml_level_detection`	number	Yes	sensor ml level detection
`sensor_ml_level_prevention`	number	Yes	sensor ml level prevention

Example:

{
  "cloud_ml_level_detection": 10,
  "cloud_ml_level_prevention": 10,
  "cloud_pup_adware_level_detection": 10,
  "cloud_pup_adware_level_prevention": 10,
  "cpu_priority": 10,
  "description": "<description>",
  "endpoint_notification": true,
  "file_paths": ["<file_paths>"],
  "host_groups": ["<host_groups>"],
  "initiated_from": "<initiated_from>",
  "max_duration": 10,
  "max_file_size": 10,
  "pause_duration": 10,
  "quarantine": true,
  "scan_exclusions": ["<scan_exclusions>"],
  "scan_inclusions": ["<scan_inclusions>"],
  "schedule": {},
  "sensor_ml_level_detection": 10,
  "sensor_ml_level_prevention": 10
}

Best Practices

Use Appropriate Filters: Leverage FQL (Falcon Query Language) filters to narrow down results and improve performance.
Implement Pagination: For operations returning large datasets, use limit and offset parameters to paginate results.
Handle Rate Limits: CrowdStrike APIs have rate limits. Implement appropriate delays and retry logic in your workflows.
Secure Credentials: Never log or expose API credentials. Use NINA's credential management for secure storage.
Use Specific Scopes: When creating API clients, only request the minimum required API scopes.
Monitor API Usage: Track your API usage to avoid hitting rate limits during critical operations.
Validate IDs: Always validate resource IDs before using them in update or delete operations.
Error Handling: Implement comprehensive error handling for API failures and unexpected responses.

Troubleshooting

Issue	Possible Solution
401 Unauthorized	Verify Client ID and Client Secret are correct; check if credentials have expired
403 Forbidden	Ensure API client has required scopes for the operation
404 Not Found	Verify the resource ID exists and is accessible with your credentials
429 Too Many Requests	Rate limit exceeded; implement delays between requests
Invalid Filter	Check FQL syntax; refer to CrowdStrike FQL documentation
Connection Timeout	Verify network connectivity and correct Base URL for your region
Empty Results	Verify filter criteria; check if resources exist in your environment

Support

For issues with this integration, please contact support with:

The operation you were attempting
Any error messages received
The parameters used (excluding sensitive data)
Your CrowdStrike cloud region

For CrowdStrike API documentation, visit: CrowdStrike Developer Portal

Updated: 2026-02-05

Overview​

Capabilities​

Credential Configuration​

Authentication Method​

How It Works​

CrowdStrike Cloud Regions​

How to Obtain API Credentials​

Required API Scopes​

Creating a CrowdStrike Credential in NINA​

Supported Resources​

Resource Details​

Filevantage​

Operations​

Create Policies​

Create Rule Groups​

Create Rules​

Create Scheduled Exclusions​

Delete Policies​

Delete Rule Groups​

Delete Rules​

Delete Scheduled Exclusions​

Get Actions Mixin0​

Get Changes​

Get Contents​

Get Policies​

Get Rule Groups​

Get Rules​

Get Scheduled Exclusions​

List Actions Mixin0​

List Changes​

List High Volume Changes​

List Policies​

List Rule Groups​

List Scheduled Exclusions​

Signal Changes External​

Start Actions​

Update Policies​

Update Policy Host Groups​

Update Policy Precedence​

Update Policy Rule Groups​

Update Rule Group Precedence​

Update Rule Groups​

Update Rules​

Update Scheduled Exclusions​

Ods​

Operations​

Aggregate Scans​

Aggregate Scheduled Scans​

Cancel Scans​

Create Scan​

Delete Scheduled Scans​

Get Malicious Files By Ids​

Get Scan Host Metadata By Ids​

Get Scans By Scan Ids​

Get Scans By Scan Ids V2​

Get Scheduled Scans By Scan Ids​

List Aggregate Scan Host Metadata​

List Malicious Files​

List Scan Host Metadata​

List Scans​

List Scheduled Scans​

Schedule Scan​

Best Practices​

Troubleshooting​

Support​

Overview

Capabilities

Credential Configuration

Authentication Method

How It Works

CrowdStrike Cloud Regions

How to Obtain API Credentials

Required API Scopes

Creating a CrowdStrike Credential in NINA

Supported Resources

Resource Details

Filevantage

Operations

Create Policies

Create Rule Groups

Create Rules

Create Scheduled Exclusions

Delete Policies

Delete Rule Groups

Delete Rules

Delete Scheduled Exclusions

Get Actions Mixin0

Get Changes

Get Contents

Get Policies

Get Rule Groups

Get Rules

Get Scheduled Exclusions

List Actions Mixin0

List Changes

List High Volume Changes

List Policies

List Rule Groups

List Scheduled Exclusions

Signal Changes External

Start Actions

Update Policies

Update Policy Host Groups

Update Policy Precedence

Update Policy Rule Groups

Update Rule Group Precedence

Update Rule Groups

Update Rules

Update Scheduled Exclusions

Ods

Operations

Aggregate Scans

Aggregate Scheduled Scans

Cancel Scans

Create Scan

Delete Scheduled Scans

Get Malicious Files By Ids

Get Scan Host Metadata By Ids

Get Scans By Scan Ids

Get Scans By Scan Ids V2

Get Scheduled Scans By Scan Ids

List Aggregate Scan Host Metadata

List Malicious Files

List Scan Host Metadata

List Scans

List Scheduled Scans

Schedule Scan

Best Practices

Troubleshooting

Support