CrowdStrike Threat Intelligence Integration Guide

Overview

The CrowdStrike Threat Intelligence integration allows your NINA workflows to connect with CrowdStrike Falcon platform for threat intelligence, iocs, and threat analysis capabilities. This integration enables automated security operations, threat detection, and incident response directly from your automation platform.

Capabilities

This integration provides access to 7 resources with 79 operations covering:

Ioc: Operations for Ioc
Intel: Operations for Intel
Intelligence Feeds: Operations for Intelligence Feeds
Intelligence Indicator Graph: Operations for Intelligence Indicator Graph
Iocs: Operations for Iocs
Recon: Operations for Recon
Tailored Intelligence: Operations for Tailored Intelligence

Credential Configuration

Before using the CrowdStrike Threat Intelligence integration in your workflows, you need to configure credentials for authentication.

Authentication Method

CrowdStrike Falcon uses OAuth2 Client Credentials authentication. This is a server-to-server authentication flow where you provide a Client ID and Client Secret, and the integration automatically handles token acquisition and refresh.

Field	Description	Required
Client ID	Your CrowdStrike API Client ID	Yes
Client Secret	Your CrowdStrike API Client Secret	Yes
Base URL	CrowdStrike API endpoint for your cloud region	Yes

How It Works

You provide the Client ID and Client Secret when creating a credential
The integration exchanges these for an OAuth2 access token automatically
Tokens are refreshed automatically when they expire
No redirect URLs or user interaction required

CrowdStrike Cloud Regions

Select the Base URL that matches your CrowdStrike Falcon cloud region:

Cloud Region	Base URL	Description
US-1	`https://api.crowdstrike.com`	United States (default)
US-2	`https://api.us-2.crowdstrike.com`	United States (secondary)
EU-1	`https://api.eu-1.crowdstrike.com`	European Union
US-GOV-1	`https://api.laggar.gcw.crowdstrike.com`	US Government Cloud

How to Obtain API Credentials

Log in to the CrowdStrike Falcon Console
Navigate to Support and resources > API Clients and Keys
Click Add new API client
Configure the API client:
- Client Name: A descriptive name (e.g., "NINA Integration")
- Description: Purpose of this API client
- API Scopes: Select the permissions required for your use case (see Required Scopes below)
Click Add to create the client
Copy and securely store the Client ID and Client Secret immediately

Important: The Client Secret is only displayed once at creation time. If you lose it, you must create a new API client.

Required API Scopes

The API scopes required depend on which operations you plan to use. Common scopes include:

Scope	Permission	Use Case
Detections	Read/Write	View and manage detections
Hosts	Read/Write	Query and manage endpoints
Incidents	Read/Write	View and manage incidents
IOCs	Read/Write	Manage indicators of compromise
Prevention Policies	Read/Write	Manage prevention policies
Real Time Response	Read/Write	Execute RTR commands
Sensor Update Policies	Read/Write	Manage sensor updates

Refer to the CrowdStrike API documentation for a complete list of available scopes.

Creating a CrowdStrike Credential in NINA

Navigate to the Credentials section in NINA
Click Add New Credential
Fill in the credential details:
- Integration Service: Select "CrowdStrike Threat Intelligence"
- Client ID: Paste your CrowdStrike API Client ID
- Client Secret: Paste your CrowdStrike API Client Secret
- Base URL: Select your CrowdStrike cloud region URL
Click Test Connection to verify the credentials work
Click Save to store the credential securely

Note: All CrowdStrike integrations (EDR, Intel, Platform, etc.) share the same credential. You only need to create one credential to use across all CrowdStrike modules.

Supported Resources

Resource	Description	Operations
Ioc	Operations for Ioc	16
Intel	Operations for Intel	24
Intelligence Feeds	Operations for Intelligence Feeds	3
Intelligence Indicator Graph	Operations for Intelligence Indicator Graph	1
Iocs	Operations for Iocs	4
Recon	Operations for Recon	26
Tailored Intelligence	Operations for Tailored Intelligence	5

Resource Details

Ioc

Operations for Ioc

Operations

Operation	Name	Description
`action_get_`	Action Get	SDK: ioc.ActionGetV1
`get_indicators_report`	Get Indicators Report	SDK: ioc.GetIndicatorsReport
`indicator_aggregate_`	Indicator Aggregate	SDK: ioc.IndicatorAggregateV1
`indicator_combined_`	Indicator Combined	SDK: ioc.IndicatorCombinedV1
`indicator_create_`	Indicator Create	SDK: ioc.IndicatorCreateV1
`indicator_delete_`	Indicator Delete	SDK: ioc.IndicatorDeleteV1
`indicator_get_`	Indicator Get	SDK: ioc.IndicatorGetV1
`indicator_get_device_count_`	Indicator Get Device Count	SDK: ioc.IndicatorGetDeviceCountV1
`indicator_get_devices_ran_on_`	Indicator Get Devices Ran On	SDK: ioc.IndicatorGetDevicesRanOnV1
`indicator_get_processes_ran_on_`	Indicator Get Processes Ran On	SDK: ioc.IndicatorGetProcessesRanOnV1
`indicator_search_`	Indicator Search	SDK: ioc.IndicatorSearchV1
`indicator_update_`	Indicator Update	SDK: ioc.IndicatorUpdateV1
`list_action_`	List Action	SDK: ioc.ActionQueryV1
`list_ioc_type_`	List Ioc Type	SDK: ioc.IocTypeQueryV1
`list_platform_`	List Platform	SDK: ioc.PlatformQueryV1
`list_severity_`	List Severity	SDK: ioc.SeverityQueryV1

Action Get

SDK: ioc.ActionGetV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	The ids of the Actions to retrieve

Example:

{
  "ids": ["<ids>"]
}

Get Indicators Report

SDK: ioc.GetIndicatorsReport

Parameters:

Name	Type	Required	Description
`from_parent`	boolean	No	from parent. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`report_format`	string	Yes	report format. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`search`	object	Yes	search. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "from_parent": true,
  "report_format": "<report_format>",
  "search": {}
}

Indicator Aggregate

SDK: ioc.IndicatorAggregateV1

Parameters:

Name	Type	Required	Description
`date_ranges`	object	Yes	date ranges. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`exclude`	string	Yes	exclude. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`extended_bounds`	object	No	extended bounds. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`field`	string	Yes	field. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`filter`	string	Yes	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`from`	number	Yes	from. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`include`	string	Yes	include. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`interval`	string	Yes	interval. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`max_doc_count`	number	No	max doc count. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`min_doc_count`	number	No	min doc count. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`missing`	string	Yes	missing. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`name`	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`q`	string	Yes
`ranges`	object	Yes	ranges. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`size`	number	Yes	size. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`sort`	string	Yes	sort. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`sub_aggregates`	object	Yes	sub aggregates. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`time_zone`	string	Yes	time zone. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`type`	string	Yes	type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "date_ranges": {},
  "exclude": "<exclude>",
  "extended_bounds": {},
  "field": "<field>",
  "filter": "<filter>",
  "from": 10,
  "include": "<include>",
  "interval": "<interval>",
  "max_doc_count": 10,
  "min_doc_count": 10,
  "missing": "<missing>",
  "name": "<name>",
  "q": "<q>",
  "ranges": {},
  "size": 10,
  "sort": "<sort>",
  "sub_aggregates": {},
  "time_zone": "<time_zone>",
  "type": "<type>"
}

Indicator Combined

SDK: ioc.IndicatorCombinedV1

Parameters:

Name	Type	Required	Description
`after`	string	No	A pagination token used with the `limit` parameter to manage pagination of results. On your first...
`filter`	string	No	The filter expression that should be used to limit the results.
`from_parent`	boolean	No	The filter for returning either only indicators for the request customer or its MSSP parents
`limit`	number	No	The maximum records to return.
`offset`	number	No	The offset to start retrieving records from. Offset and After params are mutually exclusive. If n...
`sort`	string	No	The sort expression that should be used to sort the results.

Example:

{
  "after": "<after>",
  "filter": "<filter>",
  "from_parent": true,
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Indicator Create

SDK: ioc.IndicatorCreateV1

Parameters:

Name	Type	Required	Description
`comment`	string	No	comment. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`indicators`	object	Yes	indicators. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "comment": "<comment>",
  "indicators": {}
}

Indicator Delete

SDK: ioc.IndicatorDeleteV1

Parameters:

Name	Type	Required	Description
`comment`	string	No	The comment why these indicators were deleted
`filter`	string	No	The FQL expression to delete Indicators in bulk. If both 'filter' and 'ids' are provided, then fi...
`from_parent`	boolean	No	The filter for returning either only indicators for the request customer or its MSSP parents
`ids`	array	No	The ids of the Indicators to delete. If both 'filter' and 'ids' are provided, then filter takes p...

Example:

{
  "comment": "<comment>",
  "filter": "<filter>",
  "from_parent": true,
  "ids": ["<ids>"]
}

Indicator Get

SDK: ioc.IndicatorGetV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	The ids of the Indicators to retrieve

Example:

{
  "ids": ["<ids>"]
}

Indicator Get Device Count

SDK: ioc.IndicatorGetDeviceCountV1

Parameters:

Name	Type	Required	Description
`type`	string	No	The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length ...
`value`	string	No	The string representation of the indicator

Example:

{
  "type": "<type>",
  "value": "<value>"
}

Indicator Get Devices Ran On

SDK: ioc.IndicatorGetDevicesRanOnV1

Parameters:

Name	Type	Required	Description
`limit`	string	No	The maximum number of results to return. Use with the offset parameter to manage pagination of re...
`offset`	string	No	The first process to return, where 0 is the latest offset. Use with the limit parameter to manage...
`type`	string	No	The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length ...
`value`	string	No	The string representation of the indicator

Example:

{
  "limit": "<limit>",
  "offset": "<offset>",
  "type": "<type>",
  "value": "<value>"
}

Indicator Get Processes Ran On

SDK: ioc.IndicatorGetProcessesRanOnV1

Parameters:

Name	Type	Required	Description
`device_id`	string	No	Specify a host's ID to return only processes from that host. Get a host's ID from GET /devices/qu...
`limit`	string	No	The maximum number of results to return. Use with the offset parameter to manage pagination of re...
`offset`	string	No	The first process to return, where 0 is the latest offset. Use with the limit parameter to manage...
`type`	string	No	The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length ...
`value`	string	No	The string representation of the indicator

Example:

{
  "device_id": "<device_id>",
  "limit": "<limit>",
  "offset": "<offset>",
  "type": "<type>",
  "value": "<value>"
}

Indicator Search

SDK: ioc.IndicatorSearchV1

Parameters:

Name	Type	Required	Description
`after`	string	No	A pagination token used with the `limit` parameter to manage pagination of results. On your first...
`filter`	string	No	The filter expression that should be used to limit the results.
`from_parent`	boolean	No	The filter for returning either only indicators for the request customer or its MSSP parents
`limit`	number	No	The maximum records to return.
`offset`	number	No	The offset to start retrieving records from. Offset and After params are mutually exclusive. If n...
`sort`	string	No	The sort expression that should be used to sort the results.

Example:

{
  "after": "<after>",
  "filter": "<filter>",
  "from_parent": true,
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Indicator Update

SDK: ioc.IndicatorUpdateV1

Parameters:

Name	Type	Required	Description
`bulk_update`	object	Yes	bulk update. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`comment`	string	No	comment. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`indicators`	object	Yes	indicators. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "bulk_update": {},
  "comment": "<comment>",
  "indicators": {}
}

List Action

SDK: ioc.ActionQueryV1

Parameters:

Name	Type	Required	Description
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.

Example:

{
  "limit": 10,
  "offset": "<offset>"
}

List Ioc Type

SDK: ioc.IocTypeQueryV1

Parameters:

Name	Type	Required	Description
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.

Example:

{
  "limit": 10,
  "offset": "<offset>"
}

List Platform

SDK: ioc.PlatformQueryV1

Parameters:

Name	Type	Required	Description
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.

Example:

{
  "limit": 10,
  "offset": "<offset>"
}

List Severity

SDK: ioc.SeverityQueryV1

Parameters:

Name	Type	Required	Description
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.

Example:

{
  "limit": 10,
  "offset": "<offset>"
}

Intel

Operations for Intel

Operations

Operation	Name	Description
`get_intel_actor_entities`	Get Intel Actor Entities	SDK: intel.GetIntelActorEntities
`get_intel_indicator_entities`	Get Intel Indicator Entities	SDK: intel.GetIntelIndicatorEntities
`get_intel_report_entities`	Get Intel Report Entities	SDK: intel.GetIntelReportEntities
`get_intel_report_pdf`	Get Intel Report Pdf	SDK: intel.GetIntelReportPDF
`get_intel_rule_entities`	Get Intel Rule Entities	SDK: intel.GetIntelRuleEntities
`get_intel_rule_file`	Get Intel Rule File	SDK: intel.GetIntelRuleFile
`get_latest_intel_rule_file`	Get Latest Intel Rule File	SDK: intel.GetLatestIntelRuleFile
`get_malware_entities`	Get Malware Entities	SDK: intel.GetMalwareEntities
`get_malware_mitre_report`	Get Malware Mitre Report	SDK: intel.GetMalwareMitreReport
`get_mitre_report`	Get Mitre Report	SDK: intel.GetMitreReport
`get_vulnerabilities`	Get Vulnerabilities	SDK: intel.GetVulnerabilities
`list_intel_actor_entities`	List Intel Actor Entities	SDK: intel.QueryIntelActorEntities
`list_intel_actor_ids`	List Intel Actor Ids	SDK: intel.QueryIntelActorIds
`list_intel_indicator_entities`	List Intel Indicator Entities	SDK: intel.QueryIntelIndicatorEntities
`list_intel_indicator_ids`	List Intel Indicator Ids	SDK: intel.QueryIntelIndicatorIds
`list_intel_report_entities`	List Intel Report Entities	SDK: intel.QueryIntelReportEntities
`list_intel_report_ids`	List Intel Report Ids	SDK: intel.QueryIntelReportIds
`list_intel_rule_ids`	List Intel Rule Ids	SDK: intel.QueryIntelRuleIds
`list_malware`	List Malware	SDK: intel.QueryMalware
`list_malware_entities`	List Malware Entities	SDK: intel.QueryMalwareEntities
`list_mitre_attacks`	List Mitre Attacks	SDK: intel.QueryMitreAttacks
`list_mitre_attacks_for_malware`	List Mitre Attacks For Malware	SDK: intel.QueryMitreAttacksForMalware
`list_vulnerabilities`	List Vulnerabilities	SDK: intel.QueryVulnerabilities
`post_mitre_attacks`	Post Mitre Attacks	SDK: intel.PostMitreAttacks

Get Intel Actor Entities

SDK: intel.GetIntelActorEntities

Parameters:

Name	Type	Required	Description
`fields`	array	No	The fields to return, or a predefined set of fields in the form of the collection name surrounded...
`ids`	array	No	The IDs of the actors you want to retrieve.

Example:

{
  "fields": ["<fields>"],
  "ids": ["<ids>"]
}

Get Intel Indicator Entities

SDK: intel.GetIntelIndicatorEntities

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Get Intel Report Entities

SDK: intel.GetIntelReportEntities

Parameters:

Name	Type	Required	Description
`fields`	array	No	The fields to return, or a predefined set of fields in the form of the collection name surrounded...
`ids`	array	No	The IDs of the reports you want to retrieve.

Example:

{
  "fields": ["<fields>"],
  "ids": ["<ids>"]
}

Get Intel Report Pdf

SDK: intel.GetIntelReportPDF

Parameters:

Name	Type	Required	Description
`id`	string	No	The ID of the report you want to download as a PDF.
`ids`	string	No	The ID of the report you want to download as a PDF. This parameter is used only if no id paramete...

Example:

{
  "id": "<id>",
  "ids": "<ids>"
}

Get Intel Rule Entities

SDK: intel.GetIntelRuleEntities

Parameters:

Name	Type	Required	Description
`ids`	array	No	The ids of rules to return.

Example:

{
  "ids": ["<ids>"]
}

Get Intel Rule File

SDK: intel.GetIntelRuleFile

Parameters:

Name	Type	Required	Description
`accept`	string	No	Choose the format you want the rule set in.
`format`	string	No	Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip.
`id`	number	No	The ID of the rule set.

Example:

{
  "accept": "<accept>",
  "format": "<format>",
  "id": 10
}

Get Latest Intel Rule File

SDK: intel.GetLatestIntelRuleFile

Parameters:

Name	Type	Required	Description
`accept`	string	No	Choose the format you want the rule set in.
`if_modified_since`	string	No	Download Only if changed since
`if_none_match`	string	No	Download the latest rule set only if it doesn't have an ETag matching the given ones.
`format`	string	No	Choose the format you want the rule set in. Valid formats are zip and gzip. Defaults to zip.
`type`	string	No	snort-suricata-changelog yara-master yara-update yara-changelog common-event-format netwitness cq...

Example:

{
  "accept": "<accept>",
  "if_modified_since": "<if_modified_since>",
  "if_none_match": "<if_none_match>",
  "format": "<format>",
  "type": "<type>"
}

Get Malware Entities

SDK: intel.GetMalwareEntities

Parameters:

Name	Type	Required	Description
`ids`	array	No	Malware family name in lower case with spaces, dots and slashes replaced with dashes

Example:

{
  "ids": ["<ids>"]
}

Get Malware Mitre Report

SDK: intel.GetMalwareMitreReport

Parameters:

Name	Type	Required	Description
`xcsuseruuid`	string	No	User id
`format`	string	No	Supported report formats: CSV, JSON or JSON_NAVIGATOR
`id`	string	No	Malware family name in lower case with spaces replaced with dashes

Example:

{
  "xcsuseruuid": "<xcsuseruuid>",
  "format": "<format>",
  "id": "<id>"
}

Get Mitre Report

SDK: intel.GetMitreReport

Parameters:

Name	Type	Required	Description
`actor_id`	string	No	Actor ID(derived from the actor's name)
`format`	string	No	Supported report formats: CSV or JSON

Example:

{
  "actor_id": "<actor_id>",
  "format": "<format>"
}

Get Vulnerabilities

SDK: intel.GetVulnerabilities

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

List Intel Actor Entities

SDK: intel.QueryIntelActorEntities

Parameters:

Name	Type	Required	Description
`fields`	array	No	The fields to return, or a predefined set of fields in the form of the collection name surrounded...
`filter`	string	No	Filter your query by specifying FQL filter parameters. Filter parameters include: actor_type, ani...
`limit`	number	No	Set the number of actors to return. The value must be between 1 and 5000.
`offset`	number	No	Set the starting row number to return actors from. Defaults to 0.
`sort`	string	No	Order fields in ascending or descending order. Ex: created_date

Example:

{
  "fields": ["<fields>"],
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Intel Actor Ids

SDK: intel.QueryIntelActorIds

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter your query by specifying FQL filter parameters. Filter parameters include: actor_type, ani...
`limit`	number	No	Set the number of actor IDs to return. The value must be between 1 and 5000.
`offset`	number	No	Set the starting row number to return actors IDs from. Defaults to 0.
`sort`	string	No	Order fields in ascending or descending order. Ex: created_date

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Intel Indicator Entities

SDK: intel.QueryIntelIndicatorEntities

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter your query by specifying FQL filter parameters. Filter parameters include: _marker, actors...
`include_deleted`	boolean	No	If true, include both published and deleted indicators in the response. Defaults to false.
`include_relations`	boolean	No	If true, include related indicators in the response. Defaults to true.
`limit`	number	No	Set the number of indicators to return. The number must be between 1 and 10000
`offset`	number	No	Set the starting row number to return indicators from. Defaults to 0.
`sort`	string	No	Order fields in ascending or descending order. Ex: published_date

Example:

{
  "filter": "<filter>",
  "include_deleted": true,
  "include_relations": true,
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Intel Indicator Ids

SDK: intel.QueryIntelIndicatorIds

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter your query by specifying FQL filter parameters. Filter parameters include: _marker, actors...
`include_deleted`	boolean	No	If true, include both published and deleted indicators in the response. Defaults to false.
`include_relations`	boolean	No	If true, include related indicators in the response. Defaults to true.
`limit`	number	No	Set the number of indicator IDs to return. The number must be between 1 and 10000
`offset`	number	No	Set the starting row number to return indicator IDs from. Defaults to 0.
`sort`	string	No	Order fields in ascending or descending order. Ex: published_date

Example:

{
  "filter": "<filter>",
  "include_deleted": true,
  "include_relations": true,
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Intel Report Entities

SDK: intel.QueryIntelReportEntities

Parameters:

Name	Type	Required	Description
`fields`	array	No	The fields to return, or a predefined set of fields in the form of the collection name surrounded...
`filter`	string	No	Filter your query by specifying FQL filter parameters. Filter parameters include: actors, actors....
`limit`	number	No	Set the number of reports to return. The value must be between 1 and 5000.
`offset`	number	No	Set the starting row number to return reports from. Defaults to 0.
`sort`	string	No	Order fields in ascending or descending order. Ex: created_date

Example:

{
  "fields": ["<fields>"],
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Intel Report Ids

SDK: intel.QueryIntelReportIds

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter your query by specifying FQL filter parameters. Filter parameters include: actors, actors....
`limit`	number	No	Set the number of report IDs to return. The value must be between 1 and 5000.
`offset`	number	No	Set the starting row number to return report IDs from. Defaults to 0.
`sort`	string	No	Order fields in ascending or descending order. Ex: created_date

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Intel Rule Ids

SDK: intel.QueryIntelRuleIds

Parameters:

Name	Type	Required	Description
`description`	array	No	Substring match on description field.
`limit`	number	No	The number of rule IDs to return. Defaults to 10.
`max_created_date`	string	No	Filter results to those created on or before a certain date.
`min_created_date`	number	No	Filter results to those created on or after a certain date.
`name`	array	No	Search by rule title.
`offset`	number	No	Set the starting row number to return reports from. Defaults to 0.
`sort`	string	No	Order fields in ascending or descending order. Ex: created_date
`tags`	array	No	Search for rule tags.
`type`	string	No	snort-suricata-changelog yara-master yara-update yara-changelog common-event-format netwitness cq...

Example:

{
  "description": ["<description>"],
  "limit": 10,
  "max_created_date": "<max_created_date>",
  "min_created_date": 10,
  "name": ["<name>"],
  "offset": 10,
  "sort": "<sort>",
  "tags": ["<tags>"],
  "type": "<type>"
}

List Malware

SDK: intel.QueryMalware

Parameters:

Name	Type	Required	Description
`filter`	string	No	Filter your query by specifying FQL filter parameters.
`limit`	number	No	Set the number of malware IDs to return. The value must be between 1 and 5000.
`offset`	number	No	Set the starting row number to return malware IDs from. Defaults to 0.
`sort`	string	No	Order fields in ascending or descending order. Ex: created_date

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Malware Entities

SDK: intel.QueryMalwareEntities

Parameters:

Name	Type	Required	Description
`fields`	array	No	The fields to return
`filter`	string	No	Filter your query by specifying FQL filter parameters.
`limit`	number	No	Set the number of malware IDs to return. The value must be between 1 and 5000.
`offset`	number	No	Set the starting row number to return malware IDs from. Defaults to 0.
`sort`	string	No	Order fields in ascending or descending order. Ex: created_date

Example:

{
  "fields": ["<fields>"],
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Mitre Attacks

SDK: intel.QueryMitreAttacks

Parameters:

Name	Type	Required	Description
`id`	string	No	The actor ID(derived from the actor's name) for which to retrieve a list of attacks, for example:...
`ids`	array	No	The actor ID(derived from the actor's name) for which to retrieve a list of attacks, for example:...

Example:

{
  "id": "<id>",
  "ids": ["<ids>"]
}

List Mitre Attacks For Malware

SDK: intel.QueryMitreAttacksForMalware

Parameters:

Name	Type	Required	Description
`ids`	array	No	Malware family name in lower case with spaces replaced with dashes

Example:

{
  "ids": ["<ids>"]
}

List Vulnerabilities

SDK: intel.QueryVulnerabilities

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying the filter parameters. Filter parameters include: _all, affected_products.pr...
`limit`	number	No	Number of IDs to return.
`offset`	string	No	Starting index of result set from which to return IDs.
`sort`	string	No	Order by fields.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Post Mitre Attacks

SDK: intel.PostMitreAttacks

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Intelligence Feeds

Operations for Intelligence Feeds

Operations

Operation	Name	Description
`download_feed_archive`	Download Feed Archive	SDK: intelligence_feeds.DownloadFeedArchive
`list_feed_archives`	List Feed Archives	SDK: intelligence_feeds.QueryFeedArchives
`list_feed_types`	List Feed Types	SDK: intelligence_feeds.ListFeedTypes

Download Feed Archive

SDK: intelligence_feeds.DownloadFeedArchive

Parameters:

Name	Type	Required	Description
`feed_item_id`	string	No	Feed ID

Example:

{
  "feed_item_id": "<feed_item_id>"
}

List Feed Archives

SDK: intelligence_feeds.QueryFeedArchives

Parameters:

Name	Type	Required	Description
`feed_interval`	string	No	Feed interval must be one of: - dump: Complete historical data snapshot - daily: Daily aggregated...
`feed_name`	string	No	Feed Name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`since`	string	No	Since is a valid timestamp in RFC3399 format. Restrictions: minutely: now()-2h, hourly: now()-2d,...

Example:

{
  "feed_interval": "<feed_interval>",
  "feed_name": "<feed_name>",
  "since": "<since>"
}

List Feed Types

SDK: intelligence_feeds.ListFeedTypes

This operation has no parameters.

Example:

{
}

Intelligence Indicator Graph

Operations for Intelligence Indicator Graph

Operations

Operation	Name	Description
`search_indicators`	Search Indicators	SDK: intelligence_indicator_graph.SearchIndicators

Search Indicators

SDK: intelligence_indicator_graph.SearchIndicators

Parameters:

Name	Type	Required	Description
`filter`	string	Yes	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`sort`	object	Yes	sort. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "filter": "<filter>",
  "sort": {}
}

Iocs

Operations for Iocs

Operations

Operation	Name	Description
`devices_count`	Devices Count	SDK: iocs.DevicesCount
`devices_ran_on`	Devices Ran On	SDK: iocs.DevicesRanOn
`entities_processes`	Entities Processes	SDK: iocs.EntitiesProcesses
`processes_ran_on`	Processes Ran On	SDK: iocs.ProcessesRanOn

Devices Count

SDK: iocs.DevicesCount

Parameters:

Name	Type	Required	Description
`type`	string	No	The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length ...
`value`	string	No	The string representation of the indicator

Example:

{
  "type": "<type>",
  "value": "<value>"
}

Devices Ran On

SDK: iocs.DevicesRanOn

Parameters:

Name	Type	Required	Description
`limit`	string	No	The first process to return, where 0 is the latest offset. Use with the offset parameter to manag...
`offset`	string	No	The first process to return, where 0 is the latest offset. Use with the limit parameter to manage...
`type`	string	No	The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length ...
`value`	string	No	The string representation of the indicator

Example:

{
  "limit": "<limit>",
  "offset": "<offset>",
  "type": "<type>",
  "value": "<value>"
}

Entities Processes

SDK: iocs.EntitiesProcesses

Parameters:

Name	Type	Required	Description
`ids`	array	No	ProcessID for the running process you want to lookup

Example:

{
  "ids": ["<ids>"]
}

Processes Ran On

SDK: iocs.ProcessesRanOn

Parameters:

Name	Type	Required	Description
`device_id`	string	No	Specify a host's ID to return only processes from that host. Get a host's ID from GET /devices/qu...
`limit`	string	No	The first process to return, where 0 is the latest offset. Use with the offset parameter to manag...
`offset`	string	No	The first process to return, where 0 is the latest offset. Use with the limit parameter to manage...
`type`	string	No	The type of the indicator. Valid types include: sha256: A hex-encoded sha256 hash string. Length ...
`value`	string	No	The string representation of the indicator

Example:

{
  "device_id": "<device_id>",
  "limit": "<limit>",
  "offset": "<offset>",
  "type": "<type>",
  "value": "<value>"
}

Recon

Operations for Recon

Operations

Operation	Name	Description
`aggregate_notifications_`	Aggregate Notifications	SDK: recon.AggregateNotificationsV1
`aggregate_notifications_exposed_data_records_`	Aggregate Notifications Exposed Data Records	SDK: recon.AggregateNotificationsExposedDataRecordsV1
`create_actions_`	Create Actions	SDK: recon.CreateActionsV1
`create_export_jobs_`	Create Export Jobs	SDK: recon.CreateExportJobsV1
`create_rules_`	Create Rules	SDK: recon.CreateRulesV1
`delete_action_`	Delete Action	SDK: recon.DeleteActionV1
`delete_export_jobs_`	Delete Export Jobs	SDK: recon.DeleteExportJobsV1
`delete_notifications_`	Delete Notifications	SDK: recon.DeleteNotificationsV1
`delete_rules_`	Delete Rules	SDK: recon.DeleteRulesV1
`get_actions_`	Get Actions	SDK: recon.GetActionsV1
`get_export_jobs_`	Get Export Jobs	SDK: recon.GetExportJobsV1
`get_file_content_for_export_jobs_`	Get File Content For Export Jobs	SDK: recon.GetFileContentForExportJobsV1
`get_notifications_`	Get Notifications	SDK: recon.GetNotificationsV1
`get_notifications_detailed_`	Get Notifications Detailed	SDK: recon.GetNotificationsDetailedV1
`get_notifications_detailed_translated_`	Get Notifications Detailed Translated	SDK: recon.GetNotificationsDetailedTranslatedV1
`get_notifications_exposed_data_records_`	Get Notifications Exposed Data Records	SDK: recon.GetNotificationsExposedDataRecordsV1
`get_notifications_translated_`	Get Notifications Translated	SDK: recon.GetNotificationsTranslatedV1
`get_rules_`	Get Rules	SDK: recon.GetRulesV1
`list_actions_`	List Actions	SDK: recon.QueryActionsV1
`list_notifications_`	List Notifications	SDK: recon.QueryNotificationsV1
`list_notifications_exposed_data_records_`	List Notifications Exposed Data Records	SDK: recon.QueryNotificationsExposedDataRecordsV1
`list_rules_`	List Rules	SDK: recon.QueryRulesV1
`preview_rule_`	Preview Rule	SDK: recon.PreviewRuleV1
`update_action_`	Update Action	SDK: recon.UpdateActionV1
`update_notifications_`	Update Notifications	SDK: recon.UpdateNotificationsV1
`update_rules_`	Update Rules	SDK: recon.UpdateRulesV1

Aggregate Notifications

SDK: recon.AggregateNotificationsV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Aggregate Notifications Exposed Data Records

SDK: recon.AggregateNotificationsExposedDataRecordsV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Create Actions

SDK: recon.CreateActionsV1

Parameters:

Name	Type	Required	Description
`actions`	object	Yes	actions. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`rule_id`	string	Yes	rule id. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "actions": {},
  "rule_id": "<rule_id>"
}

Create Export Jobs

SDK: recon.CreateExportJobsV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Create Rules

SDK: recon.CreateRulesV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Delete Action

SDK: recon.DeleteActionV1

Parameters:

Name	Type	Required	Description
`id`	string	No	ID of the action.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...

Example:

{
  "id": "<id>"
}

Delete Export Jobs

SDK: recon.DeleteExportJobsV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Export Job IDs.

Example:

{
  "ids": ["<ids>"]
}

Delete Notifications

SDK: recon.DeleteNotificationsV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Notifications IDs.

Example:

{
  "ids": ["<ids>"]
}

Delete Rules

SDK: recon.DeleteRulesV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of rules.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`notifications_deletion_requested`	boolean	No	Whether we should delete the notifications generated by this rule or not

Example:

{
  "ids": ["<ids>"],
  "notifications_deletion_requested": true
}

Get Actions

SDK: recon.GetActionsV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Action IDs.

Example:

{
  "ids": ["<ids>"]
}

Get Export Jobs

SDK: recon.GetExportJobsV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Export Job IDs.

Example:

{
  "ids": ["<ids>"]
}

Get File Content For Export Jobs

SDK: recon.GetFileContentForExportJobsV1

Parameters:

Name	Type	Required	Description
`id`	string	No	Export Job ID.

Example:

{
  "id": "<id>"
}

Get Notifications

SDK: recon.GetNotificationsV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Notification IDs.

Example:

{
  "ids": ["<ids>"]
}

Get Notifications Detailed

SDK: recon.GetNotificationsDetailedV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Notification IDs.

Example:

{
  "ids": ["<ids>"]
}

Get Notifications Detailed Translated

SDK: recon.GetNotificationsDetailedTranslatedV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Notification IDs.

Example:

{
  "ids": ["<ids>"]
}

Get Notifications Exposed Data Records

SDK: recon.GetNotificationsExposedDataRecordsV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Notification exposed records IDs.

Example:

{
  "ids": ["<ids>"]
}

Get Notifications Translated

SDK: recon.GetNotificationsTranslatedV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	Notification IDs.

Example:

{
  "ids": ["<ids>"]
}

Get Rules

SDK: recon.GetRulesV1

Parameters:

Name	Type	Required	Description
`ids`	array	No	IDs of rules.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

List Actions

SDK: recon.QueryActionsV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query to filter actions by. Possible filter properties are: [id cid user_uuid rule_id type fr...
`limit`	number	No	Number of IDs to return. Offset + limit should NOT be above 10K.
`offset`	number	No	Starting index of overall result set from which to return IDs.
`sort`	string	No	Possible order by fields: created_timestamp, updated_timestamp. Ex: 'updated_timestamp

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Notifications

SDK: recon.QueryNotificationsV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query to filter notifications by. Possible filter properties are: [id cid user_uuid status ru...
`limit`	number	No	Number of IDs to return. Offset + limit should NOT be above 10K.
`offset`	number	No	Starting index of overall result set from which to return IDs.
`sort`	string	No	Possible order by fields: `created_date`, `updated_date`. Ex: `updated_date

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Notifications Exposed Data Records

SDK: recon.QueryNotificationsExposedDataRecordsV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query to filter notifications by. Possible filter properties are: [id cid user_uuid created_d...
`limit`	number	No	Number of IDs to return. Offset + limit should NOT be above 10K.
`offset`	number	No	Starting index of overall result set from which to return ids.
`sort`	string	No	Possible order by fields: created_date, updated_date. Ex: 'updated_date

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

List Rules

SDK: recon.QueryRulesV1

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query to filter rules by. Possible filter properties are: [id cid user_uuid topic priority pe...
`limit`	number	No	Number of IDs to return. Offset + limit should NOT be above 10K.
`offset`	number	No	Starting index of overall result set from which to return IDs.
`secondary_sort`	string	No	Possible order by fields: created_timestamp, last_updated_timestamp. Ex: `last_updated_timestamp
`sort`	string	No	Possible order by fields: created_timestamp, last_updated_timestamp. Ex: `last_updated_timestamp

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "secondary_sort": "<secondary_sort>",
  "sort": "<sort>"
}

Preview Rule

SDK: recon.PreviewRuleV1

Parameters:

Name	Type	Required	Description
`filter`	string	Yes	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`topic`	string	Yes	topic. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "filter": "<filter>",
  "topic": "<topic>"
}

Update Action

SDK: recon.UpdateActionV1

Parameters:

Name	Type	Required	Description
`content_format`	string	Yes	content format. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`frequency`	string	Yes	frequency. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`id`	string	Yes
`recipients`	array	Yes	recipients. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`status`	string	Yes	status. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
`trigger_matchless`	boolean	Yes	trigger matchless. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/open...

Example:

{
  "content_format": "<content_format>",
  "frequency": "<frequency>",
  "id": "<id>",
  "recipients": ["<recipients>"],
  "status": "<status>",
  "trigger_matchless": true
}

Update Notifications

SDK: recon.UpdateNotificationsV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Update Rules

SDK: recon.UpdateRulesV1

Parameters:

Name	Type	Required	Description
`body`	object	No	Body.. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "body": {}
}

Tailored Intelligence

Operations for Tailored Intelligence

Operations

Operation	Name	Description
`get_events_body`	Get Events Body	SDK: tailored_intelligence.GetEventsBody
`get_events_entities`	Get Events Entities	SDK: tailored_intelligence.GetEventsEntities
`get_rules_entities`	Get Rules Entities	SDK: tailored_intelligence.GetRulesEntities
`list_events`	List Events	SDK: tailored_intelligence.QueryEvents
`list_rules`	List Rules	SDK: tailored_intelligence.QueryRules

Get Events Body

SDK: tailored_intelligence.GetEventsBody

Parameters:

Name	Type	Required	Description
`id`	string	No	Return the event body for event id.

Example:

{
  "id": "<id>"
}

Get Events Entities

SDK: tailored_intelligence.GetEventsEntities

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

Get Rules Entities

SDK: tailored_intelligence.GetRulesEntities

Parameters:

Name	Type	Required	Description
`ids`	array	Yes	ids. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "ids": ["<ids>"]
}

List Events

SDK: tailored_intelligence.QueryEvents

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying the filter parameters. Special value '*' means to not filter on anything.
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	Possible order by fields: source_type, created_date, updated_date. Ex: 'updated_date

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Rules

SDK: tailored_intelligence.QueryRules

Parameters:

Name	Type	Required	Description
`filter`	string	No	FQL query specifying the filter parameters. Special value '*' means to not filter on anything.
`limit`	number	No	Number of ids to return.
`offset`	string	No	Starting index of overall result set from which to return ids.
`sort`	string	No	Possible order by fields: name, value, rule_type, customer_id, created_date, updated_date. Ex: 'u...

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Best Practices

Use Appropriate Filters: Leverage FQL (Falcon Query Language) filters to narrow down results and improve performance.
Implement Pagination: For operations returning large datasets, use limit and offset parameters to paginate results.
Handle Rate Limits: CrowdStrike APIs have rate limits. Implement appropriate delays and retry logic in your workflows.
Secure Credentials: Never log or expose API credentials. Use NINA's credential management for secure storage.
Use Specific Scopes: When creating API clients, only request the minimum required API scopes.
Monitor API Usage: Track your API usage to avoid hitting rate limits during critical operations.
Validate IDs: Always validate resource IDs before using them in update or delete operations.
Error Handling: Implement comprehensive error handling for API failures and unexpected responses.

Troubleshooting

Issue	Possible Solution
401 Unauthorized	Verify Client ID and Client Secret are correct; check if credentials have expired
403 Forbidden	Ensure API client has required scopes for the operation
404 Not Found	Verify the resource ID exists and is accessible with your credentials
429 Too Many Requests	Rate limit exceeded; implement delays between requests
Invalid Filter	Check FQL syntax; refer to CrowdStrike FQL documentation
Connection Timeout	Verify network connectivity and correct Base URL for your region
Empty Results	Verify filter criteria; check if resources exist in your environment

Support

For issues with this integration, please contact support with:

The operation you were attempting
Any error messages received
The parameters used (excluding sensitive data)
Your CrowdStrike cloud region

For CrowdStrike API documentation, visit: CrowdStrike Developer Portal

Updated: 2026-02-05

Overview​

Capabilities​

Credential Configuration​

Authentication Method​

How It Works​

CrowdStrike Cloud Regions​

How to Obtain API Credentials​

Required API Scopes​

Creating a CrowdStrike Credential in NINA​

Supported Resources​

Resource Details​

Ioc​

Operations​

Action Get​

Get Indicators Report​

Indicator Aggregate​

Indicator Combined​

Indicator Create​

Indicator Delete​

Indicator Get​

Indicator Get Device Count​

Indicator Get Devices Ran On​

Indicator Get Processes Ran On​

Indicator Search​

Indicator Update​

List Action​

List Ioc Type​

List Platform​

List Severity​

Intel​

Operations​

Get Intel Actor Entities​

Get Intel Indicator Entities​

Get Intel Report Entities​

Get Intel Report Pdf​

Get Intel Rule Entities​

Get Intel Rule File​

Get Latest Intel Rule File​

Get Malware Entities​

Get Malware Mitre Report​

Get Mitre Report​

Get Vulnerabilities​

List Intel Actor Entities​

List Intel Actor Ids​

List Intel Indicator Entities​

List Intel Indicator Ids​

List Intel Report Entities​

List Intel Report Ids​

List Intel Rule Ids​

List Malware​

List Malware Entities​

List Mitre Attacks​

List Mitre Attacks For Malware​

List Vulnerabilities​

Post Mitre Attacks​

Intelligence Feeds​

Operations​

Download Feed Archive​

List Feed Archives​

List Feed Types​

Intelligence Indicator Graph​

Operations​

Search Indicators​

Iocs​

Operations​

Devices Count​

Devices Ran On​

Entities Processes​

Processes Ran On​

Recon​

Operations​

Aggregate Notifications​

Aggregate Notifications Exposed Data Records​

Create Actions​

Create Export Jobs​

Create Rules​

Delete Action​

Delete Export Jobs​

Delete Notifications​

Delete Rules​

Overview

Capabilities

Credential Configuration

Authentication Method

How It Works

CrowdStrike Cloud Regions

How to Obtain API Credentials

Required API Scopes

Creating a CrowdStrike Credential in NINA

Supported Resources

Resource Details

Ioc

Operations

Action Get

Get Indicators Report

Indicator Aggregate

Indicator Combined

Indicator Create

Indicator Delete

Indicator Get

Indicator Get Device Count

Indicator Get Devices Ran On

Indicator Get Processes Ran On

Indicator Search

Indicator Update

List Action

List Ioc Type

List Platform

List Severity

Intel

Operations

Get Intel Actor Entities

Get Intel Indicator Entities

Get Intel Report Entities

Get Intel Report Pdf

Get Intel Rule Entities

Get Intel Rule File

Get Latest Intel Rule File

Get Malware Entities

Get Malware Mitre Report

Get Mitre Report

Get Vulnerabilities

List Intel Actor Entities

List Intel Actor Ids

List Intel Indicator Entities

List Intel Indicator Ids

List Intel Report Entities

List Intel Report Ids

List Intel Rule Ids

List Malware

List Malware Entities

List Mitre Attacks

List Mitre Attacks For Malware

List Vulnerabilities

Post Mitre Attacks

Intelligence Feeds

Operations

Download Feed Archive

List Feed Archives

List Feed Types

Intelligence Indicator Graph

Operations

Search Indicators

Iocs

Operations

Devices Count

Devices Ran On

Entities Processes

Processes Ran On

Recon

Operations

Aggregate Notifications

Aggregate Notifications Exposed Data Records

Create Actions

Create Export Jobs

Create Rules

Delete Action

Delete Export Jobs

Delete Notifications

Delete Rules