Skip to main content
Skip table of contents

CrowdStrike Discover

Overview

CrowdStrike Falcon® Discover allows you to quickly identify and eliminate malicious or noncompliant activity by providing unmatched real-time visibility into the devices, users and applications in your network. Discover shows you the accounts that are logged in, the applications they're using, and the hardware and virtual hardware assets they're accessing.

D3 SOAR is providing REST operations to function with CrowdStrike Discover.

CrowdStrike Discover is available for use in:

D3 SOAR

V15.4.1.0+

Category

Identity Access Management

Deployment Options

Option II, Option IV

Known Limitations

The Falcon Discover API endpoint only returns data if the response set includes 10,000 or fewer items. This limit applies to the total size of the API response, regardless of the pagination sizes with the limit and offset parameters. If the response set contains more than 10,000 items, the Falcon Discover API will return an HTML 400 response. To prevent his issue, use the filter parameter to reduce the total number of items in the API response.

The default rate limit for requests that contain a valid bearer token is 6,000 requests per minute per customer account. Every request in the customer account decreases one request from that pool, regardless of the API endpoint or API client used for the request. The rate limit is calculated on a sliding window.

Requests with missing, malformed, or expired bearer tokens are rate limited at 15 requests per minute per source IP address (not per customer account).

If you exceed your rate limit, any further request will receive an "HTTP 429: Too Many Requests" error along with the current rate limit status in the HTTP headers.

For more information, see Falcon Discover APIs.

Connection

To connect to CrowdStrike Discover from D3 SOAR, please follow this part to collect the required information below:

Parameter

Description

Example

Server URL

The server URL of the CrowdStrike API.

https://api.crowdstrike.com

Client ID

The client ID to authenticate the API connection.

acb9eb714b************75b76e66a9

Client Secret

The client secret to authenticate the API connection.

m132NkPjVva************I6sJ7UFC8LwGQdSetf

API Version

The API version to use for the connection.

v1

Permission Requirements

All commands in this integration require the Falcon Discover:Read permission.

Reader Note

Please refer to Users and Roles for details on configuring user profiles. You can also use the shortcut Ctrl + K (Windows) or Cmd + K (macOS) to bring up the search bar to find and access the Roles and permissions page.

Configuring CrowdStrike Discover to Work with D3 SOAR

  1. Log in to the CrowdStrike portal (https://falcon.crowdstrike.com/login/).

  2. Use the shortcut Ctrl + K (Windows) or Cmd + K (macOS) to bring up the search bar. Use it to find and select API clients and keys.

  3. On the API clients and keys page, click Add new API Client.

  4. The Add new API client will appear. Input a Client Name and a description (optional). Select the Falcon Discover Read permission. Click Add.

Reader Note

See Permissions Requirements for more information on API scopes.

  1. The API client created window will appear with a Client ID and Secret.

Reader Note

This is the only time you can view the Secret Key. Store it in a secure location for future reference.

  1. (Optional) You can edit the permission scopes for the created API client by clicking the Edit icon under the Action column of the API client. An Edit API client window will appear for you to edit the permission scopes. Click Save to complete editing.

  2. (Optional) You can reset the Secret Key by clicking the Reset Secret icon under the Action column of the API client. A Reset the secret window will appear asking you to confirm. Click Reset.

Configuring D3 SOAR to Work with CrowdStrike Discover

  1. Log in to D3 SOAR.

  2. Find the CrowdStrike Discover integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type CrowdStrike Discover in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to CrowdStrike Discover.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Configure User Permissions: Defines which users have access to the connection.

    7. Active: Check the tick box to ensure the connection is available for use.

    8. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
      1. Copy and input the Base URL from the CrowdStrike platform. The default value is https://api.crowdstrike.com (refer to step 5 of Configuring CrowdStrike to Work with D3 SOAR).
      2. Copy and input the Client ID from the CrowdStrike platform (refer to step 5 of Configuring CrowdStrike to Work with D3 SOAR)
      3. Copy and input the Client Secret from the CrowdStrike platform (refer to step 5 of Configuring CrowdStrike to Work with D3 SOAR)
      4. The default value of the API Version is v1. You can use the default value when creating connections.

    9. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

    10. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
      To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

CrowdStrike Discover includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the CrowdStrike Discover API, please refer to the CrowdStrike Discover API reference.

Reader Note

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring CrowdStrike Discover to Work with D3 SOAR for details.

List Accounts

Retrieves details on the accounts matching the input Falcon Query Language (FQL) query statement.

Reader Note

Filter allows you to define the search query. Refer to Falcon Query Language (FQL) from Crowdstrike’s documentation for more information about the syntax. You can run this command with no filter expressions defined to see the queryable property names in the returned raw data.

  • The basic syntax is: property_name:<operator>‘<value>’. The <operator> is optional to input. For example, to search the username d3user-C, the filter expression would be username: "d3user-C".

  • The following are commonly used operators and their associated meanings:

    • + = and

    • , = or

    • ! = not equal to

  • For the list of filterable property names, see Account and Login Filters.

Input

Input Parameter

Required/Optional

Description

Example

Filter

Optional

The query to filter results. For more information about the query syntax, see Crowdstrike Falcon Query Language.

admin_privileges:'Yes'+ last_successful_login_timestamp:>'now-7d'

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON 
{
    "meta": {
        "query_time": 0.002910538,
        "powered_by": "discover-api",
        "trace_id": "***-***-***-***-***"
    },
    "resources": [
        {
            "id": "***",
            "cid": "***",
            "user_sid": "S-1-5-21-268******-***-***-500",
            "login_domain": "***",
            "account_name": "***\\***",
            "username": "**",
            "account_type": "Local",
            "admin_privileges": "Yes",
            "first_seen_timestamp": "2023-01-17T21:03:49Z",
            "last_successful_login_type": "Terminal server",
            "last_successful_login_timestamp": "2023-02-28T21:00:00Z",
            "last_successful_login_hostname": "***",
            "last_successful_login_remote_ip": "1.2.3.4",
            "last_successful_login_host_country": "Canada",
            "last_successful_login_host_city": "Vancouver",
            "password_last_set_timestamp": "2020-05-20T18:09:24Z"
        },
        {
            "id": "***",
            "cid": "***",
            "user_sid": "S-1-5-21-***-***-***-***",
            "login_domain": "***",
            "account_name": "***\\***",
            "username": "***",
            "account_type": "Local",
            "admin_privileges": "Yes",
            "first_seen_timestamp": "2022-05-09T04:40:15Z",
            "last_successful_login_type": "Terminal server",
            "last_successful_login_timestamp": "2023-03-07T07:00:00Z",
            "last_successful_login_hostname": "***",
            "last_successful_login_remote_ip": "1.2.3.5",
            "last_successful_login_host_country": "Canada",
            "last_successful_login_host_city": "Toronto",
            "password_last_set_timestamp": "2022-05-09T06:04:52Z"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE 
{
    "UserNames": "\"[ \\\"***\\\", \\\"***\\\" ]\"",
    "AccountNames": "\"[ \\\"***\\\\\\\\***\\\", \\\"***\\\\\\\\***\\\" ]\"",
    "AccountIDs": "\"[ \\\"***\\\", \\\"***\\\" ]\"",
    "AccountTypes": "\"[ \\\"Local\\\", \\\"Local\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE 
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE 
$body

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Accounts and Logins failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Discover portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: ****** filter is invalid, cannot be parsed.

Error Sample Data

List Accounts and Logins failed.

Status Code: 400.

Message: ****** filter is invalid, cannot be parsed.

List Assets

Retrieves details on the assets matching the input Falcon Query Language (FQL) query statement.

Reader Note

Filter allows you to define the search query. Refer to Falcon Query Language (FQL) from Crowdstrike’s documentation for more information about the syntax. You can run this command with no filter expressions defined to see the queryable property names in the returned raw data.

  • The basic syntax is: property_name:<operator>‘<value>’. The <operator> is optional to input. For example, to search the username d3user-C, the filter expression would be username: "d3user-C".

  • The following are commonly used operators and their associated meanings:

    • + = and

    • , = or

    • ! = not equal to

  • For the list of filterable property names, see Asset Filters.

Input

Input Parameter

Required/Optional

Description

Example

Filter

Optional

The query to filter results. For more information about the query syntax, see Crowdstrike Falcon Query Language.

entity_type:'managed'+product_type_desc:'Workstation'+hostname:'DESKTOP-***'

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON 
{
    "meta": {
        "query_time": 0.004045221,
        "powered_by": "discover-api",
        "trace_id": "***-***-***-***-***"
    },
    "resources": [
        {
            "id": "***",
            "field_metadata": {
                "agent_version": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "aid": {
                    "providers": [
                        "Active Directory",
                        "CrowdStrike"
                    ]
                },
                "available_disk_space": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "available_disk_space_pct": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "average_memory_usage": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "average_memory_usage_pct": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "average_processor_usage": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "bios_manufacturer": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "bios_version": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "cid": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "city": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "country": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "current_local_ip": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "data_providers": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "data_providers_count": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "encryption_status": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "entity_type": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "external_ip": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "field_metadata": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "first_seen_timestamp": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "groups": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "hostname": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "id": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "internet_exposure": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "kernel_version": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "last_seen_timestamp": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "local_ip_addresses": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "local_ips_count": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "logical_core_count": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "mac_addresses": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "machine_domain": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "max_memory_usage": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "max_memory_usage_pct": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "max_processor_usage": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "network_interfaces": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "number_of_disk_drives": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "object_guid": {
                    "providers": [
                        "Active Directory"
                    ]
                },
                "os_is_eol": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "os_security": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "os_version": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "physical_core_count": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "platform_name": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "processor_package_count": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "product_type": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "product_type_desc": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "reduced_functionality_mode": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "site_name": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "system_manufacturer": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "system_product_name": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "system_serial_number": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "total_disk_space": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "total_memory": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "unencrypted_drives": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "unencrypted_drives_count": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "used_disk_space": {
                    "providers": [
                        "CrowdStrike"
                    ]
                },
                "used_disk_space_pct": {
                    "providers": [
                        "CrowdStrike"
                    ]
                }
            },
            "cid": "***",
            "aid": "***",
            "entity_type": "managed",
            "first_seen_timestamp": "2022-03-25T00:12:53Z",
            "last_seen_timestamp": "2023-02-12T20:00:00Z",
            "country": "Canada",
            "city": "Vancouver",
            "platform_name": "Windows",
            "os_version": "Windows 10",
            "kernel_version": "19044",
            "product_type": "1",
            "product_type_desc": "Workstation",
            "groups": [
                "***"
            ],
            "agent_version": "6.37.15103.0",
            "system_product_name": "VMware7,1",
            "system_manufacturer": "VMware, Inc.",
            "system_serial_number": "VMware-***",
            "bios_manufacturer": "VMware, Inc.",
            "bios_version": "***",
            "machine_domain": "***.local",
            "site_name": "***",
            "external_ip": "1.1.1.1",
            "hostname": "***",
            "local_ips_count": 1,
            "network_interfaces": [
                {
                    "local_ip": "1.2.3.4",
                    "mac_address": "00-00-00-B0-00-0C",
                    "interface_alias": "Ethernet0",
                    "interface_description": "Intel(R) 82574L Gigabit Network Connection",
                    "network_prefix": "***"
                }
            ],
            "os_security": {
                "secure_boot_requested_status": false,
                "device_guard_status": false,
                "system_guard_status": "0",
                "credential_guard_status": false,
                "iommu_protection_status": "N/A",
                "secure_boot_enabled_status": true,
                "uefi_memory_protection_status": "1",
                "virtualization_based_security_status": false,
                "secure_memory_overwrite_requested_status": "1",
                "kernel_dma_protection_status": false
            },
            "current_local_ip": "1.1.1.1",
            "internet_exposure": "Unknown",
            "reduced_functionality_mode": "No",
            "number_of_disk_drives": 3,
            "cpu_processor_name": "Intel(R) Xeon(R) CPU E5-2690 0 @ 2.90GHz",
            "processor_package_count": 2,
            "physical_core_count": 4,
            "logical_core_count": 4,
            "total_memory": 8190,
            "total_disk_space": 100,
            "os_is_eol": "No",
            "encryption_status": "Unencrypted",
            "unencrypted_drives": [
                "\\\\?\\Volume{***-***-***-***-***}",
                "\\\\?\\Volume{***-***-***-***-***}",
                "C:"
            ],
            "unencrypted_drives_count": 3,
            "average_processor_usage": 26,
            "max_processor_usage": 90,
            "average_memory_usage": 3680,
            "average_memory_usage_pct": 44,
            "max_memory_usage": 3715,
            "max_memory_usage_pct": 45,
            "used_disk_space": 43,
            "used_disk_space_pct": 43,
            "available_disk_space": 58,
            "available_disk_space_pct": 58,
            "data_providers": [
                "Active Directory",
                "CrowdStrike"
            ],
            "data_providers_count": 2,
            "mac_addresses": [
                "00-00-00-B0-00-0C"
            ],
            "local_ip_addresses": [
                "1.1.1.1"
            ],
            "object_guid": "***"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE 
{
    "AssetIDs": "\"[ \\\"***\\\" ]\"",
    "EntityTypes": "\"[ \\\"managed\\\" ]\"",
    "ExternalIPs": "\"[ \\\"1.1.1.1\\\" ]\"",
    "HostNames": "\"[ \\\"**-***\\\" ]\"",
    "CurrentLocalIPs": "\"[ \\\"1.1.1.1\\\" ]\"",
    "OSVersions": "\"[ \\\"Windows 10\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE 
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE 
$body

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Assets failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Discover portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: ****** filter is invalid, cannot be parsed.

Error Sample Data

List Assets failed.

Status Code: 400.

Message: ****** filter is invalid, cannot be parsed.

List Logins

Retrieves details on the logins matching the input Falcon Query Language (FQL) query statement. Note: A single login ID in Falcon may consist of one or multiple login attempts, whether they are all successful or failed. These attempts are made by a single account on a particular asset within a designated time frame. For information about how logins are defined in CrowdStrike, see Understanding Logins.

Reader Note

Filter allows you to define the search query. Refer to Falcon Query Language (FQL) from Crowdstrike’s documentation for more information about the syntax. You can run this command with no filter expressions defined to see the queryable property names in the returned raw data.

  • The basic syntax is: property_name:<operator>‘<value>’. The <operator> is optional to input. For example, to search the username d3user-C, the filter expression would be username: "d3user-C".

  • The following are commonly used operators and their associated meanings:

    • + = and

    • , = or

    • ! = not equal to

  • For the list of filterable property names, see Account and Login Filters.

Input

Input Parameter

Required/Optional

Description

Example

Filter

Optional

The query to filter results. For more information about the query syntax, see Crowdstrike Falcon Query Language.

login_status:'Failed'+login_timestamp:>'now-5d'

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON 
{
    "meta": {
        "query_time": 0.003720151,
        "powered_by": "discover-api",
        "trace_id": "***-***-***-***-***"
    },
    "resources": [
        {
            "id": "***",
            "cid": "***",
            "login_status": "Failed",
            "account_id": "***",
            "host_id": "***",
            "user_sid": "S-1-5-21-***-500",
            "aid": "**",
            "account_name": "***.***\\**",
            "username": "***",
            "hostname": "***",
            "account_type": "Domain",
            "login_type": "Network",
            "login_timestamp": "2023-03-03T00:00:00Z",
            "login_domain": "***",
            "admin_privileges": "Yes",
            "local_ip": "1.1.1.1",
            "remote_ip": "1.0.0.0",
            "host_country": "Canada",
            "host_city": "Vancouver",
            "failure_description": "This is either due to a bad username or authentication information",
            "login_event_count": 1,
            "aggregation_time_interval": "24h"
        },
        {
            "id": "***",
            "cid": "***",
            "login_status": "Failed",
            "host_id": "***",
            "aid": "***",
            "account_name": "%***%\\--",
            "username": "***",
            "hostname": "***",
            "login_type": "Interactive",
            "login_timestamp": "2023-03-03T00:00:00Z",
            "login_domain": "%***%",
            "admin_privileges": "Unknown",
            "local_ip": "10.0.0.0",
            "remote_ip": "1.1.1.1",
            "host_country": "Canada",
            "host_city": "Vancouver",
            "failure_description": "This is either due to a bad username or authentication information",
            "login_event_count": 27,
            "aggregation_time_interval": "24h"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE 
{
    "LoginIDs": "\"[ \\\"***\\\", \\\"***\\\" ]\"",
    "AccountNames": "\"[ \\\"***\\\\\\\\***\\\", \\\"%***%\\\\\\\\--\\\" ]\"",
    "HostNames": "\"[ \\\"**\\\", \\\"***\\\" ]\"",
    "LoginStatuses": "\"[ \\\"Failed\\\", \\\"Failed\\\" ]\"",
    "LocalIPs": "\"[ \\\"10.0.0.0\\\", \\\"10.0.1.1\\\" ]\"",
    "LoginTime": "\"[\\\"2023-03-03T00:00:00Z\\\", \\\"2023-03-03T00:00:00Z\\\" ]\"",
    "UserNames": "\"[\\\"***\\\", \\\"***\\\" ]\"",
    "RemoteIPs": "\"[\\\"1.0.0.0\\\", \\\"1.2.3.4\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE 
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE 
$body

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Error Sample Data

List Logins failed.

Status Code: 400.

Message: ****** filter is invalid, cannot be parsed.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE 
Successful

Error Handling

If the Return Data is failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed:Get accesstoken failed

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Discover portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Test Connection failed:Get accesstoken failed

Error Sample Data

Test Connection failed:Get accesstoken failed

Status Code: 400.

Message: Test Connection failed:Get accesstoken failed

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close