CrowdStrike Discover

LAST UPDATED: NOVEMBER 12, 2025

Overview

CrowdStrike Falcon® Discover allows you to quickly identify and eliminate malicious or noncompliant activity by providing unmatched real-time visibility into the devices, users and applications in your network. Discover shows you the accounts that are logged in, the applications they're using, and the hardware and virtual hardware assets they're accessing.

D3 SOAR is providing REST operations to function with CrowdStrike Discover.

CrowdStrike Discover is available for use in:

Known Limitations

• The Falcon Discover API returns data only when the total response contains 10,000 or fewer items. Responses exceeding this limit trigger a 400 error. Use filter parameters to reduce the result set.

• The default rate limit is 6,000 requests per minute per customer account. Each request, regardless of endpoint or client, counts toward this total. The limit is enforced using a sliding window.

• Requests with missing, invalid, or expired bearer tokens are limited to 15 requests per minute per source IP address rather than per customer account.

• When the rate limit is exceeded, subsequent requests return an HTTP 429 (Too Many Requests) error with the current rate-limit status included in the response headers.

For more information, refer to Falcon Discover APIs.

Connection

To connect to CrowdStrike Discover from D3 SOAR, follow this part to collect the required information below:

Permission Requirements

All commands in this integration require the Falcon Discover:Read permission.

Configuring CrowdStrike Discover to Work with D3 SOAR

1. Log into CrowdStrike.

   

2. Use the shortcut Ctrl + K (Windows) or Cmd + K (macOS) to bring up the search bar. Use it to find and select API clients and keys.

   

3. Click the Add new API Client button.

   

4. The Add new API client will appear. Input a Client Name and a description (optional). Select the Falcon Discover Read permission. Click Add.

   

READER NOTE*

See Permissions Requirements for more information on API scopes.

5. Copy the Client ID and Secret.

   

   The Secret will no longer be visible after this point.

Configuring D3 SOAR to Work with CrowdStrike Discover

1. Log in to D3 SOAR.

2. Find the CrowdStrike Discover integration.

   

   1. Navigate to Configuration on the top header menu.

   2. Click on the Integration icon on the left sidebar.

   3. Type CrowdStrike Discover in the search box to find the integration, then click it to select it.

   4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

3. Configure the following fields to create a connection to CrowdStrike Discover.

   

   1. Connection Name: The desired name for the connection.

   2. Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

   3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.

   4. Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

   5. Description (Optional): The description for the connection.

   6. Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.

      

   7. Configure User Permissions: Defines which users have access to the connection.

   8. Active: The checkbox that enables the connection to be used when selected.

   9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      

      1. Copy and input the Base URL from the CrowdStrike platform. The default value is https://api.crowdstrike.com.
      2. Copy and input the Client ID from the CrowdStrike platform. Refer to step 5 of Configuring CrowdStrike to Work with D3 SOAR.
      3. Copy and input the Client Secret from the CrowdStrike platform. Refer to step 5 of Configuring CrowdStrike to Work with D3 SOAR.
      4. Input the API Version. The default value is v1.

   10. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.

   11. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

4. Test the connection.

   1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.

   2. Click OK to close the alert window.

   3. Click + Add to create and add the configured connection.

Commands

CrowdStrike Discover includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, users can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the CrowdStrike Discover API, refer to the CrowdStrike Discover API reference.

READER NOTE

Certain permissions are required for each command. Refer to the Permission Requirements and Configuring CrowdStrike Discover to Work with D3 SOAR for details.

List Accounts

Retrieves details on the accounts matching the input Falcon Query Language (FQL) query statement.

READER NOTE

Use Filter to define the search query.

• The basic syntax is property_name:<operator>‘<value>’, where <operator> is optional.

  • For example, to search for the username d3user-C, use the filter expression username:"d3user-C".

  • The following are commonly used operators and their meanings:

    • + = and

    • , = or

    • ! = not equal to

  • Refer to Falcon Query Language (FQL) for details on the syntax.

• Run this command without filter expressions to view the queryable property names in the returned raw data.

• For the list of filterable property names, see Account and Login Filters.

Input

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

List Assets

Retrieves details on the assets matching the input Falcon Query Language (FQL) query statement.

READER NOTE

Use Filter to define the search query.

• The basic syntax is property_name:<operator>‘<value>’, where <operator> is optional.

  • For example, to search for the username d3user-C, use the filter expression username:"d3user-C".

  • The following are commonly used operators and their meanings:

    • + = and

    • , = or

    • ! = not equal to

  • Refer to Falcon Query Language (FQL) for details on the syntax.

• Run this command without filter expressions to view the queryable property names in the returned raw data.

• For the list of filterable property names, see Asset Filters.

Input

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

List Logins

Retrieves details on the logins matching the input Falcon Query Language (FQL) query statement. Note: A single login ID in Falcon may consist of one or multiple login attempts, whether they are all successful or failed. These attempts are made by a single account on a particular asset within a designated time frame. For information about how logins are defined in CrowdStrike, see Understanding Logins.

READER NOTE

Use Filter to define the search query.

• The basic syntax is property_name:<operator>‘<value>’, where <operator> is optional.

  • For example, to search for the username d3user-C, use the filter expression username:"d3user-C".

  • The following are commonly used operators and their meanings:

    • + = and

    • , = or

    • ! = not equal to

  • Refer to Falcon Query Language (FQL) for details on the syntax.

• Run this command without filter expressions to view the queryable property names in the returned raw data.

• For the list of filterable property names, see Account and Login Filters.

Input

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Test Connection

Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Error Handling

If the Return Data is failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.