
CrowdStrike Identity Protection

LAST UPDATED: NOVEMBER 12, 2025

Overview

CrowdStrike Falcon® Identity Protection stops breaches faster by protecting workforce identities everywhere, leveraging advanced AI in the world's largest unified, threat-centric data fabric. It improves organizations' security posture by segmenting identities and automating analysis and enforcement of AD security. The Falcon Identity Protection solution consists of two products: Falcon Identity Threat Detection (ITD) and Falcon Identity Threat Protection.

D3 SOAR provides REST operations that work with CrowdStrike Identity Protection.

CrowdStrike Identity Protection is available for use in:

D3 SOAR

V15.4.76.0+

Category

Identity & Access Management

Deployment Options

Option II, Option IV

Connection

Gather the following information to connect D3 SOAR to CrowdStrike Identity Protection.

Parameter

Description

Example

Server URL

The server URL for the API connection.

https://api.crowdstrike.com

Client ID

The client ID to authenticate the API connection.

acb*****66a9

Client Secret

The client secret to authenticate the API connection.

m13*****etf

API Version

The version of the API to use for the connection.

v1

Permission Requirements

Each endpoint in the CrowdStrike Identity Protection API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command

Required Permission

Fetch Event

Fetching events of the "identity detection" type

Read: Alerts

Fetching events of the "incidents" type

Read: Identity Protection Detections

Write: Identity Protection GraphQL

Search Entities

Read: Identity Protection Entities

Write: Identity Protection GraphQL

Update Identity-based Detections

Read + Write: Alerts

Update Incidents

Read + Write: Identity Protection Detections

Write: Identity Protection GraphQL

Test Connection

Read: Identity Protection Detections

Write: Identity Protection GraphQL

Because CrowdStrike Identity Protection uses role-based access control (RBAC), the API access token is generated for a specific user account and application, so the command permissions are inherited from that user account's role. Users need to configure their user profile in the CrowdStrike Identity Protection console for each command in this integration.

READER NOTE

For more information about user roles, see Identity Protection APIs.

Configuring CrowdStrike Identity Protection to Work with D3 SOAR

  1. Log into CrowdStrike.

  2. Use the shortcut Ctrl + K (Windows) or Cmd + K (macOS) to bring up the search bar. Use it to find and select API clients and keys.

  3. On the API clients and keys page, click Add new API Client.

  4. The Add new API client will appear. Input a Client Name and a description (optional). Select the scopes for the API client according to the use case. Click Add.

READER NOTE

The screenshot above provides a sample permissions configuration. For a detailed list of API scopes, refer to Permission Requirements.

  5. The API client created window will appear with a Client ID and Secret.

    The Secret will no longer be visible after this point.

Configuring D3 SOAR to Work with CrowdStrike Identity Protection

  1. Log in to D3 SOAR.

  2. Find the CrowdStrike Identity Protection integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type CrowdStrike Identity Protection in the search box to find the integration, then click it to select it.

    4. Click New Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to CrowdStrike Identity Protection.

    1. Connection Name: The desired name for the connection.

    2. Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.

    4. Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): The description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: The checkbox that enables the connection to be used when selected.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.


      1. Input the domain level Server URL.
      2. Input the Client ID. Refer to Step 5 of Configuring CrowdStrike Identity Protection to Work with D3 SOAR.
      3. Input the Client Secret. Refer to Step 5 of Configuring CrowdStrike Identity Protection to Work with D3 SOAR.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    11. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.

  4. Test the connection.

    1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry. Click OK to close the alert window.

    2. Click Add to create and add the configured connection.

Commands

CrowdStrike Identity Protection includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, users can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the CrowdStrike Identity Protection API, refer to the CrowdStrike Identity Protection API reference.

READER NOTE

Certain permissions are required for each command. Refer to the Permission Requirements and Configuring CrowdStrike Identity Protection to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

  2. Choose the desired date and time format, then click on the Save button.

The selected time format will now be visible when configuring Date/Time command input parameters.

Fetch Event

Returns event(s) from the platform based on specified criteria. You can choose which event type to fetch: identity-based detections or incidents.

READER NOTE

All input parameters are optional to run this command. If no input parameters are defined, all Identity-based Detection type events will be fetched by default.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

The start of the time range (in UTC) used to fetch events, applied to the time field selected by Query Time Type. Note: This parameter applies to both Identity-based Detection and Incident event types.

2022-08-05 00:00

End Time

Optional

The end of the time range (in UTC) used to fetch events, applied to the time field selected by Query Time Type. Note: This parameter applies to both Identity-based Detection and Incident event types.

2022-08-12 00:00

Query Time Type

Optional

The time field to filter retrieved events, based on the selected value for the Event Type parameter. If the event type is Identity-Based Detection, the options available are First Activity Time, Last Activity Time, Created Time, and Updated Time. If no option is specified, the default time field used for Identity-Based Detection is Last Activity Time. If the event type is Incident, the options available are Created Time and Updated Time. If no option is specified, the default time field used for Incident is Updated Time.

First Activity Time (Identity-Based Detection)

Event Type

Optional

The type of events to retrieve. The available event types are Identity-based Detection and Incident. The default value will be Identity-based Detection if no event type is specified.

Identity-Based Detection

Number of Event(s) Fetched

Optional

The maximum number of the most recent events to fetch. The valid input value is an integer between 1 and 10,000. If the input value is not within the valid range or not specified, all events that match the filters will be returned. Note: This parameter applies to both Identity-based Detection and Incident event types.

10

Severity

Optional

The minimum severity level of the events to retrieve. For instance, events with a "High" or "Critical" severity level will be returned if you select High. If this parameter is not specified, events of all severity levels will be returned. Note: This parameter is applicable to both Identity-based Detection and Incident event types.

High

Identity-based Detection filter

Optional

The query to filter Identity-based Detection results. For more information about the query syntax, see CrowdStrike Falcon Query Language. If this parameter is not specified, all Identity-based Detections matching the other specified criteria will be returned. Note: This parameter is only valid for Identity-based Detection events.

status:['new'] + tactic_id:[ '*****' ]

Incident filter

Optional

The query to filter Incident results. For more information about the query syntax, see CrowdStrike Falcon Query Language. For the available incident filter parameters, see CrowdStrike-Incident parameters. If this parameter is not specified, all Incidents matching the other specified criteria will be returned. Note: This parameter is only valid for Incident events.

alertTypes:[ ALERT_TYPE ], type:[ INCIDENT_TYPE ]

Tolerance Scope

Optional

The tolerance scope (in minutes) for the query to fetch events between the specified start and end time to avoid event loss or fetch failure. The events will be fetched between {Start Time - Tolerance Scope, End Time}. The default value is 0.

0

Output

To view the sample output data for all commands, refer to this article.

Fetch Event Field Mapping

See Field Mappings

The CrowdStrike Identity Protection system integration includes pre-configured field mappings for the default event source.

The Default Event Source is the default system-provided set of field mappings applied when the fetch event command is executed. It includes a Main Event JSON Path, which is the JSONPath expression that points to the base array of event objects. The source field path continues from this array to locate the required data. 

The Main Event JSON Path can be viewed by clicking on the Edit Main JSON Path button.

  • Main Event JSON Path: $.resources
    The resources array contains the event objects. Within each event object, the key activity_id denotes the Activity ID field. As such, the full JSONPath expression to extract the Activity ID is $.resources.activity_id.

  • Event Source for Incidents

    D3 pre-configures field mappings that are specific to incident-related events. If a source field in the field mapping is not found, the corresponding field mapping will be ignored. Because the eventType field in the raw data for incident events consistently has the value incident, these events can be identified by the Search String: {$.eventType}=incident. Click Edit Event Source to view the Search String.

The pre-configured field mappings are detailed below:

Field Name

Source Field

Default Event Source (Main Event JSON Path: $.resources)

Activity ID

.activity_id

Confidence

.confidence

Event Internal Name

.name

Event Time

.created_timestamp

Falcon Host Link

.falcon_host_link

Location Country Code

.location_country_code

Location Latitude

.location_latitude

Location Longitude

.location_longitude

Objective

.objective

Pattern ID

.pattern_id

Source Account Azure ID

.source_account_azure_id

Source Account Domain

.source_account_domain

Source Account ID

.source_account_object_sid

Source Account Okta ID

.source_account_okta_id

SSO Application URI

.sso_application_uri

Technique ID

.technique_id

UpdateTime

.updated_timestamp

UTCEventTime

.timestamp

Webhook Extrainfo

.webhookExtraInfo

Last Behavior Time

.end_time

Webhook URL

.webhookURL

Unique Event Key

.id

Event name

.display_name

Event Type

.type

Start Time

.start_time

Severity

.severity

Source Device

.source_endpoint_host_name

Source Device IP address

.source_endpoint_ip_address

Source username

.source_account_name

Status

.status

Description

.description

Tactics

.tactic

Techniques

.technique

Event Source for Alerts (Search String: {$.eventType}=incident)

The search string format is {jsonpath}=value. If the value of the eventType key is incident in the event object under raw data, then the incident-related events will use the field mapping below.

Severity

.severity

Status

.lifeCycleStage

Sub Event

.alertEvents

Start Time

.startTime

Alert type

.alertEvents[*].alertType

Event code

.incidentId

Last Behavior Time

.endTime

Webhook Extrainfo

.webhookExtraInfo

Webhook URL

.webhookURL

Related Endpoint Entities

.alertEvents[*].relatedEvents.nodes[*].endpointEntity.primaryDisplayName

Related Target Entities

.alertEvents[*].relatedEvents.nodes[*].targetEntity.primaryDisplayName

Related User Entities

.alertEvents[*].relatedEvents.nodes[*].userEntity.primaryDisplayName

Incident Type

.type

Event Labels

.alertEvents[*].eventLabel

Comments

.comments.text

Compromised Endpoints

.compromisedEntities[?(@.type == 'ENDPOINT')].primaryDisplayName

Compromised Users

.compromisedEntities[?(@.type == 'USER')].primaryDisplayName

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Identity Protection portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: access denied, authorization failed.

Error Sample Data

Fetch Event failed.

Status Code: 403.

Message: access denied, authorization failed.

Search Entities

Retrieves entities with corresponding information based on the specified criteria.

READER NOTE

  • All input parameters are optional to run this command. If no input parameters are defined, all entities will be returned.

  • By default, the returned entities are sorted by primaryName, in ascending order.

Input

Input Parameter

Required/Optional

Description

Example

Entity Type

Optional

The type of entities to retrieve. If this parameter is not specified, entities of all types will be returned.

USER

Entity Primary Names

Optional

The primary display names of the entities to return.

JSON
[
  "*****"
]

Minimum Risk Score Severity

Optional

The minimum risk score severity to filter returned entities. If this parameter is not defined, entities with any score severities will be returned.

Medium

Email Addresses

Optional

The email addresses of the user entities to return. Note: This parameter is only valid when the selected "Entity Type" is "User".

JSON
[
  "*****@*****.***"
]

Host Names

Optional

The names of the host entities to return. Note: This parameter is only valid when the selected "Entity Type" is "Endpoint".

JSON
[
  "win-10-host"
]

Entity Filter

Optional

The condition to filter returned entities. This parameter can be used if the other input parameters are inadequate to fulfill your query conditions. If the fields used for filtering in this parameter overlap with other input parameters, the other input parameters will be ignored. For more information about the query syntax, see CrowdStrike Falcon Query Language. For more information on entity filter parameters, see CrowdStrike-Entity parameters.

hasOpenIncidents:true, secondaryDisplayName:[ "*****\\*****" ]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search Entities failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Identity Protection portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: access denied, authorization failed.

Error Sample Data

Search Entities failed.

Status Code: 403.

Message: access denied, authorization failed.

Update Identity-based Detections

Updates the specified Identity-based Detections, including status, assigned user and comments with additional info. You can update Identity-based Detection(s) by specifying the corresponding Detection ID(s) or using a filter condition.

READER NOTE

The input parameter Detection IDs is optional to run this command.

  • You should already have your desired Detection IDs on hand to run this command. If you don’t, you may use the Fetch Event command with the Event Type parameter set to Identity-based Detection to view a list of Detection IDs. The Detection IDs can be found in the raw data at the path $.resources.id.

Input

Input Parameter

Required/Optional

Description

Example

Detection IDs

Optional

The ID(s) of the detection(s) to update. Detection IDs can be obtained using the Fetch Event command. Note: You must define one of the "Detection IDs" or "Filter" parameters. If both are defined, only the "Detection IDs" parameter will be used. The "Filter" parameter will be ignored.

JSON
[
  "*****"
]

Filter

Optional

The condition to filter the detections to update. For more information about the query syntax, see CrowdStrike Falcon Query Language. Note: You must define one of the "Detection IDs" or "Filter" parameters. If both are defined, only the "Detection IDs" parameter will be used. The "Filter" parameter will be ignored.

severity:>=80

Status

Optional

The updated status of the detection(s).

In Progress

Comment

Optional

The comment to add to the detection(s).

testAlertComment0208a

Assignee

Optional

The email address of the user assigned to the detection(s).

*****@*****.*****

Add Tag

Optional

The associated value to add to the detections as a tag.

Malicious1_tag

Remove Tag

Optional

The tag to remove from the detection(s).

Suspicious1_tag

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Identity-based Detections failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Identity Protection portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Detection IDs Not Found.

Error Sample Data

Update Identity-based Detections failed.

Status Code: 404.

Message: Detection IDs Not Found.

Update Incidents

Updates the specified Incidents, including status and comments with additional info.

READER NOTE

The input parameter Incident IDs is required to run this command.

  • You should already have your desired Incident IDs on hand to run this command. If you don’t, you may use the Fetch Event command with the Event Type parameter set to Incident to view a list of Incident IDs. The Incident IDs can be found in the raw data at the path $.incidentId.

Input

Input Parameter

Required/Optional

Description

Example

Incident IDs

Required

The ID(s) of the incident(s) to update. Incident IDs can be obtained using the Fetch Event command.

JSON
[
  "*****"
]

Status

Optional

The updated status of the incident(s).

RESOLVED

Update Status Reason

Optional

The reason for the updated incident status.

Fixed already.

Comment

Optional

The comment to add to the incident(s).

testComment0215

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Incidents failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Identity Protection portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Incident ID Not Found.

Error Sample Data

Update Incidents failed.

Status Code: 404.

Message: Incident ID Not Found.

Test Connection

Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the CrowdStrike Identity Protection portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: access denied, authorization failed.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 403.

Message: access denied, authorization failed.
