Integrate CrowdStrike Identity Protection into workflows to search sensors, fetch documented sensor details by device ID, and run documented sensor aggregate queries.
Get documented CrowdStrike Identity Protection sensor aggregates from a JSON aggregate query body

| Parameter | Type | Required | Description |
|---|---|---|---|
| clientId | string | Yes | CrowdStrike Falcon API client ID |
| clientSecret | string | Yes | CrowdStrike Falcon API client secret |
| cloud | string | Yes | CrowdStrike Falcon cloud region |
| aggregateQuery | json | Yes | JSON aggregate query body documented by CrowdStrike for sensor aggregates |

| Parameter | Type | Description |
|---|---|---|
| aggregates | array | Aggregate result groups returned by CrowdStrike |
| ↳ buckets | array | Buckets within the aggregate result |
| ↳ count | number | Bucket document count |
| ↳ from | number | Bucket lower bound |
| ↳ keyAsString | string | String representation of the bucket key |
| ↳ label | json | Bucket label object |
| ↳ stringFrom | string | String lower bound |
| ↳ stringTo | string | String upper bound |
| ↳ subAggregates | json | Nested aggregate results for this bucket |
| ↳ to | number | Bucket upper bound |
| ↳ value | number | Bucket metric value |
| ↳ valueAsString | string | String representation of the bucket value |
| ↳ docCountErrorUpperBound | number | Upper bound for bucket count error |
| ↳ name | string | Aggregate result name |
| ↳ sumOtherDocCount | number | Document count not included in the returned buckets |
| count | number | Number of aggregate result groups returned |

Get documented CrowdStrike Identity Protection sensor details for one or more device IDs

| Parameter | Type | Required | Description |
|---|---|---|---|
| clientId | string | Yes | CrowdStrike Falcon API client ID |
| clientSecret | string | Yes | CrowdStrike Falcon API client secret |
| cloud | string | Yes | CrowdStrike Falcon cloud region |
| ids | json | Yes | JSON array of CrowdStrike sensor device IDs |

| Parameter | Type | Description |
|---|---|---|
| sensors | array | CrowdStrike identity sensor detail records |
| ↳ agentVersion | string | Sensor agent version |
| ↳ cid | string | CrowdStrike customer identifier |
| ↳ deviceId | string | Sensor device identifier |
| ↳ heartbeatTime | number | Last heartbeat timestamp |
| ↳ hostname | string | Sensor hostname |
| ↳ idpPolicyId | string | Assigned Identity Protection policy ID |
| ↳ idpPolicyName | string | Assigned Identity Protection policy name |
| ↳ ipAddress | string | Sensor local IP address |
| ↳ kerberosConfig | string | Kerberos configuration status |
| ↳ ldapConfig | string | LDAP configuration status |
| ↳ ldapsConfig | string | LDAPS configuration status |
| ↳ machineDomain | string | Machine domain |
| ↳ ntlmConfig | string | NTLM configuration status |
| ↳ osVersion | string | Operating system version |
| ↳ rdpToDcConfig | string | RDP to domain controller configuration status |
| ↳ smbToDcConfig | string | SMB to domain controller configuration status |
| ↳ status | string | Sensor protection status |
| ↳ statusCauses | array | Documented causes behind the current status |
| ↳ tiEnabled | string | Threat intelligence enablement status |
| count | number | Number of sensors returned |
| pagination | json | Pagination metadata when returned by the underlying API |
| ↳ limit | number | Page size used for the query |
| ↳ offset | number | Offset returned by CrowdStrike |
| ↳ total | number | Total records available |

Search CrowdStrike identity protection sensors by hostname, IP, or related fields

| Parameter | Type | Required | Description |
|---|---|---|---|
| clientId | string | Yes | CrowdStrike Falcon API client ID |
| clientSecret | string | Yes | CrowdStrike Falcon API client secret |
| cloud | string | Yes | CrowdStrike Falcon cloud region |
| filter | string | No | Falcon Query Language filter for identity sensor search |
| limit | number | No | Maximum number of sensor records to return |
| offset | number | No | Pagination offset for the identity sensor query |
| sort | string | No | Sort expression for identity sensor results |

| Parameter | Type | Description |
|---|---|---|
| sensors | array | Matching CrowdStrike identity sensor records |
| ↳ agentVersion | string | Sensor agent version |
| ↳ cid | string | CrowdStrike customer identifier |
| ↳ deviceId | string | Sensor device identifier |
| ↳ heartbeatTime | number | Last heartbeat timestamp |
| ↳ hostname | string | Sensor hostname |
| ↳ idpPolicyId | string | Assigned Identity Protection policy ID |
| ↳ idpPolicyName | string | Assigned Identity Protection policy name |
| ↳ ipAddress | string | Sensor local IP address |
| ↳ kerberosConfig | string | Kerberos configuration status |
| ↳ ldapConfig | string | LDAP configuration status |
| ↳ ldapsConfig | string | LDAPS configuration status |
| ↳ machineDomain | string | Machine domain |
| ↳ ntlmConfig | string | NTLM configuration status |
| ↳ osVersion | string | Operating system version |
| ↳ rdpToDcConfig | string | RDP to domain controller configuration status |
| ↳ smbToDcConfig | string | SMB to domain controller configuration status |
| ↳ status | string | Sensor protection status |
| ↳ statusCauses | array | Documented causes behind the current status |
| ↳ tiEnabled | string | Threat intelligence enablement status |
| count | number | Number of sensors returned |
| pagination | json | Pagination metadata (limit, offset, total) |
| ↳ limit | number | Page size used for the query |
| ↳ offset | number | Offset returned by CrowdStrike |
| ↳ total | number | Total records available |
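
One way to consume the search output above for sensor health triage, as an added example that is not part of the integration's own code: it pages through results with the documented `pagination` fields and flags sensors that report `statusCauses` or a stale `heartbeatTime`. Assumptions: `heartbeatTime` is epoch milliseconds, the 15-minute threshold is arbitrary, and `fake_search_page` and its records are constructed stand-ins for the real search call.

```python
from typing import Callable, Iterator

STALE_AFTER_MS = 15 * 60 * 1000  # assumed threshold: 15 minutes without a heartbeat


def iter_sensors(search_page: Callable[[int, int], dict], limit: int = 2) -> Iterator[dict]:
    """Walk every page using the documented pagination limit/offset/total fields."""
    offset = 0
    while True:
        page = search_page(offset, limit)
        sensors = page.get("sensors", [])
        yield from sensors
        total = (page.get("pagination") or {}).get("total", 0)
        offset += len(sensors)
        # Stop on an empty page too, so a wrong or missing total cannot loop forever.
        if not sensors or offset >= total:
            return


def triage(sensors, now_ms: int) -> list[dict]:
    """Return one finding per sensor that has status causes or a stale heartbeat."""
    findings = []
    for s in sensors:
        reasons = list(s.get("statusCauses") or [])
        # Assumption: heartbeatTime is epoch milliseconds; a missing value counts as stale.
        if now_ms - (s.get("heartbeatTime") or 0) > STALE_AFTER_MS:
            reasons.append("stale_heartbeat")
        if reasons:
            findings.append({"deviceId": s.get("deviceId"), "hostname": s.get("hostname"), "reasons": reasons})
    return findings


# Constructed sample data standing in for the search operation's output.
NOW_MS = 1_700_000_000_000
_FAKE = [
    {"deviceId": "dev-1", "hostname": "dc01", "heartbeatTime": NOW_MS - 60_000, "statusCauses": []},
    {"deviceId": "dev-2", "hostname": "dc02", "heartbeatTime": NOW_MS - 3_600_000, "statusCauses": []},
    {"deviceId": "dev-3", "hostname": "dc03", "heartbeatTime": NOW_MS - 30_000, "statusCauses": ["constructed_cause"]},
]


def fake_search_page(offset: int, limit: int) -> dict:
    """Hypothetical stand-in returning the documented shape (sensors, count, pagination)."""
    rows = _FAKE[offset:offset + limit]
    return {"sensors": rows, "count": len(rows),
            "pagination": {"limit": limit, "offset": offset, "total": len(_FAKE)}}


if __name__ == "__main__":
    print(triage(iter_sensors(fake_search_page), NOW_MS))
```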