CrowdStrike Falcon

Details
Content
Dependencies
Version History

The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.

Endpoint security is at the frontline to protect against malicious cybersecurity threats. It represents one of the first places organizations look to secure their enterprise networks.
As the volume and sophistication of cybersecurity threats have increased, so has the need for more advanced endpoint security solutions.
CrowdStrike Falcon is one of the leaders in the Endpoint Protection Platform (EPP) market, and the CrowdStrike Falcon content pack provides a holistic solution for protecting enterprise endpoints and servers from malicious attacks that can seriously impact your organization.
This pack is designed to quickly detect, analyze, block, and contain malicious attacks in progress. It also gives administrators visibility into advanced threats to speed detection and remediation response times.

What Does This Pack Do?

Mirrors incidents between Cortex XSOAR and CrowdStrike Falcon incidents or detections.
Provides real-time response features
Assesses vulnerability
Contains endpoints (isolation/unisolation)
Removes duplicate incidents
Eliminates false positive incidents
Enriches incidents

Before You Start

Make sure you have the following content packs:

Base
Common Scripts
Common Types

Pack Configurations

To get up and running with this pack, you must get an API client ID and secret from CrowdStrike support.

What Does This Pack Do?

Provides real-time response features
Assesses vulnerability
Contains endpoints (isolation/unisolation)

Before You Start

Make sure you have the following content packs:

Base
Common Scripts
Common Types

Pack Configurations

To get up and running with this pack, you must get an API client ID and secret from CrowdStrike support.

Automations

Name	Description
cspresentpolicyactions
ConvertEnrichmentsToTable	This script is used to convert CrowdStrike IOA enrichments response elements to a table.
ConvertUserIdentityToTable	This script is used to convert CrowdStrike IOA user identity response elements to a table.
ConvertRequestParametersToTable	This script is used to convert CrowdStrike IOA request parameters to a table.
ReadProcessesFile	Load and return the processes file (generated from the cs-falcon-rtr-list-processes command) content.
ConvertResourceAttributesToTable	This script is used to convert CrowdStrike IOM resource attributes to a table.
TransformIndicatorToCSFalconIOC	Transform an indicator in Cortex into a CrowdStrike Falcon IOC. The output (found at the TransformIndicatorToCSFalconIOC.JsonOutput context path) is a JSON, which represents the indicators in CrowdStrike Falcon format. This JSON can be used as the input for the cs-falcon-batch-upload-custom-ioc command.
cspresentparentprocess
ReadNetstatFile	Load and return the processes file (generated from the cs-falcon-rtr-list-network-stats command) content.
cspresentgrandparentprocess
ConvertResponseElementsToTable	This script is used to convert CrowdStrike IOA response elements to a table.

Classifiers

Name	Description
CrowdStrike Falcon Incident Classifier	CrowdStrike Falcon Incident Classifier
CrowdStrike Falcon Mapper	CrowdStrike Falcon Mapper for incidents and detections
Legacy CrowdStrike Falcon-Mapper	CrowdStrike Falcon Mapper for incidents and detections - for legacy version of CrowdStrike
CrowdStrike Falcon - Outgoing Mapper	CrowdStrike Falcon mirror out mapper.

Incident Fields

Name	Description
CrowdStrike Falcon Bios Manufacturer
CrowdStrike Falcon Response Elements
CrowdStrike Falcon Bios Version
CrowdStrike Falcon User Identity
CrowdStrike Falcon Mobile platform version
Behaviour Scenario	Behaviour Scenario
CrowdStrike Falcon Pattern ID
CrowdStrike Falcon Crawled Timestamp
CrowdStrike Falcon Vertex Type
CrowdStrike Falcon Macros IOC Description
CrowdStrike Falcon Firmware Build Fingerprint
Behaviour Objective	Behaviour Objective
CrowdStrike Falcon Macros CMD line
CrowdStrike Falcon Service Type
CrowdStrike Falcon Product Type Description
Behaviour Tactic	Behaviour Tactic
CrowdStrike Falcon User Agent
CrowdStrike Falcon Resource Attributes
CrowdStrike Falcon Scan Id
CrowdStrike Falcon Security patch level
CrowdStrike Falcon Macros Display Name
CrowdStrike Falcon Detection Type
CrowdStrike Falcon Firmware Build Time
CrowdStrike Falcon Macros IOC Type
Grand Parent Process
CrowdStrike Falcon Vertex ID
CrowdStrike Falcon Data Domains
CrowdStrike Falcon Macros IOC Source
CrowdStrike Falcon Mobile Product
CrowdStrike Falcon Mobile Manufacturer
CrowdStrike Falcon Alleged File Type
CrowdStrike Falcon Platform Name
CrowdStrike Falcon Enrichments
CrowdStrike Falcon Scan Name
CrowdStrike Falcon Request Parameters
CrowdStrike Falcon System Manufacturer
CrowdStrike Falcon Behaviour Pattern Disposition Details
CrowdStrike Falcon System Product Name

Incident Types

Name	Description
CrowdStrike Falcon On-Demand Scans Detection
CrowdStrike Falcon IDP Detection
CrowdStrike Falcon IOM Event
CrowdStrike Falcon Mobile Detection
Crowdstrike Command And Scripting
CrowdStrike Falcon Detection
CrowdStrike Falcon NGSIEM Detection
CrowdStrike Falcon OFP Detection
CrowdStrike Falcon IOA Event
CrowdStrike Falcon Third Party Detection
CrowdStrike Falcon Incident

Integrations

Name	Description
CrowdStrike Falcon	The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.

Layouts

Name	Description
CrowdStrike Falcon Layout

Playbooks

Name	Description
CrowdStrike Falcon Malware - Investigation and Response	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike Falcon malware investigation, including: Extracting and displaying MITRE data from the EDR and sandboxes Deduplicating similar incidents Searching for hashes in an alert in a sandbox to provide their relevant information. If the hashes are not found, retrieving them from the endpoint and detonating them in the sandbox. Verifying the actions taken by the EDR Analyzing the command line Searching for relevant hashes in additional hosts in the organization Retrieving data about the host, including process list and network connections Performing containment and mitigation actions as part of handling false/true positives Setting the relevant layouts
CrowdStrike Falcon - T1059 - Command and Scripting Interpreter	This playbook handles command and scripting interpreter alerts based on the MITRE T1059 technique. An attacker might abuse command and script interpreters to execute commands, scripts, or binaries. The playbook executes the following stages: Analysis Initiates the CommandLineAnalysiss script which will determine if the command lines have any suspicious artifacts that might indicate malicious behavior. Enriches any indicators found during the command lines analysis phase. Investigative Actions: In case malicious indicators were found, the playbook will initiate a check against CrowdStrike Falcon to identify if any other endpoint has been associated with the same indicators. If there are any, the playbook will update the layout and create a new incident for further investigation. Remediation: Terminate the process if the CrowdStike Falcon agent doesn't block it. If the process failed or the parent process command line was suspicious as well, a manual action will be provided to the analyst to choose how to proceed further: Terminate the parent process Isolate the endpoint Closure Steps: Handle malicious alerts by closing the alert as True Positive. Handle non-malicious alerts by closing the alert as False Positive.
CrowdStrike Falcon Malware - Incident Enrichment	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enables enriching CrowdStrike Falcon incidents by pivoting to their detections as well as mapping all the relevant data to the Cortex XSOAR incident fields.
CrowdStrike Falcon - True Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike incident that was determined to be a true positive by the analyst. Actions include isolating the host, blocking the indicator by the EDR, and tagging it.
CrowdStrike Falcon - Block File	This playbook receives an MD5 or a SHA256 hash and adds it to the block list in CrowdStrike Falcon. The playbook uses the integration "CrowdStrike Falcon".
CrowdStrike Falcon - Get Endpoint Forensics Data	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook extracts data from the host using RTR commands. For example, commands for getting a list of running processes and network connections.
Crowdstrike Falcon - Isolate Endpoint	This playbook will auto isolate endpoints by the device ID that was provided in the playbook.
Crowdstrike Falcon - Unisolate Endpoint	This playbook unisolates devices according to the device ID that is provided in the playbook input.
CrowdStrike Falcon - False Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike incident that was determined to be a false positive by the analyst. Actions include unisolating the host, allowing the indicator by the EDR, and tagging it.
CrowdStrike Falcon - SIEM ingestion Get Incident Data	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles incident ingestion from a SIEM. The user provides the field for the incident ID or detection ID and the field indicating whether the ingested item is an incident or detection. This playbook enables changing the severity scale in Cortex XSOAR as well as fetching CrowdStrike detections based on the CrowdStrike incident type.
CrowdStrike Falcon - Search Endpoints By Indicators	This playbooks searches for different indicators (IP,IPV6,File hashes,Domain) in the crowdstrike falcon console. The output will be all the endpoints found associated with provided indicators. Provided agent id as an input will be excluded from the returned list.
CrowdStrike Falcon - Search Endpoints By Hash	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook searches across the organization for other endpoints associated with a specific SHA256/MD5/SHA1 hash.
CrowdStrike Falcon Malware - Verify Containment Actions	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook verifies and sets the policy actions applied by CrowdStrike Falcon.
CrowdStrike Falcon - Retrieve File	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook retrieves and unzips files from CrowdStrike Falcon and returns a list of the files that were and were not retrieved.
CrowdStrike Falcon - Get Detections by Incident	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enables getting CrowdStrike Falcon detection details based on the CrowdStrike incident ID.

Automations

Name	Description
ReadProcessesFile	Load and return the processes file (generated from the cs-falcon-rtr-list-processes command) content.
TransformIndicatorToCSFalconIOC	Transform an indicator in Cortex into a CrowdStrike Falcon IOC. The output (found at the TransformIndicatorToCSFalconIOC.JsonOutput context path) is a JSON, which represents the indicators in CrowdStrike Falcon format. This JSON can be used as the input for the cs-falcon-batch-upload-custom-ioc command.

Integrations

Name	Description
CrowdStrike Falcon	The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.

Required Content Packs (7)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR

Optional Content Packs (3)

Pack Name	Pack By
Atlassian Jira	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR

All level dependencies (10)

Pack Name	Pack By
MITRE ATT&CK	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Base	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

2.4.13 - 6468413 (December 29, 2025)

Integrations

Fixed an issue where the fetch-incidents command could return detections older than the specified date due to incorrect filter handling.

Related pull requests:
- 42395

Download

2.4.12 - 6204767 (December 9, 2025)

Integrations

CrowdStrike Falcon

Added support for fetching CrowdStrike Falcon CNAPP Alert assets, to obtain alerts of this type, you will need one of the following subscriptions:
- Falcon Cloud Security with Containers CNAPP
- Falcon Cloud Security CNAPP
- Falcon Cloud Security with Containers Runtime Protection
- Falcon for Managed Containers Runtime Protection
- Falcon Cloud Security Proactive
- Falcon Cloud Security with Containers
- Falcon for Managed Containers
Added the cs-falcon-list-cnapp-alerts command. Use this command to manually debug the fetch-assets flow.

Related pull requests:
- 42015

Download

2.4.11 - 6105231 (December 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41590

Download

2.4.10 - 6012287 (November 25, 2025)

Integrations

CrowdStrike Falcon

Code Improvements.
Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.

Related pull requests:
- 41884

Download

2.4.9 - 5923996 (November 19, 2025)

Integrations

CrowdStrike Falcon

Resolved an issue where updates to the Max incidents per fetch parameter were not applied.

Related pull requests:
- 41780

Download

2.4.8 - 5818832 (November 11, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41805

Download

2.4.7 - 5801457 (November 10, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41857

Download

2.4.6 - 5717993 (November 3, 2025)

Scripts

ConvertRequestParametersToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

cspresentparentprocess

Updated the Docker image to: demisto/python3:3.12.12.5490952.

cspresentpolicyactions

Updated the Docker image to: demisto/python3:3.12.12.5490952.

cspresentgrandparentprocess

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ConvertResourceAttributesToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ReadNetstatFile

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ReadProcessesFile

Updated the Docker image to: demisto/python3:3.12.12.5490952.

TransformIndicatorToCSFalconIOC

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ConvertUserIdentityToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ConvertEnrichmentsToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ConvertResponseElementsToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

2.4.5 - 5698874 (November 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41748

Download

2.4.4 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.4.3 - R5469292 (October 20, 2025)

Integrations

CrowdStrike Falcon

Added support for the file_name argument in the cs-falcon-delete-file command.

Related pull requests:
- 41407

Download

2.4.2 - 5281566 (October 5, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue with the timestamp parsing logic to prevent errors when microsecond components are missing.

Related pull requests:
- 41384

Download

2.4.1 - 5208238 (September 30, 2025)

Integrations

CrowdStrike Falcon

Breaking Change: Deprecated the Use legacy API parameter as of September 30th, 2025. This affects multiple detection-related commands including direct commands (cs-falcon-search-detection, cs-falcon-resolve-detection, cs-falcon-get-detections-for-incident), fetch operations for all detection types, and mirroring operations. All detection functionality will transition from legacy API endpoints to the updated Raptor API format.
Breaking Change: The legacy-specific status options (in_progress, true_positive, false_positive) have been removed from the cs-falcon-resolve-detection command
Breaking Change: The following legacy-specific context outputs have been removed from the cs-falcon-search-detection command:
- CrowdStrike.Detections.behaviors.behavior_id
- CrowdStrike.Detections.behaviors.ioc_source
- CrowdStrike.Detections.behaviors.ioc_description
- CrowdStrike.Detections.first_behavior
- CrowdStrike.Detections.last_behavior
- CrowdStrike.Detections.max_confidence
- CrowdStrike.Detections.max_severity
- CrowdStrike.Detections.max_severity_displayname
- CrowdStrike.Detections.assigned_to_uid
- CrowdStrike.Detections.assigned_to_name

Related pull requests:
- 41444

Download

2.3.11 - 5145026 (September 28, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where fetching detection entities could fail if the number of detection IDs exceeded the API’s maximum per request.

Related pull requests:
- 41381

Download

2.3.10 - 4826286 (September 9, 2025)

Integrations

CrowdStrike Falcon

Added support for the assign_to_user_id argument in the cs-falcon-resolve-identity-detection and cs-falcon-resolve-mobile-detection commands.

Related pull requests:
- 41198

Download

2.3.9 - 4712962 (August 31, 2025)

Integrations

CrowdStrike Falcon

Now using the username argument directly (no extra API call) in cs-falcon-resolve-detection and cs-falcon-resolve-incident.
Removed the usage of the deprecated endpoint in cs-falcon-resolve-detection and cs-falcon-resolve-incident.

Scripts

Updated the documentation and metadata.

Related pull requests:
- 41083

Download

2.3.7 - 4647015 (August 25, 2025)

Integrations

CrowdStrike Falcon

Enhanced incoming mirroring to include more relevant fields for the following detection types: IDP, Endpoint, and OFP.

Related pull requests:
- 41014

Download

2.3.6 - 4568132 (August 18, 2025)

Integrations

CrowdStrike Falcon

Updated the CrowdstrikeFalcon integration to optimize reputation commands with reduced 15-second timeout when executed during automated enrichment workflows to improve overall processing speed.

Related pull requests:
- 40943

Download

2.3.5 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40883

Download

2.3.4 - 4424457 (August 5, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the cve command would not return any results when no matching CVE was found.

Related pull requests:
- 40794

Download

2.3.3 - 4341046 (July 28, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the fetch-incidents command retrieved older detections than the specified date.
Updated the Docker image to: demisto/py3-tools:1.0.0.4257568.

Related pull requests:
- 40703

Download

2.3.2 - 4261213 (July 22, 2025)

Playbooks

CrowdStrike Falcon - Search Endpoints By Hash

The playbook may now return a list of IP addresses under endpoint.IPAddress rather than a single entry.

Related pull requests:
- 40626

Download

2.3.1 - 4126849 (July 10, 2025)

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 39712
- 40179

Download

2.3.0 - 4121830 (July 10, 2025)

Classifiers

CrowdStrike Falcon Incident Classifier

Added support for CrowdStrike Falcon NGSIEM Detection.
Added support for CrowdStrike Falcon Third Party Detection.

Incident Fields

Behaviour Tactic
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
CrowdStrike Falcon Detection Type
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
CrowdStrike Falcon Pattern ID
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
CrowdStrike Falcon Crawled Timestamp
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Integrations

CrowdStrike Falcon

Added a new fetch type NGSIEM Detection.
Added a new fetch type Third Party Detection.

Mappers

CrowdStrike Falcon - Outgoing Mapper

Added support for the CrowdStrike Falcon NGSIEM Detection incident type.
Added support for the CrowdStrike Falcon Third Party Detection incident type.

CrowdStrike Falcon Mapper

Added support for the CrowdStrike Falcon NGSIEM Detection incident type.
Added support for the CrowdStrike Falcon Third Party Detection incident type.

Related pull requests:
- 40208

Download

2.2.0 - 4090197 (July 7, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 40521

Download

2.1.30 - 4083045 (July 7, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 40519

Download

2.1.29 - 3838742 (June 17, 2025)

Integrations

CrowdStrike Falcon

Updated the CrowdstrikeFalcon integration to support unified platform.

Related pull requests:
- 40242

Download

2.1.28 - 3802487 (June 15, 2025)

Integrations

CrowdStrike Falcon

Added support for the 'Preference Center' feature for selected commands.

Related pull requests:
- 40192
- 40242

Download

2.1.27 - 3752094 (June 11, 2025)

Integrations

CrowdStrike Falcon

Internal code improvements.

Related pull requests:
- 39984

Download

2.1.26 - 3701676 (June 9, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 40164

Download

2.1.25 - 3626185 (June 3, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 40111

Download

2.1.24 - 3555682 (May 27, 2025)

Integrations

CrowdStrike Falcon

Documentation and metadata improvements.

Related pull requests:
- 40103

Download

2.1.23 - 3526238 (May 25, 2025)

Scripts

ReadProcessesFile

Updated the Docker image to: demisto/python3:3.12.8.3296088.

cspresentgrandparentprocess

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ReadNetstatFile

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ConvertResponseElementsToTable

Updated the Docker image to: demisto/python3:3.12.8.3296088.

cspresentparentprocess

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ConvertEnrichmentsToTable

Updated the Docker image to: demisto/python3:3.12.8.3296088.

TransformIndicatorToCSFalconIOC

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ConvertUserIdentityToTable

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ConvertResourceAttributesToTable

Updated the Docker image to: demisto/python3:3.12.8.3296088.

cspresentpolicyactions

Updated the Docker image to: demisto/python3:3.12.8.3296088.

ConvertRequestParametersToTable

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39931

Download

2.1.22 - 3481649 (May 21, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 40009

Download

2.1.21 - R3414854 (May 15, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 39883

Download

2.1.20 - 3306217 (May 5, 2025)

Integrations

CrowdStrike Falcon

Updated fields for fetch-events.

Related pull requests:
- 39798

Download

2.1.19 - 3262639 (April 29, 2025)

Integrations

CrowdStrike Falcon

Expanded the CrowdStrikeFalcon Cortex XSOAR pack in Cortex XSIAM to include an event collector.
Updated the Docker image to: demisto/py3-tools:1.0.0.3205634.

Related pull requests:
- 39598

Download

2.1.18 - 3042633 (April 2, 2025)

Integrations

CrowdStrike Falcon

Metadata and documentation improvements.

Scripts

TransformIndicatorToCSFalconIOC

Metadata and documentation improvements.

ConvertResponseElementsToTable

Metadata and documentation improvements.

ReadProcessesFile

Metadata and documentation improvements.

ReadNetstatFile

Metadata and documentation improvements.

cspresentgrandparentprocess

Metadata and documentation improvements.

cspresentparentprocess

Metadata and documentation improvements.

ConvertUserIdentityToTable

Metadata and documentation improvements.

ConvertEnrichmentsToTable

Metadata and documentation improvements.

cspresentpolicyactions

Metadata and documentation improvements.

ConvertResourceAttributesToTable

Metadata and documentation improvements.

ConvertRequestParametersToTable

Metadata and documentation improvements.

Related pull requests:
- 39131

Download

2.1.17 - 3018025 (March 31, 2025)

Playbooks

Crowdstrike Falcon - Unisolate Endpoint

Fixed the Crowdstrike Falcon - Unisolate Endpoint playbook by checking for empty strings on top of undefined objects.

Related pull requests:
- 39274

Download

2.1.16 - R2988287 (March 26, 2025)

Integrations

CrowdStrike Falcon

Added the Use legacy API parameter to XSIAM.
Updated the Docker image to: demisto/py3-tools:1.0.0.2072021.

Related pull requests:
- 39121

Download

2.1.15 - 2763721 (March 12, 2025)

CrowdStrike Falcon

Ensure that mirroring fields only appear in XSOAR integrations.

Related pull requests:
- 38998

Download

2.1.14 - 2454775 (February 13, 2025)

Integrations

CrowdStrike Falcon

Updated the hostname argument in the cs-falcon-search-device.

Related pull requests:
- 38611

Download

2.1.13 - 2451663 (February 12, 2025)

Integrations

CrowdStrike Falcon

Documentation and metadata improvements.

Related pull requests:
- 38559

Download

2.1.12 - 2395597 (February 10, 2025)

Integrations

CrowdStrike Falcon

- Improved documentation and metadata.
Documentation and metadata improvements.

Scripts

ConvertEnrichmentsToTable

Updated the Docker image to: demisto/python3:3.12.8.1983910.

ReadNetstatFile

Updated the Docker image to: demisto/python3:3.12.8.1983910.

ConvertUserIdentityToTable

Updated the Docker image to: demisto/python3:3.12.8.1983910.

ConvertResponseElementsToTable

Updated the Docker image to: demisto/python3:3.12.8.1983910.

ConvertResourceAttributesToTable

Updated the Docker image to: demisto/python3:3.12.8.1983910.

ConvertRequestParametersToTable

Updated the Docker image to: demisto/python3:3.12.8.1983910.

TransformIndicatorToCSFalconIOC

Improved documentation and metadata.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 38581

Download

2.1.10 - 2090051 (January 28, 2025)

Integrations

CrowdStrike Falcon

Updated the default look back parameter to 2 minutes instead of 1 minute.

Related pull requests:
- 38347

Download

2.1.9 - 2086795 (January 27, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the cs-falcon-search-device command failed when it was run with the extended_data argument, when there were no groups returned.

Related pull requests:
- 38220

Download

2.1.8 - R2040490 (January 22, 2025)

Integrations

CrowdStrike Falcon

Documentation and metadata improvements.

Related pull requests:
- 38178

Download

2.1.7 - 1996610 (January 15, 2025)

Integrations

CrowdStrike Falcon

Added support for the get-mapping-fields command to include ODS Detections and OFP Detections.
Fixed an issue where the mirroring out of certain incident types was using the legacy endpoint.

Mappers

CrowdStrike Falcon - Outgoing Mapper

Fixed an issue where changes to the status of ODS Detections and OFP Detections incident types were not reflected in the mirror out.

Related pull requests:
- 38087

Download

2.1.6 - 1989294 (January 14, 2025)

Layouts

CrowdStrike Falcon Layout
Added endpoint information to the "Investigation" tab under the "General Info" section.

Playbooks

CrowdStrike Falcon - T1059 - Command and Scripting Interpreter

Fixed a conditional task that is responsible to create a new incident.

Related pull requests:
- 38148

Download

2.1.5 - 1970497 (January 12, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the cs-falcon-search-device command failed when used with the argument extended_data=yes and there were no device groups.

Related pull requests:
- 38079

Download

2.1.4 - 1958116 (January 9, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where, in the ODS Detection incident type, the incident type was changed after mirroring.

Mappers

CrowdStrike Falcon Mapper

Fixed an issue where, in the ODS Detection and OFP Detection incident types, the incident name was changed after mirroring.

Related pull requests:
- 37951

Download

2.1.3 - 1950870 (January 8, 2025)

Integrations

CrowdStrike Falcon

Updated the Docker image to: demisto/py3-tools:1.0.0.117220.

Related pull requests:
- 37924

Download

2.1.2 - 1943362 (January 7, 2025)

Incident Types

Crowdstrike Command And Scripting
Updated the new playbook name associated with this incident type.

Playbooks

CrowdStrike Falcon - T1059 - Command and Scripting Interpreter

Updated the playbook name with the "CrowdStrike Falcon" prefix.

Related pull requests:
- 37929

Download

2.4.13 - 6468413 (December 29, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the fetch-incidents command could return detections older than the specified date due to incorrect filter handling.

Related pull requests:
- 42395

Download

2.4.12 - 6204767 (December 9, 2025)

Integrations

CrowdStrike Falcon

Added support for fetching CrowdStrike Falcon CNAPP Alert assets, to obtain alerts of this type, you will need one of the following subscriptions:
- Falcon Cloud Security with Containers CNAPP
- Falcon Cloud Security CNAPP
- Falcon Cloud Security with Containers Runtime Protection
- Falcon for Managed Containers Runtime Protection
- Falcon Cloud Security Proactive
- Falcon Cloud Security with Containers
- Falcon for Managed Containers
Added the cs-falcon-list-cnapp-alerts command. Use this command to manually debug the fetch-assets flow.

Related pull requests:
- 42015

Download

2.4.11 - 6095247 (December 2, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41590

Download

2.4.10 - 6012287 (November 25, 2025)

Integrations

CrowdStrike Falcon

Code Improvements.
Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.

Related pull requests:
- 41884

Download

2.4.9 - 5923996 (November 19, 2025)

Integrations

CrowdStrike Falcon

Resolved an issue where updates to the Max incidents per fetch parameter were not applied.

Related pull requests:
- 41780

Download

2.4.8 - 5818832 (November 11, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41805

Download

2.4.7 - 5801457 (November 10, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41857

Download

2.4.6 - 5717993 (November 3, 2025)

Scripts

ReadProcessesFile

Updated the Docker image to: demisto/python3:3.12.12.5490952.

TransformIndicatorToCSFalconIOC

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

2.4.5 - 5698874 (November 2, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41748

Download

2.4.4 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.4.3 - R5469292 (October 20, 2025)

Integrations

CrowdStrike Falcon

Added support for the file_name argument in the cs-falcon-delete-file command.

Related pull requests:
- 41407

Download

2.4.2 - 5281566 (October 5, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue with the timestamp parsing logic to prevent errors when microsecond components are missing.

Related pull requests:
- 41384

Download

2.4.1 - 5212533 (October 1, 2025)

Integrations

CrowdStrike Falcon

Breaking Change: Deprecated the Use legacy API parameter as of September 30th, 2025. This affects multiple detection-related commands including direct commands (cs-falcon-search-detection, cs-falcon-resolve-detection, cs-falcon-get-detections-for-incident), fetch operations for all detection types, and mirroring operations. All detection functionality will transition from legacy API endpoints to the updated Raptor API format.
Breaking Change: The legacy-specific status options (in_progress, true_positive, false_positive) have been removed from the cs-falcon-resolve-detection command
Breaking Change: The following legacy-specific context outputs have been removed from the cs-falcon-search-detection command:
- CrowdStrike.Detections.behaviors.behavior_id
- CrowdStrike.Detections.behaviors.ioc_source
- CrowdStrike.Detections.behaviors.ioc_description
- CrowdStrike.Detections.first_behavior
- CrowdStrike.Detections.last_behavior
- CrowdStrike.Detections.max_confidence
- CrowdStrike.Detections.max_severity
- CrowdStrike.Detections.max_severity_displayname
- CrowdStrike.Detections.assigned_to_uid
- CrowdStrike.Detections.assigned_to_name

Related pull requests:
- 41444

Download

2.3.11 - 5158591 (September 28, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where fetching detection entities could fail if the number of detection IDs exceeded the API’s maximum per request.

Related pull requests:
- 41381

Download

2.3.10 - 4826286 (September 9, 2025)

Integrations

CrowdStrike Falcon

Added support for the assign_to_user_id argument in the cs-falcon-resolve-identity-detection and cs-falcon-resolve-mobile-detection commands.

Related pull requests:
- 41198

Download

2.3.9 - 4712962 (August 31, 2025)

Integrations

CrowdStrike Falcon

Now using the username argument directly (no extra API call) in cs-falcon-resolve-detection and cs-falcon-resolve-incident.
Removed the usage of the deprecated endpoint in cs-falcon-resolve-detection and cs-falcon-resolve-incident.

Scripts

Updated the documentation and metadata.

Related pull requests:
- 41083

Download

2.3.7 - 4647015 (August 25, 2025)

Integrations

CrowdStrike Falcon

Enhanced incoming mirroring to include more relevant fields for the following detection types: IDP, Endpoint, and OFP.

Related pull requests:
- 41014

Download

2.3.6 - 4568132 (August 18, 2025)

Integrations

CrowdStrike Falcon

Updated the CrowdstrikeFalcon integration to optimize reputation commands with reduced 15-second timeout when executed during automated enrichment workflows to improve overall processing speed.

Related pull requests:
- 40943

Download

2.3.5 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40883

Download

2.3.4 - 4424457 (August 5, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the cve command would not return any results when no matching CVE was found.

Related pull requests:
- 40794

Download

2.3.3 - 4350237 (July 29, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the fetch-incidents command retrieved older detections than the specified date.
Updated the Docker image to: demisto/py3-tools:1.0.0.4257568.

Related pull requests:
- 40703

Download

2.3.2 - 4261213 (July 22, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 40626

Download

2.3.1 - 4126849 (July 10, 2025)

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 39712
- 40179

Download

2.3.0 - 4118212 (July 9, 2025)

Integrations

CrowdStrike Falcon

Added a new fetch type NGSIEM Detection.
Added a new fetch type Third Party Detection.

Related pull requests:
- 40208

Download

2.2.0 - 4090197 (July 7, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 40521

Download

2.1.30 - 4083045 (July 7, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 40519

Download

2.1.29 - 3838742 (June 17, 2025)

Integrations

CrowdStrike Falcon

Updated the CrowdstrikeFalcon integration to support unified platform.

Related pull requests:
- 40242

Download

2.1.28 - 3802487 (June 15, 2025)

Integrations

CrowdStrike Falcon

Added support for the 'Preference Center' feature for selected commands.

Related pull requests:
- 40242
- 40192

Download

2.1.27 - 3752094 (June 11, 2025)

Integrations

CrowdStrike Falcon

Internal code improvements.

Related pull requests:
- 39984

Download

2.1.26 - 3701676 (June 9, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 40164

Download

2.1.25 - 3633384 (June 4, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 40111

Download

2.1.24 - 3555682 (May 27, 2025)

Integrations

CrowdStrike Falcon

Documentation and metadata improvements.

Related pull requests:
- 40103

Download

2.1.23 - 3526238 (May 25, 2025)

Scripts

ReadProcessesFile

Updated the Docker image to: demisto/python3:3.12.8.3296088.

TransformIndicatorToCSFalconIOC

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 39931

Download

2.1.22 - 3481649 (May 21, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 40009

Download

2.1.21 - R3414854 (May 15, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 39883

Download

2.1.20 - 3306217 (May 5, 2025)

Integrations

CrowdStrike Falcon

Updated fields for fetch-events.

Related pull requests:
- 39798

Download

2.1.19 - 3262639 (April 29, 2025)

Integrations

CrowdStrike Falcon

Expanded the CrowdStrikeFalcon Cortex XSOAR pack in Cortex XSIAM to include an event collector.
Updated the Docker image to: demisto/py3-tools:1.0.0.3205634.

Related pull requests:
- 39598

Download

2.1.18 - 3042633 (April 2, 2025)

Integrations

CrowdStrike Falcon

Metadata and documentation improvements.

Scripts

TransformIndicatorToCSFalconIOC

Metadata and documentation improvements.

ReadProcessesFile

Metadata and documentation improvements.

Related pull requests:
- 39131

Download

2.1.17 - 3018025 (March 31, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 39274

Download

2.1.16 - R2988287 (March 26, 2025)

Integrations

CrowdStrike Falcon

Added the Use legacy API parameter to XSIAM.
Updated the Docker image to: demisto/py3-tools:1.0.0.2072021.

Related pull requests:
- 39121

Download

2.1.15 - 2763721 (March 12, 2025)

CrowdStrike Falcon

Ensure that mirroring fields only appear in XSOAR integrations.

Related pull requests:
- 38998

Download

2.1.14 - 2454775 (February 13, 2025)

Integrations

CrowdStrike Falcon

Updated the hostname argument in the cs-falcon-search-device.

Related pull requests:
- 38611

Download

2.1.13 - 2451663 (February 12, 2025)

Integrations

CrowdStrike Falcon

Documentation and metadata improvements.

Related pull requests:
- 38559

Download

2.1.12 - 2429474 (February 11, 2025)

Related pull requests:
- 38581

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	September 9, 2020
Last Release	January 7, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.