CrowdStrike Falcon

Details
Content
Dependencies
Version History

The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.

Endpoint security is at the frontline to protect against malicious cybersecurity threats. It represents one of the first places organizations look to secure their enterprise networks.
As the volume and sophistication of cybersecurity threats have increased, so has the need for more advanced endpoint security solutions.
CrowdStrike Falcon is one of the leaders in the Endpoint Protection Platform (EPP) market, and the CrowdStrike Falcon content pack provides a holistic solution for protecting enterprise endpoints and servers from malicious attacks that can seriously impact your organization.
This pack is designed to quickly detect, analyze, block, and contain malicious attacks in progress. It also gives administrators visibility into advanced threats to speed detection and remediation response times.

What Does This Pack Do?

Mirrors incidents between Cortex XSOAR and CrowdStrike Falcon incidents or detections.
Provides real-time response features
Assesses vulnerability
Contains endpoints (isolation/unisolation)
Removes duplicate incidents
Eliminates false positive incidents
Enriches incidents

Before You Start

Make sure you have the following content packs:

Base
Common Scripts
Common Types

Pack Configurations

To get up and running with this pack, you must get an API client ID and secret from CrowdStrike support.

What Does This Pack Do?

Provides real-time response features
Assesses vulnerability
Contains endpoints (isolation/unisolation)

Before You Start

Make sure you have the following content packs:

Base
Common Scripts
Common Types

Pack Configurations

To get up and running with this pack, you must get an API client ID and secret from CrowdStrike support.

Automations

Name	Description
ConvertResponseElementsToTable	This script is used to convert CrowdStrike IOA response elements to a table.
ConvertEnrichmentsToTable	This script is used to convert CrowdStrike IOA enrichments response elements to a table.
ReadNetstatFile	Load and return the processes file (generated from the cs-falcon-rtr-list-network-stats command) content.
cspresentgrandparentprocess
ReadProcessesFile	Load and return the processes file (generated from the cs-falcon-rtr-list-processes command) content.
TransformIndicatorToCSFalconIOC	Transform an indicator in Cortex into a CrowdStrike Falcon IOC. The output (found at the TransformIndicatorToCSFalconIOC.JsonOutput context path) is a JSON, which represents the indicators in CrowdStrike Falcon format. This JSON can be used as the input for the cs-falcon-batch-upload-custom-ioc command.
cspresentparentprocess
cspresentpolicyactions
ConvertUserIdentityToTable	This script is used to convert CrowdStrike IOA user identity response elements to a table.
ConvertRequestParametersToTable	This script is used to convert CrowdStrike IOA request parameters to a table.
ConvertResourceAttributesToTable	This script is used to convert CrowdStrike IOM resource attributes to a table.

Classifiers

Name	Description
CrowdStrike Falcon Incident Classifier	CrowdStrike Falcon Incident Classifier
Legacy CrowdStrike Falcon-Mapper	CrowdStrike Falcon Mapper for incidents and detections - for legacy version of CrowdStrike
CrowdStrike Falcon Mapper	CrowdStrike Falcon Mapper for incidents and detections
CrowdStrike Falcon - Outgoing Mapper	CrowdStrike Falcon mirror out mapper.

Incident Fields

Name	Description
CrowdStrike Falcon Vertex ID
CrowdStrike Falcon Item site
CrowdStrike Falcon Service Type
CrowdStrike Falcon System Product Name
CrowdStrike Falcon Pattern ID
CrowdStrike Falcon IOC Hashtags
CrowdStrike Falcon Behaviour Pattern Disposition Details
CrowdStrike Falcon Role priority
CrowdStrike Falcon Platform Name
CrowdStrike Falcon Mobile platform version
CrowdStrike Falcon Actor slug
CrowdStrike Falcon IOC Types
CrowdStrike Falcon Macros IOC Source
CrowdStrike Falcon Lead Type
CrowdStrike Falcon Bios Manufacturer
CrowdStrike Falcon IOC CVES
CrowdStrike Falcon IOC Emails
CrowdStrike Falcon Mobile Product
CrowdStrike Falcon IOC Urls
CrowdStrike Falcon Lead Id
CrowdStrike Falcon Item id
CrowdStrike Falcon Item author
CrowdStrike Falcon Scan Name
CrowdStrike Falcon Vertex Type
CrowdStrike Falcon Detection Type
CrowdStrike Falcon Enrichments
CrowdStrike Falcon Request Parameters
CrowdStrike Falcon Macros Display Name
Behaviour Objective	Behaviour Objective
CrowdStrike Falcon Scan Id
CrowdStrike Falcon Alleged File Type
CrowdStrike Falcon Firmware Build Fingerprint
CrowdStrike Falcon System Manufacturer
CrowdStrike Falcon Role creator UID
CrowdStrike Falcon Response Elements
CrowdStrike Falcon Mitre Attack
CrowdStrike Falcon User Identity
CrowdStrike Falcon Macros IOC Type
Grand Parent Process
CrowdStrike Falcon Mobile Manufacturer
CrowdStrike Falcon Role topic
CrowdStrike Falcon Role ID
CrowdStrike Falcon Macros CMD line
CrowdStrike Falcon Resource Attributes
CrowdStrike Falcon Data Domains
CrowdStrike Falcon At Accounts
Behaviour Tactic	Behaviour Tactic
CrowdStrike Falcon Product Type Description
Behaviour Scenario	Behaviour Scenario
CrowdStrike Falcon Item date
CrowdStrike Falcon Item site ID
CrowdStrike Falcon Item type
CrowdStrike Falcon Security patch level
CrowdStrike Falcon User Agent
CrowdStrike Falcon Macros IOC Description
CrowdStrike Falcon IOC Domains
CrowdStrike Falcon Firmware Build Time
CrowdStrike Falcon Role creator name
CrowdStrike Falcon Crawled Timestamp
CrowdStrike Falcon Item Author ID
CrowdStrike Falcon Bios Version

Incident Types

Name	Description
CrowdStrike Falcon IOA Event
CrowdStrike Falcon IOM Event
CrowdStrike Falcon Third Party Detection
CrowdStrike Falcon NGSIEM Automated Lead
CrowdStrike Falcon On-Demand Scans Detection
CrowdStrike Falcon NGSIEM Case
CrowdStrike Falcon Detection
CrowdStrike Falcon OFP Detection
CrowdStrike Falcon Incident
CrowdStrike Falcon NGSIEM Detection
Crowdstrike Command And Scripting
CrowdStrike Falcon Intelligence Recon notification
CrowdStrike Falcon IDP Detection
CrowdStrike Falcon NGSIEM Incident
CrowdStrike Falcon Mobile Detection

Integrations

Name	Description
CrowdStrike Falcon	The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.

Layouts

Name	Description
CrowdStrike Falcon Layout

Playbooks

Name	Description
CrowdStrike Falcon Malware - Investigation and Response	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike Falcon malware investigation, including: Extracting and displaying MITRE data from the EDR and sandboxes Deduplicating similar incidents Searching for hashes in an alert in a sandbox to provide their relevant information. If the hashes are not found, retrieving them from the endpoint and detonating them in the sandbox. Verifying the actions taken by the EDR Analyzing the command line Searching for relevant hashes in additional hosts in the organization Retrieving data about the host, including process list and network connections Performing containment and mitigation actions as part of handling false/true positives Setting the relevant layouts
CrowdStrike Falcon - Search Endpoints By Hash	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook searches across the organization for other endpoints associated with a specific SHA256/MD5/SHA1 hash.
CrowdStrike Falcon - False Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike incident that was determined to be a false positive by the analyst. Actions include unisolating the host, allowing the indicator by the EDR, and tagging it.
CrowdStrike Falcon - Block File	This playbook receives an MD5 or a SHA256 hash and adds it to the block list in CrowdStrike Falcon. The playbook uses the integration "CrowdStrike Falcon".
CrowdStrike Falcon - Get Detections by Incident	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enables getting CrowdStrike Falcon detection details based on the CrowdStrike incident ID.
CrowdStrike Falcon - Retrieve File	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook retrieves and unzips files from CrowdStrike Falcon and returns a list of the files that were and were not retrieved.
CrowdStrike Falcon - Get Endpoint Forensics Data	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook extracts data from the host using RTR commands. For example, commands for getting a list of running processes and network connections.
Crowdstrike Falcon - Isolate Endpoint	This playbook will auto isolate endpoints by the device ID that was provided in the playbook.
CrowdStrike Falcon - True Positive Incident Handling	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles a CrowdStrike incident that was determined to be a true positive by the analyst. Actions include isolating the host, blocking the indicator by the EDR, and tagging it.
CrowdStrike Falcon Malware - Incident Enrichment	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook enables enriching CrowdStrike Falcon incidents by pivoting to their detections as well as mapping all the relevant data to the Cortex XSOAR incident fields.
CrowdStrike Falcon - SIEM ingestion Get Incident Data	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook handles incident ingestion from a SIEM. The user provides the field for the incident ID or detection ID and the field indicating whether the ingested item is an incident or detection. This playbook enables changing the severity scale in Cortex XSOAR as well as fetching CrowdStrike detections based on the CrowdStrike incident type.
CrowdStrike Falcon Malware - Verify Containment Actions	This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook verifies and sets the policy actions applied by CrowdStrike Falcon.
Crowdstrike Falcon - Unisolate Endpoint	This playbook unisolates devices according to the device ID that is provided in the playbook input.
CrowdStrike Falcon - Search Endpoints By Indicators	This playbooks searches for different indicators (IP,IPV6,File hashes,Domain) in the crowdstrike falcon console. The output will be all the endpoints found associated with provided indicators. Provided agent id as an input will be excluded from the returned list.
CrowdStrike Falcon - T1059 - Command and Scripting Interpreter	This playbook handles command and scripting interpreter alerts based on the MITRE T1059 technique. An attacker might abuse command and script interpreters to execute commands, scripts, or binaries. The playbook executes the following stages: Analysis Initiates the CommandLineAnalysiss script which will determine if the command lines have any suspicious artifacts that might indicate malicious behavior. Enriches any indicators found during the command lines analysis phase. Investigative Actions: In case malicious indicators were found, the playbook will initiate a check against CrowdStrike Falcon to identify if any other endpoint has been associated with the same indicators. If there are any, the playbook will update the layout and create a new incident for further investigation. Remediation: Terminate the process if the CrowdStike Falcon agent doesn't block it. If the process failed or the parent process command line was suspicious as well, a manual action will be provided to the analyst to choose how to proceed further: Terminate the parent process Isolate the endpoint Closure Steps: Handle malicious alerts by closing the alert as True Positive. Handle non-malicious alerts by closing the alert as False Positive.

Automations

Name	Description
ReadProcessesFile	Load and return the processes file (generated from the cs-falcon-rtr-list-processes command) content.
TransformIndicatorToCSFalconIOC	Transform an indicator in Cortex into a CrowdStrike Falcon IOC. The output (found at the TransformIndicatorToCSFalconIOC.JsonOutput context path) is a JSON, which represents the indicators in CrowdStrike Falcon format. This JSON can be used as the input for the cs-falcon-batch-upload-custom-ioc command.

Incident Types

Name	Description
CrowdStrike Falcon Intelligence Recon notification

Integrations

Name	Description
CrowdStrike Falcon	The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.

Required Content Packs (7)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR

Optional Content Packs (3)

Pack Name	Pack By
Atlassian Jira	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR
ServiceNow	By: Cortex XSOAR

All level dependencies (10)

Pack Name	Pack By
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Malware Investigation and Response	By: Cortex XSOAR
MITRE ATT&CK	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

2.11.5 - 10281058 (June 18, 2026)

Scripts

ReadNetstatFile

Updated the Docker image to: demisto/python3:3.12.13.10116658.

cspresentgrandparentprocess

Updated the Docker image to: demisto/python3:3.12.13.10116658.

TransformIndicatorToCSFalconIOC

Updated the Docker image to: demisto/python3:3.12.13.10116658.

ReadProcessesFile

Updated the Docker image to: demisto/python3:3.12.13.10116658.

ConvertResponseElementsToTable

Updated the Docker image to: demisto/python3:3.12.13.10116658.

cspresentparentprocess

Updated the Docker image to: demisto/python3:3.12.13.10116658.

cspresentpolicyactions

Updated the Docker image to: demisto/python3:3.12.13.10116658.

ConvertRequestParametersToTable

Updated the Docker image to: demisto/python3:3.12.13.10116658.

ConvertUserIdentityToTable

Updated the Docker image to: demisto/python3:3.12.13.10116658.

ConvertEnrichmentsToTable

Updated the Docker image to: demisto/python3:3.12.13.10116658.

ConvertResourceAttributesToTable

Updated the Docker image to: demisto/python3:3.12.13.10116658.

Related pull requests:
- 44716

Download

2.11.4 - R9967019 (June 8, 2026)

Integrations

Improved the stability of Falcon Spotlight asset and vulnerability collection in environments with millions of vulnerabilities. Memory usage now stays low and steady throughout the collection, so large datasets are fetched reliably and completely.
Falcon Spotlight asset and vulnerability collection now retrieves only vulnerabilities updated within the last 100 days, keeping each collection focused on recent data.

Related pull requests:
- 44474

Download

2.11.3 - 9729413 (June 1, 2026)

Incident Types

CrowdStrike Falcon Intelligence Recon notification
Documentation and metadata improvements.

Integrations

CrowdStrike Falcon

Added support for exposure_management in the integration's supportedModules so the integration can be installed and configured on Cortex Platform tenants with the Exposure Management module enabled.

Scripts

ReadProcessesFile

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.12.13.9059085.

TransformIndicatorToCSFalconIOC

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.12.13.9059085.

Related pull requests:
- 44451

Download

2.11.2 - 9383878 (May 26, 2026)

Integrations

CrowdStrike Falcon

Added support for the next_token argument in the cs-falcon-spotlight-search-vulnerability command. This argument allows for manual pagination of the returned vulnerabilities.

Related pull requests:
- 44389

Download

2.11.1 - 9302376 (May 25, 2026)

Integrations

CrowdStrike Falcon

Fixed an issue where the fetch-assets Spotlight vulnerability flow could cause memory issues.

Related pull requests:
- 44359
- 44389

Download

2.11.0 - 9233795 (May 24, 2026)

Classifiers

CrowdStrike Falcon Incident Classifier

Fixed an issue where Indicator of Attack detections were not classified as the correct incident type.

Integrations

CrowdStrike Falcon

Updated the Indicator of Attack fetch type to use the new /alerts group of endpoints instead of the deprecated /detects/entities/ioa/v1 endpoint.
Breaking changes: The Indicator of Attack (IOA) filter query now uses FQL.

Mappers

CrowdStrike Falcon Mapper

Fixed an issue where Indicator of Attack detections were not mapped to a readable incident name.

Legacy CrowdStrike Falcon-Mapper

Fixed an issue where Indicator of Attack detections were not mapped to a readable incident name.

Related pull requests:
- 44334

Download

2.10.2 - 9183304 (May 20, 2026)

Integrations

CrowdStrike Falcon

Fixed an issue in Spotlight asset collection where HTTP 401 authentication errors were retried instead of failing immediately with a clear error message.

Related pull requests:
- 44358

Download

2.10.1 - 8937460 (May 12, 2026)

Integrations

CrowdStrike Falcon

Fixed an issue where the cs-falcon-apply-quarantine-file-action command failed when search arguments (e.g., filename) yielded no results.

Related pull requests:
- 44187

Download

2.10.0 - 8901148 (May 11, 2026)

Integrations

CrowdStrike Falcon

Added support for the cs-falcon-list-workflow-definitions command that lists workflow definitions.
Added support for the cs-falcon-workflow-execute command that executes an on-demand workflow.
Added support for the cs-falcon-list-workflow-executions command that lists workflow executions.
Added support for the cs-falcon-list-workflow-execution-results command that gets workflow execution results.
Added support for the cs-falcon-workflow-execution-action command that cancels or resumes workflow executions.

Related pull requests:
- 44210

Download

2.9.4 - 8888333 (May 10, 2026)

Integrations

CrowdStrike Falcon

Improved performance of Spotlight asset collection for large-scale environments.

Related pull requests:
- 43885

Download

2.9.3 - 8832968 (May 7, 2026)

Integrations

CrowdStrike Falcon

Added the mobile_action argument to the cs-falcon-upload-custom-ioc and cs-falcon-update-custom-ioc commands, allowing users to specify mobile-specific actions (no_action, allow, detect, prevent) when uploading or updating custom IOCs.
Added the CrowdStrike.IOC.MobileAction context output to all IOC commands: cs-falcon-upload-custom-ioc, cs-falcon-update-custom-ioc, cs-falcon-get-custom-ioc, cs-falcon-search-custom-iocs, and cs-falcon-batch-upload-custom-ioc.
Added android and ios as platform options for the cs-falcon-upload-custom-ioc command.
Added the lift_filesystem_containment_all argument to the cs-falcon-lift-host-containment command, enabling users to lift filesystem containment from hosts in addition to network containment.

Related pull requests:
- 44088
- 44187

Download

2.9.2 - 8801294 (May 6, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 44045

Download

2.9.1 - 8359356 (April 19, 2026)

Integrations

CrowdStrike Falcon

Documentation and metadata improvements.

Related pull requests:
- 43921

Download

2.9.0 - 8227525 (April 13, 2026)

Classifiers

CrowdStrike Falcon Incident Classifier

Updated the CrowdStrike Falcon Incident Classifier to classify the new incident type.

Incident Fields

New: CrowdStrike Falcon Actor slug
New: Added a new incident field- CrowdStrike Falcon Actor slug that contains the actor slug.
New: CrowdStrike Falcon At Accounts
New: Added a new incident field- CrowdStrike Falcon At Accounts that contains the at accounts.
New: CrowdStrike Falcon IOC CVES
New: Added a new incident field- CrowdStrike Falcon IOC CVES that contains the IOC CVEs.
New: CrowdStrike Falcon IOC Domains
New: Added a new incident field- CrowdStrike Falcon IOC Domains that contains the IOC domains.
New: CrowdStrike Falcon IOC Emails
New: Added a new incident field- CrowdStrike Falcon IOC Emails that contains the IOC emails.
New: CrowdStrike Falcon IOC Hashtags
New: Added a new incident field- CrowdStrike Falcon IOC Hashtags that contains the IOC hashtags.
New: CrowdStrike Falcon IOC Types
New: Added a new incident field- CrowdStrike Falcon IOC Types that contains the IOC types.
New: CrowdStrike Falcon IOC Urls
New: Added a new incident field- CrowdStrike Falcon IOC Urls that contains the IOC URLs.
New: CrowdStrike Falcon Item Author ID
New: Added a new incident field- CrowdStrike Falcon Item Author ID that contains the item author ID.
New: CrowdStrike Falcon Item author
New: Added a new incident field- CrowdStrike Falcon Item author that contains the item author.
New: CrowdStrike Falcon Item date
New: Added a new incident field- CrowdStrike Falcon Item date that contains the item date.
New: CrowdStrike Falcon Item id
New: Added a new incident field- CrowdStrike Falcon Item id that contains the item ID.
New: CrowdStrike Falcon Item site
New: Added a new incident field- CrowdStrike Falcon Item site that contains the item site.
New: CrowdStrike Falcon Item site ID
New: Added a new incident field- CrowdStrike Falcon Item site ID that contains the item site ID.
New: CrowdStrike Falcon Item type
New: Added a new incident field- CrowdStrike Falcon Item type that contains the item type.
New: CrowdStrike Falcon Role ID
New: Added a new incident field- CrowdStrike Falcon Role ID that contains the role ID.
New: CrowdStrike Falcon Role creator UID
New: Added a new incident field- CrowdStrike Falcon Role creator UID that contains the role creator UID.
New: CrowdStrike Falcon Role creator name
New: Added a new incident field- CrowdStrike Falcon Role creator name that contains the role creator name.
New: CrowdStrike Falcon Role priority
New: Added a new incident field- CrowdStrike Falcon Role priority that contains the role priority.
New: CrowdStrike Falcon Role topic
New: Added a new incident field- CrowdStrike Falcon Role topic that contains the role topic.

Incident Types

New: CrowdStrike Falcon Intelligence Recon notification
New: Added a new incident type- CrowdStrike Falcon Intelligence Recon notification that handles CrowdStrike Falcon Intelligence Recon notifications.

Integrations

CrowdStrike Falcon

Added support for Recon filter query parameter that use falcon query language (fql) to filter results. for more information, see the fql syntax documentation.

Layouts

CrowdStrike Falcon Layout
Updated the CrowdStrike Falcon Layout to display the new incident fields.

Mappers

CrowdStrike Falcon - Outgoing Mapper

Updated the CrowdStrike Falcon - Outgoing Mapper mapper to map the new incident fields.

CrowdStrike Falcon Mapper

Updated the CrowdStrike Falcon Mapper to map the new incident fields.

Related pull requests:
- 42097
- 41869

Download

2.8.3 - 8195766 (April 12, 2026)

Integrations

CrowdStrike Falcon

Documentation and metadata improvements.

Related pull requests:
- 43744

Download

2.8.2 - 8111918 (April 6, 2026)

Integrations

CrowdStrike Falcon

Fixed an issue where HTTP redirect responses (301, 302, 307, 308) caused authentication failures during Spotlight asset collection, preventing vulnerability and device data from being ingested into XSIAM.

Related pull requests:
- 43762

Download

2.8.1 - 7695964 (March 16, 2026)

Integrations

CrowdStrike Falcon

Added support for polling argument in the cs-falcon-ods-create-scan command.

Related pull requests:
- 43384

Download

2.8.0 - 7609529 (March 11, 2026)

Integrations

CrowdStrike Falcon

Breaking change: Removed the Endpoint Incidents filter query parameter.
Breaking change: Removed the cs-falcon-list-incident-summaries command.
Breaking change: Removed the cs-falcon-get-detections-for-incident command.
Breaking change: Removed the cs-falcon-get-incident-behavior command.
Breaking change: Removed the cs-falcon-update-incident-comment command.
Breaking change: Removed the cs-falcon-resolve-incident command.
Breaking change: Incoming and outgoing mirroring for CrowdStrike Falcon Incidents (inc: prefix IDs) is no longer supported. Existing mirrored incidents will stop receiving updates.

Related pull requests:
- 43469

Download

2.7.3 - 7458490 (March 5, 2026)

Integrations

CrowdStrike Falcon

Updated the Docker image to: demisto/py3-tools:1.0.0.7436613.

Related pull requests:
- 43378

Download

2.7.2 - 7448282 (March 5, 2026)

Integrations

CrowdStrike Falcon

Fixed an issue where fetching NGSIEM cases with a query filter (e.g., severity:>20) would fail with a 400 Bad Request error due to improper URL encoding of the '+' operator in FQL queries.
Documentation and metadata improvements.

Related pull requests:
- 43266
- 43266

Download

2.7.0 - 7422049 (March 3, 2026)

Integrations

CrowdStrike Falcon

Added support for fetching Spotlight assets, which ingests vulnerabilities and their associated host details into the Cortex XSIAM Unified Asset Inventory.
Added support for the Fetch Asset types parameter, which enables users to choose which asset sources to ingest into the Cortex XSIAM Unified Asset Inventory.
Updated the Docker image to: demisto/py3-tools:1.0.0.7186534.

Related pull requests:
- 43079

Download

2.6.1 - 7309700 (February 24, 2026)

Integrations

CrowdStrike Falcon

Added support for the cs-falcon-search-ngsiem-events command, which searches NGSIEM historical events. Requires NGSIEM scope with read-write permissions.

Related pull requests:
- 43044

Download

2.6.0 - 7101393 (February 10, 2026)

Integrations

CrowdStrike Falcon

Added support for the cs-falcon-add-case-tag command that adds tags to the specified case.
Added support for the cs-falcon-get-evidence-for-case command that gets evidence for a specific case.
Added support for the cs-falcon-delete-case-tag command that deletes a tag from the specified case.
Added support for the cs-falcon-list-case-summaries command that lists case summaries.
Added support for the cs-falcon-resolve-case command that resolves or updates a case.
Deprecated the cs-falcon-resolve-incident command. Use the cs-falcon-resolve-case command instead.
Deprecated the cs-falcon-list-incident-summaries command. Use the cs-falcon-list-case-summaries command instead.
Deprecated the cs-falcon-get-incident-behavior command with no replacement.
Deprecated the cs-falcon-get-detections-for-incident command. Use the cs-falcon-get-evidence-for-case command instead.

Related pull requests:
- 42880

Download

2.5.2 - 6903290 (January 27, 2026)

Integrations

CrowdStrike Falcon

Added support for the cloud_pup_adware_level_prevention and cloud_pup_adware_level_detection arguments in the following commands:
- cs-falcon-ods-create-scan.
- cs-falcon-ods-create-scheduled-scan.

Related pull requests:
- 42710

Download

2.5.1 - 6823328 (January 21, 2026)

Incident Fields

New: CrowdStrike Falcon Mitre Attack
New: Added a new incident field- CrowdStrike Falcon Mitre Attack.
(Available from Cortex XSOAR 5.0.0).

Mappers

CrowdStrike Falcon Mapper

Fixed field names.

Related pull requests:
- 42745

Download

2.5.0 - 6802612 (January 20, 2026)

Classifiers

CrowdStrike Falcon Incident Classifier

Added classification support for the new CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types.

Incident Fields

CrowdStrike Falcon System Product Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
New: CrowdStrike Falcon Lead Type
New: Added a new incident field- CrowdStrike Falcon Lead Type.
New: CrowdStrike Falcon Lead Id
New: Added a new incident field- CrowdStrike Falcon Lead Id.
CrowdStrike Falcon Crawled Timestamp
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
CrowdStrike Falcon Pattern ID
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
CrowdStrike Falcon Platform Name
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.
CrowdStrike Falcon Data Domains
Added the CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types as associated types.

Incident Types

New: CrowdStrike Falcon NGSIEM Automated Lead
New: Added a new incident type- CrowdStrike Falcon NGSIEM Automated Lead.
(Available from Cortex XSOAR 6.5.0).
New: CrowdStrike Falcon NGSIEM Incident
New: Added a new incident type- CrowdStrike Falcon NGSIEM Incident.
(Available from Cortex XSOAR 6.5.0).
New: CrowdStrike Falcon NGSIEM Case
New: Added a new incident type- CrowdStrike Falcon NGSIEM Case.
(Available from Cortex XSOAR 6.5.0).

Integrations

CrowdStrike Falcon

Updated the Docker image to: demisto/py3-tools:1.0.0.6308650.

Mappers

CrowdStrike Falcon Mapper

Added mapping for the new CrowdStrike Falcon NGSIEM Case, CrowdStrike Falcon NGSIEM Incident, and CrowdStrike Falcon NGSIEM Automated Lead incident types.

Related pull requests:
- 42537

Download

2.4.13 - 6468413 (December 29, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the fetch-incidents command could return detections older than the specified date due to incorrect filter handling.

Related pull requests:
- 42395

Download

2.4.12 - 6204767 (December 9, 2025)

Integrations

CrowdStrike Falcon

Added support for fetching CrowdStrike Falcon CNAPP Alert assets, to obtain alerts of this type, you will need one of the following subscriptions:
- Falcon Cloud Security with Containers CNAPP
- Falcon Cloud Security CNAPP
- Falcon Cloud Security with Containers Runtime Protection
- Falcon for Managed Containers Runtime Protection
- Falcon Cloud Security Proactive
- Falcon Cloud Security with Containers
- Falcon for Managed Containers
Added the cs-falcon-list-cnapp-alerts command. Use this command to manually debug the fetch-assets flow.

Related pull requests:
- 42015

Download

2.4.11 - 6105231 (December 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41590

Download

2.4.10 - 6012287 (November 25, 2025)

Integrations

CrowdStrike Falcon

Code Improvements.
Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.

Related pull requests:
- 41884

Download

2.4.9 - 5923996 (November 19, 2025)

Integrations

CrowdStrike Falcon

Resolved an issue where updates to the Max incidents per fetch parameter were not applied.

Related pull requests:
- 41780

Download

2.4.8 - 5818832 (November 11, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41805

Download

2.4.7 - 5801457 (November 10, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41857

Download

2.4.6 - 5717993 (November 3, 2025)

Scripts

ConvertRequestParametersToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

cspresentparentprocess

Updated the Docker image to: demisto/python3:3.12.12.5490952.

cspresentpolicyactions

Updated the Docker image to: demisto/python3:3.12.12.5490952.

cspresentgrandparentprocess

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ConvertResourceAttributesToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ReadNetstatFile

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ReadProcessesFile

Updated the Docker image to: demisto/python3:3.12.12.5490952.

TransformIndicatorToCSFalconIOC

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ConvertUserIdentityToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ConvertEnrichmentsToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

ConvertResponseElementsToTable

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

2.4.5 - 5698874 (November 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41748

Download

2.4.4 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.4.3 - R5469292 (October 20, 2025)

Integrations

CrowdStrike Falcon

Added support for the file_name argument in the cs-falcon-delete-file command.

Related pull requests:
- 41407

Download

2.4.2 - 5281566 (October 5, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue with the timestamp parsing logic to prevent errors when microsecond components are missing.

Related pull requests:
- 41384

Download

2.4.1 - 5208238 (September 30, 2025)

Integrations

CrowdStrike Falcon

Breaking Change: Deprecated the Use legacy API parameter as of September 30th, 2025. This affects multiple detection-related commands including direct commands (cs-falcon-search-detection, cs-falcon-resolve-detection, cs-falcon-get-detections-for-incident), fetch operations for all detection types, and mirroring operations. All detection functionality will transition from legacy API endpoints to the updated Raptor API format.
Breaking Change: The legacy-specific status options (in_progress, true_positive, false_positive) have been removed from the cs-falcon-resolve-detection command
Breaking Change: The following legacy-specific context outputs have been removed from the cs-falcon-search-detection command:
- CrowdStrike.Detections.behaviors.behavior_id
- CrowdStrike.Detections.behaviors.ioc_source
- CrowdStrike.Detections.behaviors.ioc_description
- CrowdStrike.Detections.first_behavior
- CrowdStrike.Detections.last_behavior
- CrowdStrike.Detections.max_confidence
- CrowdStrike.Detections.max_severity
- CrowdStrike.Detections.max_severity_displayname
- CrowdStrike.Detections.assigned_to_uid
- CrowdStrike.Detections.assigned_to_name

Related pull requests:
- 41444

Download

2.3.11 - 5145026 (September 28, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where fetching detection entities could fail if the number of detection IDs exceeded the API’s maximum per request.

Related pull requests:
- 41381

Download

2.3.10 - 4826286 (September 9, 2025)

Integrations

CrowdStrike Falcon

Added support for the assign_to_user_id argument in the cs-falcon-resolve-identity-detection and cs-falcon-resolve-mobile-detection commands.

Related pull requests:
- 41198

Download

2.3.9 - 4712962 (August 31, 2025)

Integrations

CrowdStrike Falcon

Now using the username argument directly (no extra API call) in cs-falcon-resolve-detection and cs-falcon-resolve-incident.
Removed the usage of the deprecated endpoint in cs-falcon-resolve-detection and cs-falcon-resolve-incident.

Scripts

Updated the documentation and metadata.

Related pull requests:
- 41083

Download

2.3.7 - 4647015 (August 25, 2025)

Integrations

CrowdStrike Falcon

Enhanced incoming mirroring to include more relevant fields for the following detection types: IDP, Endpoint, and OFP.

Related pull requests:
- 41014

Download

2.3.6 - 4568132 (August 18, 2025)

Integrations

CrowdStrike Falcon

Updated the CrowdstrikeFalcon integration to optimize reputation commands with reduced 15-second timeout when executed during automated enrichment workflows to improve overall processing speed.

Related pull requests:
- 40943

Download

2.3.5 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40883

Download

2.3.4 - 4424457 (August 5, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the cve command would not return any results when no matching CVE was found.

Related pull requests:
- 40794

Download

2.3.3 - 4341046 (July 28, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the fetch-incidents command retrieved older detections than the specified date.
Updated the Docker image to: demisto/py3-tools:1.0.0.4257568.

Related pull requests:
- 40703

Download

2.3.2 - 4261213 (July 22, 2025)

Playbooks

CrowdStrike Falcon - Search Endpoints By Hash

The playbook may now return a list of IP addresses under endpoint.IPAddress rather than a single entry.

Related pull requests:
- 40626

Download

2.3.1 - 4126849 (July 10, 2025)

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 39712
- 40179

Download

2.3.0 - 4121830 (July 10, 2025)

Classifiers

CrowdStrike Falcon Incident Classifier

Added support for CrowdStrike Falcon NGSIEM Detection.
Added support for CrowdStrike Falcon Third Party Detection.

Incident Fields

Behaviour Tactic
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
CrowdStrike Falcon Detection Type
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
CrowdStrike Falcon Pattern ID
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.
CrowdStrike Falcon Crawled Timestamp
Added the CrowdStrike Falcon NGSIEM Detection incident type as an associated type.
Added the CrowdStrike Falcon Third Party Detection incident type as an associated type.

Integrations

CrowdStrike Falcon

Added a new fetch type NGSIEM Detection.
Added a new fetch type Third Party Detection.

Mappers

CrowdStrike Falcon - Outgoing Mapper

Added support for the CrowdStrike Falcon NGSIEM Detection incident type.
Added support for the CrowdStrike Falcon Third Party Detection incident type.

CrowdStrike Falcon Mapper

Added support for the CrowdStrike Falcon NGSIEM Detection incident type.
Added support for the CrowdStrike Falcon Third Party Detection incident type.

Related pull requests:
- 40208

Download

2.2.0 - 4090197 (July 7, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 40521

Download

2.1.30 - 4083045 (July 7, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 40519

Download

2.11.5 - 10281058 (June 18, 2026)

Scripts

TransformIndicatorToCSFalconIOC

Updated the Docker image to: demisto/python3:3.12.13.10116658.

ReadProcessesFile

Updated the Docker image to: demisto/python3:3.12.13.10116658.

Related pull requests:
- 44716

Download

2.11.4 - R9967019 (June 8, 2026)

Integrations

CrowdStrike Falcon

Improved the stability of Falcon Spotlight asset and vulnerability collection in environments with millions of vulnerabilities. Memory usage now stays low and steady throughout the collection, so large datasets are fetched reliably and completely.
Falcon Spotlight asset and vulnerability collection now retrieves only vulnerabilities updated within the last 100 days, keeping each collection focused on recent data.

Related pull requests:
- 44474

Download

2.11.3 - 9729413 (June 1, 2026)

Incident Types

CrowdStrike Falcon Intelligence Recon notification
Documentation and metadata improvements.

Integrations

CrowdStrike Falcon

Added support for exposure_management in the integration's supportedModules so the integration can be installed and configured on Cortex Platform tenants with the Exposure Management module enabled.

Scripts

ReadProcessesFile

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.12.13.9059085.

TransformIndicatorToCSFalconIOC

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.12.13.9059085.

Related pull requests:
- 44451

Download

2.11.2 - 9383878 (May 26, 2026)

Integrations

CrowdStrike Falcon

Added support for the next_token argument in the cs-falcon-spotlight-search-vulnerability command. This argument allows for manual pagination of the returned vulnerabilities.

Related pull requests:
- 44389

Download

2.11.1 - 9302376 (May 25, 2026)

Integrations

CrowdStrike Falcon

Fixed an issue where the fetch-assets Spotlight vulnerability flow could cause memory issues.

Related pull requests:
- 44359
- 44389

Download

2.11.0 - 9233795 (May 24, 2026)

Integrations

CrowdStrike Falcon

Updated the Indicator of Attack fetch type to use the new /alerts group of endpoints instead of the deprecated /detects/entities/ioa/v1 endpoint.
Breaking changes: The Indicator of Attack (IOA) filter query now uses FQL.

Related pull requests:
- 44334

Download

2.10.2 - 9183304 (May 20, 2026)

Integrations

CrowdStrike Falcon

Fixed an issue in Spotlight asset collection where HTTP 401 authentication errors were retried instead of failing immediately with a clear error message.

Related pull requests:
- 44358

Download

2.10.1 - 8937460 (May 12, 2026)

Integrations

CrowdStrike Falcon

Fixed an issue where the cs-falcon-apply-quarantine-file-action command failed when search arguments (e.g., filename) yielded no results.

Related pull requests:
- 44187

Download

2.10.0 - 8901148 (May 11, 2026)

Integrations

CrowdStrike Falcon

Added support for the cs-falcon-list-workflow-definitions command that lists workflow definitions.
Added support for the cs-falcon-workflow-execute command that executes an on-demand workflow.
Added support for the cs-falcon-list-workflow-executions command that lists workflow executions.
Added support for the cs-falcon-list-workflow-execution-results command that gets workflow execution results.
Added support for the cs-falcon-workflow-execution-action command that cancels or resumes workflow executions.

Related pull requests:
- 44210

Download

2.9.4 - 8888333 (May 10, 2026)

Integrations

CrowdStrike Falcon

Improved performance of Spotlight asset collection for large-scale environments.

Related pull requests:
- 43885

Download

2.9.3 - 8832968 (May 7, 2026)

Integrations

CrowdStrike Falcon

Added the mobile_action argument to the cs-falcon-upload-custom-ioc and cs-falcon-update-custom-ioc commands, allowing users to specify mobile-specific actions (no_action, allow, detect, prevent) when uploading or updating custom IOCs.
Added the CrowdStrike.IOC.MobileAction context output to all IOC commands: cs-falcon-upload-custom-ioc, cs-falcon-update-custom-ioc, cs-falcon-get-custom-ioc, cs-falcon-search-custom-iocs, and cs-falcon-batch-upload-custom-ioc.
Added android and ios as platform options for the cs-falcon-upload-custom-ioc command.
Added the lift_filesystem_containment_all argument to the cs-falcon-lift-host-containment command, enabling users to lift filesystem containment from hosts in addition to network containment.

Related pull requests:
- 44187
- 44088

Download

2.9.2 - 8801294 (May 6, 2026)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 44045

Download

2.9.1 - 8359356 (April 19, 2026)

Integrations

CrowdStrike Falcon

Documentation and metadata improvements.

Related pull requests:
- 43921

Download

2.9.0 - 8227525 (April 13, 2026)

Incident Types

New: CrowdStrike Falcon Intelligence Recon notification
New: Added a new incident type- CrowdStrike Falcon Intelligence Recon notification that handles CrowdStrike Falcon Intelligence Recon notifications.

Integrations

CrowdStrike Falcon

Added support for Recon filter query parameter that use falcon query language (fql) to filter results. for more information, see the fql syntax documentation.

Related pull requests:
- 42097
- 41869

Download

2.8.3 - 8195766 (April 12, 2026)

Integrations

CrowdStrike Falcon

Documentation and metadata improvements.

Related pull requests:
- 43744

Download

2.8.2 - 8111918 (April 6, 2026)

Integrations

CrowdStrike Falcon

Fixed an issue where HTTP redirect responses (301, 302, 307, 308) caused authentication failures during Spotlight asset collection, preventing vulnerability and device data from being ingested into XSIAM.

Related pull requests:
- 43762

Download

2.8.1 - 7695964 (March 16, 2026)

Integrations

CrowdStrike Falcon

Added support for polling argument in the cs-falcon-ods-create-scan command.

Related pull requests:
- 43384

Download

2.8.0 - 7609529 (March 11, 2026)

Integrations

CrowdStrike Falcon

Breaking change: Removed the Endpoint Incidents filter query parameter.
Breaking change: Removed the cs-falcon-list-incident-summaries command.
Breaking change: Removed the cs-falcon-get-detections-for-incident command.
Breaking change: Removed the cs-falcon-get-incident-behavior command.
Breaking change: Removed the cs-falcon-update-incident-comment command.
Breaking change: Removed the cs-falcon-resolve-incident command.
Breaking change: Incoming and outgoing mirroring for CrowdStrike Falcon Incidents (inc: prefix IDs) is no longer supported. Existing mirrored incidents will stop receiving updates.

Related pull requests:
- 43469

Download

2.7.3 - 7458490 (March 5, 2026)

Integrations

CrowdStrike Falcon

Updated the Docker image to: demisto/py3-tools:1.0.0.7436613.

Related pull requests:
- 43378

Download

2.7.2 - 7448282 (March 5, 2026)

Integrations

CrowdStrike Falcon

Fixed an issue where fetching NGSIEM cases with a query filter (e.g., severity:>20) would fail with a 400 Bad Request error due to improper URL encoding of the '+' operator in FQL queries.
Documentation and metadata improvements.

Related pull requests:
- 43266
- 43266

Download

2.7.0 - 7422049 (March 3, 2026)

Integrations

CrowdStrike Falcon

Added support for fetching Spotlight assets, which ingests vulnerabilities and their associated host details into the Cortex XSIAM Unified Asset Inventory.
Added support for the Fetch Asset types parameter, which enables users to choose which asset sources to ingest into the Cortex XSIAM Unified Asset Inventory.
Updated the Docker image to: demisto/py3-tools:1.0.0.7186534.

Related pull requests:
- 43079

Download

2.6.1 - 7309700 (February 24, 2026)

Integrations

CrowdStrike Falcon

Added support for the cs-falcon-search-ngsiem-events command, which searches NGSIEM historical events. Requires NGSIEM scope with read-write permissions.

Related pull requests:
- 43044

Download

2.6.0 - 7101393 (February 10, 2026)

Integrations

CrowdStrike Falcon

Added support for the cs-falcon-add-case-tag command that adds tags to the specified case.
Added support for the cs-falcon-get-evidence-for-case command that gets evidence for a specific case.
Added support for the cs-falcon-delete-case-tag command that deletes a tag from the specified case.
Added support for the cs-falcon-list-case-summaries command that lists case summaries.
Added support for the cs-falcon-resolve-case command that resolves or updates a case.
Deprecated the cs-falcon-resolve-incident command. Use the cs-falcon-resolve-case command instead.
Deprecated the cs-falcon-list-incident-summaries command. Use the cs-falcon-list-case-summaries command instead.
Deprecated the cs-falcon-get-incident-behavior command with no replacement.
Deprecated the cs-falcon-get-detections-for-incident command. Use the cs-falcon-get-evidence-for-case command instead.

Related pull requests:
- 42880

Download

2.5.2 - 6903290 (January 27, 2026)

Integrations

CrowdStrike Falcon

Added support for the cloud_pup_adware_level_prevention and cloud_pup_adware_level_detection arguments in the following commands:
- cs-falcon-ods-create-scan.
- cs-falcon-ods-create-scheduled-scan.

Related pull requests:
- 42710

Download

2.5.1 - 6823328 (January 21, 2026)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 42745

Download

2.5.0 - 6802612 (January 20, 2026)

Integrations

CrowdStrike Falcon

Updated the Docker image to: demisto/py3-tools:1.0.0.6308650.

Related pull requests:
- 42537

Download

2.4.13 - 6468413 (December 29, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the fetch-incidents command could return detections older than the specified date due to incorrect filter handling.

Related pull requests:
- 42395

Download

2.4.12 - 6204767 (December 9, 2025)

Integrations

CrowdStrike Falcon

Added support for fetching CrowdStrike Falcon CNAPP Alert assets, to obtain alerts of this type, you will need one of the following subscriptions:
- Falcon Cloud Security with Containers CNAPP
- Falcon Cloud Security CNAPP
- Falcon Cloud Security with Containers Runtime Protection
- Falcon for Managed Containers Runtime Protection
- Falcon Cloud Security Proactive
- Falcon Cloud Security with Containers
- Falcon for Managed Containers
Added the cs-falcon-list-cnapp-alerts command. Use this command to manually debug the fetch-assets flow.

Related pull requests:
- 42015

Download

2.4.11 - 6095247 (December 2, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41590

Download

2.4.10 - 6012287 (November 25, 2025)

Integrations

CrowdStrike Falcon

Code Improvements.
Updated the Docker image to: demisto/py3-tools:1.0.0.5475267.

Related pull requests:
- 41884

Download

2.4.9 - 5923996 (November 19, 2025)

Integrations

CrowdStrike Falcon

Resolved an issue where updates to the Max incidents per fetch parameter were not applied.

Related pull requests:
- 41780

Download

2.4.8 - 5818832 (November 11, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41805

Download

2.4.7 - 5801457 (November 10, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41857

Download

2.4.6 - 5717993 (November 3, 2025)

Scripts

ReadProcessesFile

Updated the Docker image to: demisto/python3:3.12.12.5490952.

TransformIndicatorToCSFalconIOC

Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41760

Download

2.4.5 - 5698874 (November 2, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41748

Download

2.4.4 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.4.3 - R5469292 (October 20, 2025)

Integrations

CrowdStrike Falcon

Added support for the file_name argument in the cs-falcon-delete-file command.

Related pull requests:
- 41407

Download

2.4.2 - 5281566 (October 5, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue with the timestamp parsing logic to prevent errors when microsecond components are missing.

Related pull requests:
- 41384

Download

2.4.1 - 5212533 (October 1, 2025)

Integrations

CrowdStrike Falcon

Breaking Change: Deprecated the Use legacy API parameter as of September 30th, 2025. This affects multiple detection-related commands including direct commands (cs-falcon-search-detection, cs-falcon-resolve-detection, cs-falcon-get-detections-for-incident), fetch operations for all detection types, and mirroring operations. All detection functionality will transition from legacy API endpoints to the updated Raptor API format.
Breaking Change: The legacy-specific status options (in_progress, true_positive, false_positive) have been removed from the cs-falcon-resolve-detection command
Breaking Change: The following legacy-specific context outputs have been removed from the cs-falcon-search-detection command:
- CrowdStrike.Detections.behaviors.behavior_id
- CrowdStrike.Detections.behaviors.ioc_source
- CrowdStrike.Detections.behaviors.ioc_description
- CrowdStrike.Detections.first_behavior
- CrowdStrike.Detections.last_behavior
- CrowdStrike.Detections.max_confidence
- CrowdStrike.Detections.max_severity
- CrowdStrike.Detections.max_severity_displayname
- CrowdStrike.Detections.assigned_to_uid
- CrowdStrike.Detections.assigned_to_name

Related pull requests:
- 41444

Download

2.3.11 - 5158591 (September 28, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where fetching detection entities could fail if the number of detection IDs exceeded the API’s maximum per request.

Related pull requests:
- 41381

Download

2.3.10 - 4826286 (September 9, 2025)

Integrations

CrowdStrike Falcon

Added support for the assign_to_user_id argument in the cs-falcon-resolve-identity-detection and cs-falcon-resolve-mobile-detection commands.

Related pull requests:
- 41198

Download

2.3.9 - 4712962 (August 31, 2025)

Integrations

CrowdStrike Falcon

Now using the username argument directly (no extra API call) in cs-falcon-resolve-detection and cs-falcon-resolve-incident.
Removed the usage of the deprecated endpoint in cs-falcon-resolve-detection and cs-falcon-resolve-incident.

Scripts

Updated the documentation and metadata.

Related pull requests:
- 41083

Download

2.3.7 - 4647015 (August 25, 2025)

Integrations

CrowdStrike Falcon

Enhanced incoming mirroring to include more relevant fields for the following detection types: IDP, Endpoint, and OFP.

Related pull requests:
- 41014

Download

2.3.6 - 4568132 (August 18, 2025)

Integrations

CrowdStrike Falcon

Updated the CrowdstrikeFalcon integration to optimize reputation commands with reduced 15-second timeout when executed during automated enrichment workflows to improve overall processing speed.

Related pull requests:
- 40943

Download

2.3.5 - 4486728 (August 11, 2025)

Documentation and metadata improvements.

Related pull requests:
- 40883

Download

2.3.4 - 4424457 (August 5, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the cve command would not return any results when no matching CVE was found.

Related pull requests:
- 40794

Download

2.3.3 - 4350237 (July 29, 2025)

Integrations

CrowdStrike Falcon

Fixed an issue where the fetch-incidents command retrieved older detections than the specified date.
Updated the Docker image to: demisto/py3-tools:1.0.0.4257568.

Related pull requests:
- 40703

Download

2.3.2 - 4261213 (July 22, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 40626

Download

2.3.1 - 4126849 (July 10, 2025)

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 39712
- 40179

Download

2.3.0 - 4118212 (July 9, 2025)

Integrations

CrowdStrike Falcon

Added a new fetch type NGSIEM Detection.
Added a new fetch type Third Party Detection.

Related pull requests:
- 40208

Download

2.2.0 - 4090197 (July 7, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 40521

Download

2.1.30 - 4083045 (July 7, 2025)

Integrations

CrowdStrike Falcon

Documentation and Metadata improvements.

Related pull requests:
- 40519

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	September 9, 2020
Last Release	June 18, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.