CrowdStrike Cloud Query
Background
The Run Crowdstrike Cloud Query action runs Steampipe queries against CrowdStrike resources using simple, powerful PostgreSQL syntax.
For example, an otherwise complicated action such as fetching all of your hosts becomes a single query:
select
  instance_id,
  hostname,
  last_login_timestamp
from
  crowdstrike_host;
To list hosts that do not have a firewall policy applied, use the following query:
select
  hostname,
  device_policies
from
  crowdstrike_host
where
  (device_policies -> 'firewall' -> 'applied') :: bool = false;
A query that fetches the list of open detections created in the last 4 days might look like this:
select
  detection_id,
  created_timestamp,
  device ->> 'device_id' as device_id,
  device ->> 'hostname' as hostname,
  device ->> 'platform_name' as platform_name,
  device ->> 'os_version' as os_version,
  status
from
  crowdstrike_detection
where
  status = 'open'
  -- detection age of at most 4 days (the reversed comparison would return older detections instead)
  and now() - created_timestamp <= interval '4 days';
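The two queries above (hosts without a firewall policy, and recent open detections) are most useful together: a host that has open detections and no firewall applied is the one to look at first. The following triage query is an added example, not from the Blink or Steampipe documentation. It joins the two tables on the device ID and assumes that `crowdstrike_host` exposes a `device_id` column matching `device ->> 'device_id'` in `crowdstrike_detection` (the Steampipe CrowdStrike plugin does expose it, but the column is not shown on this page).

```sql
-- Added example, not part of the original page.
-- Assumption: crowdstrike_host has a device_id column that matches
-- crowdstrike_detection.device ->> 'device_id'.
with recent_open as (
  -- one row per device: how many open detections it has from the last 4 days
  select
    device ->> 'device_id' as device_id,
    count(*) as open_detections,
    max(created_timestamp) as latest_detection
  from
    crowdstrike_detection
  where
    status = 'open'
    -- "last 4 days" means the detection's age is at most 4 days
    and now() - created_timestamp <= interval '4 days'
  group by
    device ->> 'device_id'
)
select
  h.hostname,
  h.last_login_timestamp,
  -- hosts with no firewall policy section at all are treated as not applied
  coalesce((h.device_policies -> 'firewall' -> 'applied') :: bool, false) as firewall_applied,
  r.open_detections,
  r.latest_detection
from
  crowdstrike_host as h
  join recent_open as r on r.device_id = h.device_id
order by
  firewall_applied asc,      -- unprotected hosts first
  r.open_detections desc;    -- then the noisiest hosts
```

Paste the query into the "SQL statement" parameter and choose "Table" as the output format to read it directly, or "JSON" if a later step in the flow needs to iterate over the rows. The `coalesce` matters because `device_policies` may not contain a `firewall` entry for every host, and a missing policy should surface as unprotected rather than disappear from the results.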
A full description of all existing tables, together with official examples, is provided here:
Info: Blink's supported Steampipe version is v0.2.0.
Action Parameters
| Parameter | Description |
|---|---|
| SQL statement | The SQL statement used to query the resource. |
| Output format | Representation of the output result. The possible options are "Table", "CSV" or "JSON". |