
Background

The Run Crowdstrike Cloud Query action runs Steampipe queries against CrowdStrike resources using plain PostgreSQL syntax. For example, an otherwise involved task such as fetching all of your hosts becomes a single query:
```sql
select
  instance_id,
  hostname,
  last_login_timestamp
from
  crowdstrike_host;
```
To list hosts that do not have a firewall policy applied, use the following query:
```sql
select
  hostname,
  device_policies
from
  crowdstrike_host
where
  (device_policies -> 'firewall' -> 'applied') :: bool = false;
```
A query that fetches a list of open detections from the last 4 days might look like this:
```sql
select
  detection_id,
  created_timestamp,
  device ->> 'device_id' as device_id,
  device ->> 'hostname' as hostname,
  device ->> 'platform_name' as platform_name,
  device ->> 'os_version' as os_version,
  status
from
  crowdstrike_detection
where
  status = 'open'
  -- "last 4 days": the detection was created less than 4 days ago
  and now() - created_timestamp < interval '4 days';
```
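As an added example (not from the Blink or Steampipe documentation), the following query combines the two tables shown above to list hosts without the firewall policy applied that also have open detections from the last 4 days, with a per-host count. It uses only the columns that appear on this page; matching detections to hosts by hostname is an assumption made for the example, since hostnames are not guaranteed to be unique.

```sql
-- Hosts without the firewall policy applied that also have open
-- detections created within the last 4 days, one row per host.
-- Assumption: detections are matched to hosts by hostname, because that
-- is the field both tables expose here; hostnames may not be unique.
select
  h.hostname,
  h.instance_id,
  h.last_login_timestamp,
  count(d.detection_id)    as open_detections,
  max(d.created_timestamp) as latest_detection
from
  crowdstrike_host as h
  join crowdstrike_detection as d
    on d.device ->> 'hostname' = h.hostname
where
  (h.device_policies -> 'firewall' -> 'applied') :: bool = false
  and d.status = 'open'
  -- "last 4 days": created_timestamp must be newer than now() - 4 days
  and d.created_timestamp > now() - interval '4 days'
group by
  h.hostname, h.instance_id, h.last_login_timestamp
order by
  open_detections desc;
```

Hosts with the firewall policy applied, or with no recent open detections, drop out of the result because of the inner join and the where clause.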
A full description of all existing tables and official examples are provided here:
Blink supports this Steampipe version: v0.2.0.

Action Parameters

| Parameter | Description |
| --- | --- |
| SQL statement | The SQL query to execute against database resources. Use standard SQL syntax. |
| Output format | The representation of the output result. The possible options are “Table”, “CSV” or “JSON”. |