Find hosts that have observed a given custom Indicator of Compromise (IOC). IOC is a piece of digital forensics (identification, investigation, and remediation of cyberattacks) that suggests that an endpoint or network may have been breached. You can find the custom indicators in the IOC Management page. The following permissions are required to run this action:
  • IOC Management: Read and Write.
  • IOCs (Indicators of Compromise): Read.
External DocumentationTo learn more, visit the CrowdStrike documentation.

Basic Parameters

ParameterDescription
Indicator TypeThe type of indicator used to search for hosts.
Return All PagesAutomatically fetch all resources, page by page.
ValueThe string representation of the indicator, can be obtained by using the Get Indicator Details action.

Advanced Parameters

ParameterDescription
LimitMaximum number of hosts to return in the response.
OffsetThe offset at which to start record retrieval.

Use with the Limit parameter to manage pagination of results.

Example Output

{
  "meta": {
    "query_time": 7.444444,
    "pagination": {
      "offset": "",
      "limit": 100
    },
    "trace_id": ""0000000-00000-0000-0000-000000000000"",
    "entity": "/path/to/device{?ids*}"
  },
  "resources": [
    "000000111111222233333"
  ],
  "errors": []
}

Workflow Library Example

Find Hosts That Observed Ioc with Crowdstrike and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop