Find IP addresses known to be involved in attack execution or outbound callbacks from malware.

The following permissions are required to run this action:

  • Indicators (Falcon Indicator Graph): Read.

External Documentation

To learn more, visit the CrowdStrike documentation.

Basic Parameters

Parameter | Description
Filter | Filter the results by an FQL query. For a complete list of filterable properties and syntax guidance, refer to the CrowdStrike API documentation.
Sort By | The field to sort the results by.
Sort Order | The direction in which to sort the results.

Advanced Parameters

Parameter | Description
Limit | The number of results to return. Valid range is 0 - 100.

Example Output

{
	"meta": {
		"query_time": 1.454724531,
		"pagination": {
			"limit": 10,
			"offset": "pSFFO1Ctnodv...",
			"next_page": "limit=10&offset=pSFFO1CtnodvTA8G..."
		},
		"powered_by": "fig-api",
		"trace_id": "94efc630-4f99-4345-8d43-d87a6cda41f5",
		"total_hits": 10
	},
	"resources": [
		{
			"ID": "IPv4:8c2e3ba5972e6137c8554f4320e14fa410dd9c61b807e030fc04e0834e3ba3eb",
			"Type": "IPv4",
			"PublishDate": "2025-01-23T19:24:54Z",
			"LastUpdated": "2025-01-23T19:25:06Z",
			"MaliciousConfidence": "High",
			"MaliciousConfidenceValidatedTime": "2025-01-23T19:24:54Z",
			"ThreatTypes": [
				"Modular",
				"Commodity",
				"OpenSource",
				"Criminal",
				"RAT"
			],
			"Threats": [
				{
					"FamilyName": "AsyncRAT"
				}
			],
			"Sectors": [
				{
					"Name": "Government",
					"Definition": "An entity involved in the governing body of a nation, state, or community."
				}
			],
			"IPv4Details": {
				"IPv4": "192.0.2.1",
				"ASN": [
					64496
				],
				"IPProperties": [
					"proxy"
				],
				"ISP": "Example ISP"
			}
		}
	]
}
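
An added example (not part of the original page and not CrowdStrike's code) of triaging one page of this output before acting on it: it keeps IPv4 indicators at or above a confidence floor, sends addresses flagged "proxy" to analyst review instead of automatic blocking, and extracts the offset for the next page. The function names, the Low < Medium < High ordering, the proxy-to-review policy and the sample data are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import parse_qs

# Assumed ordering; only "High" appears in the page's example output.
CONFIDENCE_RANK = {"Low": 1, "Medium": 2, "High": 3}

def triage_indicators(response, min_confidence="High"):
    """Return (block, review, next_offset) for one page of results."""
    floor = CONFIDENCE_RANK[min_confidence]
    block, review = [], []
    for res in response.get("resources") or []:
        details = res.get("IPv4Details") or {}
        if res.get("Type") != "IPv4":
            continue
        if CONFIDENCE_RANK.get(res.get("MaliciousConfidence"), 0) < floor:
            continue
        try:
            ip = str(ipaddress.IPv4Address(str(details.get("IPv4", ""))))
        except ValueError:
            continue  # missing or malformed address: keep it out of any blocklist
        entry = {"ip": ip, "last_updated": res.get("LastUpdated"),
                 "families": [t.get("FamilyName") for t in res.get("Threats") or []]}
        # Assumed policy: a "proxy" address is shared infrastructure that may also
        # carry legitimate traffic, so it goes to review rather than the blocklist.
        if "proxy" in (details.get("IPProperties") or []):
            review.append(entry)
        else:
            block.append(entry)
    pagination = (response.get("meta") or {}).get("pagination") or {}
    # next_page is a query string such as "limit=10&offset=<token>".
    next_offset = parse_qs(pagination.get("next_page") or "").get("offset", [None])[0]
    return block, review, next_offset

def _sample_resource(ip, confidence, props, family):  # constructed test data
    return {"Type": "IPv4", "MaliciousConfidence": confidence,
            "LastUpdated": "2025-01-23T19:25:06Z",
            "Threats": [{"FamilyName": family}],
            "IPv4Details": {"IPv4": ip, "IPProperties": props}}

# Constructed sample shaped like the Example Output above (documentation IP ranges).
SAMPLE = {
    "meta": {"pagination": {"limit": 10, "next_page": "limit=10&offset=CONSTRUCTED_OFFSET"}},
    "resources": [
        _sample_resource("192.0.2.1", "High", ["proxy"], "AsyncRAT"),
        _sample_resource("198.51.100.7", "High", [], "ExampleFamily"),
        _sample_resource("203.0.113.9", "Medium", [], "ExampleFamily"),
        _sample_resource("not-an-ip", "High", [], "ExampleFamily"),
    ],
}
```

When next_offset is None there are no further pages to request.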

Workflow Library Example

Find Malicious IP Addresses with CrowdStrike and Send Results via Email
