Search for processes associated with a custom IOC.

The following permissions are required to run this action:

  • IOC Management: Read and Write.

  • IOCs (Indicators of Compromise): Read.

Note: A 404 response code may be returned if no devices are found for the indicator, or if the host has aged out.

External Documentation

To learn more, visit the CrowdStrike documentation.

Basic Parameters

Parameter | Description
Device ID | Specify a device ID to return only processes from that device.
Indicator Type | The type of the indicator.
Return All Pages | Automatically fetch all resources, page by page.
Value | The string representation of the indicator, which can be obtained using the Get Indicator Details action.

Advanced Parameters

Parameter | Description
Limit | Number of processes to return in the response.
Offset | The first process to return, where 0 is the latest offset. Use with the limit parameter to manage pagination of results.

Example Output

{
	"meta": {
		"query_time": 0.10,
		"pagination": {
			"offset": "1364242733:397800512",
			"limit": 2,
			"next_page": "/indicators/queries/processes/v1?type=domain&value=example.com&device_id=2dd7xxxxxxxxfb3c2&offset=1364242733:397800512&limit=1"
		},
		"trace_id": "a4d3ba63-28e4-473e-9b6f-61dd0b8be4fe",
		"entity": "https://falconapi.crowdstrike.com/processes/entities/processes/v1{?ids*}"
	},
	"resources": [
		"pid:2dd7xxxxxxxxb3c2:298xxx772",
		"pid:2dd7xxxxxxxxb3c2:922xxx411"
	],
	"errors": []
}
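As an added example (not code from this page, the workflow library, or CrowdStrike), the following Python walks the paginated response shape shown above by hand: it follows pagination.offset while next_page is present, parses each "pid:<device_id>:<process_id>" resource, and treats the 404 from the Note as "no results". The HTTP call is replaced by sample_fetch, which serves constructed responses (made-up device and process ids) so the block runs offline; a real caller would issue the GET with the same parameters.

```python
from typing import Any, Callable, Dict, Iterator, Optional, Tuple

# Constructed sample responses in the shape of the Example Output above (ids are made up).
# Keyed by the offset sent with the request; None is the first request, which has no offset.
SAMPLE_PAGES: Dict[Optional[str], Dict[str, Any]] = {
    None: {"status_code": 200, "body": {
        "meta": {"pagination": {"offset": "1364242733:397800512", "limit": 2,
                 "next_page": "/indicators/queries/processes/v1?offset=1364242733:397800512&limit=2"}},
        "resources": ["pid:2dd7aaaaaaaab3c2:298000772", "pid:2dd7aaaaaaaab3c2:922000411"],
        "errors": []}},
    "1364242733:397800512": {"status_code": 200, "body": {
        "meta": {"pagination": {"offset": "1364242733:397800512", "limit": 2}},
        "resources": ["pid:2dd7aaaaaaaab3c2:100000001"], "errors": []}},
}

def sample_fetch(params: Dict[str, Any]) -> Dict[str, Any]:
    """Stand-in for the HTTP GET; an unknown offset gets the 404 the Note describes."""
    missing = {"status_code": 404, "body": {"resources": [], "errors": [{"code": 404}]}}
    return SAMPLE_PAGES.get(params.get("offset"), missing)

def parse_pid(resource: str) -> Tuple[str, str]:
    """Split a 'pid:<device_id>:<process_id>' resource into its two ids."""
    parts = resource.split(":")
    if len(parts) != 3 or parts[0] != "pid" or not all(parts[1:]):
        raise ValueError(f"unexpected resource format: {resource!r}")
    return parts[1], parts[2]

def iter_processes(fetch: Callable[[Dict[str, Any]], Dict[str, Any]], ioc_type: str, value: str,
                   device_id: Optional[str] = None, limit: int = 100) -> Iterator[Tuple[str, str]]:
    """Yield (device_id, process_id) across all pages, i.e. 'Return All Pages' done manually."""
    params: Dict[str, Any] = {"type": ioc_type, "value": value, "limit": limit}
    if device_id:
        params["device_id"] = device_id
    seen_offsets = set()
    while True:
        resp = fetch(params)
        if resp["status_code"] == 404:  # no devices for the indicator, or the host aged out
            return
        body = resp["body"]
        for resource in body.get("resources", []):
            yield parse_pid(resource)
        pagination = body.get("meta", {}).get("pagination", {})
        offset = pagination.get("offset")
        # Assumption taken from the sample output: pagination.offset is the cursor for the next page.
        if not pagination.get("next_page") or offset in seen_offsets:
            return  # last page, or a cursor that would loop forever
        seen_offsets.add(offset)
        params["offset"] = offset
```

Grouping the yielded pairs by device id gives the per-host view an analyst needs before pivoting to the process details endpoint named in the meta.entity field.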

Workflow Library Example

Get Processes by Ioc with Crowdstrike and Send Results Via Email
