Search for and retrieve indicators based on custom criteria. The following permissions are required to run this action:
  • Indicators (Falcon Indicator Graph): Read.
External DocumentationTo learn more, visit the CrowdStrike documentation.

Basic Parameters

ParameterDescription
FilterFilter the results by a FQL query.

For a complete list of filterable properties and syntax guidance, refer to the CrowdStrike API documentation.
Return All PagesAutomatically fetch all resources, page by page.
Sort ByThe field to sort results by.
Sort OrderThe direction in which to sort the results.

Advanced Parameters

ParameterDescription
LimitThe number of results to return.
OffsetThe offset to start retrieving records from.

Example Output

{
	"meta": {
		"query_time": 1.454724531,
		"pagination": {
			"limit": 10,
			"offset": "pSFFO1Ctnodv...",
			"next_page": "limit=10&offset=pSFFO1CtnodvTA8G..."
		},
		"powered_by": "fig-api",
		"trace_id": "94efc630-4f99-4345-8d43-d87a6cda41f5",
		"total_hits": 10
	},
	"resources": [
		{
			"ID": "Domain:8c2e3ba5972e6137c8554f4320e14fa410dd9c61b807e030fc04e0834e3ba3eb",
			"Type": "Domain",
			"PublishDate": "2025-01-23T19:24:54Z",
			"LastUpdated": "2025-01-23T19:25:06Z",
			"MaliciousConfidence": "High",
			"MaliciousConfidenceValidatedTime": "2025-01-23T19:24:54Z",
			"ThreatTypes": [
				"Modular",
				"Commodity",
				"OpenSource",
				"Criminal",
				"RAT"
			],
			"Threats": [
				{
					"FamilyName": "AsyncRAT"
				}
			],
			"DomainDetails": {
				"Domain": "example-malicious-domain.com"
			}
		}
	]
}

Workflow Library Example

Search Indicators with Crowdstrike and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop