×
CrowdStrike Falcon
CrowdStrike Falcon

Overview

The CrowdStrike Falcon Plugin provides the functionality for managing hosts, performing sandbox analysis, retrieving sandbox artifacts, retrieving information on IoCs, executing real time response (RTR) commands, managing RTR custom scripts, managing custom IoCs, managing detections, and managing incidents.

Functionality

The Security Flow CrowdStrike Falcon Plugin provides the ability to

  • retrieve host IDs and host details
  • delete (hide) and restore (un-hide) hosts
  • contain and lift containment on hosts
  • perform sandboxing analysis on files and URLs
  • retrieve sandboxing analysis artifact files
  • retrieve information on Indicators of Compromise (IoCs)
  • execute Real Time Response (RTR) commands
  • retrieve Real Time Response (RTR) scripts
  • create Real Time Response (RTR) scripts
  • update Real Time Response (RTR) scripts
  • delete Real Time Response (RTR) scripts
  • retrieve RTR get command files
  • retrieve custom IoCs
  • create custom IoCs
  • update custom IoCs
  • delete custom IoCs
  • retrieve filtered detections periodically or when manually triggered
  • retrieve information on detections
  • update detections
  • retrieve information on incidents
  • update incidents

Instance Configuration Parameters

Property
Description

Instance Name

Name for the CrowdStrike Falcon instance.


Unique ID

A system-wide unique identifier for this plugin instance used to locate the service.


API Host Name

Host name used to make Falcon API requests.


Client ID

Client ID used to request an OAuth2 access token.


Client Secret

Client Secret used to request an OAuth2 access token.

Flow Nodes

This node exposes CrowdStrike Falcon detections capabilities documented in the Manage Detections APIs.
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

Configuration option determining the type of operation to perform:

  • Find Detections: Retrieves matching detection IDs based on the specified Detections Filter and Search String.
  • Get Detection Details: Retrieves the details of detections in your environment based on the Detection IDs supplied.
  • Find Detections & Get Details: Performs both the Find Detections and Get Detection Details actions in a single request.
  • Update Detections: Updates a subset of fields for the specified Detection IDs.

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


Detections Filter

The Falcon Query Language (FQL) filter used to find matching detections. Set this field to Not Specified to disable filtering. The fields available for filtering are detailed within the Find detections page section. Learn more about filtering using the Falcon Query Language (FQL) page.

In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.


Search String

Searches the metadata of the descriptions for the specified string. Set Search String to Not Specified to disable searching the detection metadata for the search string.

The Search String uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.


Size Limit

This field sets the maximum number of returned detections.


Sort By

If specified, the Sort By configuration option specifies the column to sort the results by. Valid sort by values are first_behavior, last_behavior, max_severity, max_confidence, adversary_id, and devices.hostname. Invalid Sort By values are silently ignored.


Sort Order

If specified, sorts the results in ascending or descending order. If not specified, the sort order is assumed to be ascending.


Detection IDs

The detection IDs being retrieved or updated. A value of Standard Detections Location is a useful shortcut to specify the detectionIds field within previously returned results. Detection IDs may be an array of detection ID strings or a single detection ID string.


Assignee

If specified, the Assignee field defines the assignee using the user’s username, usually an email address.


Status

If specified, the Status defines the new desired status. Valid Status values are new, in_progress, true_positive, false_positive, and ignored. If the evaluated Status is invalid, no update is performed and the request errors out.


Comment

If specified, the Comment field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more.


Show in UI

If supplied, the Show in UI flag is set to true if the value evaluates to a JavaScript truthy value. Not Specified will not set or change the existing value. Most commonly, this would be set to false when the Status is set to false_positive.

This node exposes CrowdStrike Falcon Detection API capabilities for finding matching detections at regular intervals.
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Repeat

Use Repeat to define how often a query for detections is triggered. The left inject button on this node is used to immediately trigger the retrieval of detections. If the repeat interval is set to zero, querying will not occur unless manually triggered using the left inject button.


Detections Filter

The Falcon Query Language (FQL) filter used to find matching detections. Clear out this field to avoid filtering. The fields available for filtering are detailed within the Find detections page section. Learn more about filtering using the Falcon Query Language (FQL) page.

In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more. However, for this node, the incoming message consists of only a timestamp.


Search String

Searches the metadata of the descriptions for the specified string. Leave this field blank to disable searching the detection metadata for the search string.


Size Limit

This field sets the maximum number of returned detections.


Sort By

If specified, the Sort By configuration option specifies the column to sort the results by.


Sort Order

Sorts the results in ascending or descending order.


Aggregetion

This node supports five modes for aggregating incidents.

  • None: Never aggregate any incidents (default).
  • Field Match: For a given source field of a message (or jsonata query of the message), aggregate together all messages whose field value exactly matches a previously checked message.
  • Exact Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages whose field exactly matches a given value. One can specify multiple values. Each value specifies a separate grouping of incidents. Useful to aggregate messages with known content.
  • Keyword Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages with a given keyword appearing as a word within the field. One can specify multiple keywords. Each keyword specifies a separate grouping of incidents. An incident is grouped with the first keyword it matches. Useful to aggregate messages with somewhat known content.
  • Fuzzy Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages for which this field is sufficiently similar to the message which started the incident. With this method, one can specify a similarity threshold. Messages matched with the fuzzy matcher get a similarity attribute added to the message which can be inspected to assist when establishing a threshold.
This node exposes CrowdStrike Falcon Host capabilities.
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

Configuration option determining the type of operation to perform:

  • Get Hosts: Retrieves the filtered list of hosts in the environment based on the Hosts Filter configuration.
  • Get Deleted (Hidden) Hosts: Retrieves the filtered list of deleted (hidden) hosts in the environment based on the Hosts Filter configuration.
  • Get Host Details: Retrieves detailed information on the designated host agent IDs (AIDs) specified in Host(s).
  • Hosts Action: Performs the selected Host Action on the designated host agent IDs (AIDs) specified in Host(s).

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


Hosts Filter

The Falcon Query Language (FQL) filter used to find matching hosts. Clear the content of this field to disable filtering. Learn more about filtering using the Falcon Query Language (FQL) page.

In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.


Host(s)

The Host(s) field may contain a single host string or an array of host agent IDs (AIDs).


Hosts Action

Performs the selected Host Action on the designated host agent IDs (AIDs) specified in Host(s). The following operations are supported.

  • Contain: This action contains the hosts, stopping any network communications to locations other than the CrowdStrike cloud and IPs specified in your containment policy.
  • Lift Contain: This action lifts containment on the hosts, which returns its network communications to normal.
  • Delete (Hide) Host: This action will delete the hosts. After the hosts are deleted, no new detections for those hosts will be reported via UI or APIs.
  • Restore (Un-Hide) Host This action will restore the hosts. Detection reporting will resume after the hosts are restored.
This node exposes CrowdStrike Falcon incidents capabilities documented in the Manage Incidents APIs.
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

Configuration option determining the type of operation to perform:

  • Find Incidents: Retrieves matching detection IDs based on the specified Incidents Filter and Search String.
  • Get Incident Details: Retrieves the details of incidents in your environment based on the Detection IDs supplied.
  • Find Incidents & Get Details: Performs both the Find Incidents and Get Incident Details actions in a single request.
  • Update Incidents: Updates a subset of fields for the specified Incident IDs.

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


Incidents Filter

The Falcon Query Language (FQL) filter used to find matching incidents. Set this field to Not Specified to disable filtering. The fields available for filtering are detailed within the Find incidents page section. Learn more about filtering using the Falcon Query Language (FQL) page.

In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.


Size Limit

This field sets the maximum number of returned incidents.


Sort By

If specified, the Sort By configuration option specifies the column to sort the results by. Valid sort by values are assigned_to, assigned_to_name, end, modified_timestamp, name, sort_score, start, state, and status. Invalid Sort By values are silently ignored.


Sort Order

If specified, sorts the results in ascending or descending order. If not specified, the sort order is assumed to be ascending.


Incident IDs

The incident IDs being retrieved or updated. A value of Standard Incidents Location is a useful shortcut to specify the incidentIds field within previously returned results. Incident IDs may be an array of incident ID strings or a single incident ID string.


Name

The Name field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more. The Name field is optional and applied to all the updated incidents.


Description

The Description field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more. The Description field is optional and applied to all the updated incidents.


Status

The Status defines the new desired status. Valid Status values are 20, 25, 30, and 40, where 20 is New, 25 is Reopened, 30 is In Progress, and 40 is Closed. If the evaluated Status is not valid, no update is performed and the request errors out.


Update Detection Statuses

If Update Detection Statuses evaluates to JavaScript truthy value and a Status change is performed, the statuses of the incidents’ involved detections is performed. The following rules determine the behavior:

Update Detection Statuses Overwrite Detection Statuses Behavior
false true | false No changes to any involved detections.
true false The involved detections’ status
parameters that have a value of new
are updated to match the incident’s status.
true true The all involved detections’ status
parameters are updated to match the incident’s status.

Overwrite Detection Statuses

Because this option is tightly coupled to the value of Update Detection Statuses, see that node property for details.


Add Tags

Add Tags may be an array of tag strings or a comma separated list of tags. Each tag is added to the incidents.


Delete Tags

Delete Tags may be an array of tag strings or a comma separated list of tags. Each tag is deleted from the incidents.

This node exposes CrowdStrike Falcon Incidents API capabilities for finding matching incidents at regular intervals.
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Repeat

Use Repeat to define how often a query for incidents is triggered. The left inject button on this node is used to immediately trigger the retrieval of incidents. If the repeat interval is set to zero, querying will not occur unless manually triggered using the left inject button.


Incidents Filter

The Falcon Query Language (FQL) filter used to find matching incidents. Clear out this field to avoid filtering. The fields available for filtering are detailed within the Find incidents page section. Learn more about filtering using the Falcon Query Language (FQL) page.

In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more. However, for this node, the incoming message consists of only a timestamp.


Size Limit

This field sets the maximum number of returned incidents.


Sort By

If specified, the Sort By configuration option specifies the column to sort the results by.


Sort Order

Sorts the results in ascending or descending order.


Aggregetion

This node supports five modes for aggregating incidents.

  • None: Never aggregate any incidents (default).
  • Field Match: For a given source field of a message (or jsonata query of the message), aggregate together all messages whose field value exactly matches a previously checked message.
  • Exact Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages whose field exactly matches a given value. One can specify multiple values. Each value specifies a separate grouping of incidents. Useful to aggregate messages with known content.
  • Keyword Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages with a given keyword appearing as a word within the field. One can specify multiple keywords. Each keyword specifies a separate grouping of incidents. An incident is grouped with the first keyword it matches. Useful to aggregate messages with somewhat known content.
  • Fuzzy Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages for which this field is sufficiently similar to the message which started the incident. With this method, one can specify a similarity threshold. Messages matched with the fuzzy matcher get a similarity attribute added to the message which can be inspected to assist when establishing a threshold.
This node exposes CrowdStrike Falcon custom IoC capabilities of the Detection and Prevention Policy APIs.
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

The desired operation for this node:

  • Find IoCs: Retrieves a filtered list of matching custom IoCs.
  • Get IoC Details: Retrieves the details of custom IoCs identified by their IDs.
  • Find IoCs & Get Details: Performs both the Find IoCs and Get IoC Details actions in one step.
  • Create IoC(s): Creates a new set of custom IoCs.
  • Update IoC(s): Updates an existing set of custom IoCs.
  • Create or Update IoC(s): Creates or updates a set of custom IoCs.
  • Delete IoC(s): Deletes a set of custom IoCs identified by their IDs.

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


IoCs Filter

The Falcon Query Language (FQL) filter used to find matching custom IoCs. Clear the content of this field to disable filtering. Learn more about filtering using the Falcon Query Language (FQL) page.

In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.


Size Limit

Limits the number of returned results matching the IoCs Filter.


Sort By

The Sort By configuration option specifies the column to sort the results by.


IoC ID Source

For the Update IoC(s) action, this defines the source for IoC information. If via IoC IDs is selected, the IoC IDs and IoC Actions configuration options are shown. If via IoC Locations is selected, the IoC Locations configuration options is shown.


IoC IDs

The location for the IoC IDs array within the specified context. A value of Standard IoCs Location is a useful shortcut to specify the iocIds field within a previous response.


IoC Locations

The incoming message is searched for matching Indicators of Compromise (IoCs) using the configured IoC Locations list. This list consists of three columns. The IoC type, the IoC value context, and the CrowdStrike action.


IoC IDs

This only available when the Update IoC(s) action is selected and the IoC ID Source is set to via IoC IDs. This list defines the CrowdStrike action based on IoC type.


Comment

The Comment field is required and applied to the operation updating or creating IoCs. This field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more.


Platforms

The Platforms defines the affected platforms. Valid Platforms values are any combination of mac, windows, and linux. If the evaluated Platforms is invalid, all platforms are selected.


Severity

The Severity defines the desired severity of the IoC. Valid Severity values are informational, low, medium, high, and critical. If the evaluated Severity is invalid, critical is assumed.


Retoractive Detections

The Retroactive Detections triggers the specified action for the IoC on historical data if the value evaluates to a JavaScript truthy value.


Apply Globally

The Apply Globally flag is set to true for the IoC if the value evaluates to a JavaScript truthy value.


Source

Defines the source of the custom IoC. If Nevelex Labs Security Flow is selected, the source is set to a Nevelex Labs Security Flow string.


Description

The Description field is optional and applies to an individual IoC. This field uses variable substitution from the incoming message using a mustache format. Visit the Template Engine and Formatters page to learn more.


Tag(s)

The Tags defines tags to apply to the IoC. Not Specified will not set or change the existing tags. A blank value will clear the tags. A JavaScript array will set the supplied array of tags. A string will be separated into an array using commas as the delimiter.


Host Group ID(s)

The Host Groups ID(s) defines host groups the IoC applies to. Not Specified will not set or change the existing host group IDs. A blank value will clear the host group IDs. A JavaScript array will set the supplied array of host group IDs. A string will be separated into an array using commas as the delimiter.


Expires In

The Expires In value determines when the domains, IP addresses, or hashes will set their action to No Action (no_action). If set to IoC Resets to Unknown per Settings, the IoC’s trust level is reset according to the Application Settings screen’s Indicators of Compromise settings for IP addresses and domains. For hashes, the Hash Expiration Settings configuration setting defines the expiration value to use when IoC Resets to Unknown per Settings is selected. If Expires In is set to Never Reset to Unknown, no initial expiration is set. If Expires In is set to Do Not Set/Update Expiration, no initial expiration is set and IoC updates will not change the expiration. If Expires In value evaluates to a number (days), that value is used to calculate the reset interval for all the IoC types. If the Expires In value does not evaluate to a number (days), the default Application Settings screen’s Indicators of Compromise settings are used.


Hash Expiration Settings

The Hash Expiration Settings configuration setting defines the expiration value to use when IoC Resets to Unknown per Settings is selected in the Expires In configuration setting.

This node exposes CrowdStrike Falcon Real Time Response (RTR) capabilities.
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

The desired operation for this node:

  • Execute Command(s): Executes a Real Time Response (RTR) command or set of commands specified by Command(s).
  • Execute Get Command: Similar to Execute Command(s), but specifically runs the get command to retrieve a file off of the designated Host(s).
  • Create Script: Creates a new custom script executable by the runscript command.
  • Delete Script: Deletes a custom script identified by its Script ID.
  • Find Script: Finds custom scripts matching the Scripts Filter criteria.
  • Get Script(s): Loads the custom script(s) identified by their Script IDs.
  • Create Script: Updates a custom script identified by its Script ID.

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


Host(s)

This field may contain a single host agent ID (AIDs) string or an array of host agent ID (AIDs).


Command(s)

The command or set of commands to execute on the designated Host(s). The Command(s) field, if specified directly as a string, is a single command to be executed. However, if passed in via a message context as an array, an array of Parameters of equal length must also be passed in with the message. The Command(s) field has a drop down of the available commands names to assist in selection. The list of available commands and required RTR roles can be found within the CrowdStrike Real Time Response and Platforms page.


Parameters

The Parameters are the parameters to pass to the designated Command(s). If the Command(s) evaluates to an array, the Parameters must also evaluate to an array with an equal number of elements. If the command does not require any parameters, the parameter value must be supplied as a JavaScript falsy value, such as an empty string.


File Path

The fully specified path of the file to get from the Host(s).


Download

If this value evaluates to true, the file is downloaded and associated with the message.

If true, the response contains an array of downloadedFiles file names. Files created and associated with the message can be sent via email using the NL-Add-Email-Attachments node and viewed in the Incident timeline. The name of the file is [fileName]_[hostId].7z, where the content is compressed using 7-Zip and is encrypted. The encryption key is supplied in the Real Time Response and Platforms page within the GET command reference.


Timeout

The Timeout is passed as a parameter to all CrowdStrike RTR API methods and is used as the timeout for establishing a batch session to the Host(s).


Script ID

The ID string for a custom script. Custom scripts are those executed by the runscript command. If the Script ID is set to Standard First Script ID Location the ID is obtained within the standard response location at scriptIds[0]. The location is set by successful results from the Find Scripts action that return one or more matches.


Script IDs

A comma separated string or array of custom script IDs strings. Custom scripts are those executed by the runscript command. If Script IDs is set to Standard Script IDs Location, the IDs are obtained within the standard response location at scriptIds. The location is set by successful results from the Find Scripts action.


Description

The description assigned to a custom script when creating or updating a script. This field use variable substitution from the incoming message using a mustache format when the input context is string. Visit the Template Engine and Formatters page to learn more.


Script Name

The name assigned to a custom script when creating or updating a script. This field use variable substitution from the incoming message using a mustache format when the input context is string. Visit the Template Engine and Formatters page to learn more.


Audit Log Comment

The audit log comment associated with the custom script. This field use variable substitution from the incoming message using a mustache format when the input context is string. Visit the Template Engine and Formatters page to learn more.


Permission Type

The Permission Type types define who is allowed to run the script. The Permission Type must evaluate to one of private, group, or public. For more details, on the permission types check out the API reference.


Platforms

The Platforms defines the supported platforms. Valid Platforms values are any combination of mac, windows, and linux. If the evaluated Platforms is invalid or not supplied, windows is selected.


PowerShell Script / Shell Script

This fields defines the content of the custom script.


Scripts Filter

The filter to use when finding custom scripts. Clear the content of the Scripts Filter field to disable filtering. Learn more about filtering using the Falcon Query Language (FQL) page. In addition to FQL, the filter uses variable substitution from the incoming message using a mustache format. A mustache is a set of double curly braces surrounding a variable, i.e. {{ variable }}. For example, {{payload.data}} would substitute in the value of payload.data found in the incoming message. Visit the Template Engine and Formatters page to learn more.


Size Limit

The maximum number of custom script IDs to return.


Order By

The optional Order By configuration option specifies the column to sort the results by.


Sort Order

If an Order By column is specified, the Sort Order configuration option is used to sort the results in ascending or descending order.

This node exposes CrowdStrike Falcon Sandboxing capabilities.
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

Configuration option determining the type of operation to perform:

  • Analyze File: Performs a file upload, which is marked as confidential, followed by a file analysis on the file selected by File Name.
  • Analyze URL: Performs an analysis on the URL selected by URL.
  • Get Analysis Artifacts: This action takes successful analysis report output of this node and returns most of the artifact files.

Successful results for an action are placed in msg.payload.csfalcon.[uniqueId].response.


Username

When performing a file analysis, this is the username of the user being marked as the owner of the file. This is typically an email address.


File Name

When performing a file analysis, the name of a file associated with the message.


URL

When performing a URL analysis, the URL to be sent in for analysis.


Comment

When performing a file analysis, template area to enter in a description of the file. Leave blank to ignore. Visit the Template Engine and Formatters page to learn more about using the template engine.


Environment ID

An ID for the environment to run the analysis within. Options are:

  • 100 – Windows 7, 32-bit
  • 110 – Windows 7, 64-bit
  • 160 – Windows 10, 64-bit
  • 200 – Android (static analysis)
  • 300 – Linux Ubuntu 16.04, 64-bit

If the Environment ID is configured to come from the message and isn’t a valid Environment ID, Windows 10, 64-bit is used.


Action Script

Defines the runtime script for sandbox analysis.


Enable TOR

If checked, sandbox analysis routes network traffic via TOR.


Command Line

The Command Line is the script passed to the submitted file at runtime. This field is a template area and is limited to 2048 characters after template evaluation. Visit the Template Engine and Formatters page to learn more about using the template engine.


Document Password

For Adobe and Office files that are password protected, define the Document Password. Leave the Document Password field type set to string with an empty value if no password is needed. If the Document Password field type is set to msg and the value does not exist, the error is ignored and no password is used.


Report

When retrieving sandbox analysis artifacts, this field defines the location of the report. The initial setting uses the default location for a report within msg.payload.csfalcon.[uniqueId].response.


Artifact Files

When retrieving sandbox analysis artifacts, this multi-select field allows for the selection of artifact files to associate with the message traversing the flows.

CrowdStrike Falcon Threat Intelligence node to gather information about the supplied Indicators of Compromise (IoCs).
Property
Description

Name

The display name of the node within the flows.


Unique ID

System-wide unique ID of the plugin instance.


Action

The desired operation for this node:

  • Search Within: Dynamically search in the message and perform operations based on the IoC type found.
  • Domain Report: Request a report for the specified Domain.
  • File Hash Report: Request a report for the specified hash.
  • IP Address Report: Request a report for the specified IP Address.
  • URL Report: Request a report for the specified URL.

Search Within / URL / Domain / IP / Hash

These fields define the location from the message, flow, global, or JSONata expression to use as the data source for the IoC Threat Intelligence report.

Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

©Nevelex Labs, LLC. 2018-2022, All Rights Reserved.

EULA