Overview
Add CrowdStrike to any ModuleX agent or workflow. Query CrowdStrike Identity Protection sensors and aggregates through the Falcon API (api.crowdstrike.com and region-specific hosts). Search the sensor fleet with Falcon Query Language, pull detailed records by device ID, and run documented aggregate queries.
Categories: Monitoring & Observability · Security · Identity · Auth: API Key · Actions: 3
Authentication
API Key Authentication
Authenticate using a CrowdStrike Falcon API client. The client secret is the credential; the client ID and cloud region are supplied per action.
Step 2
Create an API client, granting it the Identity Protection scopes (Identity Protection Entities: Read, Identity Protection Sensor: Read).
Required Credentials
| Field | Description | Required | Format |
|---|---|---|---|
| CrowdStrike Client Secret | Your CrowdStrike Falcon API client secret | Yes | - |
Available Actions
query_sensors — Search CrowdStrike Identity Protection sensors by hostname, IP, or related fields using a Falcon Query Language filter.
Parameters
CrowdStrike Falcon API client ID
CrowdStrike Falcon cloud region: one of ‘us-1’, ‘us-2’, ‘eu-1’, ‘us-gov-1’, ‘us-gov-2’ (Default: us-1)
Falcon Query Language (FQL) filter for sensor search
Maximum number of sensor records to return (1-200)
Pagination offset for the sensor query
Sort expression, e.g. ‘status.asc’
Response
{
"$defs": {
"Pagination": {
"additionalProperties": false,
"description": "Pagination metadata echoed by the Falcon API (``meta.pagination``).",
"properties": {
"limit": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Limit"
},
"offset": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Offset"
},
"total": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Total"
}
},
"title": "Pagination",
"type": "object"
},
"Sensor": {
"additionalProperties": false,
"description": "A single Identity Protection sensor/device record.\n\nThe Falcon API returns a rich device object; the most commonly used\nattributes are surfaced as typed fields and the complete upstream\nrecord is preserved verbatim in ``raw`` so nothing is lost. Field\nnames mirror the documented camelCase shape; values are read\npermissively with ``.get()`` (both snake_case and camelCase keys are\nattempted at parse time).",
"properties": {
"agent_version": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Agent Version"
},
"cid": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Cid"
},
"device_id": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Device Id"
},
"heartbeat_time": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Heartbeat Time"
},
"hostname": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Hostname"
},
"idp_policy_id": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Idp Policy Id"
},
"idp_policy_name": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Idp Policy Name"
},
"ip_address": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Ip Address"
},
"kerberos_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Kerberos Config"
},
"ldap_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Ldap Config"
},
"ldaps_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Ldaps Config"
},
"machine_domain": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Machine Domain"
},
"ntlm_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Ntlm Config"
},
"os_version": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Os Version"
},
"rdp_to_dc_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Rdp To Dc Config"
},
"smb_to_dc_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Smb To Dc Config"
},
"status": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Status"
},
"status_causes": {
"items": {
"type": "string"
},
"title": "Status Causes",
"type": "array"
},
"ti_enabled": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Ti Enabled"
},
"raw": {
"additionalProperties": true,
"title": "Raw",
"type": "object"
}
},
"title": "Sensor",
"type": "object"
}
},
"additionalProperties": false,
"properties": {
"success": {
"title": "Success",
"type": "boolean"
},
"error": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Error"
},
"sensors": {
"items": {
"$ref": "#/$defs/Sensor"
},
"title": "Sensors",
"type": "array"
},
"device_ids": {
"items": {
"type": "string"
},
"title": "Device Ids",
"type": "array"
},
"count": {
"default": 0,
"title": "Count",
"type": "integer"
},
"pagination": {
"anyOf": [
{
"$ref": "#/$defs/Pagination"
},
{
"type": "null"
}
],
"default": null
}
},
"required": [
"success"
],
"title": "QuerySensorsOutput",
"type": "object"
}
get_sensor_details — Get CrowdStrike Identity Protection sensor details for one or more device IDs.
Parameters
CrowdStrike Falcon API client ID
CrowdStrike Falcon cloud region: one of ‘us-1’, ‘us-2’, ‘eu-1’, ‘us-gov-1’, ‘us-gov-2’ (Default: us-1)
List of CrowdStrike sensor device IDs (max 5000)
Response
{
"$defs": {
"Pagination": {
"additionalProperties": false,
"description": "Pagination metadata echoed by the Falcon API (``meta.pagination``).",
"properties": {
"limit": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Limit"
},
"offset": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Offset"
},
"total": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Total"
}
},
"title": "Pagination",
"type": "object"
},
"Sensor": {
"additionalProperties": false,
"description": "A single Identity Protection sensor/device record.\n\nThe Falcon API returns a rich device object; the most commonly used\nattributes are surfaced as typed fields and the complete upstream\nrecord is preserved verbatim in ``raw`` so nothing is lost. Field\nnames mirror the documented camelCase shape; values are read\npermissively with ``.get()`` (both snake_case and camelCase keys are\nattempted at parse time).",
"properties": {
"agent_version": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Agent Version"
},
"cid": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Cid"
},
"device_id": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Device Id"
},
"heartbeat_time": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Heartbeat Time"
},
"hostname": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Hostname"
},
"idp_policy_id": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Idp Policy Id"
},
"idp_policy_name": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Idp Policy Name"
},
"ip_address": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Ip Address"
},
"kerberos_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Kerberos Config"
},
"ldap_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Ldap Config"
},
"ldaps_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Ldaps Config"
},
"machine_domain": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Machine Domain"
},
"ntlm_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Ntlm Config"
},
"os_version": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Os Version"
},
"rdp_to_dc_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Rdp To Dc Config"
},
"smb_to_dc_config": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Smb To Dc Config"
},
"status": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Status"
},
"status_causes": {
"items": {
"type": "string"
},
"title": "Status Causes",
"type": "array"
},
"ti_enabled": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Ti Enabled"
},
"raw": {
"additionalProperties": true,
"title": "Raw",
"type": "object"
}
},
"title": "Sensor",
"type": "object"
}
},
"additionalProperties": false,
"properties": {
"success": {
"title": "Success",
"type": "boolean"
},
"error": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Error"
},
"sensors": {
"items": {
"$ref": "#/$defs/Sensor"
},
"title": "Sensors",
"type": "array"
},
"count": {
"default": 0,
"title": "Count",
"type": "integer"
},
"pagination": {
"anyOf": [
{
"$ref": "#/$defs/Pagination"
},
{
"type": "null"
}
],
"default": null
}
},
"required": [
"success"
],
"title": "GetSensorDetailsOutput",
"type": "object"
}
get_sensor_aggregates — Get CrowdStrike Identity Protection sensor aggregates from a JSON aggregate query body.
Parameters
CrowdStrike Falcon API client ID
CrowdStrike Falcon cloud region: one of ‘us-1’, ‘us-2’, ‘eu-1’, ‘us-gov-1’, ‘us-gov-2’ (Default: us-1)
Aggregate query body documented by CrowdStrike (fields such as field, filter, name, size, sort, type, date_ranges, ranges, extended_bounds, sub_aggregates)
Response
{
"$defs": {
"AggregateBucket": {
"additionalProperties": false,
"description": "A single bucket within an aggregate result group.",
"properties": {
"count": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Count"
},
"from_": {
"anyOf": [
{
"type": "number"
},
{
"type": "null"
}
],
"default": null,
"title": "From"
},
"key": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Key"
},
"key_as_string": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Key As String"
},
"label": {
"anyOf": [
{
"additionalProperties": true,
"type": "object"
},
{
"type": "null"
}
],
"default": null,
"title": "Label"
},
"string_from": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "String From"
},
"string_to": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "String To"
},
"sub_aggregates": {
"items": {
"additionalProperties": true,
"type": "object"
},
"title": "Sub Aggregates",
"type": "array"
},
"to": {
"anyOf": [
{
"type": "number"
},
{
"type": "null"
}
],
"default": null,
"title": "To"
},
"value": {
"anyOf": [
{
"type": "number"
},
{
"type": "null"
}
],
"default": null,
"title": "Value"
},
"value_as_string": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Value As String"
}
},
"title": "AggregateBucket",
"type": "object"
},
"AggregateResult": {
"additionalProperties": false,
"description": "One aggregate result group returned by the aggregates endpoint.",
"properties": {
"name": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Name"
},
"buckets": {
"items": {
"$ref": "#/$defs/AggregateBucket"
},
"title": "Buckets",
"type": "array"
},
"doc_count_error_upper_bound": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Doc Count Error Upper Bound"
},
"sum_other_doc_count": {
"anyOf": [
{
"type": "integer"
},
{
"type": "null"
}
],
"default": null,
"title": "Sum Other Doc Count"
}
},
"title": "AggregateResult",
"type": "object"
}
},
"additionalProperties": false,
"properties": {
"success": {
"title": "Success",
"type": "boolean"
},
"error": {
"anyOf": [
{
"type": "string"
},
{
"type": "null"
}
],
"default": null,
"title": "Error"
},
"aggregates": {
"items": {
"$ref": "#/$defs/AggregateResult"
},
"title": "Aggregates",
"type": "array"
},
"count": {
"default": 0,
"title": "Count",
"type": "integer"
}
},
"required": [
"success"
],
"title": "GetSensorAggregatesOutput",
"type": "object"
}
Limits & Quotas
- Token lifetime: Falcon OAuth2 access tokens expire after ~30 minutes; each action requests a fresh token, so no token caching is required.
- Cloud region: pick the host that matches your Falcon tenant (us-1 → api.crowdstrike.com, us-2 → api.us-2.crowdstrike.com, eu-1 → api.eu-1.crowdstrike.com, GovCloud variants for us-gov-1/us-gov-2).
- get_sensor_details accepts up to 5000 device IDs per call.
- Error model: non-2xx responses (including auth failures) and timeouts are caught and returned as success=False + error rather than raising. Plan for retries on the agent side based on the error string.
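
The limits above combine into one agent-side loop: page query_sensors 200 records at a time until pagination.total is covered, retrying only failures that look transient. This is an added example, not ModuleX or CrowdStrike code; the `query_sensors` callable, its keyword names (`filter`, `limit`, `offset`), the error-string markers and the fake action are assumptions made for illustration.

```python
import time

MAX_PAGE = 200  # query_sensors accepts a limit of 1-200
# Assumption: substrings that mark an error as worth retrying. The page does
# not document the error string format; match on what your deployment returns.
TRANSIENT_MARKERS = ("timeout", "timed out", "429", "500", "502", "503", "504")


def is_transient(error):
    return any(m in (error or "").lower() for m in TRANSIENT_MARKERS)


def fetch_all_sensors(query_sensors, fql_filter, max_retries=3, backoff=0.0):
    """Collect every sensor matching fql_filter (query_sensors is hypothetical)."""
    sensors, offset = [], 0
    while True:
        for attempt in range(max_retries + 1):
            out = query_sensors(filter=fql_filter, limit=MAX_PAGE, offset=offset)
            if out.get("success"):
                break
            # Failures arrive as success=False + error, never as exceptions.
            if not is_transient(out.get("error")) or attempt == max_retries:
                raise RuntimeError(f"query_sensors failed: {out.get('error')}")
            time.sleep(backoff * (2 ** attempt))
        page = out.get("sensors") or []
        sensors.extend(page)
        offset += len(page)
        total = (out.get("pagination") or {}).get("total")
        # Stop on an empty page, or once the reported total is covered.
        if not page or (total is not None and offset >= total):
            return sensors


def make_fake_action(fleet, fail_first_with=None):
    """Constructed stand-in for the action so the example runs offline."""
    state = {"failed": False}

    def action(filter, limit, offset):
        if fail_first_with and not state["failed"]:
            state["failed"] = True
            return {"success": False, "error": fail_first_with}
        page = fleet[offset:offset + limit]
        return {"success": True, "sensors": page, "count": len(page),
                "pagination": {"limit": limit, "offset": offset, "total": len(fleet)}}

    return action
```

Auth failures are deliberately not retried: repeating a request with a bad client secret only adds failed-login noise, so the loop surfaces the error string instead.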