Update README.md

splunk-soar-connectors · Dec 9, 2024 · 5a18979 · 5a18979
1 parent 9f3cd27
commit 5a18979
Showing 1 changed file with 40 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -401,18 +401,18 @@ default ports used by Splunk SOAR.
         -   Updated name from 'lastName' to 'last_name'
 
 
-### Configuration Variables
-The below configuration variables are required for this Connector to operate.  These variables are specified when configuring a CrowdStrike asset in SOAR.
+### Configuration variables
+This table lists the configuration variables required to operate CrowdStrike OAuth API. These variables are specified when configuring a CrowdStrike asset in Splunk SOAR.
 
 VARIABLE | REQUIRED | TYPE | DESCRIPTION
 -------- | -------- | ---- | -----------
 **url** |  required  | string | Base URL
-**place_holder** |  optional  | ph | Placeholder
 **client_id** |  required  | password | Client ID
 **client_secret** |  required  | password | Client Secret
 **app_id** |  optional  | string | App ID
 **max_events** |  optional  | numeric | Maximum events to get for scheduled and interval polling
 **max_events_poll_now** |  optional  | numeric | Maximum events to get while POLL NOW
+**ingest_incidents** |  optional  | boolean | Should ingest incidents in addition to detections during scheduled and interval polling
 **collate** |  optional  | boolean | Merge containers for hostname and eventname
 **merge_time_interval** |  optional  | numeric | Merge same containers within specified seconds
 **max_crlf** |  optional  | numeric | Maximum allowed continuous blank lines
@@ -421,6 +421,7 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 
 ### Supported Actions  
 [test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity. This action logs into the site to check the connection and credentials  
+[run query](#action-run-query) - Run a query against CrowdStrike API  
 [query device](#action-query-device) - Fetch the device details based on the provided query  
 [list groups](#action-list-groups) - Fetch the details of the host groups  
 [quarantine device](#action-quarantine-device) - Block the device  
@@ -495,6 +496,40 @@ No parameters are required for this action
 #### Action Output
 No Output  
 
+## action: 'run query'
+Run a query against CrowdStrike API
+
+Type: **investigate**  
+Read only: **True**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**endpoint** |  required  | API endpoint path in the format: /<service>/queries/<resource>/<version> (ex: /devices/queries/devices/v1) | string | 
+**limit** |  optional  | Maximum number of results to return | numeric | 
+**filter** |  optional  | Filter expression (FQL Syntax) | string | 
+**sort** |  optional  | Property to sort by | string | 
+**offset** |  optional  | Starting index for results | numeric | 
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string |  |  
+action_result.parameter.endpoint | string |  |  
+action_result.parameter.limit | numeric |  |  
+action_result.parameter.filter | string |  |  
+action_result.parameter.sort | string |  |  
+action_result.parameter.offset | numeric |  |  
+action_result.data.\*.resource_id | string |  |  
+action_result.summary.total_objects | numeric |  |  
+action_result.summary.total_count | numeric |  |  
+action_result.summary.offset | numeric |  |  
+action_result.summary.limit | numeric |  |  
+action_result.summary.query_time | numeric |  |  
+action_result.summary.powered_by | string |  |  
+action_result.summary.trace_id | string |  |  
+action_result.message | string |  |    
+
 ## action: 'query device'
 Fetch the device details based on the provided query
 
@@ -788,12 +823,14 @@ Read only: **False**
 PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
 --------- | -------- | ----------- | ---- | --------
 **device_id** |  required  | Device ID for session to be created | string |  `crowdstrike device id` 
+**queue_offline** |  optional  | Queue commands for offline devices, will execute when system comes back online | boolean | 
 
 #### Action Output
 DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
 --------- | ---- | -------- | --------------
 action_result.status | string |  |   success  failed 
 action_result.parameter.device_id | string |  `crowdstrike device id`  |   07c312fabcb8473454d0a16f118928ab 
+action_result.parameter.queue_offline | boolean |  |  
 action_result.data.\*.errors | string |  |  
 action_result.data.\*.meta.powered_by | string |  |   empower-api 
 action_result.data.\*.meta.query_time | numeric |  |   5.917429897