Parameters
| Parameter | Description |
|---|---|
| Detection ID | The ID of the detection to fetch, in the form shown under `detection_id` in the example output below (`ldt:<cid>:<number>`). You can find the detection ID in the Endpoint Detections page. |
Example Output
{ "meta": { "query_time": 0.002676577, "powered_by": "legacy-detects", "trace_id": "400000-0000-00000-000-000" }, "resources": [ { "cid": "0000000000011112222333333", "created_timestamp": "2022-10-30T19:02:19.99957614Z", "detection_id": "ldt:0000000000011112222333333:1234567", "device": { "device_id": "0000000000011112222333333", "cid": "0000000000011112222333333", "agent_load_flags": "0", "agent_local_time": "2022-10-30T01:06:40.420Z", "agent_version": "0.00.00000.0", "bios_manufacturer": "Parallels Software International Inc.", "bios_version": "00.0.0 (00000)", "config_id_base": "00000000", "config_id_build": "00000", "config_id_platform": "8", "external_ip": "203.0.113.250", "hostname": "parallels-Parallels-Virtual-Platform", "first_seen": "2022-10-29T22:01:17Z", "last_seen": "2022-10-30T19:01:28Z", "local_ip": "00.00.00.0", "mac_address": "00-00-00-00-00-00", "major_version": "5", "minor_version": "15", "os_version": "Ubuntu 22.04", "platform_id": "3", "platform_name": "Linux", "product_type_desc": "Server", "status": "normal", "system_manufacturer": "Parallels Software International Inc.", "system_product_name": "Parallels Virtual Platform", "tags": [ "FalconGroupingTags/office" ], "modified_timestamp": "2022-10-30T19:01:29Z" }, "behaviors": [ { "device_id": "0000000000011112222333333", "timestamp": "2022-10-30T19:00:58Z", "behavior_id": "000", "filename": "cmdline.doc", "filepath": "/home/parallels/Desktop/cmdline.doc", "alleged_filetype": "doc", "cmdline": "./cmdline.doc", "scenario": "suspicious_activity", "objective": "Keep Access", "tactic": "Defense Evasion", "tactic_id": "TA000000", "technique": "Masquerading", "technique_id": "T1036", "display_name": "FalseExecutableExtension", "description": "An executable was run with a contradicting file extension", "severity": 50, "confidence": 50, "ioc_type": "", "ioc_value": "", "ioc_source": "", "ioc_description": "", "user_name": "", "user_id": "1000", "control_graph_id": 
"ctg:0000000011111122222333333434444455555666666:111222", "triggering_process_graph_id": "pid:0000000011111122222333333434444455555666666:111222333", "sha256": "0000000011111122222333333434444455555666666", "md5": "0000000011111122222333333434444455555666666", "parent_details": { "parent_sha256": "0000000011111122222333333434444455555666666", "parent_md5": "0000000011111122222333333434444455555666666", "parent_cmdline": "bash", "parent_process_graph_id": "pid:0000000000000000:123456789" }, "pattern_disposition": 272, "pattern_disposition_details": { "indicator": false, "detect": false, "inddet_mask": false, "sensor_only": false, "rooting": false, "kill_process": true, "kill_subprocess": false, "quarantine_machine": false, "quarantine_file": false, "policy_disabled": true, "kill_parent": false, "operation_blocked": false, "process_blocked": false, "registry_operation_blocked": false, "critical_process_disabled": false, "bootup_safeguard_enabled": false, "fs_operation_blocked": false, "handle_operation_downgraded": false, "kill_action_failed": false, "blocking_unsupported_or_disabled": false, "suspend_process": false, "suspend_parent": false } } ], "email_sent": true, "first_behavior": "2022-10-30T19:00:58Z", "last_behavior": "2022-10-30T19:00:58Z", "max_confidence": 50, "max_severity": 50, "max_severity_displayname": "Medium", "show_in_ui": true, "status": "new", "hostinfo": { "domain": "" }, "seconds_to_triaged": 0, "seconds_to_resolved": 0, "behaviors_processed": [ "pid:00000000000:0000000000" ], "date_updated": "2022-10-30T19:02:27Z" } ], "errors": []}