CrowdStrike_OAuth_API_File_Collection.yml
name: CrowdStrike OAuth API File Collection
id: 2296ce3f-171f-467f-8025-f046f5d59133
version: 1
date: '2025-06-09'
author: Christian Cloutier, Splunk
type: Investigation
description: "Accepts a hostname or device id as well as a file path as input and collects the file to the event File Vault from a device in CrowdStrike. An artifact is created from the collected file. We then generate an observable report as well as a Markdown formatted report. Both reports can be customized based on user preference."
playbook: CrowdStrike_OAuth_API_File_Collection
how_to_implement: This input playbook requires the CrowdStrike OAuth API connector to be configured. It is designed to work with an endpoint hostname or agent id and collect a specific file from the endpoint (using an absolute path) for forensics or later use in automation playbooks.
references: []
app_list:
  - CrowdStrike OAuth API
tags:
  platform_tags:
    - "host name"
    - "device id"
    - "path"
    - "File Collection"
    - "D3-FA"
    - "CrowdStrike_OAuth_API"
  playbook_type: Input
  vpe_type: Modern
  playbook_fields: [device, path]
  product:
    - Splunk SOAR
  use_cases:
    - Collection
    - Malware
    - Endpoint
  defend_technique_id:
    - D3-FA