# EDR Connector

Query and interact with endpoint detection and response products.

## API Reference

For full API documentation see the [EDR API Reference](/api-reference/connectors/edr).

To create an integration with the EDR connector, use the [Create Integration API](/api-reference/management/integrations/integrations_create) endpoint, using one of the provider configs below.

## Supported Providers

- CrowdStrike Falcon® Insight EDR (`edr_crowdstrike`)
- ESET Connect (`edr_eset_connect`)
- Iru (`edr_iru`)
- Microsoft Defender for Endpoint (`edr_defender`)
- SentinelOne Singularity™ Endpoint (`edr_sentinelone`)
- Sophos Endpoint (`edr_sophos`)
- Tanium EDR (`edr_tanium`)
- ThreatDown Endpoint Detection & Response (`edr_malwarebytes`)
- Trellix Endpoint Security (ENS) (`edr_trellix_ens`)
- Trellix ePolicy Orchestrator (`edr_trellix`)
- [MOCK] CrowdStrike Falcon® Insight EDR (`edr_crowdstrike_mock`)
## Supported Operators by Provider

| API | CrowdStrike Insight EDR | [MOCK] CrowdStrike Insight EDR | Microsoft Defender | ESET Connect | Iru | ThreatDown EDR | SentinelOne Endpoint | Sophos Endpoint | Tanium EDR | Trellix ePO | Trellix ENS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| query_alerts | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| query_applications | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
| execute_command | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| query_edr_events | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ |
| get_endpoint | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| query_endpoints | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| retrieve_file | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| create_iocs | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| delete_iocs | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| query_iocs | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| query_posture_score | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ |
| network_quarantine | ✅ | ❌ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
| create_threat_note | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| get_threat_notes | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
| query_threatevents | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
## APIs with Filters

| API | CrowdStrike Insight EDR | [MOCK] CrowdStrike Insight EDR | Microsoft Defender | ESET Connect | Iru | ThreatDown EDR | SentinelOne Endpoint | Sophos Endpoint | Tanium EDR | Trellix ePO | Trellix ENS |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| query_alerts | ✅ [[docs](/guides/connectors/edr/query-filters#crowdstrike-insight-edr-filters-for-query_alerts)] | ✅ [[docs](/guides/connectors/edr/query-filters#%5Bmock%5D-crowdstrike-insight-edr-filters-for-query_alerts)] | ✅ [[docs](/guides/connectors/edr/query-filters#microsoft-defender-filters-for-query_alerts)] | ✅ [[docs](/guides/connectors/edr/query-filters#eset-connect-filters-for-query_alerts)] | ❌ | ✅ [[docs](/guides/connectors/edr/query-filters#threatdown-edr-filters-for-query_alerts)] | ✅ [[docs](/guides/connectors/edr/query-filters#sentinelone-endpoint-filters-for-query_alerts)] | ✅ [[docs](/guides/connectors/edr/query-filters#sophos-endpoint-filters-for-query_alerts)] | ✅ [[docs](/guides/connectors/edr/query-filters#tanium-edr-filters-for-query_alerts)] | ✅ [[docs](/guides/connectors/edr/query-filters#trellix-epo-filters-for-query_alerts)] | ❌ |
| query_applications | ✅ [[docs](/guides/connectors/edr/query-filters#crowdstrike-insight-edr-filters-for-query_applications)] | ✅ [[docs](/guides/connectors/edr/query-filters#%5Bmock%5D-crowdstrike-insight-edr-filters-for-query_applications)] | ✅ [[docs](/guides/connectors/edr/query-filters#microsoft-defender-filters-for-query_applications)] | ❌ | ❌ | ✅ [[docs](/guides/connectors/edr/query-filters#threatdown-edr-filters-for-query_applications)] | ✅ [[docs](/guides/connectors/edr/query-filters#sentinelone-endpoint-filters-for-query_applications)] | ✅ [[docs](/guides/connectors/edr/query-filters#sophos-endpoint-filters-for-query_applications)] | ✅ [[docs](/guides/connectors/edr/query-filters#tanium-edr-filters-for-query_applications)] | ❌ | ❌ |
| query_edr_events | ✅ [[docs](/guides/connectors/edr/query-filters#crowdstrike-insight-edr-filters-for-query_edr_events)] | ✅ [[docs](/guides/connectors/edr/query-filters#%5Bmock%5D-crowdstrike-insight-edr-filters-for-query_edr_events)] | ✅ [[docs](/guides/connectors/edr/query-filters#microsoft-defender-filters-for-query_edr_events)] | ❌ | ❌ | ❌ | ✅ [[docs](/guides/connectors/edr/query-filters#sentinelone-endpoint-filters-for-query_edr_events)] | ❌ | ❌ | ❌ | ✅ [[docs](/guides/connectors/edr/query-filters#trellix-ens-filters-for-query_edr_events)] |
| query_endpoints | ✅ [[docs](/guides/connectors/edr/query-filters#crowdstrike-insight-edr-filters-for-query_endpoints)] | ✅ [[docs](/guides/connectors/edr/query-filters#%5Bmock%5D-crowdstrike-insight-edr-filters-for-query_endpoints)] | ✅ [[docs](/guides/connectors/edr/query-filters#microsoft-defender-filters-for-query_endpoints)] | ✅ [[docs](/guides/connectors/edr/query-filters#eset-connect-filters-for-query_endpoints)] | ✅ [[docs](/guides/connectors/edr/query-filters#iru-filters-for-query_endpoints)] | ✅ [[docs](/guides/connectors/edr/query-filters#threatdown-edr-filters-for-query_endpoints)] | ✅ [[docs](/guides/connectors/edr/query-filters#sentinelone-endpoint-filters-for-query_endpoints)] | ✅ [[docs](/guides/connectors/edr/query-filters#sophos-endpoint-filters-for-query_endpoints)] | ✅ [[docs](/guides/connectors/edr/query-filters#tanium-edr-filters-for-query_endpoints)] | ✅ [[docs](/guides/connectors/edr/query-filters#trellix-epo-filters-for-query_endpoints)] | ✅ [[docs](/guides/connectors/edr/query-filters#trellix-ens-filters-for-query_endpoints)] |
| query_iocs | ✅ [[docs](/guides/connectors/edr/query-filters#crowdstrike-insight-edr-filters-for-query_iocs)] | ✅ [[docs](/guides/connectors/edr/query-filters#%5Bmock%5D-crowdstrike-insight-edr-filters-for-query_iocs)] | ✅ [[docs](/guides/connectors/edr/query-filters#microsoft-defender-filters-for-query_iocs)] | ❌ | ❌ | ❌ | ✅ [[docs](/guides/connectors/edr/query-filters#sentinelone-endpoint-filters-for-query_iocs)] | ❌ | ❌ | ❌ | ❌ |
| query_threatevents | ✅ [[docs](/guides/connectors/edr/query-filters#crowdstrike-insight-edr-filters-for-query_threatevents)] | ✅ [[docs](/guides/connectors/edr/query-filters#%5Bmock%5D-crowdstrike-insight-edr-filters-for-query_threatevents)] | ✅ [[docs](/guides/connectors/edr/query-filters#microsoft-defender-filters-for-query_threatevents)] | ❌ | ❌ | ✅ [[docs](/guides/connectors/edr/query-filters#threatdown-edr-filters-for-query_threatevents)] | ✅ [[docs](/guides/connectors/edr/query-filters#sentinelone-endpoint-filters-for-query_threatevents)] | ✅ [[docs](/guides/connectors/edr/query-filters#sophos-endpoint-filters-for-query_threatevents)] | ✅ [[docs](/guides/connectors/edr/query-filters#tanium-edr-filters-for-query_threatevents)] | ✅ [[docs](/guides/connectors/edr/query-filters#trellix-epo-filters-for-query_threatevents)] | ✅ [[docs](/guides/connectors/edr/query-filters#trellix-ens-filters-for-query_threatevents)] |