EDR Connector
Query and interact with endpoint detection and response products.
API Reference
For full API documentation see the EDR API Reference.
To create an integration with the EDR connector, use the Create Integration API endpoint, using one of the provider configs below.
Supported Providers
- CrowdStrike Falcon® Insight EDR (
edr_crowdstrike) - Microsoft Defender for Endpoint (
edr_defender) - SentinelOne Singularity™ Endpoint (
edr_sentinelone) - Sophos Endpoint (
edr_sophos) - ThreatDown Endpoint Detection & Response (
edr_malwarebytes)
Supported Operators by Provider
| API | CrowdStrike Insight EDR | Microsoft Defender | ThreatDown EDR | SentinelOne Endpoint | Sophos Endpoint |
|---|---|---|---|---|---|
| query_alerts | ✅ | ✅ | ✅ | ✅ | ✅ |
| query_applications | ✅ | ✅ | ✅ | ✅ | ✅ |
| query_edr_events | ❌ | ❌ | ❌ | ✅ | ❌ |
| get_endpoint | ✅ | ✅ | ❌ | ✅ | ✅ |
| query_endpoints | ✅ | ✅ | ✅ | ✅ | ✅ |
| create_iocs | ✅ | ✅ | ❌ | ✅ | ❌ |
| delete_iocs | ✅ | ✅ | ❌ | ✅ | ❌ |
| query_iocs | ✅ | ✅ | ❌ | ✅ | ❌ |
| query_posture_score | ✅ | ✅ | ❌ | ❌ | ✅ |
| network_quarantine | ✅ | ✅ | ✅ | ✅ | ✅ |
| query_threatevents | ✅ | ✅ | ✅ | ✅ | ✅ |
APIs with Filters
| API | CrowdStrike Insight EDR | Microsoft Defender | ThreatDown EDR | SentinelOne Endpoint | Sophos Endpoint |
|---|---|---|---|---|---|
| query_alerts | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |
| query_applications | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |
| query_edr_events | ❌ | ❌ | ❌ | ✅ [docs] | ❌ |
| query_endpoints | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |
| query_iocs | ✅ [docs] | ✅ [docs] | ❌ | ✅ [docs] | ❌ |
| query_threatevents | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |