Query and interact with endpoint detection and response products.
For full API documentation see the EDR API Reference.
To create an integration with the EDR connector, use the Create Integration API endpoint, using one of the provider configs below.
- CrowdStrike Falcon® Insight EDR (
edr_crowdstrike) - Microsoft Defender for Endpoint (
edr_defender) - SentinelOne Singularity™ Endpoint (
edr_sentinelone) - Sophos Endpoint (
edr_sophos) - Tanium EDR (
edr_tanium) - ThreatDown Endpoint Detection & Response (
edr_malwarebytes) - [MOCK] CrowdStrike Falcon® Insight EDR (
edr_crowdstrike_mock)
| API | CrowdStrike Insight EDR | [MOCK] CrowdStrike Insight EDR | Microsoft Defender | ThreatDown EDR | SentinelOne Endpoint | Sophos Endpoint | Tanium EDR |
|---|---|---|---|---|---|---|---|
| query_alerts | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| query_applications | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| query_edr_events | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ | ❌ |
| get_endpoint | ✅ | ✅ | ✅ | ❌ | ✅ | ✅ | ✅ |
| query_endpoints | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| create_iocs | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ |
| delete_iocs | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ |
| query_iocs | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ❌ |
| query_posture_score | ✅ | ✅ | ✅ | ❌ | ❌ | ✅ | ❌ |
| network_quarantine | ✅ | ❌ | ✅ | ✅ | ✅ | ✅ | ✅ |
| query_threatevents | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| API | CrowdStrike Insight EDR | [MOCK] CrowdStrike Insight EDR | Microsoft Defender | ThreatDown EDR | SentinelOne Endpoint | Sophos Endpoint | Tanium EDR |
|---|---|---|---|---|---|---|---|
| query_alerts | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |
| query_applications | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |
| query_edr_events | ✅ [docs] | ✅ [docs] | ❌ | ❌ | ✅ [docs] | ❌ | ❌ |
| query_endpoints | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |
| query_iocs | ✅ [docs] | ✅ [docs] | ✅ [docs] | ❌ | ✅ [docs] | ❌ | ❌ |
| query_threatevents | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |