EDR Connector
Query and interact with endpoint detection and response products.
API Reference
For full API documentation see the EDR API Reference.
To create an integration with the EDR connector, use the Create Integration API endpoint, using one of the provider configs below.
Supported Providers
- CrowdStrike Falcon® Insight EDR (
edr_crowdstrike) - Malwarebytes EDR (
edr_malwarebytes) - Microsoft Defender for Endpoint (
edr_defender) - SentinelOne Singularity™ Endpoint (
edr_sentinelone) - Sophos EDR (
edr_sophos)
Supported Operators by Provider
| API | CrowdStrike EDR | Defender EDR | Malwarebytes EDR | SentinelOne EDR | Sophos EDR |
|---|---|---|---|---|---|
| query_alerts | ✅ | ✅ | ✅ | ✅ | ✅ |
| query_applications | ✅ | ✅ | ✅ | ✅ | ✅ |
| get_endpoint | ✅ | ✅ | ❌ | ✅ | ✅ |
| query_endpoints | ✅ | ✅ | ✅ | ✅ | ✅ |
| create_iocs | ✅ | ✅ | ❌ | ✅ | ❌ |
| delete_iocs | ✅ | ✅ | ❌ | ✅ | ❌ |
| query_iocs | ✅ | ✅ | ❌ | ✅ | ❌ |
| query_posture_score | ✅ | ✅ | ❌ | ❌ | ✅ |
| network_quarantine | ✅ | ✅ | ✅ | ✅ | ✅ |
| query_threatevents | ✅ | ✅ | ✅ | ✅ | ✅ |
APIs with Filters
| API | CrowdStrike EDR | Defender EDR | Malwarebytes EDR | SentinelOne EDR | Sophos EDR |
|---|---|---|---|---|---|
| query_alerts | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |
| query_applications | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |
| query_endpoints | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |
| query_iocs | ✅ [docs] | ✅ [docs] | ❌ | ✅ [docs] | ❌ |
| query_threatevents | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] | ✅ [docs] |