Skip to content

CrowdStrike Falcon (EDR)

pip install "tulip-integrations[edr-crowdstrike]"
Env CROWDSTRIKE_URL · CROWDSTRIKE_TOKEN (aliases FALCON_URL · FALCON_TOKEN)
Import from tulip_integrations.edr.crowdstrike import CrowdStrikeEndpoint, crowdstrike_adapter
Provider CrowdStrikeEndpointSecurityContext(endpoint=CrowdStrikeEndpoint())
Tools cs_host_timeline(host, window) · cs_detections(host=None) · cs_isolate(host_id) ⚠️ write
Adapter crowdstrike_adapter()SecurityAdapter
from tulip.security import SecurityContext
from tulip_integrations.edr.crowdstrike import CrowdStrikeEndpoint

ctx = SecurityContext(endpoint=CrowdStrikeEndpoint())
await ctx.endpoint.get_host("WIN-ABC", window="24h")   # host device record (live)
await ctx.endpoint.detections()                         # open detections (live)

On the live path get_host queries Falcon's device-entity endpoint (/devices/entities/devices/v2) and returns the raw device record; the richer process/network/file forensic timeline is what the bundled offline sample returns. detections lists open detections — on the live path it queries the detect-IDs endpoint and the host filter is offline-only (the live call ignores it). cs_isolate network-contains a host — a write, so gate it through ctx.actions / approve() first. Passes tulip.security.testing conformance.

cs_isolate is a real action

Network-containment cuts a host off the network. It's marked idempotent and must be approval-gated in agentic use.

Credentials

Set CROWDSTRIKE_URL / CROWDSTRIKE_TOKEN (or the FALCON_* aliases) to run it against your Falcon tenant. Adjust the path/fields per deployment.

Integrations overview · SecurityContext