Incidents - CrowdStrike/falconpy GitHub Wiki
This service collection has code examples posted to the repository.
| Operation ID | Description | ||||
|---|---|---|---|---|---|
|
Query environment wide CrowdScore and return the entity data. | ||||
|
Get details on behaviors by providing behavior IDs. | ||||
|
Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description. | ||||
|
Get details on incidents by providing incident IDs. | ||||
|
Search for behaviors by providing a FQL filter, sorting, and paging details. | ||||
|
Search for incidents by providing a FQL filter, sorting, and paging details. | ||||
WARNING
client_idandclient_secretare keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Query environment wide CrowdScore and return the entity data
crowdscore
| Method | Route |
|---|---|
 |
/incidents/combined/crowdscores/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter |
 |
|
query | string | FQL Syntax formatted string used to limit the results. |
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 2500) |
| offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
| sort |
|
|
query | string | The property to sort by. (Ex: modified_timestamp.desc) |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.crowdscore(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.CrowdScore(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("CrowdScore",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)Get details on behaviors by providing behavior IDs
get_behaviors
| Method | Route |
|---|---|
 |
/incidents/entities/behaviors/GET/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
 |
body | dictionary | Full body payload in JSON format. |
| ids |
|
 |
body | string or list of strings | Behavior ID(s) to retrieve. |
from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_behaviors(ids=id_list)
print(response)from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetBehaviors(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
BODY = {
"ids": id_list
}
response = falcon.command("GetBehaviors", body=BODY)
print(response)Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description
perform_incident_action
| Method | Route |
|---|---|
|
/incidents/entities/incident-actions/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| action_parameters |
|
|
body | list of dictionaries | Action specific parameters. Not required. |
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| add_comment |
|
|
body action_parameters |
string | Adds the associated value as a new comment on all the incidents in the ids list. Overridden if action_parameters is specified. |
| add_tag |
|
|
body action_parameters |
string, comma delimited string, list of strings | Adds the associated value as a new tag on all the incidents of the ids list. Overridden if action_parameters is specified. Multiple values may be provided. |
| delete_tag |
|
|
body action_parameters |
string, comma delimited string, list of strings | Deletes tags matching the value from all the incidents in the ids list. Overridden if action_parameters is specified. Multiple values may be provided. |
| ids |
|
|
body | string or list of strings | Incident ID(s) to perform the action against. |
| overwrite_detects |
|
|
query | boolean | If True and update_detects is also True, the assigned_to_uuid or status for ALL detections associated with the incident(s) will be overwritten. If False, only detects that have default values for assigned_to_uuid and/or status will be updated. Ignored if update_detects is missing or False. Defaults to False. |
| update_detects |
|
|
query | boolean | If True, update assigned_to_uuid and or status of detections associated with the incident(s). Defaults to False. |
| unassign |
|
|
body action_parameters |
boolean | Unassigns all users from all of the incidents in the ids list. Overridden if action_parameters is specified. |
| update_name |
|
|
body action_parameters |
string | Updates the name to the parameter value of all the incidents in the ids list. Overridden if action_parameters is specified. |
| update_assigned_to_v2 |
|
|
body action_parameters |
string (UUID) | Assigns the user matching the UUID in the parameter value to all of the incidents in the ids list. For information on getting the UUID of a user, see Find existing users. Overridden if action_parameters is specified. |
| update_description |
|
|
body action_parameters |
string | Updates the description to the parameter value of all the incidents listed in the ids list. Overridden if action_parameters is specified. |
| update_status |
|
|
body action_parameters |
string (Integer) | Updates the status to the parameter value of all the incidents in the ids list. Valid status values are 20, 25, 30, or 40:
action_parameters is specified. |
from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
act_params = [{
"name": "string",
"value": "string"
}]
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.perform_incident_action(action_parameters=act_params,
add_comment="string",
add_tag="string",
delete_tag="string",
ids=id_list,
update_detects=boolean,
update_name="string"
update_assigned_to_v2="string",
update_description="string",
update_status="string",
unassign=boolean,
overwrite_detects=boolean
)
print(response)from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
act_params = [{
"name": "string",
"value": "string"
}]
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.PerformIncidentAction(action_parameters=act_params,
add_comment="string",
add_tag="string",
delete_tag="string",
ids=id_list,
update_detects=boolean,
update_name="string"
update_assigned_to_v2="string",
update_description="string",
update_status="string",
unassign=boolean,
overwrite_detects=boolean
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
act_params = [{
"name": "string",
"value": "string"
}]
id_list = ['ID1', 'ID2', 'ID3']
BODY = {
"action_parameters": act_params,
"ids": id_list
}
response = falcon.command("PerformIncidentAction",
update_detects=boolean,
overwrite_detects=boolean,
body=BODY
)
print(response)Get details on incidents by providing incident IDs
get_incidents
| Method | Route |
|---|---|
|
/incidents/entities/incidents/GET/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body |
|
|
body | dictionary | Full body payload in JSON format. |
| ids |
|
|
body | string or list of strings | Incident ID(s) to retrieve. |
from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_incidents(ids=id_list)
print(response)from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetIncidents(ids=id_list)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = ['ID1', 'ID2', 'ID3']
BODY = {
"ids": id_list
}
response = falcon.command("GetIncidents", body=BODY)
print(response)Search for behaviors by providing a FQL filter, sorting, and paging details
query_behaviors
| Method | Route |
|---|---|
|
/incidents/queries/behaviors/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter |
|
|
query | string | FQL Syntax formatted string used to limit the results. |
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 500) |
| offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
| sort |
|
|
query | string | The property to sort by. (Ex: modified_timestamp.desc) |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_behaviors(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryBehaviors(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryBehaviors",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)Search for incidents by providing a FQL filter, sorting, and paging details
query_incidents
| Method | Route |
|---|---|
|
/incidents/queries/incidents/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter |
|
|
query | string |
FQL Syntax formatted string used to limit the results. Review the following table for a complete list of available filters. |
| limit |
|
|
query | integer | Maximum number of records to return. (Max: 500) |
| offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
| sort |
|
|
query | string | The property to sort by. (Ex: modified_timestamp.desc) |
| parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
For more detail regarding filters and their usage, please review the Falcon Query Language documentation.
| Name | Description | Example |
|---|---|---|
| host_ids | The device IDs of all the hosts on which the incident occurred. | 9a07d39f8c9f430eb3e474d1a0c16ce9 |
| lm_host_ids | If lateral movement has occurred, this field shows the remote device IDs of the hosts on which the lateral movement occurred. | c4e9e4643999495da6958ea9f21ee597 |
| lm_hosts_capped | Indicates that the list of lateral movement hosts has been truncated. The limit is 15 hosts. | True |
| name | The name of the incident. Initially the name is assigned by CrowdScore, but it can be updated through the API. | Incident on DESKTOP-27LTE3R at 2019-12-20T19:56:16Z |
| description | The description of the incident. Initially the description is assigned by CrowdScore, but it can be updated through the API. | Objectives in this incident: Keep Access.Techniques: Masquerading.Involved hosts and end users: DESKTOP-27LTE3R, DESKTOP-27LTE3R$. |
| users | The usernames of the accounts associated with the incident. | someuser |
| tags | Tags associated with the incident. CrowdScore will assign an initial set of tags, but tags can be added or removed through the API. | Objective/Keep Access |
| fine_score | The incident score. Divide the integer by 10 to match the displayed score for the incident. | 56 |
| start | The recorded time of the earliest behavior. | 2017-01-31T22:36:11Z |
| end | The recorded time of the latest behavior. | 2017-01-31T22:36:11Z |
| assigned_to_name | The name of the user the incident is assigned to. | |
| state | The incident state: “open” or “closed” | open |
| status | The incident status as a number:
|
20 |
| modified_timestamp | The most recent time a user has updated the incident. | 2021-02-04T05:57:04Z |
from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_incidents(sort="string",
filter="string",
offset="string",
limit=integer
)
print(response)from falconpy import Incidents
# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryIncidents(sort="string",
filter="string",
offset="string",
limit=integer
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryIncidents",
sort="string",
filter="string",
offset="string",
limit=integer
)
print(response)