Skip to content

Incidents

Joshua Hiller edited this page Dec 8, 2024 · 29 revisions

CrowdStrike Falcon CrowdStrike Subreddit

Using the Incidents service collection

Uber class support Service class support Documentation Version Page Updated Samples Available

This service collection has code examples posted to the repository.

Table of Contents

Operation ID Description
CrowdScore
PEP 8 crowdscore
Query environment wide CrowdScore and return the entity data.
GetBehaviors
PEP 8 get_behaviors
Get details on behaviors by providing behavior IDs.
PerformIncidentAction
PEP 8 perform_incident_action
Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description.
GetIncidents
PEP 8 get_incidents
Get details on incidents by providing incident IDs.
QueryBehaviors
PEP 8 query_behaviors
Search for behaviors by providing a FQL filter, sorting, and paging details.
QueryIncidents
PEP 8 query_incidents
Search for incidents by providing a FQL filter, sorting, and paging details.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

CrowdScore

Query environment wide CrowdScore and return the entity data

PEP8 method name

crowdscore

Endpoint

Method Route
GET /incidents/combined/crowdscores/v1

Required Scope

incidents:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL Syntax formatted string used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return.

(Max: 2500)
offset
Service Class Support

Uber Class Support
query integer Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: modified_timestamp.desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.crowdscore(filter="string",
                             offset="string",
                             limit=integer,
                             sort="string"
                             )
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.CrowdScore(filter="string",
                             offset="string",
                             limit=integer,
                             sort="string"
                             )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("CrowdScore",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

GetBehaviors

Get details on behaviors by providing behavior IDs

PEP8 method name

get_behaviors

Endpoint

Method Route
POST /incidents/entities/behaviors/GET/v1

Required Scope

incidents:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
ids
Service Class Support

Uber Class Support
body string or list of strings Behavior ID(s) to retrieve.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_behaviors(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetBehaviors(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetBehaviors", body=BODY)
print(response)

PerformIncidentAction

Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description

PEP8 method name

perform_incident_action

Endpoint

Method Route
POST /incidents/entities/incident-actions/v1

Required Scope

incidents:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
action_parameters
Service Class Support

Uber Class Support
body list of dictionaries Action specific parameters. Not required.
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
add_comment
Service Class Support

Uber Class Support
body
action_parameters
string Adds the associated value as a new comment on all the incidents in the ids list. Overridden if action_parameters is specified.
add_tag
Service Class Support

Uber Class Support
body
action_parameters
string, comma delimited string, list of strings Adds the associated value as a new tag on all the incidents of the ids list. Overridden if action_parameters is specified. Multiple values may be provided.
delete_tag
Service Class Support

Uber Class Support
body
action_parameters
string, comma delimited string, list of strings Deletes tags matching the value from all the incidents in the ids list. Overridden if action_parameters is specified. Multiple values may be provided.
ids
Service Class Support

Uber Class Support
body string or list of strings Incident ID(s) to perform the action against.
overwrite_detects
Service Class Support

Uber Class Support
query boolean If True and update_detects is also True, the assigned_to_uuid or status for ALL detections associated with the incident(s) will be overwritten. If False, only detects that have default values for assigned_to_uuid and/or status will be updated. Ignored if update_detects is missing or False. Defaults to False.
update_detects
Service Class Support

Uber Class Support
query boolean If True, update assigned_to_uuid and or status of detections associated with the incident(s). Defaults to False.
unassign
Service Class Support

Uber Class Support
body
action_parameters
boolean Unassigns all users from all of the incidents in the ids list. Overridden if action_parameters is specified.
update_name
Service Class Support

Uber Class Support
body
action_parameters
string Updates the name to the parameter value of all the incidents in the ids list. Overridden if action_parameters is specified.
update_assigned_to_v2
Service Class Support

Uber Class Support
body
action_parameters
string (UUID) Assigns the user matching the UUID in the parameter value to all of the incidents in the ids list. For information on getting the UUID of a user, see Find existing users. Overridden if action_parameters is specified.
update_description
Service Class Support

Uber Class Support
body
action_parameters
string Updates the description to the parameter value of all the incidents listed in the ids list. Overridden if action_parameters is specified.
update_status
Service Class Support

Uber Class Support
body
action_parameters
string (Integer) Updates the status to the parameter value of all the incidents in the ids list. Valid status values are 20, 25, 30, or 40:
  • 20: New
  • 25: Reopened
  • 30: In Progress
  • 40: Closed
Overridden if action_parameters is specified.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

act_params = [{
    "name": "string",
    "value": "string"
}]

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.perform_incident_action(action_parameters=act_params,
                                          add_comment="string",
                                          add_tag="string",
                                          delete_tag="string",
                                          ids=id_list,
                                          update_detects=boolean,
                                          update_name="string"
                                          update_assigned_to_v2="string",
                                          update_description="string",
                                          update_status="string",
                                          unassign=boolean,
                                          overwrite_detects=boolean
                                          )

print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

act_params = [{
    "name": "string",
    "value": "string"
}]

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.PerformIncidentAction(action_parameters=act_params,
                                        add_comment="string",
                                        add_tag="string",
                                        delete_tag="string",
                                        ids=id_list,
                                        update_detects=boolean,
                                        update_name="string"
                                        update_assigned_to_v2="string",
                                        update_description="string",
                                        update_status="string",
                                        unassign=boolean,
                                        overwrite_detects=boolean
                                        )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
act_params = [{
    "name": "string",
    "value": "string"
}]

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "action_parameters": act_params,
    "ids": id_list
}

response = falcon.command("PerformIncidentAction",
                          update_detects=boolean,
                          overwrite_detects=boolean,
                          body=BODY
                          )

print(response)

GetIncidents

Get details on incidents by providing incident IDs

PEP8 method name

get_incidents

Endpoint

Method Route
POST /incidents/entities/incidents/GET/v1

Required Scope

incidents:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
ids
Service Class Support

Uber Class Support
body string or list of strings Incident ID(s) to retrieve.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_incidents(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIncidents(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetIncidents", body=BODY)
print(response)

QueryBehaviors

Search for behaviors by providing a FQL filter, sorting, and paging details

PEP8 method name

query_behaviors

Endpoint

Method Route
GET /incidents/queries/behaviors/v1

Required Scope

incidents:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL Syntax formatted string used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return.

(Max: 500)
offset
Service Class Support

Uber Class Support
query integer Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: modified_timestamp.desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_behaviors(filter="string",
                                  offset="string",
                                  limit=integer,
                                  sort="string"
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.QueryBehaviors(filter="string",
                                 offset="string",
                                 limit=integer,
                                 sort="string"
                                 )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryBehaviors",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

QueryIncidents

Search for incidents by providing a FQL filter, sorting, and paging details

PEP8 method name

query_incidents

Endpoint

Method Route
GET /incidents/queries/incidents/v1

Required Scope

incidents:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL Syntax formatted string used to limit the results.

Review the following table for a complete list of available filters.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return.

(Max: 500)
offset
Service Class Support

Uber Class Support
query integer Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: modified_timestamp.desc)
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.
Available filters

For more detail regarding filters and their usage, please review the Falcon Query Language documentation.

Name Description Example
host_ids The device IDs of all the hosts on which the incident occurred. 9a07d39f8c9f430eb3e474d1a0c16ce9
lm_host_ids If lateral movement has occurred, this field shows the remote device IDs of the hosts on which the lateral movement occurred. c4e9e4643999495da6958ea9f21ee597
lm_hosts_capped Indicates that the list of lateral movement hosts has been truncated. The limit is 15 hosts. True
name The name of the incident. Initially the name is assigned by CrowdScore, but it can be updated through the API. Incident on DESKTOP-27LTE3R at 2019-12-20T19:56:16Z
description The description of the incident. Initially the description is assigned by CrowdScore, but it can be updated through the API. Objectives in this incident: Keep Access.
Techniques: Masquerading.
Involved hosts and end users: DESKTOP-27LTE3R, DESKTOP-27LTE3R$.
users The usernames of the accounts associated with the incident. someuser
tags Tags associated with the incident. CrowdScore will assign an initial set of tags, but tags can be added or removed through the API. Objective/Keep Access
fine_score The incident score. Divide the integer by 10 to match the displayed score for the incident. 56
start The recorded time of the earliest behavior. 2017-01-31T22:36:11Z
end The recorded time of the latest behavior. 2017-01-31T22:36:11Z
assigned_to_name The name of the user the incident is assigned to.
state The incident state: “open” or “closed” open
status The incident status as a number:
  • 20: New
  • 25: Reopened
  • 30: In Progress
  • 40: Closed
20
modified_timestamp The most recent time a user has updated the incident. 2021-02-04T05:57:04Z

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_incidents(sort="string",
                                  filter="string",
                                  offset="string",
                                  limit=integer
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.QueryIncidents(sort="string",
                                 filter="string",
                                 offset="string",
                                 limit=integer
                                 )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIncidents",
                          sort="string",
                          filter="string",
                          offset="string",
                          limit=integer
                          )
print(response)

CrowdStrike Falcon

Clone this wiki locally