
Using the Incidents service collection


This service collection has code examples posted to the repository.

Table of Contents

| Operation ID | PEP 8 method name | Description |
| --- | --- | --- |
| CrowdScore | crowdscore | Query environment wide CrowdScore and return the entity data. |
| GetBehaviors | get_behaviors | Get details on behaviors by providing behavior IDs. |
| PerformIncidentAction | perform_incident_action | Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description. |
| GetIncidents | get_incidents | Get details on incidents by providing incident IDs. |
| QueryBehaviors | query_behaviors | Search for behaviors by providing a FQL filter, sorting, and paging details. |
| QueryIncidents | query_incidents | Search for incidents by providing a FQL filter, sorting, and paging details. |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. None of the examples below hard codes these values; they are ingested as strings (for example, from environment variables or a secrets manager).

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

CrowdScore

Query environment wide CrowdScore and return the entity data

PEP8 method name

crowdscore

Endpoint

| Method | Route |
| --- | --- |
| GET | /incidents/combined/crowdscores/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | ✓ | ✓ | query | string | FQL Syntax formatted string used to limit the results. |
| limit | ✓ | ✓ | query | integer | Maximum number of records to return. (Max: 2500) |
| offset | ✓ | ✓ | query | integer | Starting index of overall result set from which to return ids. |
| sort | ✓ | ✓ | query | string | The property to sort by. (Ex: modified_timestamp.desc) |
| parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.crowdscore(filter="string",   # FQL filter
                             offset=0,          # integer, not a string
                             limit=100,         # max 2500
                             sort="string"      # e.g. modified_timestamp.desc
                             )
print(response)

Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.CrowdScore(filter="string",   # FQL filter
                             offset=0,          # integer, not a string
                             limit=100,         # max 2500
                             sort="string"      # e.g. modified_timestamp.desc
                             )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("CrowdScore",
                          filter="string",   # FQL filter
                          offset=0,          # integer, not a string
                          limit=100,         # max 2500
                          sort="string"      # e.g. modified_timestamp.desc
                          )
print(response)

GetBehaviors

Get details on behaviors by providing behavior IDs

PEP8 method name

get_behaviors

Endpoint

| Method | Route |
| --- | --- |
| POST | /incidents/entities/behaviors/GET/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | ✓ | ✓ | body | dictionary | Full body payload in JSON format. |
| ids | ✓ | ✓ | body | string or list of strings | Behavior ID(s) to retrieve. |

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_behaviors(ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetBehaviors(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetBehaviors", body=BODY)
print(response)

PerformIncidentAction

Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description

PEP8 method name

perform_incident_action

Endpoint

| Method | Route |
| --- | --- |
| POST | /incidents/entities/incident-actions/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| action_parameters | ✓ | ✓ | body | list of dictionaries | Action specific parameters. Not required. |
| body | ✓ | ✓ | body | dictionary | Full body payload in JSON format. |
| add_comment | ✓ | ✓ | body (action_parameters) | string | Adds the associated value as a new comment on all the incidents in the ids list. Overridden if action_parameters is specified. |
| add_tag | ✓ | ✓ | body (action_parameters) | string, comma delimited string, list of strings | Adds the associated value as a new tag on all the incidents of the ids list. Overridden if action_parameters is specified. Multiple values may be provided. |
| delete_tag | ✓ | ✓ | body (action_parameters) | string, comma delimited string, list of strings | Deletes tags matching the value from all the incidents in the ids list. Overridden if action_parameters is specified. Multiple values may be provided. |
| ids | ✓ | ✓ | body | string or list of strings | Incident ID(s) to perform the action against. |
| overwrite_detects | ✓ | ✓ | query | boolean | If True and update_detects is also True, the assigned_to_uuid or status for ALL detections associated with the incident(s) will be overwritten. If False, only detects that have default values for assigned_to_uuid and/or status will be updated. Ignored if update_detects is missing or False. Defaults to False. |
| update_detects | ✓ | ✓ | query | boolean | If True, update assigned_to_uuid and/or status of detections associated with the incident(s). Defaults to False. |
| unassign | ✓ | ✓ | body (action_parameters) | boolean | Unassigns all users from all of the incidents in the ids list. Overridden if action_parameters is specified. |
| update_name | ✓ | ✓ | body (action_parameters) | string | Updates the name to the parameter value of all the incidents in the ids list. Overridden if action_parameters is specified. |
| update_assigned_to_v2 | ✓ | ✓ | body (action_parameters) | string (UUID) | Assigns the user matching the UUID in the parameter value to all of the incidents in the ids list. For information on getting the UUID of a user, see Find existing users. Overridden if action_parameters is specified. |
| update_description | ✓ | ✓ | body (action_parameters) | string | Updates the description to the parameter value of all the incidents listed in the ids list. Overridden if action_parameters is specified. |
| update_status | ✓ | ✓ | body (action_parameters) | string (Integer) | Updates the status to the parameter value of all the incidents in the ids list. Valid status values are 20 (New), 25 (Reopened), 30 (In Progress) or 40 (Closed). Overridden if action_parameters is specified. |

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

act_params = [{
    "name": "string",
    "value": "string"
}]

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

# When action_parameters is supplied it overrides every convenience keyword below.
response = falcon.perform_incident_action(action_parameters=act_params,
                                          add_comment="string",
                                          add_tag="string",
                                          delete_tag="string",
                                          ids=id_list,
                                          update_detects=False,
                                          update_name="string",
                                          update_assigned_to_v2="string",
                                          update_description="string",
                                          update_status="40",   # 20, 25, 30 or 40
                                          unassign=False,
                                          overwrite_detects=False
                                          )

print(response)

Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

act_params = [{
    "name": "string",
    "value": "string"
}]

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

# When action_parameters is supplied it overrides every convenience keyword below.
response = falcon.PerformIncidentAction(action_parameters=act_params,
                                        add_comment="string",
                                        add_tag="string",
                                        delete_tag="string",
                                        ids=id_list,
                                        update_detects=False,
                                        update_name="string",
                                        update_assigned_to_v2="string",
                                        update_description="string",
                                        update_status="40",   # 20, 25, 30 or 40
                                        unassign=False,
                                        overwrite_detects=False
                                        )

print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )
act_params = [{
    "name": "string",
    "value": "string"
}]

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "action_parameters": act_params,
    "ids": id_list
}

# update_detects and overwrite_detects are query string parameters, so they
# travel as keywords rather than inside the body.
response = falcon.command("PerformIncidentAction",
                          update_detects=False,
                          overwrite_detects=False,
                          body=BODY
                          )

print(response)
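Building the action_parameters list by hand and closing a set of incidents with their detections updated, as an added example that is not part of this wiki page or the FalconPy project. It assumes the body shape shown in the Uber class example above ({"action_parameters": [{"name": ..., "value": ...}], "ids": [...]}) and FalconPy's response dictionary (status_code, headers, body with errors). The FakeIncidents class is a constructed stand-in so the code runs offline; pass a real falconpy.Incidents instance in its place.

```python
# Added example, not FalconPy project code. Assumes the PerformIncidentAction
# body shape {"action_parameters": [{"name", "value"}], "ids": [...]} and
# FalconPy's response dict {"status_code", "headers", "body"}.
from typing import Any, Dict, Iterable, List, Optional, Union

VALID_STATUS = {"20": "New", "25": "Reopened", "30": "In Progress", "40": "Closed"}
SINGLE_VALUE = {"add_comment", "update_name", "update_description",
                "update_status", "update_assigned_to_v2"}
MULTI_VALUE = {"add_tag", "delete_tag"}  # expand to one parameter per tag


def build_action_body(ids: Union[str, Iterable[str]], **actions: Any) -> Dict[str, Any]:
    """Return the PerformIncidentAction body for the given incident IDs and actions.

    ids may be a comma-delimited string or a list; tag actions may be either too.
    update_status is validated against the documented codes before anything is sent.
    """
    id_list = ids.split(",") if isinstance(ids, str) else list(ids)
    id_list = [i.strip() for i in id_list if i.strip()]
    if not id_list:
        raise ValueError("at least one incident ID is required")
    params: List[Dict[str, str]] = []
    for name, value in actions.items():
        if name in MULTI_VALUE:
            values = value.split(",") if isinstance(value, str) else list(value)
            params.extend({"name": name, "value": v.strip()} for v in values if v.strip())
        elif name in SINGLE_VALUE:
            value = str(value)
            if name == "update_status" and value not in VALID_STATUS:
                raise ValueError(f"update_status must be one of {sorted(VALID_STATUS)}, got {value!r}")
            params.append({"name": name, "value": value})
        else:
            raise ValueError(f"unsupported action {name!r}")
    if not params:
        raise ValueError("no action supplied")
    return {"ids": id_list, "action_parameters": params}


def close_incidents(client, ids, comment: str, tag: Optional[str] = None,
                    update_detects: bool = True) -> Dict[str, Any]:
    """Set status 40 (Closed) with an audit comment and optional tag(s).

    update_detects=True also updates the associated detections; overwrite_detects is
    left False so detections an analyst already re-assigned or re-statused are kept.
    Raises on a non-200 status or any entry in body.errors.
    """
    actions: Dict[str, Any] = {"update_status": "40", "add_comment": comment}
    if tag:
        actions["add_tag"] = tag
    body = build_action_body(ids, **actions)
    resp = client.perform_incident_action(body=body,
                                          update_detects=update_detects,
                                          overwrite_detects=False)
    errors = (resp.get("body") or {}).get("errors") or []
    if resp.get("status_code") != 200 or errors:
        raise RuntimeError(f"PerformIncidentAction failed: HTTP {resp.get('status_code')} {errors}")
    return body


class FakeIncidents:
    """Constructed offline stand-in for falconpy.Incidents that records the call."""

    def __init__(self):
        self.calls: List[Dict[str, Any]] = []

    def perform_incident_action(self, **kwargs):
        self.calls.append(kwargs)
        return {"status_code": 200, "headers": {},
                "body": {"meta": {}, "resources": [], "errors": []}}


if __name__ == "__main__":
    fake = FakeIncidents()
    print(close_incidents(fake, "ID1,ID2", "Closed by triage automation", tag="triage/auto"))
```

Because action_parameters overrides the convenience keywords, building the list explicitly and validating it locally avoids a round trip that the API would reject, and keeps the audit comment and the status change in one request.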

GetIncidents

Get details on incidents by providing incident IDs

PEP8 method name

get_incidents

Endpoint

| Method | Route |
| --- | --- |
| POST | /incidents/entities/incidents/GET/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | ✓ | ✓ | body | dictionary | Full body payload in JSON format. |
| ids | ✓ | ✓ | body | string or list of strings | Incident ID(s) to retrieve. |

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_incidents(ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIncidents(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetIncidents", body=BODY)
print(response)

QueryBehaviors

Search for behaviors by providing a FQL filter, sorting, and paging details

PEP8 method name

query_behaviors

Endpoint

| Method | Route |
| --- | --- |
| GET | /incidents/queries/behaviors/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | ✓ | ✓ | query | string | FQL Syntax formatted string used to limit the results. |
| limit | ✓ | ✓ | query | integer | Maximum number of records to return. (Max: 500) |
| offset | ✓ | ✓ | query | integer | Starting index of overall result set from which to return ids. |
| sort | ✓ | ✓ | query | string | The property to sort by. (Ex: modified_timestamp.desc) |
| parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_behaviors(filter="string",   # FQL filter
                                  offset=0,          # integer, not a string
                                  limit=100,         # max 500
                                  sort="string"      # e.g. modified_timestamp.desc
                                  )
print(response)

Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.QueryBehaviors(filter="string",   # FQL filter
                                 offset=0,          # integer, not a string
                                 limit=100,         # max 500
                                 sort="string"      # e.g. modified_timestamp.desc
                                 )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryBehaviors",
                          filter="string",   # FQL filter
                          offset=0,          # integer, not a string
                          limit=100,         # max 500
                          sort="string"      # e.g. modified_timestamp.desc
                          )
print(response)

QueryIncidents

Search for incidents by providing a FQL filter, sorting, and paging details

PEP8 method name

query_incidents

Endpoint

| Method | Route |
| --- | --- |
| GET | /incidents/queries/incidents/v1 |

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | ✓ | ✓ | query | string | FQL Syntax formatted string used to limit the results. Review the following table for a complete list of available filters. |
| limit | ✓ | ✓ | query | integer | Maximum number of records to return. (Max: 500) |
| offset | ✓ | ✓ | query | integer | Starting index of overall result set from which to return ids. |
| sort | ✓ | ✓ | query | string | The property to sort by. (Ex: modified_timestamp.desc) |
| parameters | ✓ | ✓ | query | dictionary | Full query string parameters payload in JSON format. |

Available filters

For more detail regarding filters and their usage, please review the Falcon Query Language documentation.

| Name | Description | Example |
| --- | --- | --- |
| host_ids | The device IDs of all the hosts on which the incident occurred. | 9a07d39f8c9f430eb3e474d1a0c16ce9 |
| lm_host_ids | If lateral movement has occurred, this field shows the remote device IDs of the hosts on which the lateral movement occurred. | c4e9e4643999495da6958ea9f21ee597 |
| lm_hosts_capped | Indicates that the list of lateral movement hosts has been truncated. The limit is 15 hosts. | True |
| name | The name of the incident. Initially the name is assigned by CrowdScore, but it can be updated through the API. | Incident on DESKTOP-27LTE3R at 2019-12-20T19:56:16Z |
| description | The description of the incident. Initially the description is assigned by CrowdScore, but it can be updated through the API. | Objectives in this incident: Keep Access. Techniques: Masquerading. Involved hosts and end users: DESKTOP-27LTE3R, DESKTOP-27LTE3R$. |
| users | The usernames of the accounts associated with the incident. | someuser |
| tags | Tags associated with the incident. CrowdScore will assign an initial set of tags, but tags can be added or removed through the API. | Objective/Keep Access |
| fine_score | The incident score. Divide the integer by 10 to match the displayed score for the incident. | 56 |
| start | The recorded time of the earliest behavior. | 2017-01-31T22:36:11Z |
| end | The recorded time of the latest behavior. | 2017-01-31T22:36:11Z |
| assigned_to_name | The name of the user the incident is assigned to. | |
| state | The incident state: "open" or "closed". | open |
| status | The incident status as a number: 20 (New), 25 (Reopened), 30 (In Progress), 40 (Closed). | 20 |
| modified_timestamp | The most recent time a user has updated the incident. | 2021-02-04T05:57:04Z |

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.query_incidents(sort="string",     # e.g. modified_timestamp.desc
                                  filter="string",   # FQL filter, e.g. state:'open'
                                  offset=0,          # integer, not a string
                                  limit=100          # max 500
                                  )
print(response)

Service class example (Operation ID syntax)
from falconpy import Incidents

# Do not hardcode API credentials!
falcon = Incidents(client_id=CLIENT_ID,
                   client_secret=CLIENT_SECRET
                   )

response = falcon.QueryIncidents(sort="string",     # e.g. modified_timestamp.desc
                                 filter="string",   # FQL filter, e.g. state:'open'
                                 offset=0,          # integer, not a string
                                 limit=100          # max 500
                                 )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryIncidents",
                          sort="string",     # e.g. modified_timestamp.desc
                          filter="string",   # FQL filter, e.g. state:'open'
                          offset=0,          # integer, not a string
                          limit=100          # max 500
                          )
print(response)
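Paging QueryIncidents by offset until meta.pagination.total is reached, hydrating the IDs with GetIncidents in batches, and ranking open incidents by displayed score (fine_score divided by 10, as the filter table above states), as an added example that is not part of this wiki page or the FalconPy project. It assumes FalconPy's response dictionary shape (status_code, headers, body with meta, resources and errors) and the documented 500-record limit for QueryIncidents; the 100-ID GetIncidents batch size, the FakeIncidents class and the sample incidents are constructed so the code runs offline. For real use pass a falconpy.Incidents instance instead of the fake.

```python
# Added example, not FalconPy project code. Assumes a client with FalconPy's
# query_incidents()/get_incidents() and its response shape
# {"status_code", "headers", "body": {"meta", "resources", "errors"}}.
from typing import Any, Dict, Iterator, List

QUERY_LIMIT_MAX = 500  # documented cap for the QueryIncidents 'limit' parameter
GET_BATCH = 100        # assumed batch size for GetIncidents (not given on this page)


def _check(resp: Dict[str, Any], op: str) -> Dict[str, Any]:
    """Raise on a non-200 status or any body.errors entry; return the body otherwise."""
    body = resp.get("body") or {}
    errors = body.get("errors") or []
    if resp.get("status_code") != 200 or errors:
        raise RuntimeError(f"{op} failed: HTTP {resp.get('status_code')} {errors}")
    return body


def iter_incident_ids(client, fql: str, sort: str = "modified_timestamp.desc",
                      page: int = QUERY_LIMIT_MAX) -> Iterator[str]:
    """Yield every incident ID matching the FQL filter, following offset until total."""
    if not 1 <= page <= QUERY_LIMIT_MAX:
        raise ValueError(f"page must be 1..{QUERY_LIMIT_MAX}")
    offset = 0
    while True:
        body = _check(client.query_incidents(filter=fql, sort=sort, offset=offset, limit=page),
                      "QueryIncidents")
        ids = body.get("resources") or []
        yield from ids
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        offset += len(ids)
        if not ids or offset >= total:   # empty page guards against a missing total
            return


def fetch_incidents(client, ids: List[str], batch: int = GET_BATCH) -> List[Dict[str, Any]]:
    """Call GetIncidents in fixed-size batches and concatenate the resources."""
    out: List[Dict[str, Any]] = []
    for i in range(0, len(ids), batch):
        body = _check(client.get_incidents(ids=ids[i:i + batch]), "GetIncidents")
        out.extend(body.get("resources") or [])
    return out


def open_incidents_at_or_above(client, min_displayed_score: float,
                               page: int = QUERY_LIMIT_MAX) -> List[Dict[str, Any]]:
    """Open incidents whose UI score (fine_score / 10) meets the threshold, highest first."""
    ids = list(iter_incident_ids(client, "state:'open'", page=page))
    incidents = fetch_incidents(client, ids)
    hits = [inc for inc in incidents if inc.get("fine_score", 0) / 10 >= min_displayed_score]
    return sorted(hits, key=lambda inc: inc["fine_score"], reverse=True)


# Constructed sample data in the page's ID1.. style; ID4 is closed on purpose.
SAMPLE_INCIDENTS = [
    {"incident_id": f"ID{n}", "state": "closed" if n == 4 else "open",
     "fine_score": score, "status": 40 if n == 4 else 20}
    for n, score in zip(range(1, 8), (56, 12, 73, 99, 40, 50, 8))
]


class FakeIncidents:
    """Constructed offline stand-in honouring offset/limit/total and the state:'open' filter."""

    def __init__(self, incidents: List[Dict[str, Any]]):
        self.incidents = incidents
        self.query_calls = 0

    @staticmethod
    def _ok(resources, total=None):
        meta = {"pagination": {"total": total}} if total is not None else {}
        return {"status_code": 200, "headers": {},
                "body": {"meta": meta, "resources": resources, "errors": []}}

    def query_incidents(self, filter="", sort="", offset=0, limit=QUERY_LIMIT_MAX):
        self.query_calls += 1
        pool = [i for i in self.incidents if filter != "state:'open'" or i["state"] == "open"]
        ids = [i["incident_id"] for i in pool][offset:offset + limit]
        return self._ok(ids, total=len(pool))

    def get_incidents(self, ids):
        return self._ok([i for i in self.incidents if i["incident_id"] in ids])


if __name__ == "__main__":
    fake = FakeIncidents(SAMPLE_INCIDENTS)
    for inc in open_incidents_at_or_above(fake, 5.0, page=4):
        print(inc["incident_id"], inc["fine_score"] / 10)
```

The query endpoints return only IDs, so every listing is a two-step exercise; checking status_code and body.errors on each page matters because a partial page that fails silently would under-report open incidents.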