Skip to content

Incidents

Joshua Hiller edited this page Nov 2, 2021 · 22 revisions

CrowdStrike Falcon Twitter URL

Using the Incidents service collection

Uber class support Service class support Documentation Version

Table of Contents

Operation ID Description
CrowdScore
PEP 8 crowdscore
Query environment wide CrowdScore and return the entity data.
GetBehaviors
PEP 8 get_behaviors
Get details on behaviors by providing behavior IDs.
PerformIncidentAction
PEP 8 perform_incident_action
Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description.
GetIncidents
PEP 8 get_incidents
Get details on incidents by providing incident IDs.
QueryBehaviors
PEP 8 query_behaviors
Search for behaviors by providing a FQL filter, sorting, and paging details.
QueryIncidents
PEP 8 query_incidents
Search for incidents by providing a FQL filter, sorting, and paging details.

CrowdScore

Query environment wide CrowdScore and return the entity data

PEP8 method name

crowdscore

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL Syntax formatted string used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return.

(Max: 2500)
offset
Service Class Support

Uber Class Support
query integer Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: modified_timestamp.desc)
parameters
Service Class Support

Uber Class Support
query string Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

response = falcon.crowdscore(filter="string",
                             offset="string",
                             limit=integer,
                             sort="string"
                             )
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

response = falcon.CrowdScore(filter="string",
                             offset="string",
                             limit=integer,
                             sort="string"
                             )
print(response)
Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("CrowdScore",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

GetBehaviors

Get details on behaviors by providing behavior IDs

PEP8 method name

get_behaviors

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body string Full body payload in JSON format.
ids
Service Class Support

Uber Class Support
body string or list of strings Behavior ID(s) to retrieve.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_behaviors(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetBehaviors(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetBehaviors", body=BODY)
print(response)

PerformIncidentAction

Perform a set of actions on one or more incidents, such as adding tags or comments or updating the incident name or description

PEP8 method name

perform_incident_action

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
action_parameters
Service Class Support

Uber Class Support
body list of dictionaries Action specific parameters. Not required.
body
Service Class Support

Uber Class Support
body string Full body payload in JSON format.
ids
Service Class Support

Uber Class Support
body string or list of strings Incident ID(s) to perform the action against.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

act_params = [{
    "name": "string",
    "value": "string"
}]

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.perform_incident_action(action_parameters=act_params,
                                          ids=id_list
                                          )
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

act_params = [{
    "name": "string",
    "value": "string"
}]

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.PerformIncidentAction(action_parameters=act_params,
                                        ids=id_list
                                        )
print(response)
Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )
act_params = [{
    "name": "string",
    "value": "string"
}]

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "action_parameters": act_params,
    "ids": id_list
}

response = falcon.command("PerformIncidentAction", body=BODY)
print(response)

GetIncidents

Get details on incidents by providing incident IDs

PEP8 method name

get_incidents

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body string Full body payload in JSON format.
ids
Service Class Support

Uber Class Support
body string or list of strings Incident ID(s) to retrieve.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_incidents(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetIncidents(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetIncidents", body=BODY)
print(response)

QueryBehaviors

Search for behaviors by providing a FQL filter, sorting, and paging details

PEP8 method name

query_behaviors

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL Syntax formatted string used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return.

(Max: 500)
offset
Service Class Support

Uber Class Support
query integer Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: modified_timestamp.desc)
parameters
Service Class Support

Uber Class Support
query string Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

response = falcon.query_behaviors(filter="string",
                                  offset="string",
                                  limit=integer,
                                  sort="string"
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

response = falcon.QueryBehaviors(filter="string",
                                 offset="string",
                                 limit=integer,
                                 sort="string"
                                 )
print(response)
Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("QueryBehaviors",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

QueryIncidents

Search for incidents by providing a FQL filter, sorting, and paging details

PEP8 method name

query_incidents

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
filter
Service Class Support

Uber Class Support
query string FQL Syntax formatted string used to limit the results.
limit
Service Class Support

Uber Class Support
query integer Maximum number of records to return.

(Max: 500)
offset
Service Class Support

Uber Class Support
query integer Starting index of overall result set from which to return ids.
sort
Service Class Support

Uber Class Support
query string The property to sort by. (Ex: modified_timestamp.desc)
parameters
Service Class Support

Uber Class Support
query string Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

response = falcon.query_incidents(sort="string",
                                  filter="string",
                                  offset="string",
                                  limit=integer
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

response = falcon.QueryIncidents(sort="string",
                                 filter="string",
                                 offset="string",
                                 limit=integer
                                 )
print(response)
Uber class example
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("QueryIncidents",
                          sort="string",
                          filter="string",
                          offset="string",
                          limit=integer
                          )
print(response)

CrowdStrike Falcon

Clone this wiki locally