incidents
Incidents examples
The examples in this folder focus on leveraging CrowdStrike's Incidents API.
Chart your CrowdScore for the past day
This example demonstrates retrieving CrowdScore detail and then charting it a simple histogram.
Running the program
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
Incidents
READ
Execution syntax
This example accepts the following input parameters.
-h, --help
Show help message and exit
optional
-c, --hide-chart
Hides the chart display
optional
-d, --show-data
Shows the data table display
optional
-r, --reverse
Reverse the data table sort Will not impact chart display
optional
-n, --no-color
Disable color output
optional
-x CHART_SIZE,
--chart-size CHART_SIZE
Size of the chart to display (Max: 100, Default: 25)
optional
-m MAX_ROWS,
--max-rows MAX_ROWS
Maximum number of rows to return (5 - 250, Default: 100)
optional
-b BASE_URL,
--base-url BASE_URL
CrowdStrike cloud region. (auto or usgov1, Default: auto)
optional
-f FALCON_CLIENT_ID,
--falcon_client_id FALCON_CLIENT_ID
Falcon Client ID
always required
-s FALCON_CLIENT_SECRET,
--falcon_client_secret FALCON_CLIENT_SECRET
Falcon Client Secret
always required
Examples
These examples demonstrate command line usage of this sample. Commands may be chained on the same command line as long as all actions make sense for the arguments provided.
Show command line help.
python3 crowdscore_quickchart.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -hShow your current CrowdScore and plot the past 24 hours
python3 crowdscore_quickchart.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRETResult
_______ __ _______ __ _______
| _ .----.-----.--.--.--.--| | _ .----.-----.----.-----.|__| | _ |
|. 1___| _| _ | | | | _ | 1___| __| _ | _| -__| __ |. | |
|. |___|__| |_____|________|_____|____ |____|_____|__| |_____||__| |. | |
|: 1 | |: 1 | |: 1 |
|::.. . | |::.. . | |::.. . |
`-------' `-------' `-------'
72.00 ┼ â•â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â•®
69.12 ┤ │ ╰──────────╮
66.24 ┤ │ ╰────╮
63.36 ┤ │ ╰──╮
60.48 ┤ â•â•¯ ╰─╮
57.60 ┤ │ ╰──╮
54.72 ┼──╯ ╰─╮
51.84 ┤ ╰─╮
48.96 ┤ ╰──╮
46.08 ┤ ╰─╮
43.20 ┤ ╰─╮
40.32 ┤ ╰─╮
37.44 ┤ ╰╮
34.56 ┤ ╰─╮
31.68 ┤ ╰─╮
28.80 ┤ ╰╮
25.92 ┤ ╰─╮
23.04 ┤ ╰─╮
20.16 ┤ ╰─╮
17.28 ┤ ╰──╮
14.40 ┤ ╰─╮
11.52 ┤ ╰─╮
8.64 ┤ ╰──╮
5.76 ┤ ╰────╮
2.88 ┤ ╰──────╮
0.00 ┤ ╰───────Show the data table for the chart display
python3 crowdscore_quickchart.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -dReverse the table sort
python3 crowdscore_quickchart.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -rCreate a chart in the US-GOV-1 region
python3 crowdscore_quickchart.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -b usgov1Increase the number of rows returned
This argument has a range of 5 - 250.
python3 crowdscore_quickchart.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -m 200Increase the chart size
This argument has a range of 5 - 100.
python3 crowdscore_quickchart.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -x 100Disable color output
python3 crowdscore_quickchart.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -nDisable chart display
python3 crowdscore_quickchart.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -cCommand-line help
Command-line help is available using the -h or --help parameters.
% python3 crowdscore_quickchart.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -h
usage: crowdscore_quickchart.py [-h] [-c] [-d] [-r] [-n] [-x CHART_SIZE] [-m MAX_ROWS] -k FALCON_CLIENT_ID -s FALCON_CLIENT_SECRET
CrowdScore QuickChart.
___ __ __ ____ __ __ _ __ __ __ ____ ____ ______
/ \ | T Tl j / ]| l/ ] / ]| T T / T| \| T
Y Y| | | | T / / | ' / / / | l |Y o || D ) |
| Q || | | | | / / | \ / / | _ || || /l_j l_j
| || : | | |/ \_ | Y/ \_ | | || _ || \ | |
l |l | j l\ || . |\ || | || | || . Y | |
\__,_j \__,_j|____j\____jl__j\_j \____jl__j__jl__j__jl__j\_j l__j
for your CrowdScore
Quickly displays your current CrowdScore and charts a histogram
of your score over the past 24 to 36 hours.
Requirements
asciichartpy
crowdstrike-falconpy
pyfiglet
tabulate
optional arguments:
-h, --help show this help message and exit
-c, --hide-chart Hides the chart display
-d, --show-data Shows the data table display
-r, --reverse Reverse the data table sort
Will not impact chart display
-n, --no-color Disable color output
-x CHART_SIZE, --chart-size CHART_SIZE
Size of the chart to display (Max: 100, Default: 25)
-m MAX_ROWS, --max-rows MAX_ROWS
Maximum number of rows to return (5 - 250, Default: 100)
-b BASE_URL, --base-url BASE_URL
CrowdStrike cloud region. (auto or usgov1, Default: auto)
required arguments:
-k FALCON_CLIENT_ID, --falcon_client_id FALCON_CLIENT_ID
Search string
-s FALCON_CLIENT_SECRET, --falcon_client_secret FALCON_CLIENT_SECRET
Search stringExample source code
The source code for this example can be found here.
Incident Triage
This example demonstrates triaging Incidents. You can assign / unassign responders, add / remove tags, and change name, description and status of an incident using this utility.
Running the program
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
Incidents
READ, WRITE
User Management
READ
Execution syntax
This example accepts the following input parameters.
-h, --help
Show help message and exit
optional
-a ASSIGN, --assign ASSIGN
Email of the user to assign this incident to
modify
-d DESCRIPTION, --description DESCRIPTION
Description to apply to the incident
modify
-i INCIDENT, --incident INCIDENT
Incident ID to modify
modify
-n NAME, --name NAME
Name to apply to the incident
modify
-r REMOVE_TAGS, --remove_tags REMOVE_TAGS
Tags to remove (comma delimit) Case sensitive
modify
-t ADD_TAGS, --add_tags ADD_TAGS
Tags to add (comma delimit)
modify
-u STATUS, --status STATUS
Status to change to (Integer or String)
modify
-x, --unassign
Remove the assignment from the incident
modify
-f FILTER, --filter FILTER
FQL string to use to filter incidents
search
-k FALCON_CLIENT_ID,
--falcon_client_id FALCON_CLIENT_ID
Falcon Client ID
always required
-s FALCON_CLIENT_SECRET,
--falcon_client_secret FALCON_CLIENT_SECRET
Falcon Client Secret
always required
Examples
These examples demonstrate command line usage of this sample. Commands may be chained on the same command line as long as all actions make sense for the arguments provided.
Show command line help.
python3 incident_triage.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -hList all incidents available (Up to maximum limit)
python3 incident_triage.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -hSearch for an incident by host ID
For a complete list of available incident filters you can use for the
--filterargument, please check this page.
python3 incident_triage.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -f "host_ids:['ID1', 'ID2']"Change the status of an incident
You may specify a status value of
20,25,30or40. You may also use the namesNew,Reopened,InProgressandClosed.
python3 incident_triage.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -i INCIDENT_ID -u STATUS_VALUEAssign a responder to an incident
The responder assigned must have an existing user account within your Falcon tenant.
python3 incident_triage.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -i INCIDENT_ID -a [email protected]Unassign a responder from an incident
python3 incident_triage.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -i INCIDENT_ID -xAdd tags to an incident
Multiple tags may be specified by delimiting with a comma.
python3 incident_triage.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -i INCIDENT_ID -t TAG1,TAG2,TAG3Remove tags from an incident
Multiple tags may be specified by delimiting with a comma.
python3 incident_triage.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -i INCIDENT_ID -r TAG1,TAG2,TAG3Change the name of an incident
To delete the name, update it to
" ".
python3 incident_triage.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -i INCIDENT_ID -n "Name goes here"Change the description of an incident
To delete the description, update it to
" ".
python3 incident_triage.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -i INCIDENT_ID -d "Description goes here"Command-line help
Command-line help is available using the -h or --help parameters.
usage: incident_triage.py [-h] [-a ASSIGN] [-d DESCRIPTION] [-i INCIDENT] [-n NAME] [-r REMOVE_TAGS] [-t ADD_TAGS] [-u STATUS] [-x] [-f FILTER] [-k FALCON_CLIENT_ID] [-s FALCON_CLIENT_SECRET]
CrowdStrike incident triage.
_____ _ _ _
\_ \_ __ ___(_) __| | ___ _ __ | |_ ___
/ /\/ '_ \ / __| |/ _` |/ _ \ '_ \| __/ __|
/\/ /_ | | | | (__| | (_| | __/ | | | |_\__ \
\____/ |_| |_|\___|_|\__,_|\___|_| |_|\__|___/
_____ _
/__ \_ __(_) __ _ __ _ ___
/ /\/ '__| |/ _` |/ _` |/ _ \
/ / | | | | (_| | (_| | __/
\/ |_| |_|\__,_|\__, |\___|
|___/
for FalconPy v1.1.1
Requirements
- crowdstrike-falconpy (v1.1.1+)
- tabulate
Search, review and modify incidents within a CrowdStrike Falcon tenant.
A complete list of available incident filters can be found at:
https://falconpy.io/Service-Collections/Incidents.html#available-filters
optional arguments:
-h, --help show this help message and exit
update arguments:
-a ASSIGN, --assign ASSIGN
Email of the user to assign this incident to
-d DESCRIPTION, --description DESCRIPTION
Description to apply to the incident
-i INCIDENT, --incident INCIDENT
Incident ID to modify
-n NAME, --name NAME Name to apply to the incident
-r REMOVE_TAGS, --remove_tags REMOVE_TAGS
Tags to remove (comma delimit)
Case sensitive
-t ADD_TAGS, --add_tags ADD_TAGS
Tags to add (comma delimit)
-u STATUS, --status STATUS
Status to change to (Integer or String)
-x, --unassign Remove the assignment from the incident
search arguments:
-f FILTER, --filter FILTER
FQL string to use to filter incidents
required arguments:
-k FALCON_CLIENT_ID, --falcon_client_id FALCON_CLIENT_ID
CrowdStrike Falcon API Client ID
-s FALCON_CLIENT_SECRET, --falcon_client_secret FALCON_CLIENT_SECRET
CrowdStrike Falcon API Client SecretExample source code
The source code for this example can be found here.
Last updated
Was this helpful?