# Incidents examples

The examples in this folder focus on leveraging CrowdStrike's Incidents API.
## Chart your CrowdScore for the past day

This example demonstrates retrieving CrowdScore detail and then charting it as a simple histogram.
### Running the program

In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:

| Service Collection | Scope |
| :-- | :-- |
| Incidents | READ |
### Execution syntax

This example accepts the following input parameters.

| Parameter | Purpose | Category |
| :-- | :-- | :-- |
| `-h`, `--help` | Show help message and exit | optional |
| `-c`, `--hide-chart` | Hides the chart display | optional |
| `-d`, `--show-data` | Shows the data table display | optional |
| `-r`, `--reverse` | Reverse the data table sort. Will not impact the chart display. | optional |
| `-n`, `--no-color` | Disable color output | optional |
| `-x CHART_SIZE`, `--chart-size CHART_SIZE` | Size of the chart to display (Max: 100, Default: 25) | optional |
| `-m MAX_ROWS`, `--max-rows MAX_ROWS` | Maximum number of rows to return (5 - 250, Default: 100) | optional |
| `-b BASE_URL`, `--base-url BASE_URL` | CrowdStrike cloud region (auto or usgov1, Default: auto) | optional |
| `-f FALCON_CLIENT_ID`, `--falcon_client_id FALCON_CLIENT_ID` | Falcon Client ID | always required |
| `-s FALCON_CLIENT_SECRET`, `--falcon_client_secret FALCON_CLIENT_SECRET` | Falcon Client Secret | always required |
### Examples

These examples demonstrate command line usage of this sample. Commands may be chained on the same command line as long as all actions make sense for the arguments provided.

#### Show command line help

#### Show your current CrowdScore and plot the past 24 hours

Result

#### Show the data table for the chart display

#### Reverse the table sort

#### Create a chart in the US-GOV-1 region

#### Increase the number of rows returned

This argument has a range of 5 - 250.

#### Increase the chart size

This argument has a range of 5 - 100.

#### Disable color output

#### Disable chart display

### Command-line help

Command-line help is available using the `-h` or `--help` parameters.

### Example source code

The source code for this example can be found here.
## Incident Triage

This example demonstrates triaging Incidents. You can assign / unassign responders, add / remove tags, and change the name, description and status of an incident using this utility.

### Running the program

In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:

| Service Collection | Scope |
| :-- | :-- |
| Incidents | READ, WRITE |
| User Management | READ |
### Execution syntax

This example accepts the following input parameters.

| Parameter | Purpose | Category |
| :-- | :-- | :-- |
| `-h`, `--help` | Show help message and exit | optional |
| `-a ASSIGN`, `--assign ASSIGN` | Email of the user to assign this incident to | modify |
| `-d DESCRIPTION`, `--description DESCRIPTION` | Description to apply to the incident | modify |
| `-i INCIDENT`, `--incident INCIDENT` | Incident ID to modify | modify |
| `-n NAME`, `--name NAME` | Name to apply to the incident | modify |
| `-r REMOVE_TAGS`, `--remove_tags REMOVE_TAGS` | Tags to remove (comma delimited). Case sensitive. | modify |
| `-t ADD_TAGS`, `--add_tags ADD_TAGS` | Tags to add (comma delimited) | modify |
| `-u STATUS`, `--status STATUS` | Status to change to (integer or string) | modify |
| `-x`, `--unassign` | Remove the assignment from the incident | modify |
| `-f FILTER`, `--filter FILTER` | FQL string to use to filter incidents | search |
| `-k FALCON_CLIENT_ID`, `--falcon_client_id FALCON_CLIENT_ID` | Falcon Client ID | always required |
| `-s FALCON_CLIENT_SECRET`, `--falcon_client_secret FALCON_CLIENT_SECRET` | Falcon Client Secret | always required |
### Examples

These examples demonstrate command line usage of this sample. Commands may be chained on the same command line as long as all actions make sense for the arguments provided.

#### Show command line help

#### List all incidents available (up to the maximum limit)

#### Search for an incident by host ID

For a complete list of available incident filters you can use for the `--filter` argument, please check this page.

#### Change the status of an incident

You may specify a status value of `20`, `25`, `30` or `40`. You may also use the names `New`, `Reopened`, `InProgress` and `Closed`.

#### Assign a responder to an incident

The responder assigned must have an existing user account within your Falcon tenant.

#### Unassign a responder from an incident

#### Add tags to an incident

Multiple tags may be specified by delimiting with a comma.

#### Remove tags from an incident

Multiple tags may be specified by delimiting with a comma.

#### Change the name of an incident

To delete the name, update it to `" "`.

#### Change the description of an incident

To delete the description, update it to `" "`.
### Command-line help

Command-line help is available using the `-h` or `--help` parameters.

### Example source code

The source code for this example can be found here.