Update the status or other aspects of one or more incidents. You can modify a maximum of 5,000 incidents in a request.

External Documentation

To learn more, visit the CrowdStrike documentation.

Parameters

ParameterDescription
Action ParametersA comma-separated list of the parameters for the prospective action.
Each action_parameter value will be applied to each incident whose id is listed in Incident IDs.

Action Parameters Name:

- add_tag: Adds the associated value as a new tag on all the incidents of the Incident IDs list.

- delete_tag: Deletes tags matching the value from all the incidents in the Incident IDs list.

- unassign: Unassigns all users from all of the incidents in the Incident IDs list.
This action does not require a value parameter. For example:
“action_parameters”:

[
{"name": "unassign"}
]

- update_name: Updates the name to the parameter value of all the incidents in the Incident IDs list.

- update_assigned_to_v2: Assigns the user matching the UUID in the parameter value to all of the incidents in the Incident IDs list.

Tip: For information on getting the UUID of a user, see Find existing users.

- update_description: Updates the description to the parameter value of all the incidents listed in the Incident IDs list.

- update_status: Updates the status to the parameter value of all the incidents in the Incident IDs list.
Valid status values are 20, 25, 30, or 40:
- 20: New
- 25: Reopened
- 30: In Progress
- 40: Closed
Incident IDsA comma-separated list of incident IDs to perform the action on. Can be obtained via the List Incidents action.

Example Output

{
	"meta": {
		"query_time": 0.480404495,
		"powered_by": "incident-api",
		"trace_id": "12fe5621-0c10-4b07-9277-5fc045a84cb0"
	},
	"resources": [],
	"errors": []
}

Workflow Library Example

Perform Incident Action with Crowdstrike and Send Results Via Email

Preview this Workflow on desktop