Actions
Perform Incident Action
Update the status or other aspects of one or more incidents. You can modify a maximum of 5,000 incidents in a request.
External Documentation
To learn more, visit the CrowdStrike documentation.
Parameters
Parameter | Description |
---|---|
Action Parameters | A comma-separated list of the parameters for the prospective action.Each action_parameter value will be applied to each incident whose id is listed in Incident IDs .Action Parameters Name:- add_tag : Adds the associated value as a new tag on all the incidents of the Incident IDs list.- delete_tag : Deletes tags matching the value from all the incidents in the Incident IDs list.- unassign : Unassigns all users from all of the incidents in the Incident IDs list. This action does not require a value parameter. For example: “action_parameters”: [ {"name": "unassign"} ] - update_name : Updates the name to the parameter value of all the incidents in the Incident IDs list.- update_assigned_to_v2 : Assigns the user matching the UUID in the parameter value to all of the incidents in the Incident IDs list. Tip: For information on getting the UUID of a user, see Find existing users.- update_description : Updates the description to the parameter value of all the incidents listed in the Incident IDs list.- update_status : Updates the status to the parameter value of all the incidents in the Incident IDs list. Valid status values are 20, 25, 30, or 40: - 20: New - 25: Reopened - 30: In Progress - 40: Closed |
Incident IDs | A comma-separated list of incident IDs to perform the action on. Can be obtained via the List Incidents action. |
Example Output
Workflow Library Example
Perform Incident Action with Crowdstrike and Send Results Via Email
Preview this Workflow on desktop
Was this page helpful?