Perform Incident Action

Update the status or other aspects of one or more incidents. You can modify a maximum of 5,000 incidents in a request.

External Documentation

To learn more, visit the CrowdStrike documentation.

Parameters

Parameter	Description
Action Parameters	A comma-separated list of the parameters for the prospective action.Each action_parameter value will be applied to each incident whose id is listed in Incident IDs.Action Parameters Name: add_tag: Adds the associated value as a new tag on all the incidents of the Incident IDs list. delete_tag: Deletes tags matching the value from all the incidents in the Incident IDs list. unassign: Unassigns all users from all of the incidents in the Incident IDs list.This action does not require a value parameter. For example:"action_parameters": [{"name": "unassign"}] update_name: Updates the name to the parameter value of all the incidents in the Incident IDs list. update_assigned_to_v2: Assigns the user matching the UUID in the parameter value to all of the incidents in the Incident IDs list. Tip: For information on getting the UUID of a user, see Find existing users. update_description: Updates the description to the parameter value of all the incidents listed in the Incident IDs list. update_status: Updates the status to the parameter value of all the incidents in the Incident IDs list.Valid status values are 20, 25, 30, or 40: 20: New 25: Reopened 30: In Progress 40: Closed
Incident IDs	A comma-separated list of incident IDs to perform the action on. Can be obtained via the List Incidents action.

Example Output

{
    "meta": {
        "query_time": 0.480404495,
        "powered_by": "incident-api",
        "trace_id": "12fe5621-0c10-4b07-9277-5fc045a84cb0"
    },
    "resources": [],
    "errors": []
}

Workflow Library Example

Perform Incident Action with Crowdstrike and Send Results Via Email

Preview this Workflow on desktop