
Perform Incident Action

Update the status or other aspects of one or more incidents. You can modify a maximum of 5,000 incidents in a request.

External Documentation

To learn more, visit the CrowdStrike documentation.

Parameters

Parameter | Description

Action Parameters | A comma-separated list of the parameters for the prospective action.
Each action_parameter value will be applied to each incident whose id is listed in Incident IDs.

Action Parameters Name:

- add_tag: Adds the associated value as a new tag on all the incidents of the Incident IDs list.

- delete_tag: Deletes tags matching the value from all the incidents in the Incident IDs list.

- unassign: Unassigns all users from all of the incidents in the Incident IDs list.
  This action does not require a value parameter. For example:
    "action_parameters": [
      {"name": "unassign"}
    ]
- update_name: Updates the name to the parameter value of all the incidents in the Incident IDs list.

- update_assigned_to_v2: Assigns the user matching the UUID in the parameter value to all of the incidents in the Incident IDs list.

Tip: For information on getting the UUID of a user, see Find existing users.

- update_description: Updates the description to the parameter value of all the incidents listed in the Incident IDs list.

- update_status: Updates the status to the parameter value of all the incidents in the Incident IDs list.
  Valid status values are 20, 25, 30, or 40:
  - 20: New
  - 25: Reopened
  - 30: In Progress
  - 40: Closed

Incident IDs | A comma-separated list of incident IDs to perform the action on. Can be obtained via the List Incidents action.
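
A bulk status change or unassign touches every listed incident, so it is worth validating the parameters before sending. The following is an added example, not code from this page or from CrowdStrike: it checks action names and status values against the lists above and splits the IDs into batches of at most 5,000. The "ids" and "value" keys and the function names are assumptions; the page itself only shows the "action_parameters"/"name" shape.

```python
# Added example: validate and batch incident updates before sending them.
VALID_STATUS = {"20": "New", "25": "Reopened", "30": "In Progress", "40": "Closed"}
VALUE_ACTIONS = {"add_tag", "delete_tag", "update_name", "update_assigned_to_v2",
                 "update_description", "update_status"}
NO_VALUE_ACTIONS = {"unassign"}
MAX_IDS_PER_REQUEST = 5000  # limit stated on this page


def build_action_parameter(name, value=None):
    """Return one action_parameters entry, rejecting anything the page does not list."""
    if name in NO_VALUE_ACTIONS:
        if value is not None:
            raise ValueError(f"{name} does not take a value")
        return {"name": name}
    if name not in VALUE_ACTIONS:
        raise ValueError(f"unknown action parameter: {name}")
    if value is None or str(value).strip() == "":
        raise ValueError(f"{name} requires a value")
    value = str(value)
    if name == "update_status" and value not in VALID_STATUS:
        raise ValueError(f"invalid status {value}; expected one of {sorted(VALID_STATUS)}")
    return {"name": name, "value": value}


def build_requests(incident_ids, actions):
    """Build request bodies, at most MAX_IDS_PER_REQUEST incident IDs each.

    actions is a list of (name, value) tuples. The "ids" and "value" keys are
    assumptions; the page only shows the "action_parameters"/"name" shape.
    """
    params = [build_action_parameter(name, value) for name, value in actions]
    if not params:
        raise ValueError("at least one action parameter is required")
    # De-duplicate while preserving order so an ID is not listed twice.
    ids = list(dict.fromkeys(x.strip() for x in incident_ids if x.strip()))
    if not ids:
        raise ValueError("no incident IDs supplied")
    return [{"action_parameters": params, "ids": ids[i:i + MAX_IDS_PER_REQUEST]}
            for i in range(0, len(ids), MAX_IDS_PER_REQUEST)]


if __name__ == "__main__":
    # Constructed sample IDs, not real incidents.
    sample_ids = [f"inc:constructed:{n:05d}" for n in range(5001)]
    bodies = build_requests(sample_ids, [("update_status", 40), ("add_tag", "triaged")])
    print(len(bodies), [len(b["ids"]) for b in bodies])
```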

Example Output

{
  "meta": {
    "query_time": 0.480404495,
    "powered_by": "incident-api",
    "trace_id": "12fe5621-0c10-4b07-9277-5fc045a84cb0"
  },
  "resources": [],
  "errors": []
}

Workflow Library Example

Perform Incident Action with CrowdStrike and Send Results Via Email
