Update the status or other aspects of one or more incidents. You can modify a maximum of 5,000 incidents in a request.

External Documentation

To learn more, visit the CrowdStrike documentation.

Parameters

ParameterDescription
Action ParametersA comma-separated list of the parameters for the prospective action.Each action_parameter value will be applied to each incident whose id is listed in Incident IDs.Action Parameters Name:- add_tag: Adds the associated value as a new tag on all the incidents of the Incident IDs list.- delete_tag: Deletes tags matching the value from all the incidents in the Incident IDs list.- unassign: Unassigns all users from all of the incidents in the Incident IDs list. This action does not require a value parameter. For example: “action_parameters”: [ {"name": "unassign"} ] - update_name: Updates the name to the parameter value of all the incidents in the Incident IDs list.- update_assigned_to_v2: Assigns the user matching the UUID in the parameter value to all of the incidents in the Incident IDs list. Tip: For information on getting the UUID of a user, see Find existing users.- update_description: Updates the description to the parameter value of all the incidents listed in the Incident IDs list.- update_status: Updates the status to the parameter value of all the incidents in the Incident IDs list. Valid status values are 20, 25, 30, or 40: - 20: New - 25: Reopened - 30: In Progress - 40: Closed
Incident IDsA comma-separated list of incident IDs to perform the action on. Can be obtained via the List Incidents action.

Example Output

{
	"meta": {
		"query_time": 0.480404495,
		"powered_by": "incident-api",
		"trace_id": "12fe5621-0c10-4b07-9277-5fc045a84cb0"
	},
	"resources": [],
	"errors": []
}

Workflow Library Example

Perform Incident Action with Crowdstrike and Send Results Via Email

Preview this Workflow on desktop