Update Alerts

Update an alert or multiple ones. Allows you to update the status, assign it to a user, add comments with additional info, ect.

note

This endpoint does not support detection IDs prefixed with ldt.

External Documentation

To learn more, visit the CrowdStrike documentation.

Parameters

Parameter Description

Action Parameters A comma-separated list of the parameters for the prospective action.
As you work on an alert, you’ll often need to update the status, assign it to a user, or add comments with additional info.

In most cases, you must provide both the action name, such as update_status, and a value, such as in_progress, in the body of the request. Some actions accept empty values.

You can perform these actions on alerts:

- add_tag: Add a tag (keyword) to the specified alerts.

- append_comment: Appends a new comment to any existing comments for the specified alerts.

- assign_to_name: Assign the specified alerts to a user based on their username.

- assign_to_user_id: Assign the specified alerts to a user based on their email address.

- assign_to_uuid: Assign the specified alerts to a user based on their UUID.

- remove_tag: Remove a tag from the specified alerts.

- remove_tags_by_prefix: Remove all tags containing a given prefix from the specified alerts.

- show_in_ui: If the value specified is true, display the specified alerts in the Falcon console. Any other value, including an empty value, prevents the specified alerts from appearing in the Falcon console.

- unassign: If there are any users currently assigned to the specified alerts, unassign them.

This action doesn’t require a value; if one is specified, the value is ignored.

- update_status: Update the status for the specified alerts.
Valid statuses are:
- closed
- in_progress
- new
- reopened

Alert IDs Comma separated list of alert IDs to get details on. This endpoint does not support detection IDs prefixed with ldt.

Parameter	Description
Action Parameters	A comma-separated list of the parameters for the prospective action. As you work on an alert, you’ll often need to update the status, assign it to a user, or add comments with additional info. In most cases, you must provide both the action name, such as update_status, and a value, such as in_progress, in the body of the request. Some actions accept empty values. You can perform these actions on alerts: - `add_tag`: Add a tag (keyword) to the specified alerts. - `append_comment`: Appends a new comment to any existing comments for the specified alerts. - `assign_to_name`: Assign the specified alerts to a user based on their username. - `assign_to_user_id`: Assign the specified alerts to a user based on their email address. - `assign_to_uuid`: Assign the specified alerts to a user based on their UUID. - `remove_tag`: Remove a tag from the specified alerts. - `remove_tags_by_prefix`: Remove all tags containing a given prefix from the specified alerts. - `show_in_ui`: If the value specified is true, display the specified alerts in the Falcon console. Any other value, including an empty value, prevents the specified alerts from appearing in the Falcon console. - `unassign`: If there are any users currently assigned to the specified alerts, unassign them. This action doesn’t require a value; if one is specified, the value is ignored. - `update_status`: Update the status for the specified alerts. Valid statuses are: - closed - in_progress - new - reopened
Alert IDs	Comma separated list of alert IDs to get details on. This endpoint does not support detection IDs prefixed with ldt.

Example Output

{
    "meta": {
        "query_time": 0.209774393,
        "writes": {
            "resources_affected": 2
        },
        "powered_by": "detectsapi",
        "trace_id": "8326daf7-d03a-4268-a6f9-8e7195a50ec6"
    }
}

Workflow Library Example

Update Alerts with Crowdstrike and Send Results Via Email

Preview this Workflow on desktop

Update Alerts

Parameters​

Example Output​

Workflow Library Example​

Parameters

Example Output

Workflow Library Example