Alerts: Read and Write.
This endpoint does not support detection IDs prefixed with ldt.
External Documentation
To learn more, visit the CrowdStrike documentation.
Parameters
| Parameter | Description |
|---|---|
| Action Parameters | A comma-separated list of the parameters for the prospective action. As you work on an alert, you’ll often need to update the status, assign it to a user, or add comments with additional info. In most cases, you must provide both the action name, such as update_status, and a value, such as in_progress, in the body of the request. Some actions accept empty values. You can perform these actions on alerts:<br>- add_tag: Add a tag (keyword) to the specified alerts.<br>- append_comment: Appends a new comment to any existing comments for the specified alerts.<br>- assign_to_name: Assign the specified alerts to a user based on their username.<br>- assign_to_user_id: Assign the specified alerts to a user based on their email address.<br>- assign_to_uuid: Assign the specified alerts to a user based on their UUID.<br>- remove_tag: Remove a tag from the specified alerts.<br>- remove_tags_by_prefix: Remove all tags containing a given prefix from the specified alerts.<br>- show_in_ui: If the value specified is true, display the specified alerts in the Falcon console. Any other value, including an empty value, prevents the specified alerts from appearing in the Falcon console.<br>- unassign: If there are any users currently assigned to the specified alerts, unassign them. This action doesn’t require a value; if one is specified, the value is ignored.<br>- update_status: Update the status for the specified alerts. Valid statuses are: closed, in_progress, new, reopened. |
| Alert IDs | Comma-separated list of alert IDs to get details on. This endpoint does not support detection IDs prefixed with ldt. |
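
The rules in the table can be checked before a request is sent. The following is an added example, not code from this page or from CrowdStrike: `build_update_body` is a hypothetical helper, the `composite_ids` / `action_parameters` body field names are an assumption, and the sample ID is constructed. It is stricter than the table for `show_in_ui`, because any value other than true hides the alert from the console.

```python
# Action names and statuses as listed in the parameter table above.
ACTIONS = {
    "add_tag", "append_comment", "assign_to_name", "assign_to_user_id",
    "assign_to_uuid", "remove_tag", "remove_tags_by_prefix",
    "show_in_ui", "unassign", "update_status",
}
STATUSES = {"closed", "in_progress", "new", "reopened"}


def build_update_body(alert_ids, actions):
    """Validate (name, value) action pairs and alert IDs; return the body.

    Raises ValueError listing every problem found, so nothing is sent
    half-validated.
    """
    errors = []
    ids = [i.strip() for i in alert_ids if i and i.strip()]
    if not ids:
        errors.append("no alert IDs supplied")
    # The endpoint does not support detection IDs prefixed with ldt.
    errors += [f"unsupported detection ID: {i}" for i in ids if i.startswith("ldt")]

    params = []
    for name, value in actions:
        value = (value or "").strip()
        if name not in ACTIONS:
            errors.append(f"unknown action: {name}")
        elif name == "unassign":
            params.append({"name": name, "value": ""})  # value is ignored
        elif name == "update_status" and value not in STATUSES:
            errors.append(f"invalid status: {value!r}")
        elif name == "show_in_ui" and value not in ("true", "false"):
            # Anything other than "true" hides the alert from the console,
            # so this example refuses ambiguous values such as "" or "yes".
            errors.append(f"show_in_ui must be 'true' or 'false', got {value!r}")
        elif not value:
            errors.append(f"{name} requires a value")
        else:
            params.append({"name": name, "value": value})
    if not params and not errors:
        errors.append("no actions supplied")
    if errors:
        raise ValueError("; ".join(errors))
    # Assumed body shape; these field names are not taken from this page.
    return {"composite_ids": ids, "action_parameters": params}


if __name__ == "__main__":
    # Constructed sample ID and actions, for illustration only.
    print(build_update_body(["example-alert-id-1"], [("update_status", "in_progress")]))
```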