GetIncidents Question

[hermanmaleiane]

Hi team,

Hope you are doing well.

I'm trying to query incidents.

I want to query the incidents for example in the last 30 minutes, and get all details related to hots and etc, without providing a list of ids as stated in documentation.

from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_incidents(ids=id_list)
print(response)

The error i'm getting while preforming the call without id_list:

{
	"status_code": 400,
	"headers": {
		"Content-Encoding": "gzip",
		"Content-Length": "237",
		"Content-Type": "application/json",
		"Date": "Thu, 02 Dec 2021 15:03:59 GMT",
		"Strict-Transport-Security": "max-age=31536000; includeSubDomains, max-age=15724800; includeSubDomains",
		"X-Cs-Region": "us-1",
		"X-Cs-Traceid": "cd485863-c8a6-4808-afd4-cf8b5b00c2d1",
		"X-Ratelimit-Limit": "6000",
		"X-Ratelimit-Remaining": "5999"
	},
	"body": {
		"meta": {
			"query_time": 0.008969446,
			"powered_by": "incident-api",
			"trace_id": "cd485863-c8a6-4808-afd4-cf8b5b00c2d1"
		},
		"resources": [],
		"errors": [{
			"code": 400,
			"message": "The 'ids' parameter must be present at least once and can be present up to 500 times."
		}]
	}
}

@jshcodes can you please help!!

[crowdstrikedcs]

Hey There! Great Question, we should be able to cover this use case with the query_incidents function.

This function accepts an FQL Filter where you can specify search parameters. In this case your filter for incidents updated in the last 30 minutes would look like this modified_timestamp:>'timestamp' Where timestamp is of the form 2021-02-04T05:57:04Z.

This will return incident IDs that have been modified since your timestamp (which you can set to the current time less 30 minutes). You can feed these into your existing calls to get details by ID.

Try Something like this:
response = falcon.query_incidents(filter="modified_timestamp:>'2021-02-04T05:57:04Z'")

Let Me Know how it works!

[hermanmaleiane]

Hi @crowdstrikedcs,

Thank you so much.
It worked.

I got this response:

{
	"status_code": 200,
	"headers": {
		"Content-Encoding": "gzip",
		"Content-Length": "249",
		"Content-Type": "application/json",
		"Date": "Thu, 02 Dec 2021 15:34:53 GMT",
		"Strict-Transport-Security": "max-age=31536000; includeSubDomains, max-age=15724800; includeSubDomains",
		"X-Cs-Region": "us-1",
		"X-Cs-Traceid": "801dfdf7-7bb8-489d-bce0-05f0634afa80",
		"X-Ratelimit-Limit": "6000",
		"X-Ratelimit-Remaining": "5999"
	},
	"body": {
		"meta": {
			"query_time": 0.011390812,
			"pagination": {
				"offset": 0,
				"limit": 100,
				"total": 1
			},
			"powered_by": "incident-api",
			"trace_id": "801dfdf7-7bb8-489d-bce0-05f0634afa80"
		},
		"resources": ["inc:43f1a387a0344bREDACTED:ef93b92f89f64d388ddREDACTED"],
		"errors": []
	}
}

then i extracted in resources the inc: 43f1a387a0344bREDACTED:ef93b92f89f64d388ddREDACTED

Then

id_list = '43f1a387a0344bREDACTED:ef93b92f89f64d388ddREDACTED'
response = falcon.get_behaviors(ids=id_list)

The error now is:

{
	"status_code": 400,
	"headers": {
		"Content-Encoding": "gzip",
		"Content-Length": "245",
		"Content-Type": "application/json",
		"Date": "Thu, 02 Dec 2021 15:40:02 GMT",
		"Strict-Transport-Security": "max-age=31536000; includeSubDomains, max-age=15724800; includeSubDomains",
		"X-Cs-Region": "us-1",
		"X-Cs-Traceid": "c6835afe-c6aa-4c21-b971-e85fd20f0060",
		"X-Ratelimit-Limit": "6000",
		"X-Ratelimit-Remaining": "5997"
	},
	"body": {
		"meta": {
			"query_time": 0.009547633,
			"powered_by": "incident-api",
			"trace_id": "c6835afe-c6aa-4c21-b971-e85fd20f0060"
		},
		"resources": [],
		"errors": [{
			"code": 400,
			"message": "invalid behavior id=43f1a387a0344bREDACTED:ef93b92f89f64d388ddREDACTED"
		}]
	}
}

PS C:\local\dev\python\falcon>

How can i get the details about each incident?The best approach.
Sorry for my questions, I'm beginner.
Thanks in advance

[crowdstrikedcs]

Almost! For Incident Details all you should need to do is use the falcon.get_incidents which you were using earlier.

Your first call, falcon.query_incidents returns a dict with a list of Incident IDs, next you pass this list of IDs to the second call falcon.get_incidents, which gets the Incident details.

Try Something Like This:

ids= falcon.query_incidents(filter="modified_timestamp:>'2021-02-04T05:57:04Z'")
response = falcon.get_incidents(ids=ids['body']['resources'])

[hermanmaleiane]

Thank you so much @crowdstrikedcs !!
It worked.

[hermanmaleiane]

Hi @crowdstrikedcs
I have one more question please.

How can i find the details related to path where malicious files are hosted?

For example:
For this incident

When i click on table view i can see where files are stored and the commands as well.

I dont have these informations when i run response = falcon.get_incidents(ids=ids['body']['resources'])

{
	"headers": {
		"X-Cs-Traceid": "5f663eb4-6b4e-4294-87cd-72353b4323d2",
		"X-Ratelimit-Limit": "6000",
		"X-Ratelimit-Remaining": "5997"
	},
	"body": {
		"meta": {
			"query_time": 0.01266727,
			"powered_by": "incident-api",
			"trace_id": "5f663eb4-6b4e-4294-87cd-72353b4323d2"
		},
		"resources": [{
			"incident_id": "inc:43f1a387a0344XXX:ef93b92f89f64d388dd8f2eec7cea45c",
			"incident_type": 1,
			"cid": "XXX",
			"host_ids": ["43f1a387a0344bcc9f1314092a4b682b"],
			"hosts": [{
				"device_id": "43f1a387a0344bXXX",
				"cid": "XXX",
				"agent_load_flags": "1",
				"agent_local_time": "2021-11-27T17:41:58.057Z",
				"agent_version": "6.30.14406.0",
				"bios_manufacturer": "HP",
				"bios_version": "R70 Ver. 01.03.04",
				"config_id_base": "65994753",
				"config_id_build": "14406",
				"config_id_platform": "3",
				"external_ip": "xxxxx.235.237.156",
				"hostname": "xxxxxxxx",
				"first_seen": "2021-01-13T08:08:14Z",
				"last_seen": "2021-11-28T03:36:23Z",
				"local_ip": "xxxx.24.0.2",
				"mac_address": "00-05-9a-3c-7a-00",
				"machine_domain": "xxxxxxx.CO.MZ",
				"major_version": "10",
				"minor_version": "0",
				"os_version": "Windows 10",
				"ou": ["Notebooks", "Computers", "xxxx"],
				"platform_id": "0",
				"platform_name": "Windows",
				"product_type": "1",
				"product_type_desc": "Workstation",
				"site_name": "HQ-SITE",
				"status": "normal",
				"system_manufacturer": "HP",
				"system_product_name": "HP EliteBook 840 G6",
				"modified_timestamp": "2021-11-28T03:37:50Z"
			}],
			"created": "2021-11-28T03:40:27Z",
			"start": "2021-11-28T03:40:45Z",
			"end": "2021-11-28T03:40:53Z",
			"state": "closed",
			"assigned_to": "a45ce366-e849-4076-9136-68b7cbccb8f1",
			"assigned_to_name": "xxxxxxxx",
			"status": 30,
			"tactics": ["Defense Evasion", "Execution"],
			"techniques": ["PowerShell", "Mshta"],
			"objectives": ["Keep Access", "Follow Through"],
			"modified_timestamp": "2021-11-30T22:36:27.632439798Z",
			"users": ["xxxxxxxxx"],
			"fine_score": 27
		}],
		"errors": []
	}
}

In think this information we can find on detects. correct if i'm wrong. The problem is i can see detects details in the incident response.

What i want to achieve is to build a powershell script to be invoked in python to delete the infected files in the path listed.

[crowdstrikedcs]

Hmmm, Let's see. This one is going to take a few different calls. CrowdStrike Incidents have related behaviors these are representative of the activity that triggered the Incident. There are 2 API calls needed to retrieve behavior information given an Incident ID (which we receive with the call to falcon.query_incidents)

The First is to falcon.query_behaviors This endpoint can be searched with an FQL filter where to return behavior_ids related to an Incident ID:
response = falcon.query_behaviors(filter="incident_id:'inc:XXX:XXX'")

The Response will include Behavior IDs that can be used in another call to falcon.get_behaviors which returns specific details including filepath and command line:
falcon.get_behaviors(ids=id_list)

[hermanmaleiane]

Thank you so much!!!

I have tested it and it works.
Much appreciated