GetIncidents Question #472
-
Hi team, hope you are doing well. I'm trying to query incidents. I want to query the incidents, for example in the last 30 minutes, and get all details related to hosts etc., without providing a list of IDs as stated in the documentation.

```python
from falconpy import Incidents

falcon = Incidents(client_id="API_CLIENT_ID_HERE",
                   client_secret="API_CLIENT_SECRET_HERE"
                   )
id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_incidents(ids=id_list)
print(response)
```

The error I'm getting while performing the call without `id_list`:

```json
{
  "status_code": 400,
  "headers": {
    "Content-Encoding": "gzip",
    "Content-Length": "237",
    "Content-Type": "application/json",
    "Date": "Thu, 02 Dec 2021 15:03:59 GMT",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains, max-age=15724800; includeSubDomains",
    "X-Cs-Region": "us-1",
    "X-Cs-Traceid": "cd485863-c8a6-4808-afd4-cf8b5b00c2d1",
    "X-Ratelimit-Limit": "6000",
    "X-Ratelimit-Remaining": "5999"
  },
  "body": {
    "meta": {
      "query_time": 0.008969446,
      "powered_by": "incident-api",
      "trace_id": "cd485863-c8a6-4808-afd4-cf8b5b00c2d1"
    },
    "resources": [],
    "errors": [{
      "code": 400,
      "message": "The 'ids' parameter must be present at least once and can be present up to 500 times."
    }]
  }
}
```

@jshcodes can you please help!!
-
Hey there! Great question, we should be able to cover this use case with the `query_incidents` function. This function accepts an FQL filter where you can specify search parameters. In this case your filter for incidents updated in the last 30 minutes would look like this:

```
modified_timestamp:>'timestamp'
```

where `timestamp` is of the form `2021-02-04T05:57:04Z`. This will return incident IDs that have been modified since your timestamp (which you can set to the current time less 30 minutes). You can feed these into your existing calls to get details by ID.

Try something like this:

```python
response = falcon.query_incidents(filter="modified_timestamp:>'2021-02-04T05:57:04Z'")
```

Let me know how it works!
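As an added example (not code from this thread or from FalconPy itself), here is the full flow the reply describes: build the 30-minute `modified_timestamp` filter, page through `query_incidents`, and hand the returned `inc:` IDs to `get_incidents`, skipping that lookup when nothing matched so the "'ids' parameter must be present" 400 from the question never fires. `StubIncidents`, `SAMPLE_NOW` and `SAMPLE_INCIDENTS` are constructed stand-ins so the block runs offline; the `offset`/`limit` keyword names are assumed to match the SDK, and the 500-ID batch size comes from the error message above.

```python
from datetime import datetime, timedelta, timezone

def recent_incidents_filter(now: datetime, minutes: int = 30) -> str:
    """FQL filter for incidents modified in the last `minutes`; timestamp in the 2021-02-04T05:57:04Z form."""
    since = now.astimezone(timezone.utc) - timedelta(minutes=minutes)
    return f"modified_timestamp:>'{since.strftime('%Y-%m-%dT%H:%M:%SZ')}'"

def fetch_recent_incidents(falcon, now: datetime, minutes: int = 30, page_size: int = 100) -> list:
    """Page through query_incidents, then resolve the returned 'inc:' IDs with get_incidents."""
    fql, ids, offset = recent_incidents_filter(now, minutes), [], 0
    while True:
        resp = falcon.query_incidents(filter=fql, offset=offset, limit=page_size)
        if resp["status_code"] != 200:
            raise RuntimeError(f"query_incidents failed: {resp['body']['errors']}")
        page = resp["body"]["resources"]
        ids.extend(page)
        offset += len(page)
        total = resp["body"]["meta"].get("pagination", {}).get("total", offset)
        if not page or offset >= total:
            break
    if not ids:  # get_incidents rejects an empty 'ids' list with HTTP 400, so do not call it
        return []
    details = []
    for start in range(0, len(ids), 500):  # the API accepts at most 500 ids per call
        resp = falcon.get_incidents(ids=ids[start:start + 500])
        if resp["status_code"] != 200:
            raise RuntimeError(f"get_incidents failed: {resp['body']['errors']}")
        details.extend(resp["body"]["resources"])
    return details

class StubIncidents:
    """Constructed stand-in for falconpy.Incidents that replays canned responses offline (not the SDK)."""
    def __init__(self, incidents: dict):
        self.incidents, self.calls = incidents, []  # incident_id -> detail resource
    def query_incidents(self, filter, offset=0, limit=100):
        self.calls.append(("query", filter, offset, limit))
        page = sorted(self.incidents)[offset:offset + limit]
        meta = {"pagination": {"offset": offset, "limit": limit, "total": len(self.incidents)}}
        return {"status_code": 200, "body": {"meta": meta, "resources": page, "errors": []}}
    def get_incidents(self, ids):
        self.calls.append(("get", tuple(ids)))
        if not ids:  # mirrors the real API's "'ids' parameter must be present" error
            return {"status_code": 400, "body": {"resources": [], "errors": [{"code": 400}]}}
        return {"status_code": 200, "body": {"resources": [self.incidents[i] for i in ids], "errors": []}}

# Constructed sample data: three incidents and a fixed "now" so the filter string is reproducible.
SAMPLE_NOW = datetime(2021, 12, 2, 15, 34, 53, tzinfo=timezone.utc)
SAMPLE_INCIDENTS = {f"inc:host{i}:{i:032x}": {"incident_id": f"inc:host{i}:{i:032x}", "state": "closed"} for i in range(3)}
```

Against the real SDK, call `fetch_recent_incidents(Incidents(client_id=..., client_secret=...), datetime.now(timezone.utc))` in place of the stub.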
-
Hi @crowdstrikedcs, thank you so much. I got this response:

```json
{
  "status_code": 200,
  "headers": {
    "Content-Encoding": "gzip",
    "Content-Length": "249",
    "Content-Type": "application/json",
    "Date": "Thu, 02 Dec 2021 15:34:53 GMT",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains, max-age=15724800; includeSubDomains",
    "X-Cs-Region": "us-1",
    "X-Cs-Traceid": "801dfdf7-7bb8-489d-bce0-05f0634afa80",
    "X-Ratelimit-Limit": "6000",
    "X-Ratelimit-Remaining": "5999"
  },
  "body": {
    "meta": {
      "query_time": 0.011390812,
      "pagination": {
        "offset": 0,
        "limit": 100,
        "total": 1
      },
      "powered_by": "incident-api",
      "trace_id": "801dfdf7-7bb8-489d-bce0-05f0634afa80"
    },
    "resources": ["inc:43f1a387a0344bREDACTED:ef93b92f89f64d388ddREDACTED"],
    "errors": []
  }
}
```

Then I extracted the `inc:` ID from `resources`:

```python
id_list = '43f1a387a0344bREDACTED:ef93b92f89f64d388ddREDACTED'
response = falcon.get_behaviors(ids=id_list)
```

The error now is:

```json
{
  "status_code": 400,
  "headers": {
    "Content-Encoding": "gzip",
    "Content-Length": "245",
    "Content-Type": "application/json",
    "Date": "Thu, 02 Dec 2021 15:40:02 GMT",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains, max-age=15724800; includeSubDomains",
    "X-Cs-Region": "us-1",
    "X-Cs-Traceid": "c6835afe-c6aa-4c21-b971-e85fd20f0060",
    "X-Ratelimit-Limit": "6000",
    "X-Ratelimit-Remaining": "5997"
  },
  "body": {
    "meta": {
      "query_time": 0.009547633,
      "powered_by": "incident-api",
      "trace_id": "c6835afe-c6aa-4c21-b971-e85fd20f0060"
    },
    "resources": [],
    "errors": [{
      "code": 400,
      "message": "invalid behavior id=43f1a387a0344bREDACTED:ef93b92f89f64d388ddREDACTED"
    }]
  }
}
```

How can I get the details about each incident? What is the best approach?
-
Thank you so much @crowdstrikedcs!!
-
Hi @crowdstrikedcs, how can I find the details related to the path where malicious files are hosted? For example, I don't have this information when I run `response = falcon.get_incidents(ids=ids['body']['resources'])`:

```json
{
  "headers": {
    "X-Cs-Traceid": "5f663eb4-6b4e-4294-87cd-72353b4323d2",
    "X-Ratelimit-Limit": "6000",
    "X-Ratelimit-Remaining": "5997"
  },
  "body": {
    "meta": {
      "query_time": 0.01266727,
      "powered_by": "incident-api",
      "trace_id": "5f663eb4-6b4e-4294-87cd-72353b4323d2"
    },
    "resources": [{
      "incident_id": "inc:43f1a387a0344XXX:ef93b92f89f64d388dd8f2eec7cea45c",
      "incident_type": 1,
      "cid": "XXX",
      "host_ids": ["43f1a387a0344bcc9f1314092a4b682b"],
      "hosts": [{
        "device_id": "43f1a387a0344bXXX",
        "cid": "XXX",
        "agent_load_flags": "1",
        "agent_local_time": "2021-11-27T17:41:58.057Z",
        "agent_version": "6.30.14406.0",
        "bios_manufacturer": "HP",
        "bios_version": "R70 Ver. 01.03.04",
        "config_id_base": "65994753",
        "config_id_build": "14406",
        "config_id_platform": "3",
        "external_ip": "xxxxx.235.237.156",
        "hostname": "xxxxxxxx",
        "first_seen": "2021-01-13T08:08:14Z",
        "last_seen": "2021-11-28T03:36:23Z",
        "local_ip": "xxxx.24.0.2",
        "mac_address": "00-05-9a-3c-7a-00",
        "machine_domain": "xxxxxxx.CO.MZ",
        "major_version": "10",
        "minor_version": "0",
        "os_version": "Windows 10",
        "ou": ["Notebooks", "Computers", "xxxx"],
        "platform_id": "0",
        "platform_name": "Windows",
        "product_type": "1",
        "product_type_desc": "Workstation",
        "site_name": "HQ-SITE",
        "status": "normal",
        "system_manufacturer": "HP",
        "system_product_name": "HP EliteBook 840 G6",
        "modified_timestamp": "2021-11-28T03:37:50Z"
      }],
      "created": "2021-11-28T03:40:27Z",
      "start": "2021-11-28T03:40:45Z",
      "end": "2021-11-28T03:40:53Z",
      "state": "closed",
      "assigned_to": "a45ce366-e849-4076-9136-68b7cbccb8f1",
      "assigned_to_name": "xxxxxxxx",
      "status": 30,
      "tactics": ["Defense Evasion", "Execution"],
      "techniques": ["PowerShell", "Mshta"],
      "objectives": ["Keep Access", "Follow Through"],
      "modified_timestamp": "2021-11-30T22:36:27.632439798Z",
      "users": ["xxxxxxxxx"],
      "fine_score": 27
    }],
    "errors": []
  }
}
```

I think this information can be found in detects; correct me if I'm wrong. The problem is I can see detect details in the incident response. What I want to achieve is to build a PowerShell script to be invoked from Python to delete the infected files in the listed path.