Create custom alerts

[TaihouKai]

Are we able to create custom alerts using FalconPy?

From the wiki page, it seems like we can only...

• get all alerts giving cid(s)
• modify alert with specific alert id
• get all alerts giving alert id's
• search alerts

I'm not quite sure whether this is the newest documentation... But if we are not able to do that for now, is there any plan for this in the coming future?

Thank you very much for your help!

[crowdstrikedcs]

Hi @TaihouKai

Thank you for the question!

The Alerts library itself does not provide the ability to generate custom alerting. As designed it returns alerts generated from different Falcon modules.

Alerts provide insight into potential security issues by delivering combined notifications regarding detected activity within your tenant. (Similar to event streams.)

Unlike endpoint detections, alerts might not be process or host oriented.

Currently these Falcon Modules generate alerts

Falcon Insight XDR
Falcon Identity Protection
Falcon for Mobile

That said, I did want to ask a clarifying question on your use case. What sort of event are you looking to generate an alert for? We can for example create things like scheduled searches or indicator based rules that alert when specific activity is observed. This can also extend to things like IOAs or Firewall rules. Let me know a bit more about what sort of activity you are looking to be alerted on and we can walk through some other options.

[TaihouKai]

Thank you very much for your answer! I would like to create custom alerts for "host online" event, providing aid of the host. I expect to send email, modify subject of the email, and preview alert contents in the email, as we could do in the custom alerts UI, when certain host(s) becomes online.

[crowdstrikedcs]

Sounds good, can you send a link to the custom alerts UI that you're viewing?

[TaihouKai]

Sorry for late reply! I usually created custom alerts here: https://falcon.crowdstrike.com/investigate/events/en-us/app/eam2/cd_overview (and Alert Templates -> Host Back Online -> Preview Alert -> AgentId -> etc...)

[crowdstrikedcs]

That page specifically lives only in Splunk from what I can find. I'm afraid it doesn't have an API to access the data so we aren't currently able to manage the data there.