Get-FalconBehavior

Search for behaviors associated with incidents. Required Permission: Incidents: Read

Syntax

# Search for behaviors
Get-FalconBehavior [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] 
  [-Detailed] [-All] [-Total]

# Get specific behaviors by ID
Get-FalconBehavior -Id <string[]>

Parameters

Id
string[]
Behavior identifier(s). Can be provided via pipeline.
Pattern: ^ind:[a-fA-F0-9]{32}:(\d|\-)+$
Aliases: ids, behavior_id
Filter
string
Falcon Query Language (FQL) expression to limit results. Must be a valid FQL statement.
Sort
string
Property and direction to sort results.
Valid values: timestamp.asc, timestamp.desc
Limit
int32
Maximum number of results per request.
Range: 1-500
Offset
int32
Position to begin retrieving results (used for pagination).
Detailed
switch
Retrieve detailed information for behaviors.
All
switch
Repeat requests until all available results are retrieved.
Total
switch
Display total result count instead of results.

Examples

# Get all behaviors sorted by timestamp
Get-FalconBehavior -Sort timestamp.desc -All

# Get behaviors with specific filter
Get-FalconBehavior -Filter "severity:'high'" -Limit 100
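A longer worked example, added here and not part of the PSFalcon reference: it pulls every behavior from the last seven days with -Detailed and -All in one call, checks the returned identifiers against the documented pattern, and rolls the results up by tactic and technique so the noisiest patterns surface first. It assumes Request-FalconToken has already established a session with Incidents: Read, that 'timestamp' is an FQL-filterable field on behaviors, and that detailed behavior objects carry 'behavior_id', 'tactic', 'technique' and 'incident_id' fields; those field names are assumptions, not taken from this page.

```powershell
# Added example, not from the PSFalcon reference. Assumes Request-FalconToken has already
# produced a session with 'Incidents: Read', and that detailed behavior objects carry
# 'behavior_id', 'tactic', 'technique' and 'incident_id' fields (assumed field names).

# Only look at the last 7 days; 'timestamp' is assumed to be an FQL-filterable field here.
$Since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")

# -All follows pagination until every matching behavior is returned; -Detailed expands the
# bare 'ind:...' identifiers into full objects in the same call.
$Behaviors = @(Get-FalconBehavior -Filter "timestamp:>'$Since'" -Sort timestamp.desc -Detailed -All)

if (-not $Behaviors) {
    Write-Warning 'No behaviors returned for the last 7 days'
    return
}

# Sanity check: every id should match the documented pattern before it is reused elsewhere.
$BadIds = $Behaviors.behavior_id | Where-Object { $_ -notmatch '^ind:[a-fA-F0-9]{32}:(\d|\-)+$' }
if ($BadIds) {
    Write-Warning ('Unexpected behavior id format: {0}' -f ($BadIds -join ', '))
}

# Roll the behaviors up by MITRE tactic/technique, counting distinct incidents per pair.
$Behaviors | Group-Object tactic, technique |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Tactic/Technique'; e = { $_.Name } },
        @{ n = 'Incidents'; e = { @($_.Group.incident_id | Sort-Object -Unique).Count } } |
    Format-Table -AutoSize
```

Because -All repeats requests until the result set is exhausted, a wide time window against a large tenant can mean many paged calls; narrow the filter first or use -Total to see how much you are about to pull.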

Get-FalconIncident

Search for incidents in the CrowdStrike Falcon platform. Required Permission: Incidents: Read

Syntax

# Search for incidents
Get-FalconIncident [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] 
  [-Detailed] [-All] [-Total]

# Get specific incidents by ID
Get-FalconIncident -Id <string[]>

Parameters

Id
string[]
Incident identifier(s). Can be provided via pipeline.
Pattern: ^inc:[a-fA-F0-9]{32}:[a-fA-F0-9]{32}$
Aliases: ids, incident_id
Filter
string
Falcon Query Language (FQL) expression to limit results. Must be a valid FQL statement.
Sort
string
Property and direction to sort results.
Valid values: assigned_to.asc, assigned_to.desc, assigned_to_name.asc, assigned_to_name.desc, end.asc, end.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, sort_score.asc, sort_score.desc, start.asc, start.desc, state.asc, state.desc, status.asc, status.desc
Limit
int32
Maximum number of results per request.
Range: 1-500
Offset
int32
Position to begin retrieving results (used for pagination).
Detailed
switch
Retrieve detailed information for incidents.
All
switch
Repeat requests until all available results are retrieved.
Total
switch
Display total result count instead of results.

Examples

# Get all open incidents
Get-FalconIncident -Filter "state:'open'" -All

# Get incidents sorted by severity score
Get-FalconIncident -Sort sort_score.desc -Limit 50
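A worked triage example, added here and not part of the PSFalcon reference: it uses -Total to size the open-incident set before pulling it, then pages through everything with -Detailed and -All and surfaces open incidents that are both unassigned and older than a few days. It assumes a session with Incidents: Read; the detailed incident field names used ('incident_id', 'start', 'status', 'assigned_to_name', 'host_ids', 'fine_score') and the numeric status codes in $StatusName are assumptions about the incident schema, not facts stated on this page.

```powershell
# Added example, not from the PSFalcon reference. Assumes an existing Request-FalconToken
# session with 'Incidents: Read'. The detailed incident field names used below and the
# numeric status codes in $StatusName are assumptions about the Falcon incident schema.

$StatusName = @{ 20 = 'New'; 25 = 'Reopened'; 30 = 'In Progress'; 40 = 'Closed' }
$Filter     = "state:'open'"
$StaleDays  = 3

# -Total answers "how many?" without pulling every record; check it before a large -All pull.
$Count = Get-FalconIncident -Filter $Filter -Total
Write-Host "Open incidents: $Count"

# A single request returns at most 500 results (Limit range is 1-500), so -All is used to
# page through the whole set; -Detailed expands the IDs into full objects in the same call.
$Open = @(Get-FalconIncident -Filter $Filter -Sort start.asc -Detailed -All)

$Stale = $Open | ForEach-Object {
    [pscustomobject]@{
        IncidentId = $_.incident_id
        AgeDays    = [math]::Round(((Get-Date) - [datetime]$_.start).TotalDays, 1)
        Status     = $StatusName[[int]$_.status]
        Assignee   = if ($_.assigned_to_name) { $_.assigned_to_name } else { '(unassigned)' }
        Hosts      = @($_.host_ids).Count
        Score      = $_.fine_score
    }
} | Where-Object { $_.AgeDays -ge $StaleDays -and $_.Assignee -eq '(unassigned)' }

if (-not $Stale) {
    Write-Host "No unassigned open incidents older than $StaleDays days"
} else {
    $Stale | Sort-Object AgeDays -Descending | Format-Table -AutoSize
}
```

Sorting on start.asc means the oldest incidents come back first, so even a capped pull (-Limit without -All) lands on the ones most likely to have been forgotten.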

Get-FalconScore

Search for CrowdScore values in the CrowdStrike Falcon platform. Required Permission: Incidents: Read

Syntax

Get-FalconScore [-Filter <string>] [-Sort <string>] [-Limit <int32>] [-Offset <int32>] 
  [-All] [-Total]

Parameters

Filter
string
Falcon Query Language (FQL) expression to limit results. Must be a valid FQL statement.
Sort
string
Property and direction to sort results.
Valid values: score.asc, score.desc, timestamp.asc, timestamp.desc
Limit
int32
Maximum number of results per request.
Range: 1-2500
Offset
int32
Position to begin retrieving results (used for pagination).
All
switch
Repeat requests until all available results are retrieved.
Total
switch
Display total result count instead of results.

Examples

# Get all CrowdScores
Get-FalconScore -All

# Get CrowdScores sorted by value
Get-FalconScore -Sort score.desc -Limit 100
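A worked example, added here and not part of the PSFalcon reference: it pulls the last 24 hours of CrowdScore samples, reports the current, peak and average values, and warns only when the current score is both above a threshold and above the 24-hour average, so a single spike does not page anyone. It assumes a session with Incidents: Read, that 'timestamp' is an FQL-filterable field on CrowdScore records, and that each record exposes 'score' and 'timestamp'; the threshold value is an arbitrary assumption.

```powershell
# Added example, not from the PSFalcon reference. Assumes an existing session with
# 'Incidents: Read' and that each CrowdScore record exposes 'score' and 'timestamp'
# (assumed field names); the 'timestamp' FQL filter and $Threshold are assumptions.

$Threshold = 50
$Since = (Get-Date).ToUniversalTime().AddHours(-24).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")

# Newest first so the first element is the current environment score; -All pages past the
# 2500-per-request limit should the window ever contain more samples than that.
$Scores = @(Get-FalconScore -Filter "timestamp:>'$Since'" -Sort timestamp.desc -All)
if (-not $Scores) {
    Write-Warning 'No CrowdScore samples in the last 24 hours'
    return
}

$Current = [int]$Scores[0].score
$Stats   = $Scores | Measure-Object -Property score -Maximum -Average
$PeakAt  = ($Scores | Sort-Object { [int]$_.score } -Descending | Select-Object -First 1).timestamp

[pscustomobject]@{
    Samples = $Scores.Count
    Current = $Current
    Peak    = [int]$Stats.Maximum
    PeakAt  = $PeakAt
    Average = [math]::Round($Stats.Average, 1)
}

# Alert on a sustained climb rather than one sample: above threshold AND above the 24h average.
if ($Current -gt $Threshold -and $Current -gt $Stats.Average) {
    Write-Warning ('CrowdScore {0} exceeds threshold {1} (24h average {2:N1})' -f $Current, $Threshold, $Stats.Average)
}
```

Get-FalconScore has no -Detailed switch because the score records are returned in full by the search itself; sort by score.desc instead of timestamp.desc if you only want the peak.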

Invoke-FalconIncidentAction

Perform actions on incidents in the CrowdStrike Falcon platform. Required Permission: Incidents: Write

Syntax

# Perform a single action
Invoke-FalconIncidentAction -Name <string> [-Value <string>] [-UpdateDetects <boolean>] 
  [-OverwriteDetects <boolean>] -Id <string[]>

# Perform multiple actions
Invoke-FalconIncidentAction -Action <hashtable[]> [-UpdateDetects <boolean>] 
  [-OverwriteDetects <boolean>] -Id <string[]>

Parameters

Name
string
required
Action to perform on the incident(s).Valid values:
  • add_tag - Add a tag to the incident
  • delete_tag - Remove a tag from the incident
  • unassign - Unassign the incident
  • update_description - Update the incident description
  • update_name - Update the incident name
  • update_status - Update the incident status
  • update_assigned_to_v2 - Assign incident to a user
Value
string
Value for the chosen action (e.g., tag name, description text, user ID, status value).
Action
hashtable[]
One or more hashtables defining multiple name/value pairs for batch operations.
Aliases: action_parameters
Example: @(@{name='add_tag'; value='investigated'}, @{name='update_status'; value='closed'})
UpdateDetects
boolean
Update status of related ‘new’ detections when updating incident status.
Aliases: update_detects
OverwriteDetects
boolean
Replace existing status for related detections when updating incident status.
Aliases: overwrite_detects
Id
string[]
required
Incident identifier(s). Can be provided via pipeline.
Pattern: ^inc:[a-fA-F0-9]{32}:[a-fA-F0-9]{32}$
Aliases: ids, incident_id

Examples

# Update status of an incident
Invoke-FalconIncidentAction -Name update_status -Value 'closed' -Id $IncidentId

# Update status and related detections
Invoke-FalconIncidentAction -Name update_status -Value 'in_progress' -UpdateDetects $true -Id $IncidentId

Notes

  • Maximum of 1000 incident IDs can be processed per request
  • When using -Action, multiple operations can be performed in a single API call
  • The -UpdateDetects parameter automatically updates related detections when changing incident status
  • Use -OverwriteDetects to replace existing detection statuses instead of only updating ‘new’ detections
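A worked example that ties the notes above together, added here and not part of the PSFalcon reference: it selects open incidents that nobody owns, applies three changes (tag, assignee, status) with a single -Action batch, splits the ID list into chunks of 1000 to respect the per-request maximum, and moves the incidents' still-'new' detections along with them via -UpdateDetects while leaving -OverwriteDetects off. It assumes a session with Incidents: Write, a real Falcon user UUID in $AnalystUuid (placeholder below), that update_assigned_to_v2 takes that UUID as its value, and that detailed incident objects expose 'assigned_to' and 'incident_id' (assumed field names). The status name 'in_progress' follows this page's own example.

```powershell
# Added example, not from the PSFalcon reference. Assumes a session with 'Incidents: Write',
# a Falcon user UUID in $AnalystUuid (placeholder), and that detailed incident objects expose
# 'assigned_to' and 'incident_id' (assumed field names).

$AnalystUuid = '00000000-0000-0000-0000-000000000000'   # placeholder, replace with a real user UUID

# Target: open incidents that nobody owns yet. Filtering on assignment is done client-side
# here rather than guessing at an FQL field name for it.
$Ids = @(Get-FalconIncident -Filter "state:'open'" -Detailed -All |
    Where-Object { -not $_.assigned_to } |
    Select-Object -ExpandProperty incident_id)

if (-not $Ids) {
    Write-Host 'Nothing to triage'
    return
}
Write-Host ('Triaging {0} unassigned open incident(s)' -f $Ids.Count)

# One -Action batch performs all three changes in a single API call per request.
$Actions = @(
    @{ name = 'add_tag';               value = 'triage/auto-assigned' }
    @{ name = 'update_assigned_to_v2'; value = $AnalystUuid }
    @{ name = 'update_status';         value = 'in_progress' }
)

# The endpoint accepts at most 1000 incident IDs per request, so larger sets are split.
$BatchSize = 1000
for ($i = 0; $i -lt $Ids.Count; $i += $BatchSize) {
    $Last  = [math]::Min($i + $BatchSize, $Ids.Count) - 1
    $Batch = @($Ids[$i..$Last])
    try {
        # -UpdateDetects $true moves the incidents' still-'new' detections to the new status;
        # -OverwriteDetects is deliberately left off so detections an analyst has already
        # touched keep whatever status they were given.
        Invoke-FalconIncidentAction -Action $Actions -UpdateDetects $true -Id $Batch
        Write-Host ('Batch {0}: updated {1} incident(s)' -f ($i / $BatchSize + 1), $Batch.Count)
    } catch {
        Write-Warning ('Batch starting at index {0} failed: {1}' -f $i, $_.Exception.Message)
    }
}
```

Treat a status change with -UpdateDetects as a bulk operation on detections too: running the same pattern with update_status 'closed' against a broad filter closes every 'new' detection under those incidents in one go, so run the Get-FalconIncident query with -Total first and confirm the count is what you expect before the write.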