# Message Center

Joshua Hiller edited this page Dec 11, 2021 · 12 revisions
Operation ID | Description
---|---
AggregateCases | Retrieve aggregate case values based on the matched filter
GetCaseActivityByIds | Retrieve activities for given IDs
CaseAddActivity | Add an activity to a case. Only activities of type comment are allowed via the API
CaseDownloadAttachment | Retrieve an attachment for the case, given the attachment ID
CaseAddAttachment | Upload an attachment for the case
CreateCase | Create a new case
UpdateCase | Update an existing case
GetCaseEntitiesByIDs | Retrieve message center cases
QueryActivityByCaseID | Retrieve activity IDs for a case
QueryCasesIdsByFilter | Retrieve case IDs that match the provided filter criteria
## Retrieve aggregate case values based on the matched filter

PEP8 method name: `aggregate_cases`

- Consumes: application/json
- Produces: application/json

Name | Type | Datatype | Description
---|---|---|---
body | body | string | Full body payload in JSON format.
date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: `[ { "from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z" }, { "from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z" } ]`
field | body | string | The field on which to compute the aggregation.
filter | body | string | FQL syntax formatted string to use to filter the results.
interval | body | string | Time interval for date histogram aggregations. Valid values include:
min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here.
missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you.
q | body | string | Full text search across all metadata fields.
ranges | body | list of dictionaries | Applies to range aggregations. Range values will depend on the field. For example, if max_severity is used, ranges might look like: `[ { "From": 0, "To": 70 }, { "From": 70, "To": 100 } ]`
size | body | integer | The max number of term buckets to be returned.
sub_aggregates | body | list of dictionaries | A nested aggregation, such as: `[ { "name": "max_first_behavior", "type": "max", "field": "first_behavior" } ]` There is a maximum of 3 nested aggregations per request.
sort | body | string | FQL syntax string to sort bucket results. `asc` and `desc` using the `\|` format. Example: `_count\|desc`
time_zone | body | string | Time zone for bucket results.
type | body | string | Type of aggregation. Valid values include:
**Service class example (PEP8 syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.aggregate_cases(date_ranges=date_ranges,
                                  field="string",
                                  filter="string",
                                  interval="string",
                                  min_doc_count=0,
                                  missing="string",
                                  name="string",
                                  q="string",
                                  ranges=ranges,
                                  size=0,
                                  sort="string",
                                  time_zone="string",
                                  type="string"
                                  )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

response = falcon.AggregateCases(date_ranges=date_ranges,
                                 field="string",
                                 filter="string",
                                 interval="string",
                                 min_doc_count=0,
                                 missing="string",
                                 name="string",
                                 q="string",
                                 ranges=ranges,
                                 size=0,
                                 sort="string",
                                 time_zone="string",
                                 type="string"
                                 )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

date_ranges = [
    {
        "from": "2021-05-15T14:55:21.892315096Z",
        "to": "2021-05-17T13:42:16.493180643Z"
    }
]

ranges = [
    {
        "From": 1,
        "To": 100
    }
]

# The raw BODY payload is a list of aggregate queries
BODY = [{
    "date_ranges": date_ranges,
    "field": "string",
    "filter": "string",
    "interval": "string",
    "min_doc_count": 0,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": ranges,
    "size": 0,
    "sort": "string",
    "sub_aggregates": [],  # optional nested aggregations (maximum of 3), e.g. {"name": "max_first_behavior", "type": "max", "field": "first_behavior"}
    "time_zone": "string",
    "type": "string"
}]

response = falcon.command("AggregateCases", body=BODY)
print(response)
```
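A small request builder for the aggregate body described above, added here as an example and not part of the wiki or of FalconPy: it assembles one element of the list the Uber example passes as `body`, and enforces the constraints the parameter table states (`sort` in `field|asc` / `field|desc` form, at most 3 `sub_aggregates`, `from`/`to` keys in `date_ranges` and the capitalised `From`/`To` keys in `ranges`), while omitting unset options instead of sending placeholder strings. The aggregation type names are not validated because the list of valid values is not on this page; `case.created_time` as a field name is a constructed assumption.

```python
import re
from datetime import datetime, timezone

MAX_SUB_AGGREGATES = 3                                       # documented limit per request
SORT_PATTERN = re.compile(r"^[A-Za-z0-9_.]+\|(asc|desc)$")   # e.g. _count|desc
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"
AGGREGATE_OPTIONS = {"filter", "q", "sort", "size", "min_doc_count", "missing", "interval",
                     "time_zone", "date_ranges", "ranges", "sub_aggregates"}


def date_range(start_iso: str, end_iso: str) -> dict:
    """One date_ranges entry, {"from": ..., "to": ...}, normalised to UTC RFC 3339 as in the table.

    Accepts any ISO 8601 timestamp with an offset (a trailing "Z" is treated as +00:00).
    """
    start = datetime.fromisoformat(start_iso.replace("Z", "+00:00")).astimezone(timezone.utc)
    end = datetime.fromisoformat(end_iso.replace("Z", "+00:00")).astimezone(timezone.utc)
    if end <= start:
        raise ValueError("date range must end after it starts")
    return {"from": start.strftime(RFC3339), "to": end.strftime(RFC3339)}


def aggregate_query(name: str, agg_type: str, field: str, **options) -> dict:
    """Build one element of the AggregateCases body list, rejecting shapes the table rules out.

    Aggregation type names are passed through unchecked; the valid-value list is not on this page.
    """
    unknown = set(options) - AGGREGATE_OPTIONS
    if unknown:
        raise ValueError(f"unknown aggregate option(s): {sorted(unknown)}")
    sort = options.get("sort")
    if sort is not None and not SORT_PATTERN.match(sort):
        raise ValueError("sort must be '<field>|asc' or '<field>|desc', e.g. '_count|desc'")
    if len(options.get("sub_aggregates") or []) > MAX_SUB_AGGREGATES:
        raise ValueError(f"at most {MAX_SUB_AGGREGATES} sub_aggregates per request")
    for entry in options.get("date_ranges") or []:
        if set(entry) != {"from", "to"}:
            raise ValueError("each date_ranges entry needs exactly the keys 'from' and 'to'")
    for entry in options.get("ranges") or []:
        if set(entry) != {"From", "To"}:   # note the capitalised keys used by ranges
            raise ValueError("each ranges entry needs exactly the keys 'From' and 'To'")
    query = {"name": name, "type": agg_type, "field": field}
    query.update({key: value for key, value in options.items() if value is not None})
    return query


if __name__ == "__main__":
    # Constructed example: one week of cases, counted into a date_range bucket, largest buckets first.
    week = date_range("2021-12-01T00:00:00Z", "2021-12-08T00:00:00Z")
    body = [aggregate_query("cases_last_week", "date_range", "case.created_time",
                            date_ranges=[week], sort="_count|desc", size=10)]
    print(body)   # hand to falcon.command("AggregateCases", body=body) or falcon.aggregate_cases(body=body)
```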
## Retrieve activities for given IDs

PEP8 method name: `get_case_activity`

- Consumes: application/json
- Produces: application/json

Name | Type | Datatype | Description
---|---|---|---
body | body | string | Full body payload in JSON format.
ids | body | string or list of strings | One or more Case IDs.
**Service class example (PEP8 syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_case_activity(ids=id_list)
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetCaseActivityByIds(ids=id_list)
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetCaseActivityByIds", body=BODY)
print(response)
```
## Add an activity to a case. Only activities of type comment are allowed via the API

PEP8 method name: `add_case_activity`

- Consumes: application/json
- Produces: application/json

Name | Type | Datatype | Description
---|---|---|---
body | body | string | Full body payload in JSON format.
case_id | body | string | Case ID to attach the activity to.
content | body | string | Case activity content. Used for the `body` key within the BODY payload.
type | body | string | Case activity type.
user_uuid | body | string | UUID of the user attached to the case activity.
**Service class example (PEP8 syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

response = falcon.add_case_activity(case_id="string",
                                    content="string",
                                    type="string",
                                    user_uuid="string"
                                    )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

response = falcon.CaseAddActivity(case_id="string",
                                  content="string",
                                  type="string",
                                  user_uuid="string"
                                  )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

# Raw BODY payload uses the key `body` not `content`
BODY = {
    "body": "string",
    "case_id": "string",
    "type": "string",
    "user_uuid": "string"
}

response = falcon.command("CaseAddActivity", body=BODY)
print(response)
```
## Retrieve an attachment for the case, given the attachment ID

PEP8 method name: `download_case_attachment`

- Consumes: application/json
- Produces: application/json

Name | Type | Datatype | Description
---|---|---|---
id | query | string | Attachment ID to retrieve.
parameters | query | string | Full query string parameters payload in JSON format.
**Service class example (PEP8 syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

# The attachment comes back as raw bytes, so the file must be opened in binary mode
with open("savefile.exe", "wb") as save_file:
    save_file.write(falcon.download_case_attachment(id="string"))
```

**Service class example (Operation ID syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

# The attachment comes back as raw bytes, so the file must be opened in binary mode
with open("savefile.exe", "wb") as save_file:
    save_file.write(falcon.CaseDownloadAttachment(id="string"))
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

# The attachment comes back as raw bytes, so the file must be opened in binary mode
with open("savefile.exe", "wb") as save_file:
    save_file.write(falcon.command("CaseDownloadAttachment", id="string"))
```
## Upload an attachment for the case

PEP8 method name: `add_case_attachment`

- Consumes: multipart/form-data
- Produces: application/json

Name | Type | Datatype | Description
---|---|---|---
case_id | formData | string | Case ID to update.
data | formData | file | Content of the attachment in binary format. Max file size is 15 MB. Filename must start with a-zA-Z0-9_- and has a maximum of 255 characters. Allowed characters in the file name are a-zA-Z0-9-_. Accepted file formats:
file_data or sample or upfile | formData | file | Content of the attachment in binary format. Max file size is 15 MB. `sample` and `upfile` are also accepted as this parameter. Filename must start with a-zA-Z0-9_- and has a maximum of 255 characters. Allowed characters in the file name are a-zA-Z0-9-_. Accepted file formats:
parameters | query | string | Full query string parameters payload in JSON format.
user_uuid | formData | string | UUID of the user providing the attachment.
**Service class example (PEP8 syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

FILENAME = "testfile.png"
with open(FILENAME, 'rb') as payload_file:
    PAYLOAD = payload_file.read()

response = falcon.add_case_attachment(case_id="string",
                                      file_data=PAYLOAD,
                                      user_uuid="string"
                                      )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

FILENAME = "testfile.png"
with open(FILENAME, 'rb') as payload_file:
    PAYLOAD = payload_file.read()

response = falcon.CaseAddAttachment(case_id="string",
                                    file_data=PAYLOAD,
                                    user_uuid="string"
                                    )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

FILENAME = "testfile.png"
with open(FILENAME, 'rb') as payload_file:
    PAYLOAD = payload_file.read()

# The Uber class takes the file content through the `data` keyword
response = falcon.command("CaseAddAttachment",
                          data=PAYLOAD,
                          case_id="string",
                          user_uuid="string"
                          )
print(response)
```
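A pre-flight check for the two attachment operations above (download and upload), added as an example and not part of the wiki or of FalconPy: it applies the filename and size rules the `add_case_attachment` table states before any request is made, which also keeps path-like names (`../x`, `.env`) from ever reaching the API, and it unwraps a download result before writing it in binary mode. It assumes, as with FalconPy's other binary downloads, that `download_case_attachment()` returns the raw bytes on success and a `status_code`/`headers`/`body` dictionary on an error response; the sample bytes and IDs are constructed.

```python
import re

# Limits taken from the add_case_attachment parameter table above.
MAX_ATTACHMENT_BYTES = 15 * 1024 * 1024
MAX_FILENAME_LEN = 255
# Must start with a-zA-Z0-9_- ; every character limited to a-zA-Z0-9-_. (no spaces, no path separators)
FILENAME_PATTERN = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]*$")


def attachment_problems(filename: str, data: bytes) -> list:
    """Return every documented constraint the (filename, data) pair violates; empty means acceptable."""
    problems = []
    if not filename:
        problems.append("filename is empty")
    elif len(filename) > MAX_FILENAME_LEN:
        problems.append(f"filename exceeds {MAX_FILENAME_LEN} characters")
    elif not FILENAME_PATTERN.match(filename):
        # Leading dots and slashes fail here, so "../x" or ".hidden" are rejected locally.
        problems.append("filename must start with a-zA-Z0-9_- and use only a-zA-Z0-9-_.")
    if len(data) == 0:
        problems.append("attachment is empty")
    elif len(data) > MAX_ATTACHMENT_BYTES:
        problems.append(f"attachment exceeds {MAX_ATTACHMENT_BYTES} bytes")
    return problems


def build_upload_kwargs(case_id: str, user_uuid: str, filename: str, data: bytes) -> dict:
    """Validate locally, then return the keyword arguments for MessageCenter.add_case_attachment()."""
    problems = attachment_problems(filename, data)
    if problems:
        raise ValueError("; ".join(problems))
    return {"case_id": case_id, "file_data": data, "user_uuid": user_uuid}


def attachment_bytes(result) -> bytes:
    """Unwrap a download_case_attachment() result.

    Assumption: raw bytes come back on success, while an error response arrives as the usual
    FalconPy dictionary, which must never be written to disk as if it were the attachment.
    """
    if isinstance(result, dict):
        raise RuntimeError(f"download failed: HTTP {result.get('status_code')}: {result.get('body')}")
    return result


def save_attachment(result, destination: str) -> int:
    """Write a downloaded attachment in binary mode; returns the number of bytes written."""
    payload = attachment_bytes(result)
    with open(destination, "wb") as save_file:
        return save_file.write(payload)


if __name__ == "__main__":
    # Constructed sample data; no API call is made here.
    kwargs = build_upload_kwargs("CASE_ID_HERE", "USER_UUID_HERE", "evidence-2021-12.png", b"\x89PNG\r\n\x1a\n")
    print(sorted(kwargs))                                  # ['case_id', 'file_data', 'user_uuid']
    print(attachment_problems("../etc/passwd", b"x"))      # one filename problem reported
```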
## Create a new case

PEP8 method name: `create_case`

- Consumes: application/json
- Produces: application/json

Name | Type | Datatype | Description
---|---|---|---
body | body | string | Full body payload in JSON format.
content | body | string | Case content. Used for the `body` key within the BODY payload.
detections | body | list of dictionaries | List of detections to attach to the case. Dictionary format: `{ "id": "string", "url": "string" }`
incidents | body | list of dictionaries | List of incidents to attach to the case. Dictionary format: `{ "id": "string", "url": "string" }`
title | body | string | Case title.
type | body | string | Case type.
user_uuid | body | string | UUID of the user attached to the case.
**Service class example (PEP8 syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

detect_list = [
    {
        "id": "string",
        "url": "string"
    }
]

incident_list = [
    {
        "id": "string",
        "url": "string"
    }
]

response = falcon.create_case(content="string",
                              detections=detect_list,
                              incidents=incident_list,
                              title="string",
                              type="string",
                              user_uuid="string"
                              )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

detect_list = [
    {
        "id": "string",
        "url": "string"
    }
]

incident_list = [
    {
        "id": "string",
        "url": "string"
    }
]

response = falcon.CreateCase(content="string",
                             detections=detect_list,
                             incidents=incident_list,
                             title="string",
                             type="string",
                             user_uuid="string"
                             )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

detect_list = [
    {
        "id": "string",
        "url": "string"
    }
]

incident_list = [
    {
        "id": "string",
        "url": "string"
    }
]

# Raw BODY payload uses the key `body` not `content`
BODY = {
    "body": "string",
    "detections": detect_list,
    "incidents": incident_list,
    "title": "string",
    "type": "string",
    "user_uuid": "string"
}

response = falcon.command("CreateCase", body=BODY)
print(response)
```
## Update an existing case

PEP8 method name: `update_case`

- Consumes: application/json
- Produces: application/json

Name | Type | Datatype | Description
---|---|---|---
body | body | string | Full body payload in JSON format.
content | body | string | Case content. Used for the `body` key within the BODY payload.
detections | body | list of dictionaries | List of detections to attach to the case. Dictionary format: `{ "id": "string", "url": "string" }`
incidents | body | list of dictionaries | List of incidents to attach to the case. Dictionary format: `{ "id": "string", "url": "string" }`
id | body | string | Case ID to be updated.
**Service class example (PEP8 syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

detect_list = [
    {
        "id": "string",
        "url": "string"
    }
]

incident_list = [
    {
        "id": "string",
        "url": "string"
    }
]

response = falcon.update_case(content="string",
                              detections=detect_list,
                              id="string",
                              incidents=incident_list
                              )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

detect_list = [
    {
        "id": "string",
        "url": "string"
    }
]

incident_list = [
    {
        "id": "string",
        "url": "string"
    }
]

response = falcon.UpdateCase(content="string",
                             detections=detect_list,
                             id="string",
                             incidents=incident_list
                             )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

detect_list = [
    {
        "id": "string",
        "url": "string"
    }
]

incident_list = [
    {
        "id": "string",
        "url": "string"
    }
]

# Raw BODY payload uses the key `body` not `content`
BODY = {
    "body": "string",
    "detections": detect_list,
    "incidents": incident_list,
    "id": "string"
}

response = falcon.command("UpdateCase", body=BODY)
print(response)
```
## Retrieve message center cases

PEP8 method name: `get_cases`

- Consumes: application/json
- Produces: application/json

Name | Type | Datatype | Description
---|---|---|---
body | body | string | Full body payload in JSON format.
ids | body | string or list of strings | One or more Case IDs.
**Service class example (PEP8 syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_cases(ids=id_list)
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetCaseEntitiesByIDs(ids=id_list)
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

id_list = ['ID1', 'ID2', 'ID3']

BODY = {
    "ids": id_list
}

response = falcon.command("GetCaseEntitiesByIDs", body=BODY)
print(response)
```
## Retrieve activity IDs for a case

PEP8 method name: `query_activities`

- Consumes: application/json
- Produces: application/json

Name | Type | Datatype | Description
---|---|---|---
case_id | query | string | Case ID to search for activities.
filter | query | string | The filter expression that should be used to limit the results. FQL syntax.
limit | query | integer | Maximum number of records to return. (Max: 500)
offset | query | string | Starting index of the overall result set from which to return IDs.
sort | query | string | The property to sort by. (Ex: `case.created_time.desc`) Available sort fields:
parameters | query | string | Full query string parameters payload in JSON format.
**Service class example (PEP8 syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

response = falcon.query_activities(case_id="string",
                                   limit=500,  # documented maximum
                                   sort="string",
                                   filter="string",
                                   offset="string"
                                   )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

response = falcon.QueryActivityByCaseID(case_id="string",
                                        limit=500,  # documented maximum
                                        sort="string",
                                        filter="string",
                                        offset="string"
                                        )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("QueryActivityByCaseID",
                          case_id="string",
                          limit=500,  # documented maximum
                          sort="string",
                          filter="string",
                          offset="string"
                          )
print(response)
```
## Retrieve case IDs that match the provided filter criteria

PEP8 method name: `query_cases`

- Consumes: application/json
- Produces: application/json

Name | Type | Datatype | Description
---|---|---|---
filter | query | string | The filter expression that should be used to limit the results. FQL syntax.
limit | query | integer | Maximum number of records to return. (Max: 500)
offset | query | string | Starting index of the overall result set from which to return IDs.
sort | query | string | The property to sort by. (Ex: `case.created_time.desc`) Available sort fields:
parameters | query | string | Full query string parameters payload in JSON format.
**Service class example (PEP8 syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

response = falcon.query_cases(limit=500,  # documented maximum
                              sort="string",
                              filter="string",
                              offset="string"
                              )
print(response)
```

**Service class example (Operation ID syntax)**

```python
from falconpy import MessageCenter

falcon = MessageCenter(client_id="API_CLIENT_ID_HERE",
                       client_secret="API_CLIENT_SECRET_HERE"
                       )

response = falcon.QueryCasesIdsByFilter(limit=500,  # documented maximum
                                        sort="string",
                                        filter="string",
                                        offset="string"
                                        )
print(response)
```

**Uber class example**

```python
from falconpy import APIHarness

falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
                    client_secret="API_CLIENT_SECRET_HERE"
                    )

response = falcon.command("QueryCasesIdsByFilter",
                          limit=500,  # documented maximum
                          sort="string",
                          filter="string",
                          offset="string"
                          )
print(response)
```
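Collecting every case behind a filter, as an added example that is not part of the wiki or of FalconPy: it pages `query_cases` with the documented 500-record limit until the pagination total is reached, then resolves the IDs through `get_cases` in batches. It runs offline against a constructed stand-in client that mimics the `status_code` / `headers` / `body` dictionary FalconPy service classes return (an assumption about the response shape, including `body.meta.pagination.total`); `offset` is passed as an integer on the assumption that the SDK encodes it into the query string, and the FQL filter and batch size of 100 are constructed values. The same two functions accept a real `MessageCenter` instance's bound methods.

```python
PAGE_LIMIT = 500     # documented maximum for query_cases / query_activities
DETAIL_BATCH = 100   # constructed batch size for get_cases(); not a limit stated on this page


def _check(response: dict, operation: str) -> dict:
    """Raise on a non-200 FalconPy response instead of silently reading an empty resources list."""
    if response.get("status_code") != 200:
        errors = response.get("body", {}).get("errors")
        raise RuntimeError(f"{operation} failed: HTTP {response.get('status_code')}: {errors}")
    return response["body"]


def iter_case_ids(query_cases, fql_filter, sort="case.created_time.desc"):
    """Yield every case ID matching fql_filter, paging with offset/limit until pagination.total is reached."""
    offset = 0
    while True:
        body = _check(query_cases(filter=fql_filter, limit=PAGE_LIMIT, offset=offset, sort=sort), "query_cases")
        ids = body.get("resources") or []
        yield from ids
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        offset += len(ids)
        if not ids or offset >= total:   # empty page guards against a total that never reconciles
            return


def fetch_all_cases(query_cases, get_cases, fql_filter):
    """Resolve every matching ID into its full case record, DETAIL_BATCH IDs per get_cases() call."""
    ids = list(iter_case_ids(query_cases, fql_filter))
    cases = []
    for start in range(0, len(ids), DETAIL_BATCH):
        body = _check(get_cases(ids=ids[start:start + DETAIL_BATCH]), "get_cases")
        cases.extend(body.get("resources") or [])
    return cases


class FakeMessageCenter:
    """Constructed offline stand-in for the two MessageCenter methods, using FalconPy's response shape."""

    def __init__(self, case_ids):
        self._ids = list(case_ids)
        self.calls = []   # records (operation, offset, limit) / (operation, id count) for inspection

    def query_cases(self, filter=None, limit=PAGE_LIMIT, offset=0, sort=None):
        self.calls.append(("query_cases", offset, limit))
        page = self._ids[offset:offset + limit]
        pagination = {"offset": offset, "limit": limit, "total": len(self._ids)}
        return {"status_code": 200, "headers": {}, "body": {"meta": {"pagination": pagination}, "resources": page}}

    def get_cases(self, ids):
        self.calls.append(("get_cases", len(ids)))
        records = [{"id": case_id, "title": f"Case {case_id}"} for case_id in ids]
        return {"status_code": 200, "headers": {}, "body": {"resources": records}}


if __name__ == "__main__":
    fake = FakeMessageCenter(f"case-{n}" for n in range(1203))
    print(len(fetch_all_cases(fake.query_cases, fake.get_cases, "case.status:'open'")))   # 1203
    # Against the real SDK: falcon = MessageCenter(...); fetch_all_cases(falcon.query_cases, falcon.get_cases, fql)
```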