Alerts

The Alerts service collection provides operations for retrieving, querying, and updating Falcon alerts across all CIDs. Aggregate alert data, retrieve alert entities by ID, and perform bulk updates to alert status and properties using Falcon Query Language filters.

| Language | Last Update |
| --- | --- |
| Python | v1.4.8 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
| Operation | PEP 8 method | Description |
| --- | --- | --- |
| PostAggregatesAlertsV1 | get_aggregate_alerts_v1 | Retrieve aggregates for alerts across all CIDs. (deprecated) |
| PostAggregatesAlertsV2 | get_aggregate_alerts_v2 | Retrieve aggregates for alerts across all CIDs. |
| PostCombinedAlertsV1 | get_alerts_combined | Retrieve all alerts that match an FQL filter. Intended for retrieving large numbers of alerts (>10k) using pagination based on an after token. |
| PatchEntitiesAlertsV2 | update_alerts_v2 | Perform actions on alerts identified by alert ID(s) in the request. (deprecated) |
| PatchEntitiesAlertsV3 | update_alerts_v3 | Perform actions on alerts identified by composite ID(s) in the request. |
| PostEntitiesAlertsV1 | get_alerts_v1 | Retrieve all alerts given their IDs. (deprecated) |
| PostEntitiesAlertsV2 | get_alerts_v2 | Retrieve all alerts given their composite IDs. |
| GetQueriesAlertsV1 | query_alerts_v1 | Search for alert IDs that match a given query. (deprecated) |
| GetQueriesAlertsV2 | query_alerts_v2 | Search for alert IDs that match a given query. |

Get alert aggregates as specified via JSON in the request body.

This operation has been superseded by the PostAggregatesAlertsV2 operation and is now deprecated. Developers should move code over to this new operation as soon as time permits.

POST /alerts/aggregates/alerts/v1
Scope: Alerts: READ
Consumes · Produces: application/json
PEP 8 method: get_aggregate_alerts_v1 (or get_aggregate_alerts)

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: [{"from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z"}, {"from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z"}] |
| exclude | body | string | Elements to exclude. |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string used to filter the results. |
| from | body | integer | Starting position. |
| include | body | string | Elements to include. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute |
| max_doc_count | body | integer | Only return buckets whose document count is less than or equal to this value. |
| min_doc_count | body | integer | Only return buckets whose document count is greater than or equal to this value. |
| missing | body | string | Value to substitute when the aggregation field is absent from a document. By default such documents are ignored; setting missing treats them as if they had this value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Range values depend on the field. For example, if max_severity is used, ranges might look like: [{"From": 0, "To": 70}, {"From": 70, "To": 100}] |
| size | body | integer | The maximum number of term buckets to be returned. |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: [{"name": "max_first_behavior", "type": "max", "field": "first_behavior"}]. There is a maximum of 3 nested aggregations per request. |
| sort | body | string | FQL syntax string to sort bucket results. _count - sort by document count, _term - sort by the string value alphabetically. Supports asc and desc using the \| format. Example: _count\|desc |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles |
```python
from falconpy import Alerts

falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Range buckets depend on the field; these follow the severity example above.
ranges = [
    {"From": 0, "To": 70},
    {"From": 70, "To": 100}
]
# Applies to date_range aggregations.
date_ranges = [
    {"from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z"}
]
# Nested aggregations, at most 3 per request.
sub_aggregates = [
    {"name": "max_first_behavior", "type": "max", "field": "first_behavior"}
]

# Every keyword is listed for reference; a real request sends only the ones
# that apply to its aggregation type. "from" is a reserved word in Python and
# cannot be written as a bare keyword argument, so it is unpacked from a dict.
response = falcon.get_aggregate_alerts_v1(date_ranges=date_ranges,
                                          exclude="string",
                                          field="string",
                                          filter="string",
                                          include="string",
                                          interval="string",
                                          max_doc_count=1000,
                                          min_doc_count=1,
                                          missing="string",
                                          name="string",
                                          q="string",
                                          ranges=ranges,
                                          size=10,
                                          sort="string",
                                          sub_aggregates=sub_aggregates,
                                          time_zone="string",
                                          type="string",
                                          **{"from": 0})
print(response)
```

Get alert aggregates as specified via JSON in the request body.

POST /alerts/aggregates/alerts/v2
Scope: Alerts: READ
Consumes · Produces: application/json
PEP 8 method: get_aggregate_alerts_v2

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: [{"from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z"}, {"from": "2016-06-01T09:00:31Z", "to": "2016-06-10T09:00:31Z"}] |
| exclude | body | string | Elements to exclude. |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string used to filter the results. |
| from | body | integer | Starting position. |
| include | body | string | Elements to include. |
| include_hidden | query | string | Allows previously hidden alerts to be retrieved. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute |
| max_doc_count | body | integer | Only return buckets whose document count is less than or equal to this value. |
| min_doc_count | body | integer | Only return buckets whose document count is greater than or equal to this value. |
| missing | body | string | Value to substitute when the aggregation field is absent from a document. By default such documents are ignored; setting missing treats them as if they had this value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Range values depend on the field. For example, if max_severity is used, ranges might look like: [{"From": 0, "To": 70}, {"From": 70, "To": 100}] |
| size | body | integer | The maximum number of term buckets to be returned. |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: [{"name": "max_first_behavior", "type": "max", "field": "first_behavior"}]. There is a maximum of 3 nested aggregations per request. |
| sort | body | string | FQL syntax string to sort bucket results. _count - sort by document count, _term - sort by the string value alphabetically. Supports asc and desc using the \| format. Example: _count\|desc |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: date_histogram, date_range, terms, range, cardinality, max, min, avg, sum, percentiles |
```python
from falconpy import Alerts

falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Range buckets depend on the field; these follow the severity example above.
ranges = [
    {"From": 0, "To": 70},
    {"From": 70, "To": 100}
]
# Applies to date_range aggregations.
date_ranges = [
    {"from": "2016-05-28T09:00:31Z", "to": "2016-05-30T09:00:31Z"}
]
# Nested aggregations, at most 3 per request.
sub_aggregates = [
    {"name": "max_first_behavior", "type": "max", "field": "first_behavior"}
]

# Every keyword is listed for reference; a real request sends only the ones
# that apply to its aggregation type. "from" is a reserved word in Python and
# cannot be written as a bare keyword argument, so it is unpacked from a dict.
response = falcon.get_aggregate_alerts_v2(date_ranges=date_ranges,
                                          exclude="string",
                                          field="string",
                                          filter="string",
                                          include="string",
                                          include_hidden="true",  # "true" or "false"
                                          interval="string",
                                          max_doc_count=1000,
                                          min_doc_count=1,
                                          missing="string",
                                          name="string",
                                          q="string",
                                          ranges=ranges,
                                          size=10,
                                          sort="string",
                                          sub_aggregates=sub_aggregates,
                                          time_zone="string",
                                          type="string",
                                          **{"from": 0})
print(response)
```
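The following is an added example and is not code from FalconPy or the CrowdStrike documentation. It assembles the body for PostAggregatesAlertsV2 (the deprecated V1 takes the same layout) as the list of aggregate dictionaries the parameter table describes, which also sidesteps the `from` keyword problem, and it reduces a response to a name-to-bucket-count mapping. The response layout read by `bucket_counts()` (status_code, body -> resources -> name/buckets -> label/count) is an assumption of this example, as is the constructed `SAMPLE_RESPONSE`; confirm both against a live response before relying on them.

```python
"""Added example (not FalconPy's own code): assemble the request body for
PostAggregatesAlertsV2 as the list of aggregate dictionaries the endpoint
consumes, and reduce a response to a name -> {label: count} mapping.

Assumed, not taken from the page: the response is read as
body -> resources -> [{"name", "buckets": [{"label", "count"}]}]; confirm that
shape against a live response before relying on bucket_counts().
"""
from typing import Any, Dict, List, Optional

VALID_INTERVALS = {"year", "month", "week", "day", "hour", "minute"}


def terms_aggregate(name: str, field: str, fql_filter: str = "", size: int = 10,
                    sub_aggregates: Optional[List[Dict[str, Any]]] = None) -> Dict[str, Any]:
    """A "terms" bucket aggregate, sorted by document count, largest first."""
    agg: Dict[str, Any] = {
        "name": name, "type": "terms", "field": field, "size": size,
        "sort": "_count|desc", "min_doc_count": 1,
    }
    if fql_filter:
        agg["filter"] = fql_filter
    if sub_aggregates:
        if len(sub_aggregates) > 3:
            raise ValueError("at most 3 nested aggregations per request")
        agg["sub_aggregates"] = sub_aggregates
    return agg


def date_histogram_aggregate(name: str, field: str, interval: str, fql_filter: str = "",
                             time_zone: str = "UTC", start: int = 0) -> Dict[str, Any]:
    """A "date_histogram" aggregate. "from" is a reserved word in Python, so it
    goes in as a dictionary key rather than a keyword argument."""
    if interval not in VALID_INTERVALS:
        raise ValueError(f"invalid interval {interval!r}; expected one of {sorted(VALID_INTERVALS)}")
    agg: Dict[str, Any] = {
        "name": name, "type": "date_histogram", "field": field,
        "interval": interval, "time_zone": time_zone, "from": start,
    }
    if fql_filter:
        agg["filter"] = fql_filter
    return agg


def build_request(fql_filter: str) -> List[Dict[str, Any]]:
    """Two aggregates in one request: alerts per tactic (with the newest alert in
    each bucket as a nested max aggregate) and alerts per day."""
    return [
        terms_aggregate("by_tactic", "tactic", fql_filter,
                        sub_aggregates=[{"name": "newest", "type": "max",
                                         "field": "created_timestamp"}]),
        date_histogram_aggregate("per_day", "created_timestamp", "day", fql_filter),
    ]


def bucket_counts(response: Dict[str, Any]) -> Dict[str, Dict[str, int]]:
    """Reduce a response to {aggregate name: {bucket label: count}}."""
    if response.get("status_code") != 200:
        raise RuntimeError(f"aggregate request failed: {response}")
    result: Dict[str, Dict[str, int]] = {}
    for agg in response.get("body", {}).get("resources", []):
        result[agg["name"]] = {b["label"]: b["count"] for b in agg.get("buckets", [])}
    return result


# Constructed sample response in the assumed shape (not captured from Falcon).
SAMPLE_RESPONSE = {
    "status_code": 200,
    "body": {"resources": [
        {"name": "by_tactic", "buckets": [{"label": "Execution", "count": 12},
                                          {"label": "Persistence", "count": 3}]},
        {"name": "per_day", "buckets": [{"label": "2024-01-01T00:00:00Z", "count": 15}]},
    ]},
}

if __name__ == "__main__":
    # Live use:
    # from falconpy import Alerts
    # falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    # response = falcon.get_aggregate_alerts_v2(body=build_request("status:'new'"))
    print(bucket_counts(SAMPLE_RESPONSE))
```

Passing the whole list through the `body` keyword keeps each aggregate's `name` next to its own `filter`, `field` and `sort`, which is what lets you match the `resources` entries of the response back to the question each aggregate asked.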

Retrieves all alerts that match a particular FQL filter. This API is intended for retrieving large numbers of alerts (>10k) using pagination based on an after token.

POST /alerts/combined/alerts/v1
Scope: Alerts: READ
Consumes · Produces: application/json
PEP 8 method: get_alerts_combined

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| after | body | string | Pagination token. It is present in a response when more results are available on the next page. To retrieve all alerts, pass the after token from each response in the next request and continue until a response carries no after token, which marks the last page. The token is tied to the sort parameter: if you change the sort order, restart from the first page (without after). |
| body | body | dictionary | Full body payload in JSON format. |
| filter | body | string | Filter alerts using a query in Falcon Query Language (FQL). Filter fields can be any keyword field that is part of #domain.Alert. An asterisk wildcard * includes all results. An empty value means no filtering. Most commonly used filter fields that support exact match: cid, id, aggregate_id, product, type, pattern_id, platform … Most commonly used filter fields that support wildcards (*): assigned_to_name, assigned_to_uuid, tactic_id, technique … Most commonly used filter fields that support range comparisons (>, <, >=, <=): severity, created_timestamp, timestamp, updated_timestamp … All filter fields and operations support negation (!). The full list of valid filter options is extensive; review it in the documentation inside the Falcon console. |
| limit | body | integer | The maximum number of alerts to return in this response (default: 100; max: 1000). Use this parameter together with the after parameter to manage pagination of the results. |
| sort | body | string | Sort parameter in the form field\|direction. The sorting field can be any keyword field that is part of #domain.Alert except text-based fields. Most commonly used fields for sorting are: timestamp, created_timestamp, updated_timestamp, status, aggregate_id, assigned_to_name, assigned_to_uid, assigned_to_uuid, tactic_id, tactic, technique, technique_id, pattern_id or product. By default all results are sorted by created_timestamp in descending order. Important: pagination is done on live data in the order defined by the sort parameter (default: created_timestamp\|desc), so to avoid inconsistent results where the same record appears on multiple pages (or on none), sort only on fields that do not change over time (e.g. created_timestamp, composite_id). |
```python
from falconpy import Alerts

falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Leave "after" out of the first request. When a response includes an after
# token, repeat the call with after=<that token> (same filter and sort) until
# a response comes back without one.
response = falcon.get_alerts_combined(filter="string",
                                      limit=1000,
                                      sort="created_timestamp|desc")
print(response)
```
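The following is an added example and is not code from FalconPy or the CrowdStrike documentation. It implements the after-token walk the parameter table describes, with the two checks a practitioner wants: a stable sort field so live data cannot shuffle records between pages, and a guard against a repeated token. The response paths it reads (status_code, body -> resources for the alerts, body -> meta -> pagination -> after for the token) are assumptions of this example, and `FakeCombinedAlerts` is a constructed stand-in so the walk can be exercised offline; confirm the paths against a live response before using `iter_alerts()` with `falcon.get_alerts_combined`.

```python
"""Added example (not FalconPy's own code): walk every alert matching an FQL
filter through PostCombinedAlertsV1 with the "after" token, and exercise the
pagination contract offline against a constructed fake client.

Assumed, not taken from the page: the response is read as
status_code, body -> resources (the alerts) and
body -> meta -> pagination -> after (the token). Confirm those paths against a
live response before relying on iter_alerts().
"""
from typing import Any, Callable, Dict, Iterator, List, Optional

# Sort on a field that never changes for an alert, as the sort parameter's
# description warns; sorting on updated_timestamp reorders live data under you.
STABLE_SORT = "created_timestamp|desc"
PAGE_SIZE = 1000  # documented maximum for the limit parameter


def iter_alerts(get_alerts_combined: Callable[..., Dict[str, Any]], fql_filter: str,
                sort: str = STABLE_SORT, limit: int = PAGE_SIZE) -> Iterator[Dict[str, Any]]:
    """Yield every alert matching fql_filter, following after tokens until the
    last page. get_alerts_combined is Alerts.get_alerts_combined (or any
    callable with the same keyword interface)."""
    after: Optional[str] = None
    seen_tokens = set()
    while True:
        kwargs: Dict[str, Any] = {"filter": fql_filter, "sort": sort, "limit": limit}
        if after is not None:
            kwargs["after"] = after  # the first request carries no after token
        response = get_alerts_combined(**kwargs)
        if response.get("status_code") != 200:
            raise RuntimeError(f"alert query failed: {response}")
        body = response.get("body", {})
        yield from body.get("resources", [])
        after = body.get("meta", {}).get("pagination", {}).get("after")
        if not after:
            return  # no token means this was the last page
        if after in seen_tokens:
            raise RuntimeError("after token repeated; aborting to avoid an endless walk")
        seen_tokens.add(after)


def collect_alert_ids(get_alerts_combined: Callable[..., Dict[str, Any]], fql_filter: str,
                      **kwargs: Any) -> List[str]:
    """composite_id of every alert matching fql_filter, in sort order."""
    return [alert["composite_id"]
            for alert in iter_alerts(get_alerts_combined, fql_filter, **kwargs)]


class FakeCombinedAlerts:
    """Constructed offline stand-in for Alerts.get_alerts_combined. The token is
    just a stringified offset here; the real token is opaque."""

    def __init__(self, total: int) -> None:
        self.calls: List[Dict[str, Any]] = []
        # composite_id values are placeholders, not real Falcon identifiers
        self._alerts = [{"composite_id": f"placeholder:{n:05d}", "severity": 70}
                        for n in range(total)]

    def __call__(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(dict(kwargs))
        start = int(kwargs.get("after", "0"))
        end = start + kwargs["limit"]
        pagination: Dict[str, Any] = {"limit": kwargs["limit"], "total": len(self._alerts)}
        if end < len(self._alerts):
            pagination["after"] = str(end)
        return {"status_code": 200,
                "body": {"meta": {"pagination": pagination},
                         "resources": self._alerts[start:end]}}


if __name__ == "__main__":
    # Live use:
    # from falconpy import Alerts
    # falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    # ids = collect_alert_ids(falcon.get_alerts_combined, "status:'new'+severity:>=70")
    fake = FakeCombinedAlerts(total=2350)
    ids = collect_alert_ids(fake, "status:'new'+severity:>=70")
    print(f"{len(ids)} alerts over {len(fake.calls)} requests")
```

Because the token is bound to the sort order, `iter_alerts()` fixes `sort` for the whole walk; changing it mid-way would require starting again without `after`, exactly as the table warns.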

Perform actions on alerts identified by alert ID(s) in the request.

This operation has been superseded by the PatchEntitiesAlertsV3 operation and is now deprecated. Developers should move code over to this new operation as soon as time permits.

PATCH /alerts/entities/alerts/v2
Scope: Alerts: WRITE
Consumes · Produces: application/json
PEP 8 method: update_alerts_v2 (or update_alerts)

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| action_parameters | body | list of dictionaries | List of dictionaries containing action specific parameter settings. |
| add_tag | body (action_parameters) | string | Add a tag to 1 or more alert(s). |
| append_comment | body (action_parameters) | string | Appends a new comment to the existing comments. |
| assign_to_name | body (action_parameters) | string | Assign 1 or more alert(s) to a user identified by user name. |
| assign_to_user_id | body (action_parameters) | string | Assign 1 or more alert(s) to a user identified by user id (eg: user1@example.com). |
| assign_to_uuid | body (action_parameters) | string | A user ID (Ex: user@somewhere.com) to assign the alert to. |
| body | body | dictionary | Full body payload in JSON format. |
| ids | body | string or list of strings | ID(s) of the alerts to update, which you can find with the GetQueriesAlertsV1 operation. |
| new_behavior_processed | body (action_parameters) | string | Adds a newly processed behavior to 1 or more alert(s). |
| remove_tag | body (action_parameters) | string | Remove a tag from 1 or more alert(s). |
| remove_tags_by_prefix | body (action_parameters) | string | Remove tags with the given prefix from 1 or more alert(s). |
| show_in_ui | body (action_parameters) | boolean | Whether this alert is displayed in the Falcon console. true: displayed in Falcon; false: not displayed in Falcon. |
| unassign | body (action_parameters) | string | Unassign a previously assigned user from 1 or more alert(s). The value passed to this action is ignored. |
| update_status | body (action_parameters) | string | Update the status of the alert. Allowed values: ignored, new, in_progress, true_positive, false_positive |

Keywords typed body (action_parameters) are actions: each can be passed directly as a keyword or supplied as a {"name": <action>, "value": <value>} entry in the action_parameters list.
```python
from falconpy import Alerts

falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

# Explicit form: one {"name": <action>, "value": <value>} dictionary per action.
action_parameters = [
    {
        "name": "string",
        "value": "string"
    }
]
# Every action keyword is listed for reference; a real request sends only the
# actions it needs, either as keywords or inside action_parameters.
response = falcon.update_alerts_v2(action_parameters=action_parameters,
                                   add_tag="string",
                                   append_comment="string",
                                   assign_to_name="string",
                                   assign_to_user_id="string",
                                   assign_to_uuid="string",
                                   ids=id_list,
                                   new_behavior_processed="string",
                                   remove_tag="string",
                                   remove_tags_by_prefix="string",
                                   show_in_ui=True,
                                   unassign="string",
                                   update_status="in_progress")
print(response)
```

Perform actions on alerts identified by composite ID(s) in the request.

PATCH /alerts/entities/alerts/v3
Scope: Alerts: WRITE
Consumes · Produces: application/json
PEP 8 method: update_alerts_v3

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| action_parameters | body | list of dictionaries | List of dictionaries containing action specific parameter settings. |
| add_tag | body (action_parameters) | string | Add a tag to 1 or more alert(s). |
| append_comment | body (action_parameters) | string | Appends a new comment to the existing comments. |
| assign_to_name | body (action_parameters) | string | Assign 1 or more alert(s) to a user identified by user name. |
| assign_to_user_id | body (action_parameters) | string | Assign 1 or more alert(s) to a user identified by user id (eg: user1@example.com). |
| assign_to_uuid | body (action_parameters) | string | A user ID (Ex: user@somewhere.com) to assign the alert to. |
| body | body | dictionary | Full body payload in JSON format. |
| composite_ids | body | string or list of strings | Composite ID(s) of the alerts to update, which you can find with the GetQueriesAlertsV2 operation (or the deprecated GetQueriesAlertsV1). |
| include_hidden | query | string | Allows previously hidden alerts to be retrieved. |
| new_behavior_processed | body (action_parameters) | string | Adds a newly processed behavior to 1 or more alert(s). |
| remove_tag | body (action_parameters) | string | Remove a tag from 1 or more alert(s). |
| remove_tags_by_prefix | body (action_parameters) | string | Remove tags with the given prefix from 1 or more alert(s). |
| show_in_ui | body (action_parameters) | boolean | Whether this alert is displayed in the Falcon console. true: displayed in Falcon; false: not displayed in Falcon. |
| unassign | body (action_parameters) | string | Unassign a previously assigned user from 1 or more alert(s). The value passed to this action is ignored. |
| update_status | body (action_parameters) | string | Update the status of the alert. Allowed values: new, in_progress, reopened, closed |

Keywords typed body (action_parameters) are actions: each can be passed directly as a keyword or supplied as a {"name": <action>, "value": <value>} entry in the action_parameters list. Note that the allowed update_status values differ from PatchEntitiesAlertsV2: ignored, true_positive and false_positive are not accepted here.
```python
from falconpy import Alerts

falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

# Explicit form: one {"name": <action>, "value": <value>} dictionary per action.
action_parameters = [
    {
        "name": "string",
        "value": "string"
    }
]
# Every action keyword is listed for reference; a real request sends only the
# actions it needs, either as keywords or inside action_parameters.
response = falcon.update_alerts_v3(action_parameters=action_parameters,
                                   add_tag="string",
                                   append_comment="string",
                                   assign_to_name="string",
                                   assign_to_user_id="string",
                                   assign_to_uuid="string",
                                   composite_ids=id_list,
                                   include_hidden="true",  # "true" or "false"
                                   new_behavior_processed="string",
                                   remove_tag="string",
                                   remove_tags_by_prefix="string",
                                   show_in_ui=True,
                                   unassign="string",
                                   update_status="in_progress")
print(response)
```
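The following is an added example and is not code from FalconPy or the CrowdStrike documentation. It chains the two halves of a bulk triage: collect matching alert IDs with GetQueriesAlertsV2 (offset/limit paging, 10,000 per page as its table states), then apply actions with PatchEntitiesAlertsV3 through a properly built action_parameters list, refusing update_status values that are only valid for the deprecated V2. Assumptions of this example: the query response is read as body -> resources (the IDs) and body -> meta -> pagination -> total, the PATCH chunk size is a choice of this example and not a documented limit, and `FakeAlerts` is a constructed offline stand-in for the two FalconPy methods.

```python
"""Added example (not FalconPy's own code): triage alerts in bulk by combining
GetQueriesAlertsV2 (offset/limit paging) with PatchEntitiesAlertsV3
action_parameters, guarding the one migration trap between the update
endpoints: V2 and V3 accept different update_status values.

Assumed, not taken from the page: the query response is read as
body -> resources (list of composite IDs) and body -> meta -> pagination -> total;
PATCH_CHUNK is this example's batch size, not a documented endpoint limit.
"""
from typing import Any, Callable, Dict, List

# Allowed update_status values, exactly as the two parameter tables list them.
STATUS_VALUES = {
    "v2": {"ignored", "new", "in_progress", "true_positive", "false_positive"},
    "v3": {"new", "in_progress", "reopened", "closed"},
}
QUERY_PAGE_MAX = 10000   # limit cap for GetQueriesAlertsV2
PATCH_CHUNK = 500        # assumption: batch size for the PATCH, not an API limit


def build_actions(version: str, **actions: Any) -> List[Dict[str, Any]]:
    """Turn keyword actions into the action_parameters list, validating
    update_status against the chosen endpoint version's allowed values."""
    status = actions.get("update_status")
    if status is not None and status not in STATUS_VALUES[version]:
        raise ValueError(
            f"update_status {status!r} is not valid for update_alerts_{version}; "
            f"allowed: {sorted(STATUS_VALUES[version])}")
    # show_in_ui carries a boolean; every other action on the page carries a string.
    return [{"name": name, "value": value} for name, value in actions.items()]


def query_all_ids(query_alerts_v2: Callable[..., Dict[str, Any]], fql: str) -> List[str]:
    """Collect every alert ID matching fql by walking offset/limit pages."""
    ids: List[str] = []
    offset = 0
    while True:
        resp = query_alerts_v2(filter=fql, limit=QUERY_PAGE_MAX, offset=offset)
        if resp.get("status_code") != 200:
            raise RuntimeError(f"query failed: {resp}")
        page = resp["body"].get("resources", [])
        ids.extend(page)
        total = resp["body"].get("meta", {}).get("pagination", {}).get("total", 0)
        offset += len(page)
        if not page or offset >= total:
            return ids


def bulk_update(update_alerts_v3: Callable[..., Dict[str, Any]], composite_ids: List[str],
                actions: List[Dict[str, Any]]) -> int:
    """PATCH the alerts in chunks; returns the number of alerts submitted."""
    updated = 0
    for i in range(0, len(composite_ids), PATCH_CHUNK):
        chunk = composite_ids[i:i + PATCH_CHUNK]
        resp = update_alerts_v3(composite_ids=chunk, action_parameters=actions)
        if resp.get("status_code") != 200:
            raise RuntimeError(f"update failed for chunk starting at {i}: {resp}")
        updated += len(chunk)
    return updated


def triage(query_alerts_v2: Callable[..., Dict[str, Any]],
           update_alerts_v3: Callable[..., Dict[str, Any]], fql: str, **actions: Any) -> int:
    """Query, then update; returns how many alerts were updated."""
    ids = query_all_ids(query_alerts_v2, fql)
    if not ids:
        return 0
    return bulk_update(update_alerts_v3, ids, build_actions("v3", **actions))


class FakeAlerts:
    """Constructed offline stand-in for the two FalconPy methods used above."""

    def __init__(self, n: int) -> None:
        self.ids = [f"placeholder:{i:05d}" for i in range(n)]  # not real Falcon IDs
        self.patched: List[List[str]] = []
        self.actions: List[List[Dict[str, Any]]] = []

    def query_alerts_v2(self, **kw: Any) -> Dict[str, Any]:
        page = self.ids[kw["offset"]:kw["offset"] + kw["limit"]]
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"total": len(self.ids)}}, "resources": page}}

    def update_alerts_v3(self, **kw: Any) -> Dict[str, Any]:
        self.patched.append(list(kw["composite_ids"]))
        self.actions.append(kw["action_parameters"])
        return {"status_code": 200, "body": {"resources": kw["composite_ids"]}}


if __name__ == "__main__":
    # Live use: falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    # triage(falcon.query_alerts_v2, falcon.update_alerts_v3, "status:'new'+severity:>=70",
    #        update_status="in_progress", add_tag="soc/triage", append_comment="bulk triage")
    fake = FakeAlerts(1234)
    print(triage(fake.query_alerts_v2, fake.update_alerts_v3, "status:'new'",
                 update_status="in_progress", add_tag="soc/triage"))
```

The status check matters when porting scripts from update_alerts_v2: a value such as true_positive that V2 accepted is rejected by `build_actions("v3", ...)` before any request is made, rather than failing chunk by chunk against the API.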

Retrieve all Alerts given their IDs.

This operation has been superseded by the PostEntitiesAlertsV2 operation and is now deprecated. Developers should move code over to this new operation as soon as time permits.

POST /alerts/entities/alerts/v1
Scope: Alerts: READ
Consumes · Produces: application/json
PEP 8 method: get_alerts_v1 (or get_alerts)

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | dictionary | Full body payload in JSON format. |
| ids | body | string or list of strings | ID(s) of the alerts to retrieve. Specify one or more alert IDs (max 1000 per request). Find alert IDs with the GetQueriesAlertsV1 operation. |

In order to use this method, either a body keyword or the ids keyword must be provided.

```python
from falconpy import Alerts

falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_alerts_v1(ids=id_list)
print(response)
```

Retrieve all Alerts given their composite IDs.

POST /alerts/entities/alerts/v2
Scope: Alerts: READ
Consumes · Produces: application/json
PEP 8 method: get_alerts_v2

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| body | body | dictionary | Full body payload in JSON format. |
| composite_ids | body | string or list of strings | Composite ID(s) of the alerts to retrieve. Specify one or more alert IDs (max 1000 per request). Find alert IDs with the GetQueriesAlertsV1 operation. |
| include_hidden | query | string | Allows previously hidden alerts to be retrieved. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

In order to use this method, either a body keyword or the composite_ids keyword must be provided.

```python
from falconpy import Alerts

falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_alerts_v2(composite_ids=id_list,
                                include_hidden="true")  # "true" or "false"
print(response)
```

Search for alert IDs that match a given query.

This operation has been superseded by the GetQueriesAlertsV2 operation and is now deprecated. Developers should move code over to this new operation as soon as time permits.

GET /alerts/queries/alerts/v1
Scope: Alerts: READ
Consumes · Produces: application/json
PEP 8 method: query_alerts_v1 (or query_alerts)

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| filter | query | string | Filter alerts using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all results. |
| limit | query | integer | The maximum number of alerts to return in this response (default: 10000; max: 10000). Use with the offset parameter to manage pagination of results. |
| offset | query | integer | The first alert to return, where 0 is the latest alert. Use with the limit parameter to manage pagination of results. |
| q | query | string | Search all alert metadata for the provided string. |
| sort | query | string | Sort alerts using an FQL sort expression in the form field\|direction (for example created_timestamp\|desc). |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import Alerts

falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# limit and offset are integers; advance offset by the number of IDs
# returned to page through results beyond the first 10000.
response = falcon.query_alerts_v1(filter="string",
                                  limit=10000,
                                  offset=0,
                                  q="string",
                                  sort="created_timestamp|desc")
print(response)
```

Search for alert IDs that match a given query.

GET /alerts/queries/alerts/v2
Scope: Alerts: READ
Consumes · Produces: application/json
PEP 8 method: query_alerts_v2

| Name | Type | Data type | Description |
| --- | --- | --- | --- |
| filter | query | string | Filter alerts using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all results. |
| include_hidden | query | string | Allows previously hidden alerts to be retrieved. |
| limit | query | integer | The maximum number of alerts to return in this response (default: 100; max: 10000). Use with the offset parameter to manage pagination of results. |
| offset | query | integer | The first alert to return, where 0 is the latest alert. Use with the limit parameter to manage pagination of results. |
| q | query | string | Search all alert metadata for the provided string. |
| sort | query | string | Sort alerts using an FQL sort expression in the form field\|direction (for example created_timestamp\|desc). |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
```python
from falconpy import Alerts

falcon = Alerts(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# limit and offset are integers; the default limit here is 100, so set it
# explicitly and advance offset by the number of IDs returned to page.
response = falcon.query_alerts_v2(filter="string",
                                  include_hidden="true",  # "true" or "false"
                                  limit=10000,
                                  offset=0,
                                  q="string",
                                  sort="created_timestamp|desc")
print(response)
```