Message Center
The Message Center service collection provides operations for managing support cases and their associated activities and attachments. Retrieve aggregate case analytics, query and manage case activities, upload and download attachments, create new cases, and search for cases by filter criteria.
| Language | Last Update |
|---|---|
| Python | v1.4.6 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
Table of Contents
| Operation | Description |
|---|---|
| AggregateCases / aggregate_cases | Retrieve aggregate case values based on the matched filter. |
| GetCaseActivityByIds / get_case_activity | Retrieve activities for the given IDs. |
| CaseAddActivity / add_case_activity | Add an activity to a case. Only activities of type comment are allowed via the API. |
| CaseDownloadAttachment / download_case_attachment | Retrieve an attachment for the case, given the attachment ID. |
| CaseAddAttachment / add_case_attachment | Upload an attachment for the case. |
| CreateCaseV2 / create_case_v2 | Create a new case. |
| GetCaseEntitiesByIDs / get_cases | Retrieve message center cases. |
| QueryActivityByCaseID / query_activities | Retrieve activity IDs for a case. |
| QueryCasesIdsByFilter / query_cases | Retrieve case IDs that match the provided filter criteria. |
AggregateCases
Retrieve aggregate case values based on the matched filter.
POST /message-center/aggregates/cases/GET/v1
PEP 8: aggregate_cases
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | list of dictionaries | Full body payload in JSON format. |
| date_ranges | body | list of dictionaries | Applies to date_range aggregations. Example: [{“from”: “2016-05-28T09:00:31Z”, “to”: “2016-05-30T09:00:31Z”}, {“from”: “2016-06-01T09:00:31Z”, “to”: “2016-06-10T09:00:31Z”}] |
| field | body | string | The field on which to compute the aggregation. |
| filter | body | string | FQL syntax formatted string to use to filter the results. |
| interval | body | string | Time interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute. |
| min_doc_count | body | integer | Only return buckets if values are greater than or equal to the value here. |
| missing | body | string | Missing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value. |
| name | body | string | Name of the aggregate query, as chosen by the user. Used to identify the results returned to you. |
| q | body | string | Full text search across all metadata fields. |
| ranges | body | list of dictionaries | Applies to range aggregations. Ranges values will depend on field. For example, if max_severity is used, ranges might look like: [{“From”: 0, “To”: 70}, {“From”: 70, “To”: 100}] |
| size | body | integer | The max number of term buckets to be returned. |
| sub_aggregates | body | list of dictionaries | A nested aggregation, such as: [{“name”: “max_first_behavior”, “type”: “max”, “field”: “first_behavior”}]. There is a maximum of 3 nested aggregations per request. |
| sort | body | string | FQL syntax string to sort bucket results. _count - sort by document count. _term - sort by the string value alphabetically. Supports asc and desc using \| format. Example: _count\|desc |
| time_zone | body | string | Time zone for bucket results. |
| type | body | string | Type of aggregation. Valid values include: date_histogram - Aggregates counts on a specified time interval. Requires use of “interval” field. date_range - Aggregates counts on custom defined date range buckets. terms - Buckets detections by the value of a specified field. range - Buckets detections by specified (numeric) ranges of a specified field. cardinality - Returns the count of distinct values in a specified field. max - Returns the maximum value of a specified field. min - Returns the minimum value of a specified field. avg - Returns the average value of the specified field. sum - Returns the total sum of all values for the specified field. percentiles - Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99. |
Code Examples
from falconpy import MessageCenter
# CLIENT_ID and CLIENT_SECRET are not defined in this snippet: load them from the
# environment or a secrets store instead of writing them into source.
# "string" and the bare names integer / boolean are placeholders for real values.
# When the FQL filter is assembled from outside input, validate the values first.

# Service class, PEP 8 method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

query = {
    "date_ranges": [{"from": "string", "to": "string"}],
    "field": "string",
    "filter": "string",
    "interval": "string",
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": [{"From": 0, "To": 0}],
    "size": integer,
    "sort": "string",
    "sub_aggregates": ["string"],
    "time_zone": "string",
    "type": "string",
}
response = falcon.aggregate_cases(**query)
print(response)

from falconpy import MessageCenter

# Service class, Operation ID method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

query = {
    "date_ranges": [{"from": "string", "to": "string"}],
    "field": "string",
    "filter": "string",
    "interval": "string",
    "min_doc_count": integer,
    "missing": "string",
    "name": "string",
    "q": "string",
    "ranges": [{"From": 0, "To": 0}],
    "size": integer,
    "sort": "string",
    "sub_aggregates": ["string"],
    "time_zone": "string",
    "type": "string",
}
response = falcon.AggregateCases(**query)
print(response)

from falconpy import APIHarnessV2

# Uber class: the full request body is built by hand and passed through command().
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

nested_aggregate = {
    "date_ranges": ["string"], "exclude": "string", "extended_bounds": {},
    "field": "string", "filter": "string", "filters_spec": {}, "from": integer,
    "include": "string", "interval": "string", "max_doc_count": integer,
    "min_doc_count": integer, "missing": "string", "name": "string",
    "percents": ["string"], "q": "string", "ranges": ["string"], "size": integer,
    "sort": "string", "sub_aggregates": ["string"], "time_zone": "string",
    "type": "string",
}
body_payload = [
    {
        "date_ranges": [{"from": "string", "to": "string"}],
        "exclude": "string",
        "extended_bounds": {"max": "string", "min": "string"},
        "field": "string",
        "filter": "string",
        "filters_spec": {"filters": {}, "other_bucket": boolean, "other_bucket_key": "string"},
        "from": integer,
        "include": "string",
        "interval": "string",
        "max_doc_count": integer,
        "min_doc_count": integer,
        "missing": "string",
        "name": "string",
        "percents": ["string"],
        "q": "string",
        "ranges": [{"from": integer, "to": integer}],
        "size": integer,
        "sort": "string",
        "sub_aggregates": [nested_aggregate],
        "time_zone": "string",
        "type": "string",
    }
]
response = falcon.command("AggregateCases", body=body_payload)
print(response)

Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/message_center" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
from := "string" to := "string" exclude := "string" field := "string" filter := "string" from := integer include := "string" interval := "string" max_doc_count := integer min_doc_count := integer missing := "string" name := "string" q := "string" From := integer To := integer size := integer sort := "string" time_zone := "string" type := "string"
response, err := client.MessageCenter.AggregateCases( &message_center.AggregateCasesParams{ Body: []*models.MsaAggregateQueryRequest{ { DateRanges: []interface{}{ { From: &from, To: &to, }, }, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{ { From: &From, To: &To, }, }, Size: &size, Sort: &sort, SubAggregates: []interface{}{ { DateRanges: []interface{}{ { From: &from, To: &to, }, }, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{ { From: &From, To: &To, }, }, Size: &size, Sort: &sort, SubAggregates: []interface{}{ { DateRanges: []interface{}{}, Exclude: &exclude, ExtendedBounds: &struct{}{}, Field: &field, Filter: &filter, FiltersSpec: &struct{}{}, From: &from, Include: &include, Interval: &interval, MaxDocCount: &max_doc_count, MinDocCount: &min_doc_count, Missing: &missing, Name: &name, Percents: []interface{}{}, Q: &q, Ranges: []interface{}{}, Size: &size, Sort: &sort, SubAggregates: []interface{}{}, TimeZone: &time_zone, Type: &type, }, }, TimeZone: &time_zone, Type: &type, }, }, TimeZone: &time_zone, Type: &type, }, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.messageCenter.aggregateCases( [{ dateRanges: [{ from: "string", to: "string" }], exclude: "string", extendedBounds: { max: "string", min: "string" }, field: "string", filter: "string", filtersSpec: { filters: {}, otherBucket: boolean, otherBucketKey: "string" }, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [{ From: integer, To: integer }], size: integer, sort: "string", subAggregates: [{ dateRanges: [{ from: "string", to: "string" }], exclude: "string", extendedBounds: { max: "string", min: "string" }, field: "string", filter: "string", filtersSpec: { filters: {}, otherBucket: boolean, otherBucketKey: "string" }, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [{ From: integer, To: integer }], size: integer, sort: "string", subAggregates: [{ dateRanges: [], exclude: "string", extendedBounds: {}, field: "string", filter: "string", filtersSpec: {}, from: integer, include: "string", interval: "string", maxDocCount: integer, minDocCount: integer, missing: "string", name: "string", percents: [], q: "string", ranges: [], size: integer, sort: "string", subAggregates: [], timeZone: "string", type: "string" }], timeZone: "string", type: "string" }], timeZone: "string", type: "string"}] // body);
console.log(response);use rusty_falcon::apis::message_center_api::aggregate_cases;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::MsaAggregateQueryRequest;
/// Sends one aggregate query for Message Center cases and debug-prints the response.
///
/// Every `"string"` literal and the bare name `integer` is a placeholder that has
/// to be replaced with a real value.
#[tokio::main]
async fn main() {
    // `from_env` keeps the API credentials out of the source; presumably it reads
    // the same FALCON_* variables the other examples on this page use (confirm).
    let handle = FalconHandle::from_env().await.expect("Could not authenticate");

    // NOTE(review): `DateRangeSpec`, `RangeSpec` and `AggregateQueryRequest` are used
    // below but are not brought into scope by this example's `use` lines.
    // NOTE(review): `type` is a reserved word in Rust, so `type: ...` does not parse
    // as a field name; use the name the model struct actually declares.

    // Third level: no date ranges, ranges or further children.
    let innermost = AggregateQueryRequest {
        date_ranges: vec![],
        exclude: Some("string".to_string()),
        field: Some("string".to_string()),
        filter: Some("string".to_string()),
        filters_spec: Default::default(),
        from: Some(integer),
        include: Some("string".to_string()),
        interval: Some("string".to_string()),
        missing: Some("string".to_string()),
        name: Some("string".to_string()),
        percents: vec![],
        q: Some("string".to_string()),
        ranges: vec![],
        size: Some(integer),
        sort: Some("string".to_string()),
        sub_aggregates: vec![],
        time_zone: Some("string".to_string()),
        type: Some("string".to_string()),
        ..Default::default()
    };

    // Second level: wraps the innermost aggregation.
    let nested = AggregateQueryRequest {
        date_ranges: vec![DateRangeSpec {
            from: Some("string".to_string()),
            to: Some("string".to_string()),
            ..Default::default()
        }],
        exclude: Some("string".to_string()),
        field: Some("string".to_string()),
        filter: Some("string".to_string()),
        filters_spec: Default::default(),
        from: Some(integer),
        include: Some("string".to_string()),
        interval: Some("string".to_string()),
        missing: Some("string".to_string()),
        name: Some("string".to_string()),
        percents: vec![],
        q: Some("string".to_string()),
        ranges: vec![RangeSpec { from: Some(integer), to: Some(integer), ..Default::default() }],
        size: Some(integer),
        sort: Some("string".to_string()),
        sub_aggregates: vec![innermost],
        time_zone: Some("string".to_string()),
        type: Some("string".to_string()),
        ..Default::default()
    };

    // Request body: a list holding the single top-level query.
    let queries = vec![MsaAggregateQueryRequest {
        date_ranges: vec![DateRangeSpec {
            from: Some("string".to_string()),
            to: Some("string".to_string()),
            ..Default::default()
        }],
        exclude: Some("string".to_string()),
        field: Some("string".to_string()),
        filter: Some("string".to_string()),
        filters_spec: Default::default(),
        from: Some(integer),
        include: Some("string".to_string()),
        interval: Some("string".to_string()),
        missing: Some("string".to_string()),
        name: Some("string".to_string()),
        percents: vec![],
        q: Some("string".to_string()),
        ranges: vec![RangeSpec { from: Some(integer), to: Some(integer), ..Default::default() }],
        size: Some(integer),
        sort: Some("string".to_string()),
        sub_aggregates: vec![nested],
        time_zone: Some("string".to_string()),
        type: Some("string".to_string()),
        ..Default::default()
    }];

    let outcome = aggregate_cases(&handle.cfg, queries).await;
    let response = outcome.expect("API call failed");

    // Debug-prints the whole response; case data can be sensitive, so keep this
    // kind of output out of shared logs.
    println!("{:?}", response);
}

require "crimson-falcon"
# Credentials and cloud are read from the environment rather than written into
# the script. ENV[...] yields nil for a variable that is not set.
Falcon.configure do |settings|
  settings.client_id = ENV["FALCON_CLIENT_ID"]
  settings.client_secret = ENV["FALCON_CLIENT_SECRET"]
  settings.cloud = ENV["FALCON_CLOUD"]
end

message_center = Falcon::MessageCenter.new

# 'string' and the bare names integer / boolean are placeholders for real values.
# Third level: no date ranges, ranges or further children.
innermost = {
  date_ranges: [], exclude: 'string', extended_bounds: {}, field: 'string',
  filter: 'string', filters_spec: {}, from: integer, include: 'string',
  interval: 'string', max_doc_count: integer, min_doc_count: integer,
  missing: 'string', name: 'string', percents: [], q: 'string', ranges: [],
  size: integer, sort: 'string', sub_aggregates: [], time_zone: 'string',
  type: 'string'
}

# Second level: wraps the innermost aggregation.
nested = {
  date_ranges: [{ from: 'string', to: 'string' }], exclude: 'string',
  extended_bounds: { max: 'string', min: 'string' }, field: 'string',
  filter: 'string',
  filters_spec: { filters: {}, other_bucket: boolean, other_bucket_key: 'string' },
  from: integer, include: 'string', interval: 'string',
  max_doc_count: integer, min_doc_count: integer, missing: 'string',
  name: 'string', percents: [], q: 'string',
  ranges: [{ From: integer, To: integer }], size: integer, sort: 'string',
  sub_aggregates: [innermost], time_zone: 'string', type: 'string'
}

request = [
  Falcon::MsaAggregateQueryRequest.new(
    date_ranges: [{ from: 'string', to: 'string' }], exclude: 'string',
    extended_bounds: { max: 'string', min: 'string' }, field: 'string',
    filter: 'string',
    filters_spec: { filters: {}, other_bucket: boolean, other_bucket_key: 'string' },
    from: integer, include: 'string', interval: 'string',
    max_doc_count: integer, min_doc_count: integer, missing: 'string',
    name: 'string', percents: [], q: 'string',
    ranges: [{ From: integer, To: integer }], size: integer, sort: 'string',
    sub_aggregates: [nested], time_zone: 'string', type: 'string'
  )
]

response = message_center.aggregate_cases(request)
puts response

GetCaseActivityByIds
Retrieve activities for the given IDs.
POST /message-center/entities/case-activities/GET/v1
PEP 8: get_case_activity
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| ids | body | string or list of strings | One or more Case IDs. |
Code Examples
from falconpy import MessageCenter
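# CLIENT_ID and CLIENT_SECRET are not defined in this snippet: load them from the
# environment or a secrets store instead of writing them into source.

# Service class, PEP 8 method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_case_activity(ids=id_list)
print(response)

from falconpy import MessageCenter

# Service class, Operation ID method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetCaseActivityByIds(ids=id_list)
print(response)

from falconpy import APIHarnessV2

# Uber class: the body is handed over as written, so "ids" is given as a list.
# The original snippet defined id_list here but never used it.
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = ['ID1', 'ID2', 'ID3']

body_payload = {"ids": id_list}

response = falcon.command("GetCaseActivityByIds", body=body_payload)
print(response)

Get-FalconCompleteActivity -Id @("ID1", "ID2")
package main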
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/message_center" "github.com/crowdstrike/gofalcon/falcon/models")
// main authenticates with credentials taken from the environment, requests the
// case activities for the given IDs and prints the response payload.
func main() {
	// The client secret is read from FALCON_CLIENT_SECRET at run time, so it
	// never appears in the source.
	cfg := &falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	}
	client, err := falcon.NewClient(cfg)
	if err != nil {
		panic(err)
	}

	params := &message_center.GetCaseActivityByIdsParams{
		Body:    &models.MsaIdsRequest{Ids: []string{"string"}},
		Context: context.Background(),
	}
	response, err := client.MessageCenter.GetCaseActivityByIds(params)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";
// Connection settings come from the environment, so the client secret is not
// embedded in the source. The `!` assertions only satisfy the type checker: an
// unset variable still reaches the client as undefined.
const { FALCON_CLOUD, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET } = process.env;
const client = new FalconClient({
  cloud: FALCON_CLOUD!,
  clientId: FALCON_CLIENT_ID!,
  clientSecret: FALCON_CLIENT_SECRET!,
});

// The request body carries the list of IDs to look up (empty in this template).
const response = await client.messageCenter.getCaseActivityByIds(
  { ids: [] }, // body
);

console.log(response);

use rusty_falcon::apis::message_center_api::get_case_activity_by_ids;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::MsaIdsRequest;
/// Fetches case activities for a list of IDs and debug-prints the response.
#[tokio::main]
async fn main() {
    // `from_env` keeps the API credentials out of the source; presumably it reads
    // the same FALCON_* variables the other examples on this page use (confirm).
    let handle = FalconHandle::from_env().await.expect("Could not authenticate");

    // "string" is a placeholder for a real ID.
    let request = MsaIdsRequest {
        ids: vec!["string".to_string()],
        ..Default::default()
    };

    let outcome = get_case_activity_by_ids(&handle.cfg, request).await;
    let response = outcome.expect("API call failed");

    // Debug-prints the whole response; case activity text can be sensitive, so
    // keep this kind of output out of shared logs.
    println!("{:?}", response);
}

require "crimson-falcon"
# Credentials and cloud are read from the environment rather than written into
# the script. ENV[...] yields nil for a variable that is not set.
Falcon.configure do |settings|
  settings.client_id = ENV["FALCON_CLIENT_ID"]
  settings.client_secret = ENV["FALCON_CLIENT_SECRET"]
  settings.cloud = ENV["FALCON_CLOUD"]
end

message_center = Falcon::MessageCenter.new

# The request carries the list of IDs to look up (empty in this template).
request = Falcon::MsaIdsRequest.new(ids: [])

response = message_center.get_case_activity_by_ids(request)
puts response

CaseAddActivity
Add an activity to a case. Only activities of type comment are allowed via the API.
POST /message-center/entities/case-activity/v1
PEP 8: add_case_activity
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| case_id | body | string | Case ID to attach the activity to. |
| content | body | string | Case activity content. Used for the body key within the BODY payload. |
| type | body | string | Case activity type. |
| user_uuid | body | string | UUID of the user attached to the case activity. |
Code Examples
from falconpy import MessageCenter
# CLIENT_ID and CLIENT_SECRET are not defined in this snippet: load them from the
# environment or a secrets store instead of writing them into source.
# Per the operation description, only activities of type comment are accepted.

# Service class, PEP 8 method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

activity = {
    "content": "string",
    "case_id": "string",
    "type": "string",
    "user_uuid": "string",
}
response = falcon.add_case_activity(**activity)
print(response)

from falconpy import MessageCenter

# Service class, Operation ID method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

activity = {
    "content": "string",
    "case_id": "string",
    "type": "string",
    "user_uuid": "string",
}
response = falcon.CaseAddActivity(**activity)
print(response)

from falconpy import APIHarnessV2

# Uber class: the activity text goes under the "body" key of the request body.
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "body": "string",
    "case_id": "string",
    "type": "string",
    "user_uuid": "string",
}
response = falcon.command("CaseAddActivity", body=body_payload)
print(response)

Add-FalconCompleteActivity -Type "string" `
    -Content "string" `
    -UserId "string" `
    -Id "string"
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/message_center" "github.com/crowdstrike/gofalcon/falcon/models")
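// main authenticates with credentials taken from the environment, adds one
// activity to a case and prints the response payload.
func main() {
	// The client secret is read from FALCON_CLIENT_SECRET at run time, so it
	// never appears in the source.
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	// Placeholders for real values. The activity type is held in activityType
	// because `type` is a Go keyword and cannot be used as a variable name.
	// Per the operation description, only activities of type comment are accepted.
	activityBody := "string"
	caseID := "string"
	activityType := "string"
	userUUID := "string"

	response, err := client.MessageCenter.CaseAddActivity(
		&message_center.CaseAddActivityParams{
			Body: &models.MessagecenterActivityCreationRequest{
				Body:     &activityBody,
				CaseID:   &caseID,
				Type:     &activityType,
				UserUuid: &userUUID,
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";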
// Connection settings come from the environment, so the client secret is not
// embedded in the source. The `!` assertions only satisfy the type checker: an
// unset variable still reaches the client as undefined.
const { FALCON_CLOUD, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET } = process.env;
const client = new FalconClient({
  cloud: FALCON_CLOUD!,
  clientId: FALCON_CLIENT_ID!,
  clientSecret: FALCON_CLIENT_SECRET!,
});

// Per the operation description, only activities of type comment are accepted.
const response = await client.messageCenter.caseAddActivity(
  {
    body: "string",
    caseId: "string",
    type: "string",
    userUuid: "string",
  }, // body
);

console.log(response);

use rusty_falcon::apis::message_center_api::case_add_activity;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::MessagecenterActivityCreationRequest;
/// Adds one activity to a case and debug-prints the response.
#[tokio::main]
async fn main() {
    // `from_env` keeps the API credentials out of the source; presumably it reads
    // the same FALCON_* variables the other examples on this page use (confirm).
    let handle = FalconHandle::from_env().await.expect("Could not authenticate");

    // "string" values are placeholders. Per the operation description, only
    // activities of type comment are accepted.
    // NOTE(review): `type` is a reserved word in Rust, so `type: ...` does not parse
    // as a field name; use the name the model struct actually declares.
    let activity = MessagecenterActivityCreationRequest {
        body: Some("string".to_string()),
        case_id: Some("string".to_string()),
        type: Some("string".to_string()),
        user_uuid: Some("string".to_string()),
        ..Default::default()
    };

    let outcome = case_add_activity(&handle.cfg, activity).await;
    let response = outcome.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"
# Credentials and cloud are read from the environment rather than written into
# the script. ENV[...] yields nil for a variable that is not set.
Falcon.configure do |settings|
  settings.client_id = ENV["FALCON_CLIENT_ID"]
  settings.client_secret = ENV["FALCON_CLIENT_SECRET"]
  settings.cloud = ENV["FALCON_CLOUD"]
end

message_center = Falcon::MessageCenter.new

# Per the operation description, only activities of type comment are accepted.
request = Falcon::MessagecenterActivityCreationRequest.new(
  body: 'string',
  case_id: 'string',
  type: 'string',
  user_uuid: 'string'
)

response = message_center.case_add_activity(request)
puts response

CaseDownloadAttachment
Retrieve an attachment for the case, given the attachment ID.
GET /message-center/entities/case-attachment/v1
PEP 8: download_case_attachment
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| id | query | string | Attachment ID to retrieve. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
from falconpy import MessageCenter
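# CLIENT_ID and CLIENT_SECRET are not defined in this snippet: load them from the
# environment or a secrets store instead of writing them into source.
# The parameter table documents a single "id" (one attachment ID), so the calls
# below pass id= rather than a comma-delimited ids= string.
# Attachment content arrives through a support case: treat what comes back as
# untrusted input and store it without opening or executing it.

# Service class, PEP 8 method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

attachment_id = "string"

response = falcon.download_case_attachment(id=attachment_id)
print(response)

from falconpy import MessageCenter

# Service class, Operation ID method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

attachment_id = "string"

response = falcon.CaseDownloadAttachment(id=attachment_id)
print(response)

from falconpy import APIHarnessV2

# Uber class.
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

attachment_id = "string"

response = falcon.command("CaseDownloadAttachment", id=attachment_id)
print(response)

Receive-FalconCompleteAttachment -Path "string" -Id "string"
package main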
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/message_center")
// main authenticates with credentials taken from the environment, downloads one
// case attachment by ID and prints the response payload.
func main() {
	// The client secret is read from FALCON_CLIENT_SECRET at run time, so it
	// never appears in the source.
	cfg := &falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	}
	client, err := falcon.NewClient(cfg)
	if err != nil {
		panic(err)
	}

	params := &message_center.CaseDownloadAttachmentParams{
		ID:      "string", // placeholder for the attachment ID
		Context: context.Background(),
	}
	response, err := client.MessageCenter.CaseDownloadAttachment(params)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	// Attachment content arrives through a support case: treat the payload as
	// untrusted input.
	fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";
// Connection settings come from the environment, so the client secret is not
// embedded in the source. The `!` assertions only satisfy the type checker: an
// unset variable still reaches the client as undefined.
const { FALCON_CLOUD, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET } = process.env;
const client = new FalconClient({
  cloud: FALCON_CLOUD!,
  clientId: FALCON_CLIENT_ID!,
  clientSecret: FALCON_CLIENT_SECRET!,
});

// Attachment content arrives through a support case: treat the response as
// untrusted input.
const response = await client.messageCenter.caseDownloadAttachment(
  "string", // id
);

console.log(response);

use rusty_falcon::apis::message_center_api::case_download_attachment;
use rusty_falcon::easy::client::FalconHandle;
/// Downloads one case attachment by ID and debug-prints the response.
#[tokio::main]
async fn main() {
    // `from_env` keeps the API credentials out of the source; presumably it reads
    // the same FALCON_* variables the other examples on this page use (confirm).
    let handle = FalconHandle::from_env().await.expect("Could not authenticate");

    let attachment_id = "string"; // id (placeholder)

    // Attachment content arrives through a support case: treat the response as
    // untrusted input and store it without opening or executing it.
    let outcome = case_download_attachment(&handle.cfg, attachment_id).await;
    let response = outcome.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"
# Credentials and cloud are read from the environment rather than written into
# the script. ENV[...] yields nil for a variable that is not set.
Falcon.configure do |settings|
  settings.client_id = ENV["FALCON_CLIENT_ID"]
  settings.client_secret = ENV["FALCON_CLIENT_SECRET"]
  settings.cloud = ENV["FALCON_CLOUD"]
end

message_center = Falcon::MessageCenter.new

# Attachment content arrives through a support case: treat the response as
# untrusted input.
attachment_id = 'string'
response = message_center.case_download_attachment(attachment_id)
puts response

CaseAddAttachment
Upload an attachment for the case.
POST /message-center/entities/case-attachment/v1
PEP 8: add_case_attachment
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| case_id | formData | string | Case ID to update. |
| data | formData | file | Content of the attachment in binary format. Max file size is 15 MB. Filename must start with a-zA-Z0-9_- and has a maximum of 255 characters. Allowed characters in file name are a-zA-Z0-9-_.. Accepted file formats: Images: .bmp, .jpg, .jpeg, .gif, .png. Adobe PDF: .pdf. Office documents: .doc, .docx, .ppt, .pptx, .xls, .xlsx. Text files: .csv, .txt. |
| file_data or sample or upfile | formData | file | Content of the attachment in binary format. Max file size is 15 MB. sample and upfile are also accepted as this parameter. Filename must start with a-zA-Z0-9_- and has a maximum of 255 characters. Allowed characters in file name are a-zA-Z0-9-_.. Accepted file formats: Images: .bmp, .jpg, .jpeg, .gif, .png. Adobe PDF: .pdf. Office documents: .doc, .docx, .ppt, .pptx, .xls, .xlsx. Text files: .csv, .txt. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| user_uuid | formData | string | UUID of the user providing the attachment. |
Code Examples
from falconpy import MessageCenter
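# CLIENT_ID and CLIENT_SECRET are not defined in this snippet: load them from the
# environment or a secrets store instead of writing them into source.
# Limits from the parameter table: at most 15 MB, a file name of up to 255
# characters, and only the listed image, PDF, Office, .csv and .txt formats.
# Check the file against these, and confirm it is the file you mean to share,
# before sending it.

# Service class, PEP 8 method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.add_case_attachment(
    case_id="string",
    file_data="string",
    file_name="string",
    user_uuid="string",
)
print(response)

from falconpy import MessageCenter

# Service class, Operation ID method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.CaseAddAttachment(
    case_id="string",
    file_data="string",
    file_name="string",
    user_uuid="string",
)
print(response)

from falconpy import APIHarnessV2

# Uber class.
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Read the attachment inside a context manager so the file handle is closed
# even if the read fails (the original open(...).read() never closed it).
with open("filename", "rb") as attachment:
    file_bytes = attachment.read()

response = falcon.command(
    "CaseAddAttachment",
    case_id="string",
    user_uuid="string",
    file_data=file_bytes,
)
print(response)

Send-FalconCompleteAttachment -Path "string" `
    -UserId "string" `
    -Id "string"
package main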
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/message_center")
// main authenticates with credentials taken from the environment, calls the
// attachment upload operation for a case and prints the response payload.
func main() {
	// The client secret is read from FALCON_CLIENT_SECRET at run time, so it
	// never appears in the source.
	cfg := &falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	}
	client, err := falcon.NewClient(cfg)
	if err != nil {
		panic(err)
	}

	// NOTE(review): no attachment content is set in these params; the upload
	// presumably needs a file field as well. Check the params struct.
	params := &message_center.CaseAddAttachmentParams{
		CaseID:   "string",
		UserUUID: "string",
		Context:  context.Background(),
	}
	response, err := client.MessageCenter.CaseAddAttachment(params)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";
// Connection settings come from the environment, so the client secret is not
// embedded in the source. The `!` assertions only satisfy the type checker: an
// unset variable still reaches the client as undefined.
const { FALCON_CLOUD, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET } = process.env;
const client = new FalconClient({
  cloud: FALCON_CLOUD!,
  clientId: FALCON_CLIENT_ID!,
  clientSecret: FALCON_CLIENT_SECRET!,
});

// The parameter table limits uploads to 15 MB and to the listed file formats;
// check the file against these before sending it.
const response = await client.messageCenter.caseAddAttachment(
  "string", // caseId
  "string", // userUuid
  "string", // file
);

console.log(response);

use rusty_falcon::apis::message_center_api::case_add_attachment;
use rusty_falcon::easy::client::FalconHandle;
/// Uploads one attachment to a case and debug-prints the response.
#[tokio::main]
async fn main() {
    // `from_env` keeps the API credentials out of the source; presumably it reads
    // the same FALCON_* variables the other examples on this page use (confirm).
    let handle = FalconHandle::from_env().await.expect("Could not authenticate");

    let case_id = "string"; // case_id (placeholder)
    let user_uuid = "string"; // user_uuid (placeholder)

    // `PathBuf::default()` is an empty path standing in for the file to upload.
    // The parameter table limits uploads to 15 MB and to the listed file formats;
    // check the real file against these before sending it.
    let file = std::path::PathBuf::default(); // file

    let outcome = case_add_attachment(&handle.cfg, case_id, user_uuid, file).await;
    let response = outcome.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"
# Credentials and cloud are read from the environment rather than written into
# the script. ENV[...] yields nil for a variable that is not set.
Falcon.configure do |settings|
  settings.client_id = ENV["FALCON_CLIENT_ID"]
  settings.client_secret = ENV["FALCON_CLIENT_SECRET"]
  settings.cloud = ENV["FALCON_CLOUD"]
end

message_center = Falcon::MessageCenter.new

# All three arguments are placeholders. The parameter table limits uploads to
# 15 MB and to the listed file formats; check the file before sending it.
upload_args = ['string', 'string', 'string']
response = message_center.case_add_attachment(*upload_args)
puts response

CreateCaseV2
Create a new case.
POST /message-center/entities/case/v2
PEP 8: create_case_v2
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| content | body | string | Case content. Used for the body key within the BODY payload. |
| detections | body | list of dictionaries | List of detections to attach to the case. Dictionary format: {“id”: “string”, “url”: “string”} |
| incidents | body | list of dictionaries | List of incidents to attach to the case. Dictionary format: {“id”: “string”, “url”: “string”} |
| title | body | string | Case title. |
| type | body | string | Case type. |
| user_uuid | body | string | UUID of the user attached to the case. |
Code Examples
from falconpy import MessageCenter
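# CLIENT_ID and CLIENT_SECRET are not defined in this snippet: load them from the
# environment or a secrets store instead of writing them into source.
# The parameter table documents incidents as a list of dictionaries, so the
# calls below pass that shape instead of a comma-delimited ID string.

# Service class, PEP 8 method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

detections = [{"id": "string", "product": "string", "url": "string"}]
incidents = [{"id": "string", "url": "string"}]

response = falcon.create_case_v2(
    content="string",
    detections=detections,
    incidents=incidents,
    title="string",
    type="string",
    user_uuid="string",
)
print(response)

from falconpy import MessageCenter

# Service class, Operation ID method name.
falcon = MessageCenter(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

detections = [{"id": "string", "product": "string", "url": "string"}]
incidents = [{"id": "string", "url": "string"}]

response = falcon.CreateCaseV2(
    content="string",
    detections=detections,
    incidents=incidents,
    title="string",
    type="string",
    user_uuid="string",
)
print(response)

from falconpy import APIHarnessV2

# Uber class: the case text goes under the "body" key of the request body.
# The original snippet defined an id_list here that was never used.
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "body": "string",
    "detections": [{"id": "string", "product": "string", "url": "string"}],
    "incidents": [{"id": "string", "url": "string"}],
    "malware_submission_id": "string",
    "recon_rule_type": "string",
    "title": "string",
    "type": "string",
    "user_uuid": "string",
}

response = falcon.command("CreateCaseV2", body=body_payload)
print(response)

New-FalconCompleteCase -Type "string" `
    -Title "string" `
    -Content "string" `
    -UserId "string"
package main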
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/message_center" "github.com/crowdstrike/gofalcon/falcon/models")
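// main authenticates with credentials taken from the environment, creates a
// case and prints the response payload.
func main() {
	// The client secret is read from FALCON_CLIENT_SECRET at run time, so it
	// never appears in the source.
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	// Placeholders for real values. The case type is held in caseType because
	// `type` is a Go keyword and cannot be used as a variable name.
	caseBody := "string"
	id := "string"
	product := "string"
	url := "string"
	malwareSubmissionID := "string"
	reconRuleType := "string"
	title := "string"
	caseType := "string"
	userUUID := "string"

	// NOTE(review): the elements of Detections and Incidents are written as
	// untyped literals inside []interface{}; they need the concrete model type
	// from the models package to compile. Confirm the type names there.
	response, err := client.MessageCenter.CreateCaseV2(
		&message_center.CreateCaseV2Params{
			Body: &models.MessagecenterCaseCreationRequestV2{
				Body: &caseBody,
				Detections: []interface{}{
					{
						ID:      &id,
						Product: &product,
						URL:     &url,
					},
				},
				Incidents: []interface{}{
					{
						ID:  &id,
						URL: &url,
					},
				},
				MalwareSubmissionID: &malwareSubmissionID,
				ReconRuleType:       &reconRuleType,
				Title:               &title,
				Type:                &caseType,
				UserUuid:            &userUUID,
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";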
// Cloud region and API credentials are read from the environment. The `!`
// assertions only satisfy the type checker: an unset variable still reaches
// the client as `undefined`, so verify the environment before running.
const { FALCON_CLOUD, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET } = process.env;
const falconClient = new FalconClient({
  cloud: FALCON_CLOUD!,
  clientId: FALCON_CLIENT_ID!,
  clientSecret: FALCON_CLIENT_SECRET!,
});

// Request body for CreateCaseV2; every value is a documentation placeholder.
const caseRequest = {
  body: "string",
  detections: [{ id: "string", product: "string", url: "string" }],
  incidents: [{ id: "string", url: "string" }],
  malwareSubmissionId: "string",
  reconRuleType: "string",
  title: "string",
  type: "string",
  userUuid: "string",
};

const created = await falconClient.messageCenter.createCaseV2(caseRequest);
console.log(created);

use rusty_falcon::apis::message_center_api::create_case_v2;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::MessagecenterCaseCreationRequestV2;
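/// Creates a Message Center case from placeholder values and prints the response.
///
/// `FalconHandle::from_env` is presumably where the API credentials are picked up
/// from the environment; no credential appears in this snippet.
///
/// # Panics
///
/// Panics if authentication fails or the API call returns an error.
#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env()
        .await
        .expect("Could not authenticate");

    // NOTE(review): `Alert` and `Incident` are not covered by the `use` lines shown
    // with this example; import the matching model types before compiling.
    let body = MessagecenterCaseCreationRequestV2 {
        body: Some("string".to_string()),
        detections: vec![Alert {
            id: Some("string".to_string()),
            product: Some("string".to_string()),
            url: Some("string".to_string()),
            ..Default::default()
        }],
        incidents: vec![Incident {
            id: Some("string".to_string()),
            url: Some("string".to_string()),
            ..Default::default()
        }],
        malware_submission_id: Some("string".to_string()),
        recon_rule_type: Some("string".to_string()),
        title: Some("string".to_string()),
        // `type` is a reserved word in Rust, so the field can only be named through
        // the raw identifier `r#type` (confirm against the crate's struct definition).
        r#type: Some("string".to_string()),
        ..Default::default()
    };

    let response = create_case_v2(
        &falcon.cfg, // configuration
        body,        // body
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"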
# Credentials and cloud region are read from the environment at configure time.
Falcon.configure { |settings|
  settings.client_id = ENV["FALCON_CLIENT_ID"]
  settings.client_secret = ENV["FALCON_CLIENT_SECRET"]
  settings.cloud = ENV["FALCON_CLOUD"]
}

message_center = Falcon::MessageCenter.new

# Request body for create_case_v2; every value is a documentation placeholder.
case_request = Falcon::MessagecenterCaseCreationRequestV2.new(
  body: 'string',
  detections: [{ id: 'string', product: 'string', url: 'string' }],
  incidents: [{ id: 'string', url: 'string' }],
  malware_submission_id: 'string',
  recon_rule_type: 'string',
  title: 'string',
  type: 'string',
  user_uuid: 'string'
)

puts message_center.create_case_v2(case_request)

GetCaseEntitiesByIDs
Retrieve message center cases
POST /message-center/entities/cases/GET/v1
PEP 8: get_cases
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| ids | body | string or list of strings | One or more Case IDs. |
Code Examples
from falconpy import MessageCenter
# CLIENT_ID and CLIENT_SECRET are not defined in this snippet; supply them from
# the environment or a secrets manager rather than embedding them in the script.
credentials = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
message_center = MessageCenter(**credentials)

# Case IDs as a comma-delimited string; a list (['ID1', 'ID2', 'ID3']) can be passed instead.
case_ids = 'ID1,ID2,ID3'
print(message_center.get_cases(ids=case_ids))

from falconpy import MessageCenter
# CLIENT_ID and CLIENT_SECRET must be provided by the caller; keep them out of
# source control (environment variables or a secrets manager).
auth = dict(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
sdk = MessageCenter(**auth)

# Same request as the PEP 8 form, addressed by operation ID. The IDs may be a
# comma-delimited string or a list (['ID1', 'ID2', 'ID3']).
wanted_ids = 'ID1,ID2,ID3'
cases = sdk.GetCaseEntitiesByIDs(ids=wanted_ids)
print(cases)

from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
body_payload = { "ids": ["string"]}
response = falcon.command("GetCaseEntitiesByIDs", body=body_payload)print(response)Get-FalconCompleteCase -Id @("ID1", "ID2")package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/message_center" "github.com/crowdstrike/gofalcon/falcon/models")
// main authenticates with credentials read from the FALCON_CLIENT_ID and
// FALCON_CLIENT_SECRET environment variables, requests Message Center cases by
// ID, and prints the response payload. It panics on any returned error.
func main() {
	ctx := context.Background()

	cfg := falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      ctx,
	}
	api, err := falcon.NewClient(&cfg)
	if err != nil {
		panic(err)
	}

	// "string" is a documentation placeholder for a real case ID.
	params := message_center.GetCaseEntitiesByIDsParams{
		Body:    &models.MsaIdsRequest{Ids: []string{"string"}},
		Context: ctx,
	}
	result, err := api.MessageCenter.GetCaseEntitiesByIDs(&params)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", result.Payload)
}

import { FalconClient } from "crowdstrike-falcon";
// Cloud region and API credentials are read from the environment. The `!`
// assertions do not check anything at run time, so an unset variable is passed
// to the client as `undefined`.
const { FALCON_CLOUD, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET } = process.env;
const falconClient = new FalconClient({
  cloud: FALCON_CLOUD!,
  clientId: FALCON_CLIENT_ID!,
  clientSecret: FALCON_CLIENT_SECRET!,
});

// Request body; the example leaves the ID list empty.
const idsRequest = { ids: [] };

const cases = await falconClient.messageCenter.getCaseEntitiesByIDs(idsRequest);
console.log(cases);

use rusty_falcon::apis::message_center_api::get_case_entities_by_ids;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::MsaIdsRequest;
/// Requests Message Center cases by ID and prints the response.
///
/// # Panics
///
/// Panics if authentication fails or the API call returns an error.
#[tokio::main]
async fn main() {
    // `from_env` presumably reads the API credentials from the environment;
    // none are written in this snippet.
    let handle = FalconHandle::from_env()
        .await
        .expect("Could not authenticate");

    // "string" is a documentation placeholder for a real case ID.
    let case_ids = vec![String::from("string")];
    let request = MsaIdsRequest {
        ids: case_ids,
        ..Default::default()
    };

    let pending = get_case_entities_by_ids(&handle.cfg, request);
    let cases = pending.await.expect("API call failed");

    println!("{:?}", cases);
}

require "crimson-falcon"
# Credentials and cloud region are read from the environment at configure time.
Falcon.configure { |settings|
  settings.client_id = ENV["FALCON_CLIENT_ID"]
  settings.client_secret = ENV["FALCON_CLIENT_SECRET"]
  settings.cloud = ENV["FALCON_CLOUD"]
}

message_center = Falcon::MessageCenter.new

# Request body; the example leaves the ID list empty.
ids_request = Falcon::MsaIdsRequest.new(ids: [])

puts message_center.get_case_entities_by_ids(ids_request)

QueryActivityByCaseID
Retrieve activity IDs for a case
GET /message-center/queries/case-activities/v1
PEP 8: query_activities
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| case_id | query | string | Case ID to search for activities. |
| filter | query | string | The filter expression that should be used to limit the results. FQL Syntax. |
| limit | query | integer | Maximum number of records to return. (Max: 500) |
| offset | query | integer | Starting index of overall result set from which to return ids. |
| sort | query | string | The property to sort by. (Ex: case.created_time.desc) Available sort fields: case.created_time, case.id, case.last_modified_time, case.status, case.type. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
from falconpy import MessageCenter
# CLIENT_ID and CLIENT_SECRET are not defined in this snippet; supply them from
# the environment or a secrets manager rather than embedding them in the script.
credentials = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
message_center = MessageCenter(**credentials)

# `integer` and "string" are documentation placeholders. When any part of the
# FQL filter originates outside the script, validate it before building the
# expression.
query = {
    "case_id": "string",
    "filter": "string",
    "limit": integer,
    "offset": integer,
    "sort": "string",
}
print(message_center.query_activities(**query))

from falconpy import MessageCenter
# CLIENT_ID and CLIENT_SECRET must be provided by the caller; keep them out of
# source control (environment variables or a secrets manager).
auth = dict(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
sdk = MessageCenter(**auth)

# Same query as the PEP 8 form, addressed by operation ID. `integer` and
# "string" are documentation placeholders.
activity_ids = sdk.QueryActivityByCaseID(
    case_id="string",
    filter="string",
    limit=integer,
    offset=integer,
    sort="string",
)
print(activity_ids)

from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("QueryActivityByCaseID", limit=integer, sort="string", filter="string", offset=integer, case_id="string")print(response)Get-FalconCompleteActivity -CaseId "string" ` -Filter "string" ` -Sort "string" ` -Limit integer ` -Offset "string"package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/message_center")
// main authenticates with credentials read from the FALCON_CLIENT_ID and
// FALCON_CLIENT_SECRET environment variables, queries the activity IDs of one
// case, and prints the response payload. It panics on any returned error.
func main() {
	ctx := context.Background()

	cfg := falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      ctx,
	}
	api, err := falcon.NewClient(&cfg)
	if err != nil {
		panic(err)
	}

	// Placeholder values. When any part of the FQL filter originates outside
	// the program, validate it before building the expression.
	var (
		limit  = int64(0)
		sort   = "string"
		filter = "string"
		offset = int64(0)
	)

	params := message_center.QueryActivityByCaseIDParams{
		Limit:   &limit,
		Sort:    &sort,
		Filter:  &filter,
		Offset:  &offset,
		CaseID:  "string",
		Context: ctx,
	}
	result, err := api.MessageCenter.QueryActivityByCaseID(&params)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", result.Payload)
}

import { FalconClient } from "crowdstrike-falcon";
// Cloud region and API credentials are read from the environment. The `!`
// assertions do not check anything at run time, so an unset variable is passed
// to the client as `undefined`.
const { FALCON_CLOUD, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET } = process.env;
const falconClient = new FalconClient({
  cloud: FALCON_CLOUD!,
  clientId: FALCON_CLIENT_ID!,
  clientSecret: FALCON_CLIENT_SECRET!,
});

// Positional arguments, named here for readability; `integer` and "string"
// are documentation placeholders.
const caseId = "string";
const limit = integer;
const sort = "string";
const filter = "string";
const offset = integer;

const activityIds = await falconClient.messageCenter.queryActivityByCaseID(
  caseId,
  limit,
  sort,
  filter,
  offset
);
console.log(activityIds);

use rusty_falcon::apis::message_center_api::query_activity_by_case_id;
use rusty_falcon::easy::client::FalconHandle;
/// Queries the activity IDs recorded for one case and prints the response.
///
/// # Panics
///
/// Panics if authentication fails or the API call returns an error.
#[tokio::main]
async fn main() {
    // `from_env` presumably reads the API credentials from the environment;
    // none are written in this snippet.
    let handle = FalconHandle::from_env()
        .await
        .expect("Could not authenticate");

    // `integer` and "string" are documentation placeholders.
    let case_id = "string";
    let limit = Some(integer);
    let sort = Some("string");
    // When any part of the FQL filter originates outside the program, validate
    // it before building the expression.
    let filter = Some("string");
    // NOTE(review): the parameter table lists `offset` as an integer while this
    // example passes a string; confirm against the crate's function signature.
    let offset = Some("string");

    let pending = query_activity_by_case_id(&handle.cfg, case_id, limit, sort, filter, offset);
    let activity_ids = pending.await.expect("API call failed");

    println!("{:?}", activity_ids);
}

require "crimson-falcon"
# Credentials and cloud region are read from the environment at configure time.
Falcon.configure { |settings|
  settings.client_id = ENV["FALCON_CLIENT_ID"]
  settings.client_secret = ENV["FALCON_CLIENT_SECRET"]
  settings.cloud = ENV["FALCON_CLOUD"]
}

message_center = Falcon::MessageCenter.new

# Only the case ID is passed in this example; 'string' is a placeholder.
puts message_center.query_activity_by_case_id('string')

QueryCasesIdsByFilter
Retrieve case IDs that match the provided filter criteria
GET /message-center/queries/cases/v1
PEP 8: query_cases
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | The filter expression that should be used to limit the results. FQL Syntax. |
| limit | query | integer | Maximum number of records to return. (Max: 500) |
| offset | query | string | Starting index of overall result set from which to return ids. |
| sort | query | string | The property to sort by. (Ex: case.created_time.desc) Available sort fields: case.created_time, case.id, case.last_modified_time, case.status, case.type. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
from falconpy import MessageCenter
# CLIENT_ID and CLIENT_SECRET are not defined in this snippet; supply them from
# the environment or a secrets manager rather than embedding them in the script.
credentials = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
message_center = MessageCenter(**credentials)

# `integer` and "string" are documentation placeholders. When any part of the
# FQL filter originates outside the script, validate it before building the
# expression.
query = {
    "filter": "string",
    "limit": integer,
    "offset": integer,
    "sort": "string",
}
print(message_center.query_cases(**query))

from falconpy import MessageCenter
# CLIENT_ID and CLIENT_SECRET must be provided by the caller; keep them out of
# source control (environment variables or a secrets manager).
auth = dict(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
sdk = MessageCenter(**auth)

# Same query as the PEP 8 form, addressed by operation ID. `integer` and
# "string" are documentation placeholders.
case_ids = sdk.QueryCasesIdsByFilter(
    filter="string",
    limit=integer,
    offset=integer,
    sort="string",
)
print(case_ids)

from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("QueryCasesIdsByFilter", limit=integer, sort="string", filter="string", offset=integer)print(response)Get-FalconCompleteCase -Filter "string" ` -Sort "string" ` -Limit integer ` -Offset "string"package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/message_center")
// main authenticates with credentials read from the FALCON_CLIENT_ID and
// FALCON_CLIENT_SECRET environment variables, queries case IDs by filter, and
// prints the response payload. It panics on any returned error.
func main() {
	ctx := context.Background()

	cfg := falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      ctx,
	}
	api, err := falcon.NewClient(&cfg)
	if err != nil {
		panic(err)
	}

	// Placeholder values. When any part of the FQL filter originates outside
	// the program, validate it before building the expression.
	var (
		limit  = int64(0)
		sort   = "string"
		filter = "string"
		offset = int64(0)
	)

	params := message_center.QueryCasesIdsByFilterParams{
		Limit:   &limit,
		Sort:    &sort,
		Filter:  &filter,
		Offset:  &offset,
		Context: ctx,
	}
	result, err := api.MessageCenter.QueryCasesIdsByFilter(&params)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", result.Payload)
}

import { FalconClient } from "crowdstrike-falcon";
// Cloud region and API credentials are read from the environment. The `!`
// assertions do not check anything at run time, so an unset variable is passed
// to the client as `undefined`.
const { FALCON_CLOUD, FALCON_CLIENT_ID, FALCON_CLIENT_SECRET } = process.env;
const falconClient = new FalconClient({
  cloud: FALCON_CLOUD!,
  clientId: FALCON_CLIENT_ID!,
  clientSecret: FALCON_CLIENT_SECRET!,
});

// Positional arguments, named here for readability; `integer` and "string"
// are documentation placeholders.
const limit = integer;
const sort = "string";
const filter = "string";
const offset = integer;

const caseIds = await falconClient.messageCenter.queryCasesIdsByFilter(
  limit,
  sort,
  filter,
  offset
);
console.log(caseIds);

use rusty_falcon::apis::message_center_api::query_cases_ids_by_filter;
use rusty_falcon::easy::client::FalconHandle;
/// Queries the IDs of cases matching a filter and prints the response.
///
/// # Panics
///
/// Panics if authentication fails or the API call returns an error.
#[tokio::main]
async fn main() {
    // `from_env` presumably reads the API credentials from the environment;
    // none are written in this snippet.
    let handle = FalconHandle::from_env()
        .await
        .expect("Could not authenticate");

    // `integer` and "string" are documentation placeholders.
    let limit = Some(integer);
    let sort = Some("string");
    // When any part of the FQL filter originates outside the program, validate
    // it before building the expression.
    let filter = Some("string");
    let offset = Some("string");

    let pending = query_cases_ids_by_filter(&handle.cfg, limit, sort, filter, offset);
    let case_ids = pending.await.expect("API call failed");

    println!("{:?}", case_ids);
}

require "crimson-falcon"
# Credentials and cloud region are read from the environment at configure time.
Falcon.configure { |settings|
  settings.client_id = ENV["FALCON_CLIENT_ID"]
  settings.client_secret = ENV["FALCON_CLIENT_SECRET"]
  settings.cloud = ENV["FALCON_CLOUD"]
}

message_center = Falcon::MessageCenter.new

# `integer` and 'string' are documentation placeholders. When any part of the
# FQL filter originates outside the script, validate it before building the
# expression.
case_ids = message_center.query_cases_ids_by_filter(
  limit: integer,
  sort: 'string',
  filter: 'string',
  offset: integer
)

puts case_ids