Unable to retrieve incident comments #1144
Unanswered
limbenjamin
asked this question in
Q&A
-
Hi @limbenjamin - Thank you for the question! Read / update functionality for Incident comments is not currently available via the public API. You can submit a request for this to be added via the ideas portal link available from the Falcon console.
-
I need to retrieve incident comments via the API but have not been able to find the correct method in the API. Based on research, it seems that I need to query the following URLs.
https://falcon.us-2.crowdstrike.com/api2/audit-logs/queries/audit-logs/v1?filter=resource_id='{resource_id}'+category:'detections'+type:'detection_update'+access_level:!'support'&limit=100&offset=0
It will respond with
{
  "meta": {
    "query_time": 0.055127147,
    "pagination": {
      "offset": 1,
      "limit": 100,
      "total": 1
    },
    "powered_by": "msa-api",
    "trace_id": "deafdcdc9c7c8c0d1ac7......"
  },
  "resources": [
    "{comment_resource_id}"
  ],
  "errors": []
}
I then need to query the following URL to get the comment message.
https://falcon.us-2.crowdstrike.com/api2/audit-logs/entities/audit-logs/v1?ids={comment_resource_id}
"fields": [ { "name": "append_comment", "value": "Test Comment" },
Appreciate if you could assist in letting me know the correct method in the API to make those queries.