[Bug]: Incidents module returns 404 - Related to incidents moving to Cases?


Incidents Module Returning 404 Errors: Migration to Cases

Users of falcon-mcp are encountering 404 errors when attempting to use the Incidents module. This issue manifests as an inability to retrieve incident data using functions such as falcon_search_incidents and falcon_search_behaviors. The API returns a "No content was received for this request" error, despite correct API key configuration and permissions.

Root Cause: Deprecation of the Incidents API

The underlying cause is the migration of incident management within the CrowdStrike Falcon platform from the traditional "Incidents" model to a new "Cases" model. This shift involves the deprecation of the /incidents/ API endpoints in favor of the Case Management API, accessible via /casemgmt/. The new API introduces a different data model and requires different scopes for authentication.

Solution: Transitioning to the Case Management API

To resolve this issue, falcon-mcp needs to be updated to utilize the new Case Management API. This involves significant changes due to the differences in data structure and authentication requirements. Here's a breakdown of the necessary steps:

  1. Authentication Scope Update: The API key used by falcon-mcp must be granted the case-templates:read and case-templates:write scopes to access the Case Management API.
  2. Endpoint Modification: The code needs to be modified to target the /casemgmt/ endpoints instead of the deprecated /incidents/ endpoints.
  3. Data Model Adaptation: The data parsing logic must be updated to handle the new Case Management API data structures. Cases contain alert evidence, event evidence, SLAs, templates, and other attributes that are not present in the old Incidents model.
  4. Function Replacement: The existing functions (falcon_search_incidents, falcon_get_incident_details, falcon_search_behaviors) need to be refactored or replaced with new functions that interact with the Case Management API.

Here's an example of how you might adapt a search function (conceptual; the client call shape and the cases path are illustrative):

# Old (broken) way: targets the deprecated /incidents/ route and now comes back
# as a 404 with "No content was received for this request".
# def falcon_search_incidents(api_client, filter, limit):
#     response = api_client.command(action='get', path='/incidents/', parameters={'filter': filter, 'limit': limit})
#     return response

# New (hypothetical) way using the Case Management API.
# fql_filter is a Falcon Query Language filter string; limit caps the result count.
def falcon_search_cases(api_client, fql_filter, limit):
    response = api_client.command(action='get', path='/casemgmt/entities/cases/v1', parameters={'filter': fql_filter, 'limit': limit})
    return response
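The migration steps above can be combined into a shim that recognises the deprecation failure described in this issue instead of handing callers an empty result. This is an added example, not falcon-mcp code: the `FakeApiClient`, the response shape (`status_code` plus a `body` with `errors` and `resources`) and the case records are constructed assumptions so it runs offline.

```python
from typing import Any, Dict

DEPRECATION_MESSAGE = "No content was received for this request"
CASES_PATH = "/casemgmt/entities/cases/v1"

class FakeApiClient:
    """Constructed offline stand-in for the real client; response shape is an assumption."""
    def command(self, action: str, path: str, parameters: Dict[str, Any]) -> Dict[str, Any]:
        if path.startswith("/incidents/"):
            # Mimics the failure the issue reports on the deprecated route.
            return {"status_code": 404,
                    "body": {"errors": [{"code": 404, "message": DEPRECATION_MESSAGE}],
                             "resources": []}}
        if path == CASES_PATH:
            cases = [{"id": "case-0001"}, {"id": "case-0002"}, {"id": "case-0003"}]  # constructed
            return {"status_code": 200,
                    "body": {"errors": [], "resources": cases[: parameters.get("limit", len(cases))]}}
        return {"status_code": 404,
                "body": {"errors": [{"code": 404, "message": "not found"}], "resources": []}}

def is_deprecated_incidents_failure(response: Dict[str, Any]) -> bool:
    """True when a response carries the 404 / 'No content' signature from this issue."""
    if response.get("status_code") != 404:
        return False
    messages = [e.get("message", "") for e in response.get("body", {}).get("errors", [])]
    return any(DEPRECATION_MESSAGE in m for m in messages)

def search_incidents_or_cases(api_client, fql_filter: str, limit: int) -> Dict[str, Any]:
    """Migration shim: try the legacy route, detect the deprecation failure, fall back to cases.

    Reports which API served the data so a silent empty list is never mistaken for 'no incidents'.
    """
    params = {"filter": fql_filter, "limit": limit}
    legacy = api_client.command(action="get", path="/incidents/", parameters=params)
    if not is_deprecated_incidents_failure(legacy):
        return {"source": "incidents", "resources": legacy["body"]["resources"]}
    cases = api_client.command(action="get", path=CASES_PATH, parameters=params)
    if cases.get("status_code") != 200:
        # Surface the error (for example a key without the Case Management scopes) instead of returning [].
        raise RuntimeError(f"Case Management API call failed: {cases['body']['errors']}")
    return {"source": "cases", "resources": cases["body"]["resources"]}
```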

Important Considerations:

This is a significant change requiring a thorough update to falcon-mcp. Community contributions and testing against live tenants are crucial to ensure a smooth transition.