Retrieve aggregated alert data based on specified queries.
External Documentation

To learn more, visit the CrowdStrike documentation.

Parameters

Parameter | Description

Aggregate Queries | A list of queries by which to aggregate the retrieved alerts.

For example:

[
	{
		"date_ranges": [
			{
				"from": "string",
				"to": "string"
			}
		],
		"exclude": "string",
		"field": "string",
		"filter": "string",
		"from": 0,
		"include": "string",
		"interval": "string",
		"max_doc_count": 0,
		"min_doc_count": 0,
		"missing": "string",
		"name": "string",
		"q": "string",
		"ranges": [
			{
				"From": 0,
				"To": 0
			}
		],
		"size": 0,
		"sort": "string",
		"sub_aggregates": [
			null
		],
		"time_zone": "string",
		"type": "string"
	}
]

Include Hidden | Select to allow hidden alerts to be retrieved.

Example Output

{
	"errors": [
		{
			"code": 0,
			"id": "string",
			"message": "string"
		}
	],
	"meta": {
		"pagination": {
			"limit": 0,
			"offset": 0,
			"total": 0
		},
		"powered_by": "string",
		"query_time": 0,
		"trace_id": "string",
		"writes": {
			"resources_affected": 0
		}
	},
	"resources": [
		{
			"buckets": [
				{
					"count": 0,
					"from": 0,
					"key_as_string": "string",
					"string_from": "string",
					"string_to": "string",
					"sub_aggregates": [
						null
					],
					"to": 0,
					"value": 0,
					"value_as_string": "string"
				}
			],
			"name": "string",
			"sum_other_doc_count": 0
		}
	]
}
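As an added example (not code from this page, the workflow library, or CrowdStrike), the Python below shows one aggregate query in the parameter shape above and a parser for the output shape: it flattens each resource's buckets, descends into sub_aggregates, skips the null placeholders, and surfaces sum_other_doc_count so a workflow does not treat a truncated "terms" breakdown as the full alert population. The field name "severity", the aggregate type "terms", and the sample response are constructed assumptions.

```python
import json

# Constructed aggregate query in the parameter shape this action accepts.
# "severity" and "terms" are assumed values, not taken from the page.
SEVERITY_QUERY = [{"name": "by_severity", "type": "terms",
                   "field": "severity", "size": 5, "min_doc_count": 1}]

def bucket_label(bucket: dict) -> str:
    """Term buckets carry key_as_string; range buckets carry string_from/string_to."""
    if bucket.get("key_as_string") is not None:
        return bucket["key_as_string"]
    return f'{bucket.get("string_from", "*")}..{bucket.get("string_to", "*")}'

def summarize(resp: dict) -> dict:
    """Return {aggregate_name: {"counts": {label: count}, "truncated": n}} for every
    resource (nested names joined with '/'); raise if the API reported errors."""
    if resp.get("errors"):
        msgs = "; ".join(f'{e.get("code")}: {e.get("message")}' for e in resp["errors"])
        raise RuntimeError(f"aggregate request failed: {msgs}")
    out: dict = {}
    def walk(agg: dict, prefix: str) -> None:
        name = f"{prefix}{agg.get('name', '?')}"
        counts = {}
        for b in agg.get("buckets", []):
            counts[bucket_label(b)] = b.get("count", 0)
            for sub in b.get("sub_aggregates") or []:
                if sub:  # the schema shows null placeholders; skip them
                    walk(sub, f"{name}/{bucket_label(b)}/")
        # sum_other_doc_count = alerts that fell outside the returned buckets
        out[name] = {"counts": counts, "truncated": agg.get("sum_other_doc_count", 0)}
    for res in resp.get("resources", []):
        walk(res, "")
    return out

# Constructed sample response in the page's Example Output shape (not real data).
SAMPLE_RESPONSE = json.loads('''{
 "errors": [],
 "meta": {"pagination": {"limit": 0, "offset": 0, "total": 0}, "query_time": 0.01,
          "powered_by": "example", "trace_id": "00000000-example-trace"},
 "resources": [{"name": "by_severity", "sum_other_doc_count": 7, "buckets": [
   {"key_as_string": "high", "count": 12, "sub_aggregates": [
      {"name": "by_day", "sum_other_doc_count": 0, "buckets": [
        {"string_from": "2024-01-01", "string_to": "2024-01-02", "count": 12}]}]},
   {"key_as_string": "medium", "count": 30, "sub_aggregates": [null]}]}]}''')

if __name__ == "__main__":
    for name, info in summarize(SAMPLE_RESPONSE).items():
        note = " (more alerts outside these buckets; raise size)" if info["truncated"] else ""
        print(name, info["counts"], note)
```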

Workflow Library Example

List Aggregated Alerts with Crowdstrike and Send Results Via Email