Next Gen SIEM Advanced Search

Advanced SIEM search with query.

If the search times out, the search ID is returned instead of results; you can then retrieve the results with the Search Query By ID action.

Once the job is started, the search runs in the background, and the results will be returned once the job is completed.

External Documentation

To learn more, visit the CrowdStrike documentation.

Basic Parameters

Parameter: Description

Around: Find events that occurred around a specific event by using the around argument with its specified parameters.
Around Event ID: The ID of the event to search around.
Around Time Stamp: The timestamp to use as the reference point.
End: The date and time to use as the ending point of the search results. You can use End with Start to define a specific time range. If Start is provided, it must be less than or equal to End. You can also use Time Zone Offset Minutes to retrieve results relative to your time zone. For information about formatting options when specifying a time, see Search API Time Specification.
Number of Events After Event: Number of events to show after the eventId.
Number of Events Before Event: Number of events to show before the eventId.
Query: The CQL query to use for the search. For more information, see Query Language Syntax. The Query parameter accepts queries written in CrowdStrike Query Language. Note: double quotes and backslashes (\) must be escaped with a backslash (\) to be interpreted correctly. For example, an escaped double quote is written \" and an escaped backslash is written \\.
Repository: The repository to run the query against. For information about repository options, see Repositories.
Start: The date and time to use as the starting point of the search results. You can use Start with End to define a specific time range. If End is provided, it must be greater than or equal to Start. You can also use Time Zone Offset Minutes to retrieve results relative to your time zone. For information about formatting options when specifying a time, see Search API Time Specification.

Advanced Parameters

Parameter: Description

Ingest End: The date and time to use as the ending point of the search results, based on an event's recorded Ingest Time Stamp field. You can use Ingest End with Ingest Start to define a specific time range. If Ingest Start is provided, it must be less than or equal to Ingest End. You can also use Time Zone Offset Minutes to retrieve results relative to your time zone. For information about formatting options when specifying a time, see Search API Time Specification.
Ingest Start: The date and time to use as the starting point of the search results, based on an event's recorded Ingest Time Stamp field. You can use Ingest Start with Ingest End to define a specific time range. If Ingest End is provided, it must be greater than or equal to Ingest Start. You can also use Time Zone Offset Minutes to retrieve results relative to your time zone. For information about formatting options when specifying a time, see Search API Time Specification.
Time Zone Offset Minutes: A positive or negative number representing how many minutes a given time zone is ahead of or behind Coordinated Universal Time (UTC). You can use Time Zone Offset Minutes with timestamp parameters such as Start and End to retrieve search results relative to your local time zone. The offset must be given in minutes. For example, if your time zone is UTC+1:00, pass a value of 60.
Use Ingest Time: When set to true, the event's ingestStart and ingestEnd times are used as the basis for the query timespan rather than the start and end timestamps. If both ingestStart/ingestEnd and start/end are provided and Use Ingest Time is false, the start/end times are used.
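The constraints in the two tables above (Start no later than End, Ingest Start no later than Ingest End, the escaping rule for Query, and the minute-based time zone offset) are easy to get wrong when a workflow assembles the inputs dynamically. The following helper is an added example, not code from this page or from CrowdStrike: it validates those constraints before the action is called. The dictionary keys are the parameter display names from the tables (the wire-level field names are not shown on the page), the time parser only accepts ISO 8601 (the action accepts the formats in the Search API Time Specification, which this helper does not cover), and the repository name is a placeholder.

```python
import re
from datetime import datetime

# Hypothetical helper (not the product's own code) that prepares the inputs
# for the Next Gen SIEM Advanced Search action and enforces the constraints
# stated in the parameter tables before anything is submitted.


def escape_cql(query: str) -> str:
    """Apply the Query parameter's escaping rule: backslashes and double
    quotes must each be preceded by a backslash. Backslashes are handled
    first so the ones added for quotes are not escaped a second time."""
    return query.replace("\\", "\\\\").replace('"', '\\"')


def tz_offset_minutes(utc_offset: str) -> int:
    """Convert a UTC offset such as '+01:00', '-0530' or 'Z' into the signed
    minute count Time Zone Offset Minutes expects (UTC+1:00 -> 60)."""
    if utc_offset in ("Z", "UTC"):
        return 0
    m = re.fullmatch(r"([+-])(\d{1,2}):?(\d{2})", utc_offset)
    if not m:
        raise ValueError(f"unrecognised UTC offset: {utc_offset!r}")
    sign = 1 if m.group(1) == "+" else -1
    hours, minutes = int(m.group(2)), int(m.group(3))
    if hours > 14 or minutes > 59:
        raise ValueError(f"UTC offset out of range: {utc_offset!r}")
    return sign * (hours * 60 + minutes)


def _parse_time(value: str) -> datetime:
    # Assumption: timestamps are ISO 8601 strings ('Z' accepted for UTC).
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _check_order(start, end, label: str) -> None:
    # Start must be <= End; Ingest Start must be <= Ingest End.
    if start is not None and end is not None and _parse_time(start) > _parse_time(end):
        raise ValueError(f"{label}: {start} is after {end}")


def build_search_params(query, repository, start=None, end=None,
                        ingest_start=None, ingest_end=None,
                        use_ingest_time=False, utc_offset=None,
                        around=None):
    """Return the action's parameters keyed by the display names used in the
    tables. `around` is an optional dict with keys event_id, timestamp,
    before, after (helper's own convention, not the product's)."""
    _check_order(start, end, "Start/End")
    _check_order(ingest_start, ingest_end, "Ingest Start/Ingest End")
    if use_ingest_time and ingest_start is None and ingest_end is None:
        raise ValueError("Use Ingest Time is true but no ingest timespan was given")

    params = {
        "Query": escape_cql(query),
        "Repository": repository,
        "Use Ingest Time": use_ingest_time,
    }
    optional = {"Start": start, "End": end,
                "Ingest Start": ingest_start, "Ingest End": ingest_end}
    params.update({k: v for k, v in optional.items() if v is not None})
    if utc_offset is not None:
        params["Time Zone Offset Minutes"] = tz_offset_minutes(utc_offset)

    if around is not None:
        # The Around group needs a reference point: an event ID or a timestamp.
        if not (around.get("event_id") or around.get("timestamp")):
            raise ValueError("Around needs an event ID or a timestamp as reference point")
        if around.get("event_id"):
            params["Around Event ID"] = around["event_id"]
        if around.get("timestamp"):
            params["Around Time Stamp"] = around["timestamp"]
        params["Number of Events Before Event"] = int(around.get("before", 0))
        params["Number of Events After Event"] = int(around.get("after", 0))
    return params


if __name__ == "__main__":
    # Constructed example: a process search for a user working in UTC+1.
    p = build_search_params(
        query='#event_simpleName=ProcessRollup2 | ParentBaseFileName="host.exe"',
        repository="search-all",  # placeholder repository name
        start="2025-01-07T00:00:00+01:00", end="2025-01-07T23:59:59+01:00",
        utc_offset="+01:00",
    )
    print(p["Query"])                     # ... ParentBaseFileName=\"host.exe\"
    print(p["Time Zone Offset Minutes"])  # 60
```

Escaping is applied once, at the point the query string is placed in the parameter, so a query stored elsewhere in the workflow stays readable and is not double-escaped if the helper is called again on the stored value.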

Example Output

{
	"cancelled": false,
	"done": true,
	"events": [
		{
			"timestamp": "1736264422005",
			"ImageSubsystem": "2",
			"RawProcessId": "60",
			"@sourcetype": "xdr/xdr-base-parsers:falcon-raw-data",
			"@timezone": "Z",
			"Tags": "41, 53, 54, 55, 236",
			"ParentBaseFileName": "host.exe",
			"Entitlements": "15",
			"@id": "XQZxxxxxxxVP9_xxx_xx_xxxxxxx",
			"LocalAddressIP4": "xxx.xx.x.xx",
			"@ingesttimestamp": "1736264423894",
			"aip": "xxx.xxx.xx.x",
			"@timestamp": 1736264422005,
			"LocalIP": "xxx.xx.x.xx",
			"name": "ProcessRollup2V19",
			"UserName": "USER3",
			"#type": "falcon-raw-data",
			"SessionId": "0",
			"SourceThreadId": "233xxxx363",
			"aid": "abc123",
			"ProcessParameterFlags": "24577",
			"ProcessStartTime": "1736264421.987",
			"SHA1HashData": "0000000000000000000000000000000000000000"
		},
		{
			"timestamp": "1736264422006",
			"ImageSubsystem": "3",
			"RawProcessId": "63",
			"@sourcetype": "xdr/xdr-base-parsers:falcon-raw-data",
			"@timezone": "Z",
			"Tags": "41, 53, 54, 55, 236",
			"ParentBaseFileName": "host.exe",
			"Entitlements": "15",
			"@id": "XQZxxxxxxxVP9_xxx_xx_xxxxxxx",
			"LocalAddressIP4": "xxx.xx.x.xx",
			"@ingesttimestamp": "1736264423894",
			"aip": "xxx.xxx.xx.x",
			"@timestamp": 1736264422005,
			"LocalIP": "xxx.xx.x.xx",
			"name": "ProcessRollup2V19",
			"UserName": "USER3",
			"#type": "falcon-raw-data",
			"SessionId": "0",
			"SourceThreadId": "233xxxx363",
			"aid": "abc123",
			"ProcessParameterFlags": "24577",
			"ProcessStartTime": "1736264421.987",
			"SHA1HashData": "0000000000000000000000000000000000000000"
		}
	]
}
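The response above carries a job state (`done`, `cancelled`) alongside the event list, and each event has both an event time (`@timestamp`, epoch milliseconds) and an ingest time (`@ingesttimestamp`). The code below is an added example, not part of this page or of CrowdStrike's tooling: it shows how a workflow step would consume such a response, hand an unfinished job back to Search Query By ID, and summarise the events for triage, including the ingest lag that the Use Ingest Time parameter exists to deal with. The sample response is constructed from the example output above (masked values kept as shown), and the field that would carry the search ID of an unfinished job is not shown on the page, so the caller passes it in.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the example output on this page (masked
# values kept as in the page); not real CrowdStrike data.
SAMPLE_RESPONSE = {
    "cancelled": False,
    "done": True,
    "events": [
        {"@id": "XQZxxxxxxxVP9_xxx_xx_xxxxxxx", "@timestamp": 1736264422005,
         "@ingesttimestamp": "1736264423894", "@timezone": "Z",
         "name": "ProcessRollup2V19", "UserName": "USER3",
         "ParentBaseFileName": "host.exe", "RawProcessId": "60", "aid": "abc123"},
        {"@id": "XQZxxxxxxxVP9_xxx_xx_xxxxxxx", "@timestamp": 1736264422005,
         "@ingesttimestamp": "1736264423894", "@timezone": "Z",
         "name": "ProcessRollup2V19", "UserName": "USER3",
         "ParentBaseFileName": "host.exe", "RawProcessId": "63", "aid": "abc123"},
    ],
}


class SearchPending(Exception):
    """Raised when the job has not finished; carries the ID to pass to the
    Search Query By ID action. The response field holding that ID is not
    shown on the page, so the caller supplies it (assumption)."""

    def __init__(self, search_id):
        super().__init__(f"search {search_id!r} still running")
        self.search_id = search_id


def collect_events(response: dict, search_id=None) -> list:
    """Return the events of a finished search, or signal that the caller
    must follow up with Search Query By ID."""
    if response.get("cancelled"):
        raise RuntimeError("search was cancelled")
    if not response.get("done"):
        raise SearchPending(search_id)
    return list(response.get("events", []))


def event_time(event: dict) -> datetime:
    """@timestamp is epoch milliseconds (UTC); converted without float
    rounding by splitting seconds and milliseconds."""
    ms = int(event["@timestamp"])
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)


def ingest_lag_ms(event: dict) -> int:
    """Milliseconds between the event time and the time it was ingested.
    A large lag is the case Use Ingest Time exists for: a Start/End window
    on event time can miss events that arrived late."""
    return int(event["@ingesttimestamp"]) - int(event["@timestamp"])


def summarize(events: list) -> dict:
    """Count events per (event name, user, parent image) and report the
    covered time span and the worst ingest lag, as a quick triage view."""
    counts = Counter(
        (e.get("name"), e.get("UserName"), e.get("ParentBaseFileName")) for e in events
    )
    times = [event_time(e) for e in events]
    return {
        "total": len(events),
        "by_name_user_parent": dict(counts),
        "first": min(times).isoformat() if times else None,
        "last": max(times).isoformat() if times else None,
        "max_ingest_lag_ms": max((ingest_lag_ms(e) for e in events), default=0),
    }


if __name__ == "__main__":
    try:
        events = collect_events(SAMPLE_RESPONSE, search_id="placeholder-search-id")
    except SearchPending as pending:
        # A real workflow would now call Search Query By ID with pending.search_id.
        raise SystemExit(f"follow up with Search Query By ID: {pending.search_id}")
    print(summarize(events))
```

If the maximum ingest lag reported here is routinely larger than the gap between consecutive scheduled runs, a workflow that windows on Start/End will silently skip late-arriving events, which is the situation in which switching the schedule to Ingest Start/Ingest End with Use Ingest Time set to true is the safer choice.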

Workflow Library Example

Next Gen Siem Advanced Search with Crowdstrike and Send Results Via Email
