# Next Gen SIEM Advanced Search

Run an advanced SIEM search using a CrowdStrike Query Language (CQL) query.

If the search times out, the search ID is returned instead; use it with the `Search Query By ID` action to fetch the results.

Once the job has started, the search runs in the background and the results are returned when the job completes.

<Note>
  External Documentation

  To learn more, visit the [CrowdStrike documentation](https://falcon.us-2.crowdstrike.com/documentation/page/bda96fc1/next-gen-siem-search-apis#g6dc1785).
</Note>

## Basic Parameters

<div className="integrations-table">
  | Parameter                     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
  | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  | Around                        | Find events that occurred around a specific event by using the `around` argument with its specified parameters.                                                                                                                                                                                                                                                                                                                                                                                                      |
  | Around Event ID               | The ID of the event to search around.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
  | Around Time Stamp             | The timestamp to use as the reference point.                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
  | End                           | The date and time to use as the ending point of the search results.<br /><br />You can use `End` with a `Start` to define a specific time range. If `Start` is provided, it must be less than or equal to the `End`.<br /><br />You can also use the `Time Zone Offset Minutes` to retrieve results relative to your timezone.<br /><br />For information about formatting options when specifying a time, see [Search API Time Specification](https://library.humio.com/logscale-api/api-search-timespec.html)     |
  | Number of Events After Event  | Number of events to show after the eventId.                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |
  | Number of Events Before Event | Number of events to show before the eventId.                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
  | Query                         | The CQL query to use for the search. For more information, see [Query Language Syntax](https://library.humio.com/data-analysis/syntax.html).<br /><br />The `Query` parameter accepts queries written in CrowdStrike Query Language.<br /><br />**Note:** Double quotes `"` and backslashes `\` must be escaped with a backslash `\` to ensure they are properly interpreted.<br /><br />For example:<br /><br />Escaped double quote: `\"`<br /><br />Escaped backslash: `\\`                                        |
  | Repository                    | The repository to run the query against. For info about repository options, see [Repositories](https://falcon.us-2.crowdstrike.com/documentation/page/bda96fc1/next-gen-siem-search-apis#fbc28030).                                                                                                                                                                                                                                                                                                                  |
  | Start                         | The date and time to use as the starting point of the search results.<br /><br />You can use `Start` with an `End` to define a specific time range. If `End` is provided, it must be greater than or equal to the `Start`.<br /><br />You can also use the `Time Zone Offset Minutes` to retrieve results relative to your timezone.<br /><br />For information about formatting options when specifying a time, see [Search API Time Specification](https://library.humio.com/logscale-api/api-search-timespec.html) |
</div>

## Advanced Parameters

<div className="integrations-table">
  | Parameter                | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
  | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
  | Ingest End               | The date and time to use as the ending point of the search results, based on an event's recorded `Ingest Time Stamp` field.<br /><br />You can use `Ingest End` with `Ingest Start` to define a specific time range. If `Ingest Start` is provided, it must be less than or equal to the `Ingest End`.<br /><br />You can also use the `Time Zone Offset Minutes` to retrieve results relative to your timezone.<br /><br />For information about formatting options when specifying a time, see [Search API Time Specification](https://library.humio.com/logscale-api/api-search-timespec.html)       |
  | Ingest Start             | The date and time to use as the starting point of the search results, based on an event's recorded `Ingest Time Stamp` field.<br /><br />You can use `Ingest Start` with `Ingest End` to define a specific time range. If `Ingest End` is provided, it must be greater than or equal to the `Ingest Start`.<br /><br />You can also use the `Time Zone Offset Minutes` to retrieve results relative to your timezone.<br /><br />For information about formatting options when specifying a time, see [Search API Time Specification](https://library.humio.com/logscale-api/api-search-timespec.html) |
  | Time Zone Offset Minutes | A positive or negative number representing how many minutes a given time zone is ahead or behind Coordinated Universal Time (UTC).<br /><br />You can use `Time Zone Offset Minutes` with timestamp parameters like `start` and `end` to retrieve search results relative to your local time zone.<br /><br />The time zone offset must be provided in minutes. For example, if your time zone is UTC+1:00, you would pass a value of 60.                                                                                                                                                              |
  | Use Ingest Time          | When set to true, the event’s `ingestStart` and `ingestEnd` times are used as the basis for the query timespan rather than the `start` and `end` timestamps.<br /><br />If both `ingestStart`/`ingestEnd` and `start`/`end` are provided and `Use Ingest Time` is false, the `start`/`end` times are used.                                                                                                                                                                                                                                                                                             |
</div>
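The rules in the two tables above (query escaping, `Start`/`End` and `Ingest Start`/`Ingest End` ordering, the minutes form of the time zone offset, and the `Use Ingest Time` precedence rule) are easy to get wrong when a workflow builds the request dynamically. The following is an added example, not Blink's or CrowdStrike's own code: it validates those rules and assembles a request body. The keys `queryString`, `start`, `end`, `ingestStart`, `ingestEnd` and `useIngestTime` are taken from the `filterQuery` object in the Example Output below; `repository`, `timeZoneOffsetMinutes` and the `around` block are assumed names for the remaining parameters, and sending the body is left to the HTTP client.

```python
"""Build and validate a request body for the Next Gen SIEM Advanced Search action.

Added example, not Blink's or CrowdStrike's own code. Keys queryString, start,
end, ingestStart, ingestEnd and useIngestTime come from the filterQuery object
in the Example Output; "repository", "timeZoneOffsetMinutes" and the "around"
block are assumed names for the parameters described in the tables.
"""
from datetime import datetime, timezone
from typing import Optional


def escape_query(query: str) -> str:
    # The Query parameter needs every backslash written as \\ and every double
    # quote as \". Backslashes are handled first so the backslash added in
    # front of each quote is not escaped a second time.
    return query.replace("\\", "\\\\").replace('"', '\\"')


def unescape_query(escaped: str) -> str:
    """Inverse of escape_query, useful for checking a stored workflow parameter."""
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] == "\\" and i + 1 < len(escaped):
            out.append(escaped[i + 1])
            i += 2
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Timezone-aware UTC datetime; naive datetimes are rejected by epoch_millis."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def epoch_millis(ts: datetime) -> int:
    """Timestamps travel as epoch milliseconds, as the Example Output shows."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return int(ts.timestamp() * 1000)


def tz_offset_minutes(offset: str) -> int:
    """'+01:00', 'UTC+1' or '-05:30' -> 60, 60, -330: the minutes value the table asks for."""
    s = offset.upper().replace("UTC", "").strip()
    sign = -1 if s.startswith("-") else 1
    hours, _, minutes = s.lstrip("+-").partition(":")
    return sign * (int(hours) * 60 + int(minutes or 0))


def build_search_request(query: str, repository: str, *,
                         start: Optional[datetime] = None, end: Optional[datetime] = None,
                         ingest_start: Optional[datetime] = None, ingest_end: Optional[datetime] = None,
                         use_ingest_time: bool = False, tz_offset: Optional[str] = None,
                         around_event_id: Optional[str] = None,
                         events_before: int = 0, events_after: int = 0) -> dict:
    """Apply the ordering rules from the parameter tables, then assemble the body."""
    times = {key: epoch_millis(ts) for key, ts in (
        ("start", start), ("end", end),
        ("ingestStart", ingest_start), ("ingestEnd", ingest_end)) if ts is not None}
    if "start" in times and "end" in times and times["start"] > times["end"]:
        raise ValueError("Start must be less than or equal to End")
    if "ingestStart" in times and "ingestEnd" in times and times["ingestStart"] > times["ingestEnd"]:
        raise ValueError("Ingest Start must be less than or equal to Ingest End")
    if use_ingest_time and not any(k in times for k in ("ingestStart", "ingestEnd")):
        raise ValueError("Use Ingest Time is set but no ingest time range was given")

    body = {"repository": repository,            # assumed key name
            "queryString": escape_query(query),
            "useIngestTime": use_ingest_time,
            **times}
    if tz_offset is not None:
        body["timeZoneOffsetMinutes"] = tz_offset_minutes(tz_offset)   # assumed key name
    if around_event_id is not None:                                     # assumed key names
        body["around"] = {"eventId": around_event_id,
                          "numberOfEventsBefore": events_before,
                          "numberOfEventsAfter": events_after}
    return body


def effective_timespan(body: dict) -> tuple:
    """Which pair the search honours: ingest times only when useIngestTime is true."""
    return ("ingestStart", "ingestEnd") if body.get("useIngestTime") else ("start", "end")


if __name__ == "__main__":
    req = build_search_request(
        'event.action="quarantined" | Vendor.phishScore > 80',   # constructed query
        "search-all",                                            # constructed repository name
        start=utc(2024, 7, 18), end=utc(2024, 7, 18, 1), tz_offset="+01:00")
    print(req, effective_timespan(req))
```

Escaping is applied once, at the point where the query is placed into the parameter; if a workflow also stores the query in a JSON-encoded variable, check with `unescape_query` that it has not been escaped twice before the action runs.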

## Example Output

```json theme={"dark"}
{
	"cancelled": false,
	"done": true,
	"events": [
		{
			"Vendor.modulesRun[0]": "<string>",
			"Vendor.messageParts[0].oContentType": "<string>",
			"Vendor.messageParts[1].disposition": "<string>",
			"Vendor.threatsInfoMap[0].threatStatus": "<string>",
			"Vendor.modulesRun[5]": "<string>",
			"Vendor.messageParts[0].filename": "<string>",
			"Vendor.messageParts[0].sha256": "<string>",
			"email.attachments.file.hash.md5": "<string>",
			"Vendor.modulesRun[6]": "<string>",
			"email.attachments.file.hash.sha256": "<string>",
			"@timestamp": 3104353851384,
			"#Cps.version": "<string>",
			"@ingesttimestamp": "<string>",
			"Vendor.messageParts[1].contentType": "<string>",
			"Vendor.spamScore": "<string>",
			"Vendor.QID": "<string>",
			"Vendor.cluster": "<string>",
			"#type": "<string>",
			"email.subject": "<string>",
			"event.type[0]": "<string>",
			"Vendor.modulesRun[1]": "<string>",
			"Vendor.threatsInfoMap[0].threat": "<string>",
			"Vendor.completelyRewritten": "<string>",
			"Vendor.messageID": "<string>",
			"Vendor.phishScore": "<string>",
			"event.id": "<string>",
			"Vendor.eventType": "<string>",
			"Vendor.messageParts[0].disposition": "<string>",
			"#repo": "<string>",
			"#Vendor": "<string>",
			"Vendor.modulesRun[2]": "<string>",
			"threat.indicator.name": "<string>",
			"#repo.cid": "<string>",
			"Vendor.threatsInfoMap[0].threatID": "<string>",
			"#event.kind": "<string>",
			"Vendor.threatsInfoMap[0].threatUrl": "<string>",
			"Vendor.impostorScore": "<string>",
			"Vendor.toAddresses[0]": "<string>",
			"@sourcetype": "<string>",
			"Vendor.modulesRun[3]": "<string>",
			"Vendor.policyRoutes[1]": "<string>",
			"event.category[0]": "<string>",
			"#ecs.version": "<string>",
			"Vendor.messageParts[1].oContentType": "<string>",
			"Vendor.messageParts[1].sha256": "<string>",
			"Vendor.threatsInfoMap[0].threatTime": "2018-07-25T05:26:29.243Z",
			"email.sender.address": "<string>",
			"@timezone": "<string>",
			"email.to.address[0]": "<string>",
			"#event.module": "<string>",
			"Vendor.messageParts[0].md5": "<string>",
			"Vendor.quarantineFolder": "<string>",
			"Vendor.messageParts[1].md5": "<string>",
			"source.ip": "<string>",
			"Vendor.messageParts[0].contentType": "<string>",
			"Vendor.messageParts[1].filename": "<string>",
			"email.attachments.file.mime_type": "<string>",
			"@source": "<string>",
			"email.from.address[0]": "<string>",
			"file.name": "<string>",
			"Vendor.modulesRun[4]": "<string>",
			"Parser.version": "<string>",
			"@timestamp.nanos": "<string>",
			"Vendor.fromAddress[0]": "<string>",
			"Vendor.messageSize": "<string>",
			"Vendor.threatsInfoMap[0].threatType": "<string>",
			"Vendor.policyRoutes[0]": "<string>",
			"event.action": "<string>",
			"@dataConnectionID": "<string>",
			"Vendor.malwareScore": "<string>",
			"@rawstring": "<string>",
			"Vendor.modulesRun[7]": "<string>",
			"event.reason": "<string>",
			"Vendor.threatsInfoMap[0].detectionType": "<string>",
			"Vendor.recipient[0]": "<string>",
			"Vendor.GUID": "<string>",
			"@id": "<string>"
		},
		{
			"Vendor.modulesRun[0]": "<string>",
			"Vendor.messageParts[0].oContentType": "<string>",
			"Vendor.messageParts[1].disposition": "<string>",
			"Vendor.threatsInfoMap[0].threatStatus": "<string>",
			"Vendor.modulesRun[5]": "<string>",
			"Vendor.messageParts[0].filename": "<string>",
			"Vendor.messageParts[0].sha256": "<string>",
			"email.attachments.file.hash.md5": "<string>",
			"Vendor.modulesRun[6]": "<string>",
			"email.attachments.file.hash.sha256": "<string>",
			"@timestamp": 858547536611,
			"#Cps.version": "<string>",
			"@ingesttimestamp": "1745010203640",
			"Vendor.messageParts[1].contentType": "<string>",
			"Vendor.spamScore": "<string>",
			"Vendor.QID": "<string>",
			"Vendor.cluster": "<string>",
			"#type": "<string>",
			"email.subject": "<string>",
			"event.type[0]": "<string>",
			"Vendor.modulesRun[1]": "<string>",
			"Vendor.threatsInfoMap[0].threat": "<string>",
			"Vendor.completelyRewritten": "<string>",
			"Vendor.messageID": "<string>",
			"Vendor.phishScore": "<string>",
			"event.id": "<string>",
			"Vendor.eventType": "<string>",
			"Vendor.messageParts[0].disposition": "<string>",
			"#repo": "<string>",
			"#Vendor": "<string>",
			"Vendor.modulesRun[2]": "<string>",
			"threat.indicator.name": "<string>",
			"#repo.cid": "<string>",
			"Vendor.threatsInfoMap[0].threatID": "<string>",
			"#event.kind": "<string>",
			"Vendor.threatsInfoMap[0].threatUrl": "<string>",
			"Vendor.impostorScore": "<string>",
			"Vendor.toAddresses[0]": "<string>",
			"@sourcetype": "<string>",
			"Vendor.modulesRun[3]": "<string>",
			"Vendor.policyRoutes[1]": "<string>",
			"event.category[0]": "<string>",
			"#ecs.version": "<string>",
			"Vendor.messageParts[1].oContentType": "<string>",
			"Vendor.messageParts[1].sha256": "<string>",
			"Vendor.threatsInfoMap[0].threatTime": "2022-12-09T07:33:07",
			"email.sender.address": "<string>",
			"@timezone": "<string>",
			"email.to.address[0]": "<string>",
			"#event.module": "<string>",
			"Vendor.messageParts[0].md5": "<string>",
			"Vendor.quarantineFolder": "<string>",
			"Vendor.messageParts[1].md5": "<string>",
			"source.ip": "<string>",
			"Vendor.messageParts[0].contentType": "<string>",
			"Vendor.messageParts[1].filename": "<string>",
			"email.attachments.file.mime_type": "<string>",
			"@source": "<string>",
			"email.from.address[0]": "<string>",
			"file.name": "<string>",
			"Vendor.modulesRun[4]": "<string>",
			"Parser.version": "<string>",
			"@timestamp.nanos": "<string>",
			"Vendor.fromAddress[0]": "<string>",
			"Vendor.messageSize": "<string>",
			"Vendor.threatsInfoMap[0].threatType": "<string>",
			"Vendor.policyRoutes[0]": "<string>",
			"event.action": "<string>",
			"@dataConnectionID": "<string>",
			"Vendor.malwareScore": "<string>",
			"@rawstring": "<string>",
			"Vendor.modulesRun[7]": "<string>",
			"event.reason": "<string>",
			"Vendor.threatsInfoMap[0].detectionType": "<string>",
			"Vendor.recipient[0]": "<string>",
			"Vendor.GUID": "<string>",
			"@id": "<string>"
		}
	],
	"fieldStats": [],
	"filesUsed": [],
	"metaData": {
		"costs": {
			"liveCost": 2,
			"liveCostRate": 1,
			"staticCost": 245,
			"staticCostRate": 2
		},
		"digestFlow": {
			"ingestTimeKnownGood": 278569914634,
			"maxIngestLatency": 21820,
			"minIngestTimeIncluded": 2993615274157
		},
		"eventCount": 20,
		"extraData": {
			"hasMoreEvents": "<string>"
		},
		"filterQuery": {
			"allowEventSkipping": false,
			"computeFieldStats": false,
			"end": 967630219902,
			"includeDeletedEvents": false,
			"ingestEnd": 16081319460800930941,
			"ingestStart": 1,
			"isAlertQuery": false,
			"isInteractive": false,
			"isLive": false,
			"isRepeatingSubquery": false,
			"languageVersion": "<string>",
			"noResultUntilDone": false,
			"queryString": "<string>",
			"showQueryEventDistribution": false,
			"start": 1922788899957,
			"useIngestTime": false
		},
		"isAggregate": false,
		"pollAfter": 1574,
		"processedBytes": 972414891273,
		"processedEvents": 563919,
		"queryEnd": 1721278336224,
		"querySpent": {
			"day": {
				"liveCost": 1,
				"queryCount": 1,
				"staticCost": 530
			},
			"hour": {
				"liveCost": 0,
				"queryCount": 1,
				"staticCost": 1407
			},
			"oneMinute": {
				"liveCost": 0,
				"queryCount": 2,
				"staticCost": 1017
			},
			"tenMinutes": {
				"liveCost": 2,
				"queryCount": 0,
				"staticCost": 182
			}
		},
		"queryStart": 2334108608729,
		"queuedMillis": 0,
		"quotaTotalSpent": {
			"day": {
				"liveCost": 1,
				"queryCount": 793,
				"staticCost": 1887
			},
			"hour": {
				"liveCost": 1,
				"queryCount": 14,
				"staticCost": 331
			},
			"oneMinute": {
				"liveCost": 0,
				"queryCount": 4,
				"staticCost": 19
			},
			"tenMinutes": {
				"liveCost": 0,
				"queryCount": 9,
				"staticCost": 67
			}
		},
		"responderVHost": 37,
		"resultBufferSize": 19,
		"timeMillis": 405,
		"totalWork": 15873,
		"warnings": [],
		"workDone": 11172
	},
	"warnings": []
}
```
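A consumer of the output above has to look at more than `events`: `done` and `cancelled` say whether the result is usable, `metaData.pollAfter` is the server's suggested wait before re-polling, `metaData.eventCount` should match the number of events returned, `metaData.extraData.hasMoreEvents` is typed as a string (so a boolean comparison silently fails), and `@timestamp` is epoch milliseconds. The following added example, not Blink's or CrowdStrike's own code, reads those keys from a constructed sample response reduced to the fields it uses; treating `Vendor.phishScore` as a numeric string for triage is the example's own assumption.

```python
"""Interpret a Next Gen SIEM Advanced Search result.

Added example, not Blink's or CrowdStrike's own code. The keys it reads
(cancelled, done, events, metaData.pollAfter, metaData.eventCount,
metaData.extraData.hasMoreEvents, warnings, @timestamp, @id) appear in the
Example Output; the sample document below is constructed, and the numeric
interpretation of Vendor.phishScore is an assumption.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: a finished search with two email events, reduced to the
# fields used below. Field names follow the Example Output; values are made up.
SAMPLE_RESPONSE = json.loads("""
{
  "cancelled": false,
  "done": true,
  "events": [
    {"@timestamp": 1721278336224, "@id": "evt-1", "email.subject": "Invoice",
     "email.sender.address": "billing@example.com", "Vendor.malwareScore": "0",
     "Vendor.phishScore": "87", "Vendor.threatsInfoMap[0].threatType": "url"},
    {"@timestamp": 1721278340000, "@id": "evt-2", "email.subject": "Report",
     "email.sender.address": "hr@example.com", "Vendor.malwareScore": "0",
     "Vendor.phishScore": "3", "Vendor.threatsInfoMap[0].threatType": ""}
  ],
  "metaData": {
    "eventCount": 2,
    "extraData": {"hasMoreEvents": "false"},
    "pollAfter": 1574,
    "warnings": []
  },
  "warnings": []
}
""")


class SearchNotFinished(Exception):
    """The job is still running; poll_after_ms is the server's suggested wait."""

    def __init__(self, poll_after_ms: int) -> None:
        super().__init__(f"search not finished; poll again after {poll_after_ms} ms")
        self.poll_after_ms = poll_after_ms


def millis_to_iso(ms: int) -> str:
    """@timestamp is epoch milliseconds; integer arithmetic avoids float rounding."""
    return (EPOCH + timedelta(milliseconds=ms)).isoformat(timespec="milliseconds")


def has_more_events(resp: dict) -> bool:
    """hasMoreEvents is a string in the output, so compare text rather than a bool."""
    raw = resp.get("metaData", {}).get("extraData", {}).get("hasMoreEvents", "false")
    return str(raw).strip().lower() == "true"


def score(value) -> Optional[int]:
    """Vendor.*Score fields arrive as strings; empty or non-numeric becomes None."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def parse_search_response(resp: dict) -> list:
    """Return one flat record per event, or raise if the result is not usable yet."""
    if resp.get("cancelled"):
        raise RuntimeError("search was cancelled")
    if not resp.get("done"):
        raise SearchNotFinished(int(resp.get("metaData", {}).get("pollAfter", 1000)))
    meta = resp.get("metaData", {})
    events = resp.get("events", [])
    if meta.get("eventCount", len(events)) != len(events):
        print(f"warning: eventCount {meta.get('eventCount')} differs from events returned {len(events)}")
    for w in resp.get("warnings", []) + meta.get("warnings", []):
        print(f"server warning: {w}")
    records = []
    for ev in events:
        ts = ev.get("@timestamp")
        records.append({
            "id": ev.get("@id"),
            "timestamp": millis_to_iso(int(ts)) if ts is not None else None,
            "subject": ev.get("email.subject"),
            "sender": ev.get("email.sender.address"),
            "phish_score": score(ev.get("Vendor.phishScore", "")),
            "malware_score": score(ev.get("Vendor.malwareScore", "")),
            "threat_type": ev.get("Vendor.threatsInfoMap[0].threatType") or None,
        })
    return records


def triage(records: list, min_phish_score: int = 80) -> list:
    """IDs of events whose phish score meets the threshold (assumed 0-100 scale)."""
    return [r["id"] for r in records
            if r["phish_score"] is not None and r["phish_score"] >= min_phish_score]


if __name__ == "__main__":
    recs = parse_search_response(SAMPLE_RESPONSE)
    for r in recs:
        print(r)
    print("needs review:", triage(recs), "| more pages:", has_more_events(SAMPLE_RESPONSE))
```

When `SearchNotFinished` is raised, the caller should sleep for `poll_after_ms` and query again by ID rather than re-running the search, which would spend a second slice of the `querySpent` / `quotaTotalSpent` budget shown in the metadata.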

## Workflow Library Example

[Next Gen Siem Advanced Search with Crowdstrike and Send Results Via Email](https://library.blinkops.com/workflows/next-gen-siem-advanced-search-with-crowdstrike-and-send-results-via-email)

