ngsiem_search
Execute CQL (CrowdStrike Query Language) searches against Next-Gen SIEM repositories. The module starts an asynchronous query job and polls it until results are available, so a single task can, for example, correlate network connections with process data during incident response. All available repositories are supported, including `search-all` and `investigate_view`. Query jobs time out after 90 seconds of inactivity to prevent resource waste, which is why the polling interval must stay below that limit.
Added in version 4.10.0
Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| arguments | dict | No | | Dictionary of values for variables written in the query with the `?param` syntax. Values must be simple strings. An explicit value given in the query itself (`?param=value`) overrides the value supplied here. |
| end | str | No | | End of the search window, based on event timestamp. Accepts relative times such as `now` or `1h` (one hour ago) and absolute timestamps. If *start* is also given, *end* must be greater than or equal to *start*. |
| poll_interval | int | No | 10 | Seconds between status checks while waiting for results. Must be at least 5 seconds to avoid rate limiting, and should stay under 90 seconds because a job times out after 90 seconds of inactivity. |
| query_string | str | Yes | | The CQL query to run against the repository. Double quotes and backslashes inside the query must be escaped. May reference variables with the `?param` syntax when used together with *arguments*. |
| repository | str | No | search-all | Repository to search. Choices: `search-all` (all event data from CrowdStrike and third-party sources), `investigate_view` (endpoint and sensor events; requires Falcon Insight XDR), `third-party` (event data from third-party sources; requires Falcon LogScale), `falcon_for_it_view` (data collected by the Falcon for IT module; requires Falcon for IT), `forensics_view` (triage data from the Falcon Forensics module; requires Falcon Forensics). |
| start | str | No | | Start of the search window, based on event timestamp. Accepts relative times such as `1d` or `24h` and absolute timestamps. If *end* is also given, *start* must be less than or equal to *end*. |
| timeout | int | No | 300 | Maximum seconds to wait for the query to complete; the job is cancelled when this is exceeded. `0` disables the timeout (use with caution for long-running queries). |
Examples
```yaml
- name: Search for all logs from a specific agent ID in the last 24 hours
  crowdstrike.falcon.ngsiem_search:
    query_string: "aid=abc123"
    start: "1d"
    end: "now"

- name: Find processes that initiated connections to a specific IP
  crowdstrike.falcon.ngsiem_search:
    repository: "investigate_view"
    # "{#" would open a Jinja2 comment during Ansible templating, so the
    # subquery braces are written as {{ '{' }} and {{ '}' }}. In join(),
    # field= names the key on the primary (ProcessRollup2) events and
    # key= names the matching field in the subquery.
    query_string: |
      #event_simpleName=ProcessRollup2 ImageFileName=?process_name
      | join({{ '{' }}#event_simpleName=NetworkConnectIP4{{ '}' }}, key=ContextProcessId, field=TargetProcessId, include=[RemoteAddressIP4, RemotePort])
      | table([ImageFileName, CommandLine, ParentProcessId, RemoteAddressIP4, RemotePort])
    arguments:
      process_name: "*"
    start: "24h"

- name: Search for network connections between specific IPs
  crowdstrike.falcon.ngsiem_search:
    query_string: |
      #event_simpleName=NetworkConnectIP4 LocalAddressIP4=?source_ip RemoteAddressIP4=?dest_ip
      | table([ImageFileName, CommandLine, LocalAddressIP4, RemoteAddressIP4, RemotePort])
    arguments:
      source_ip: "10.1.1.100"
      dest_ip: "192.168.1.50"
    timeout: 600

- name: Find authentication events in the last hour
  crowdstrike.falcon.ngsiem_search:
    repository: "search-all"
    query_string: |
      #event_simpleName=UserLogon
      | head(25)
      | table([ComputerName, UserName, LogonType, aid])
    start: "1h"
    poll_interval: 5
```
Return Values
| Key | Type | Description |
|---|---|---|
| query_job_id | str | Identifier of the asynchronous query job that was started. |
| events | list | Events returned by the query, one entry per result row. |
| cancelled | bool | Whether the job was cancelled, for example because *timeout* was exceeded. |
| done | bool | Whether the job finished before the module returned. |
| total_events | int | Number of events returned. |
| execution_time | float | Time the query took to run. |
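The playbook below is an added example, not code from the crowdstrike.falcon collection's own documentation. It ties the parameters and return values together: a correlation query is parameterised through *arguments*, a backslash path is escaped as the *query_string* description requires, the wait is bounded with *timeout* and *poll_interval*, and *done* and *cancelled* are checked before an empty result is treated as "nothing found". It assumes only the parameters and return keys documented above plus one thing the page does not state, that each entry of *events* is a dictionary keyed by CQL field name; the host name and the path pattern are constructed sample values.

```yaml
# Added example; not part of the collection's documentation.
# Assumes the parameters and return keys documented for ngsiem_search, and
# (assumption) that each entry of `events` is a dict keyed by CQL field name.
- name: Hunt for binaries executing from a world-writable path and report their network peers
  hosts: localhost
  gather_facts: false
  vars:
    suspect_host: "WKS-FINANCE-07"   # constructed sample value
    lookback: "7d"
  tasks:
    - name: Run the correlation search in NG-SIEM
      crowdstrike.falcon.ngsiem_search:
        repository: "investigate_view"
        # Literal block scalar: YAML passes the text through unchanged, so the
        # doubled backslashes reach CQL as the escaped form it requires inside
        # a quoted string. "{#" would open a Jinja2 comment during Ansible
        # templating, so the subquery braces are written as {{ '{' }} / {{ '}' }}.
        # In join(), field= is the key on the primary events and key= the
        # matching field in the subquery.
        query_string: |
          #event_simpleName=ProcessRollup2 ImageFileName="*\\Users\\Public\\*" ComputerName=?host
          | join({{ '{' }}#event_simpleName=NetworkConnectIP4{{ '}' }}, field=TargetProcessId, key=ContextProcessId, include=[RemoteAddressIP4, RemotePort])
          | table([aid, ComputerName, ImageFileName, CommandLine, RemoteAddressIP4, RemotePort])
        arguments:
          host: "{{ suspect_host }}"   # substituted for ?host; values must be plain strings
        start: "{{ lookback }}"
        end: "now"
        timeout: 600                   # cancel the job after 10 minutes
        poll_interval: 15              # >= 5 (rate limits) and < 90 (job inactivity timeout)
      register: hunt

    # A job that hit the timeout returns cancelled=true, possibly with a partial
    # or empty event list; that must not be read as a clean result.
    - name: Fail if the job did not complete
      ansible.builtin.assert:
        that:
          - hunt.done | bool
          - not (hunt.cancelled | bool)
        fail_msg: "NG-SIEM job {{ hunt.query_job_id }} did not complete (cancelled={{ hunt.cancelled }})"

    - name: Summarise the remote endpoints contacted by the suspect processes
      ansible.builtin.debug:
        msg: >-
          {{ hunt.total_events }} event(s) on {{ suspect_host }};
          remote peers: {{ hunt.events | map(attribute='RemoteAddressIP4') | select('defined') | unique | list }}
      when: hunt.total_events | int > 0
```

The assert task is the part worth copying: with *timeout* set, a cancelled job still returns successfully from the module's point of view, so a play that only inspects *events* would silently pass on a hunt that never finished.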