
Queries

Queries let you embed LogScale (CQL) queries and saved searches in your Foundry app. Query results can be displayed in dashboards, used in workflow conditions, and surfaced through UI extensions.

Type | Description
--- | ---
Saved search | A pre-defined LogScale query stored in the app. Can be executed on demand or on a schedule.
Dynamic query | A query constructed at runtime, typically from user input or workflow context.
Dashboard query | A query bound to a dashboard widget for visualization.
To create a query in the App Builder:

  1. In the App Builder, go to Queries.
  2. Click Create query.
  3. Enter a name and the CQL query string.
  4. Optionally configure:
    • Repository — The LogScale repository to query against
    • Time range — Default time window for the query
    • Parameters — Dynamic values that can be supplied at runtime

Queries are defined in manifest.yml under the queries key:

```yaml
queries:
  - name: recent_detections
    description: High-severity detections in the last 24 hours
    query: "#event_simpleName=DetectionSummaryEvent | severity>=4 | groupBy([ComputerName])"
    repository: main
```
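A query assembled from runtime values (the Parameters option above, or a dynamic query built from user input) is where CQL injection enters an app: a value pasted into the query string that contains `" | ` can close a string literal and append its own pipeline stage. The following Python example is added here and is not Foundry or FalconPy code; the `{name}` placeholder syntax, the parameter types string/number/field and every function name are this example's own assumptions, and its template extends the recent_detections query above with three parameters. It shows plain interpolation next to a binder that renders each value according to its declared type.

```python
"""Binding runtime parameters into a CQL query without query injection.

Added example for this page; it is not Foundry or FalconPy code. The
{name} placeholder syntax, the parameter type names (string, number,
field) and all function names below are this example's own assumptions.
"""
import re

# Placeholders look like {min_severity}; the schema maps each one to a type.
_PLACEHOLDER_RE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")
# Field names are interpolated bare, so they are restricted to an allowlist of
# characters that cannot open a string, a function call or a new pipeline stage.
_FIELD_RE = re.compile(r"^[A-Za-z_#@][A-Za-z0-9_.#@]*$")


def cql_string(value) -> str:
    """Render value as a double-quoted CQL string literal.

    Backslash and double quote are escaped, so a value such as
    x" | top(UserName) cannot close the literal and add a pipeline stage.
    """
    if not isinstance(value, str):
        raise TypeError(f"string parameter required, got {type(value).__name__}")
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def cql_number(value) -> str:
    """Render a numeric parameter; bool is rejected because it is an int subclass."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TypeError(f"numeric parameter required, got {type(value).__name__}")
    return repr(value)


def cql_field(value) -> str:
    """Accept a field name only if every character is on the allowlist."""
    if not isinstance(value, str) or not _FIELD_RE.match(value):
        raise ValueError(f"illegal field name: {value!r}")
    return value


RENDERERS = {"string": cql_string, "number": cql_number, "field": cql_field}


def build_query_unsafe(template: str, params: dict) -> str:
    """The naive approach: str.format pastes values in verbatim. For contrast only."""
    return template.format(**params)


def build_query(template: str, schema: dict, params: dict) -> str:
    """Bind params into template, rendering each value by its declared type.

    Undeclared placeholders, missing parameters and values of the wrong type
    raise, so a malformed request never reaches LogScale.
    """
    def render(match: re.Match) -> str:
        name = match.group(1)
        if name not in schema:
            raise KeyError(f"placeholder {name!r} is not declared in the schema")
        if name not in params:
            raise KeyError(f"missing parameter {name!r}")
        return RENDERERS[schema[name]](params[name])

    return _PLACEHOLDER_RE.sub(render, template)


# Template modelled on the recent_detections query, with three runtime parameters.
TEMPLATE = ('#event_simpleName=DetectionSummaryEvent | ComputerName={host} '
            '| severity>={min_severity} | groupBy([{group_field}])')
SCHEMA = {"host": "string", "min_severity": "number", "group_field": "field"}

if __name__ == "__main__":
    benign = {"host": "web-01", "min_severity": 4, "group_field": "ComputerName"}
    # Constructed hostile input: closes the string literal and appends its own stage.
    hostile = dict(benign, host='x" | top(UserName) | ComputerName="y')
    print(build_query(TEMPLATE, SCHEMA, benign))
    print(build_query_unsafe(TEMPLATE, hostile))   # injected top() stage is live
    print(build_query(TEMPLATE, SCHEMA, hostile))  # value stays inside the literal
```

Run it to see the injected stage in the unsafe output and the same value held inside the string literal in the safe one. Field names cannot be quoted in CQL, so they are allowlisted by character set rather than escaped, and a field parameter that fails the allowlist is rejected outright. LogScale also accepts its own `?name` query parameters supplied alongside the query text; where the SDK you call from exposes them, passing values that way is preferable to any client-side interpolation.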

Queries power dashboard widgets. When creating a dashboard:

  1. Add a widget (table, chart, counter, etc.).
  2. Select an existing saved query or write a new one inline.
  3. Configure the visualization settings.

See Dashboards for details.

Fusion SOAR workflows can execute queries using the Event Query action. Query results are available as workflow data for subsequent actions and conditions.

Event queries support both schema-validated and schemaless modes. See Workflow Templates for details.

Functions can execute queries against LogScale repositories using the FalconPy SDK. Refer to the FalconPy documentation for the specific service class and method names for NG-SIEM query operations.

UI extensions can execute queries using the Falcon context object to display real-time data. Refer to the UI Extensions documentation for the function-calling pattern.