CrowdStrike Next-Gen SIEM
App Vendor: CrowdStrike Next-Gen SIEM
App Category: Analytics & SIEM, SIEM (Security Information & Event Management)
Connector Version: 2.0.0
API Version: v1
About App
The CrowdStrike Next-Gen SIEM app provides access to next-gen SIEM APIs, enabling advanced security information and event management through search, lookup, case management, and correlation rule operations.
The CrowdStrike Next-Gen SIEM app is configured with Cyware Orchestrate to perform the following actions:
Action Name | Description |
|---|---|
Add Alerts as Evidence to Case | This action adds one or more alerts as evidence to an existing case. |
Add Events as Evidence to Case | This action adds one or more events as evidence to an existing case. |
Add Tags to Specified Case | This action adds tags to label your cases for easier identification and categorization. |
Create Case | This action creates a new case to group related alerts, events, and context for efficient investigation and response. |
Create Query with ID | This action starts an asynchronous search in the specified repository and returns a query ID; the results are collected afterwards with Fetch Query Results using Query ID. |
Delete Query by ID | This action deletes the query identified by a query ID returned by Create Query with ID. |
Fetch Query Results using Query ID | This action fetches the status and results of a query using the ID returned by Create Query with ID. |
Find Correlation Rule IDs | This action retrieves all correlation rule IDs that match the specified query and filter criteria. |
Generic Action | This is a generic action used to make requests to any CrowdStrike Next-Gen SIEM endpoint. |
Get Case Details by ID | This action retrieves details of one or more cases by their unique IDs. |
Get CrowdStrike-Managed Lookup File | This action retrieves the content of a CrowdStrike-managed lookup file from the specified repository, namespace, and package. |
Get Custom Lookup File | This action retrieves a previously uploaded custom lookup file from the specified repository. |
Quick Search Query (Deprecated) | This action runs a search synchronously and returns the results directly, without creating a query ID. It is deprecated; prefer Create Query with ID followed by Fetch Query Results using Query ID. |
Remove Tags from Existing Case | This action removes one or more tags from an existing case. |
Retrieve Correlation Rule Details | This action retrieves detailed information for one or more correlation rules by their IDs. |
Search Cases | This action retrieves the IDs of all cases that match the specified query parameters. |
Update Case | This action updates an existing case with new details. |
Upload Lookup File | This action uploads a custom lookup file to the specified repository. You can use it to add, update, or delete lookup entries as needed. |
Configuration Parameters
The following configuration parameters are required for the CrowdStrike Next-Gen SIEM app to communicate with the CrowdStrike Next-Gen SIEM enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Base URL | Enter the base URL of the Falcon API gateway for your CrowdStrike cloud region, without a trailing path. Example: https://base_url | Text | Required | |
Client ID | Enter the client ID of the Falcon API client used to authenticate. | Text | Required | Create a dedicated API client in the Falcon console and grant it only the scopes these actions need (search, lookup files, cases, and correlation rules). |
Client Secret Key | Enter the client secret of the Falcon API client. | Password | Required | The secret is shown only once when the API client is created; keep it in the instance configuration rather than in playbook parameters. |
SSL Verification | Choose whether to verify the server's TLS certificate. | Boolean | Optional | Allowed values are true and false. By default, verification is enabled. Disable it only against a test instance: with verification off, anyone who can intercept the connection can read the client secret and bearer tokens. |
Timeout | Enter the timeout value (in seconds) for each API request. | Integer | Optional | Allowed range: 15-120 seconds. Default timeout is 15 seconds. Searches that may run longer than this should use Create Query with ID and poll Fetch Query Results using Query ID rather than a single synchronous request. |
Action: Add Alerts as Evidence to Case
This action adds one or more alerts as evidence to an existing case.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the unique ID of the case where you want to add the alerts. Example: aaaaaaaxxxxxxxxxxxxdum-fzaxxxxxxxxh3i_zjnsaxxxxxxxxxxxxxsagzt-5k3tpxxxsxzixxxxxxu1lja_fxxx | Text | Required | |
Alert IDs | Enter the composite ID of one or more alerts to attach as evidence. Example: $list[cb28a1bxxxxxxxxxx253914:ind:457526336f1947xxxxxxxxxx9706b2a:5539573751356-2020-1955xxxxxxxxxx921] | List | Required |
Action: Add Events as Evidence to Case
This action adds one or more events as evidence to an existing case.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the unique ID of the case to which you want to add events. Example: aaaaaaaxxxxxxxxxxxxdum-fzaxxxxxxxxh3i_zjnsaxxxxxxxxxxxxxsagzt-5k3tpxxxsxzixxxxxxu1lja_fxxxxr_k7iqoxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw8hrqxxxx45mzxxxxxxdb_b-fhfxxxx01a | Text | Required | |
Event IDs | Enter the unique identifiers of one or more events to attach as evidence. Example: $list[02e91637-xxxx-xxxx-xxxx-ff277fe99e3c] | List | Required |
Action: Add Tags to Specified Case
This action adds tags to label your cases for easier identification and categorization.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the unique ID of the case to add tags to. Example: aaaaaaaxxxxxxxxxxxxdum-fzaxxxxxxxxh3i_zjnsaxxxxxxxxxxxxxsagzt-5k3tpxxxsxzixxxxxxu1lja_fxxxxr_k7iqoxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxw8hrqxxxx45mzxxxxxxdb_b-fhfxxxx01a | Text | Required | |
Tags | Enter the list of tags to add to the case. Example: $list[triage, incident-32] | List | Required |
Example Request
[
{
"tags": [
"test_tag"
],
"case_id": "AAAAAAAAAAEy4y2hB8DZXC4DOf9fvWmXHNiO-DgnethfpVCxkprN_4Mg6kNhVAjg2G66Bt_cN160RZnrMFIl2kNs22Z0OYFfczOYSSXScNP0wMwh68ZCpCwODtDZBnkgsy8EdRYd4Un2nCrKnQgyEtlCJxNe9Kn8hflHpw"
}
]
Action: Create Case
This action creates a new case to group related alerts, events, and context for efficient investigation and response.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Name | Enter a unique name for the case within your CID. Example: customer records | Text | Required | |
Severity | Enter the severity score to indicate the urgency of the case. Example: 80 | Integer | Required | Allowed range: 1 - 100 |
Alert IDs | Enter one or more composite IDs of alerts to associate with this case. Example: $list[cb28a1bxxxxxxxxxx253914:ngsiem:cb28a1bxxxxxxxxxx253914:a6d67daf4f7f443a95f2725807abdfae] | List | Optional | |
Event IDs | Enter one or more event IDs to link correlated activity to the case. Example: $list[02e91637-xxxx-xxxx-xxxx-ff277fe99e3c] | List | Optional | |
Additional Fields | Enter any additional fields to create the case. | Key Value | Optional | Allowed keys: assigned_touser_uuid, description, status, tags, evidence, evidence.alerts, evidence.alerts.id, evidence.events, evidence.events.id, template, and template.id. |
Example Request
[
{
"name": "case_co_1",
"severity": "10",
"additional_fields": {}
}
]
Action: Create Query with ID
This action starts an asynchronous search in the specified repository and returns a query ID. Use Fetch Query Results using Query ID to poll for status and results, and Delete Query by ID when the results are no longer needed.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query String | Enter the query to search. | Text | Required | |
Repository Name | Enter the repository name. Example: search-all | Text | Required | |
Start Time | Specify the start time for the query. Example: 24hours | Text | Optional | |
End Time | Specify the end time for the search range. Example: now | Text | Optional | |
Extra Parameters | Enter any additional parameters. Example: [islive, timezoneoffsetminutes, arguments] | Key Value | Optional |
Example Request
[
{
"extra_params": {},
"query_string": "key",
"repository_name": "search-all"
}
]
Action: Delete Query by ID
This action deletes the query identified by a query ID returned by Create Query with ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query ID | Enter the query ID. Example: p3-uwolfvvmne8ztp9odrvwmx0b | Text | Required | |
Repository Name | Enter the repository name. Example: search-all | Text | Required |
Example Request
[
{
"query_id": "P434-uLT3PP94ocZJuub9jinrNvm3",
"repository_name": "search-all"
}
]
Action: Fetch Query Results using Query ID
This action fetches the status and results of a query using the ID returned by Create Query with ID. Call it repeatedly until the query reports that it is complete.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query ID | Enter the query ID. Example: p3-uwolfvvmne8ztp9odrvwmx0b | Text | Required | |
Repository Name | Enter the repository name. Example: search-all | Text | Required |
Example Request
[
{
"query_id": "P434-uLT3PP94ocZJuub9jinrNvm3",
"repository_name": "search-all"
}
]
Action: Find Correlation Rule IDs
This action retrieves all correlation rule IDs that match the specified query and filter criteria.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the search query to find correlation rule IDs based on specific keywords or parameters. | Text | Optional | |
Search Filter | Enter the search filter using Falcon query language (FQL) to refine the search results. Example: status:'active' or created_on:>'2025-06-20' | Text | Optional | |
Limit | Enter the maximum number of rule IDs to return in the response. | Integer | Optional | Maximum allowed value: 10,000. Default value: 100. |
Offset | Enter the starting index of the overall result set from which to return rule IDs. | Integer | Optional | |
Sort | Enter the field and sort direction in field|direction format. Example: status|asc | Text | Optional | Supported directions: asc (ascending) and desc (descending) |
Example Request
[
{
"search_filter": "status:'active' or created_on:>'2025-06-20'"
}
]
Action: Generic Action
This is a generic action used to make requests to any CrowdStrike Next-Gen SIEM endpoint. It can reach every endpoint the configured API client is scoped to, so restrict who may edit playbooks that use it and prefer the purpose-built actions on this page where one exists.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Method | Enter the HTTP method for the request. | Text | Required | Allowed values: get, put, post, and delete. |
Endpoint | Enter the endpoint path to request, relative to the Base URL. Example: /repositories/{repository}/query, where {repository} is replaced by the repository name. | Text | Required | |
Query Params | Enter the query parameters to pass to the API. | Key Value | Optional | |
Payload | Enter the payload to pass to the API. | Any | Optional | |
Extra Fields | Enter the extra fields to pass to the API. | Key Value | Optional | Allowed keys: payload_json, header, download, files, filename, retry_wait, retry_count, custom_output, and response_type. |
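The Endpoint parameter is appended to the configured Base URL and the request carries the API client's bearer token, so an Endpoint value that smuggles in a host, a query string, or path traversal can redirect or widen the call. The following added example (not the connector's own code) shows the validation a playbook author would put in front of the Generic Action before dispatching it; the base URL and endpoint paths in the checks are placeholders, and the allowed-method set is the one documented above.

```python
"""Validate Generic Action input (Method, Endpoint, Query Params) before sending.

Added example, not part of the Cyware connector. Base URL and endpoint values
below are placeholders; the method set mirrors the action's documented values.
"""
from typing import Optional, Tuple
from urllib.parse import unquote, urlencode, urljoin, urlsplit

# The four methods the action documents; anything else (PATCH, TRACE, ...) is refused.
ALLOWED_METHODS = {"get", "put", "post", "delete"}


def build_generic_request(base_url: str, method: str, endpoint: str,
                          query_params: Optional[dict] = None) -> Tuple[str, str]:
    """Return (METHOD, absolute URL), or raise ValueError for unsafe input."""
    method = method.strip().lower()
    if method not in ALLOWED_METHODS:
        raise ValueError(f"method {method!r} not allowed")

    parts = urlsplit(endpoint.strip())
    # A scheme or host in the endpoint ('https://evil', '//evil/x') would make
    # urljoin replace the base host and send the bearer token elsewhere.
    if parts.scheme or parts.netloc:
        raise ValueError("endpoint must be a path relative to Base URL, not a URL")
    # Query string and fragment belong in query_params, where they get encoded.
    if parts.query or parts.fragment:
        raise ValueError("put query parameters in query_params, not in the endpoint")
    # An unfilled template placeholder such as '{repository}' is a playbook bug,
    # not something to send to the API.
    if "{" in parts.path or "}" in parts.path:
        raise ValueError("endpoint contains an unfilled placeholder")
    # Reject traversal, including percent-encoded forms the server may decode,
    # and backslashes that some servers normalise to '/'.
    decoded = unquote(parts.path)
    if "\\" in decoded or any(seg in (".", "..") for seg in decoded.split("/")):
        raise ValueError("endpoint contains path traversal")

    base = base_url.rstrip("/") + "/"
    url = urljoin(base, parts.path.lstrip("/"))
    if urlsplit(url).netloc != urlsplit(base).netloc:
        raise ValueError("resolved URL left the configured host")
    if query_params:
        url += "?" + urlencode(query_params)
    return method.upper(), url


def is_rejected(base_url: str, method: str, endpoint: str) -> bool:
    """True when build_generic_request refuses the input."""
    try:
        build_generic_request(base_url, method, endpoint)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = "https://base_url"  # placeholder, as in the configuration table
    print(build_generic_request(base, "post", "/repositories/search-all/query", {"limit": 10}))
    for bad in ("https://evil.example/x", "//evil.example/x",
                "/repositories/../../oauth2/token", "/repositories/{repository}/query"):
        print(bad, "->", "rejected" if is_rejected(base, "get", bad) else "accepted")
```

The host comparison after `urljoin` is a belt-and-braces check: even if a future edit loosens the earlier tests, a request can never leave the configured Base URL host.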
Action: Get Case Details by ID
This action retrieves details of one or more cases by their unique IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case IDs | Enter a list of one or more comma-separated case IDs to retrieve details. Example: $list[aaaaaaaaaxxx-xx-xe7x9xxxxxxxxxxxxoqlnx-1dsxyxxxxxxxxxxxxxxxxxxxmgjc9-2uxxxxxo5_z_pmxxxxxwr-ye1pwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxkvgz9_bwxxxxxxxm9_lzxxxxxdy_nyxxxxxww] | List | Required |
Example Request
[
{
"case_ids": [
"AAAAAAAAAAEy4y2hB8DZXC4DOf9fvWmXHNiO-DgnethfpVCxkprN_4Mg6kNhVAjg2G66Bt_cN160RZnrMFIl2kNs22Z0OYFfczOYSSXScNP0wMwh68ZCpCwODtDZBnkgsy8EdRYd4Un2nCrKnQgyEtlCJxNe9Kn8hflHpw"
]
}
]Action: Get CrowdStrike-Managed Lookup File
This action retrieves the content of a CrowdStrike-managed lookup file from the specified repository, namespace, and package.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
File Name | Enter the name of the CrowdStrike-managed lookup file to retrieve. Example: btdeviceclass.csv | Text | Required | |
Namespace | Enter the namespace associated with the file. Example: falcon | Text | Required | |
Package | Enter the package associated with the file. Example: devicecontrol | Text | Required | |
Repository Name | Enter the repository to retrieve the file from. Example: search-all | Text | Required | |
Download File | Choose true to download the contents of the file. | Boolean | Optional | Default value: false |
Example Request
[
{
"package": "devicecontrol",
"download": true,
"filename": "usbvendors.csv",
"namespace": "falcon",
"repository_name": "search-all"
}
]
Action: Get Custom Lookup File
This action retrieves a previously uploaded custom lookup file from the specified repository.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Repository Name | Enter the repository name to retrieve the file from. This must match the repository used when the file was uploaded. Example: investigate_view | Text | Required | |
File Name | Enter the name of the lookup file to retrieve, including the file extension. Example: nw_events.json | Text | Required | |
Download File | Choose true to download the contents of the file. | Boolean | Optional | Default value: false |
Example Request
[
{
"download": true,
"filename": "test_file.csv",
"repository_name": "search-all"
}
]
Action: Quick Search Query (Deprecated)
This action runs a search synchronously and returns the results directly, without creating a query ID. It is deprecated; it is bound by the configured Timeout, so prefer Create Query with ID followed by Fetch Query Results using Query ID for anything but short searches.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter the query to search. | Text | Required | |
Repository Name | Enter the repository name to run the query against. Example: search-all | Text | Required | |
Start Time | Specify the start time for the search range. Example: 24hours | Text | Optional | |
End Time | Specify the end time for the search range. Example: now | Text | Optional | |
Extra Parameters | Enter any additional parameters. Example: [islive, timezoneoffsetminutes, arguments] | Key Value | Optional |
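The three query actions above (Create Query with ID, Fetch Query Results using Query ID, Delete Query by ID) form one submit, poll, delete lifecycle, which is what replaces the deprecated quick search. The following added example, which is not the connector's or CrowdStrike's code, walks through that lifecycle with a deadline and guaranteed cleanup. The OAuth2 token endpoint, the query-job paths, and the response fields "id", "done" and "events" are assumptions modelled on the LogScale query-job API that Next-Gen SIEM search is built on; the FakeFalcon class is a constructed stand-in so the code runs offline, and in production `send` would wrap an HTTP session.

```python
"""Submit, poll, delete search lifecycle for CrowdStrike Next-Gen SIEM.

Added example, not part of the Cyware connector. Endpoint paths and response
field names are assumptions modelled on the LogScale query-job API; FakeFalcon
is a constructed stand-in for the real service.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


class SearchTimeout(Exception):
    """The query job did not finish inside the configured timeout."""


@dataclass
class NgSiemClient:
    # send(method, path, body=None, headers=None) -> dict; injected so the
    # lifecycle can be exercised offline against FakeFalcon below.
    send: Callable[..., dict]
    client_id: str
    client_secret: str
    timeout: float = 15.0        # mirrors the connector's Timeout parameter (seconds)
    poll_interval: float = 1.0   # seconds between status polls
    sleep: Callable[[float], None] = time.sleep
    clock: Callable[[], float] = time.monotonic
    _token: Optional[str] = field(default=None, init=False, repr=False)

    def _auth_header(self) -> dict:
        # OAuth2 client-credentials grant: the secret travels in the POST body,
        # never in a URL, so it does not end up in proxy or access logs.
        if self._token is None:
            resp = self.send("POST", "/oauth2/token",
                             body={"client_id": self.client_id,
                                   "client_secret": self.client_secret})
            self._token = resp["access_token"]
        return {"Authorization": f"Bearer {self._token}"}

    def create_query(self, repository: str, query_string: str,
                     start: str = "24hours", end: str = "now", **extra) -> str:
        """Create Query with ID: start an asynchronous search job and return its ID."""
        body = {"queryString": query_string, "start": start, "end": end, **extra}
        resp = self.send("POST", f"/repositories/{repository}/queryjobs",
                         body=body, headers=self._auth_header())
        return resp["id"]

    def fetch_results(self, repository: str, query_id: str) -> dict:
        """Fetch Query Results using Query ID: status plus the events found so far."""
        return self.send("GET", f"/repositories/{repository}/queryjobs/{query_id}",
                         headers=self._auth_header())

    def delete_query(self, repository: str, query_id: str) -> None:
        """Delete Query by ID: release the job once it is no longer needed."""
        self.send("DELETE", f"/repositories/{repository}/queryjobs/{query_id}",
                  headers=self._auth_header())

    def run_search(self, repository: str, query_string: str, **kw) -> list:
        """Full lifecycle with a deadline; the job is deleted even on timeout."""
        query_id = self.create_query(repository, query_string, **kw)
        deadline = self.clock() + self.timeout
        try:
            while True:
                status = self.fetch_results(repository, query_id)
                if status.get("done"):
                    return list(status.get("events", []))
                if self.clock() >= deadline:
                    raise SearchTimeout(f"query {query_id} still running after {self.timeout}s")
                self.sleep(self.poll_interval)
        finally:
            self.delete_query(repository, query_id)


class FakeFalcon:
    """Constructed stand-in for the API: a job reports done after N status polls."""

    def __init__(self, polls_until_done: int = 2, events: Optional[list] = None):
        self.polls_until_done = polls_until_done
        self.events = events or []
        self.jobs: dict = {}   # job id -> number of polls seen
        self.calls: list = []  # (method, path) log for inspection
        self.created = 0

    def __call__(self, method, path, body=None, headers=None) -> dict:
        self.calls.append((method, path))
        if path == "/oauth2/token":
            if not (body and body.get("client_id") and body.get("client_secret")):
                raise PermissionError("401: client credentials missing")
            return {"access_token": "tok-constructed", "expires_in": 1799}
        if (headers or {}).get("Authorization") != "Bearer tok-constructed":
            raise PermissionError("401: bearer token missing or invalid")
        if method == "POST" and path.endswith("/queryjobs"):
            self.created += 1
            job_id = f"job-{self.created}"
            self.jobs[job_id] = 0
            return {"id": job_id}
        job_id = path.rsplit("/", 1)[-1]
        if job_id not in self.jobs:
            raise LookupError(f"404: unknown query job {job_id}")
        if method == "GET":
            self.jobs[job_id] += 1
            done = self.jobs[job_id] >= self.polls_until_done
            return {"done": done, "events": self.events if done else []}
        if method == "DELETE":
            del self.jobs[job_id]
            return {}
        raise ValueError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    # Constructed sample event, not real telemetry.
    sample = [{"#event_simpleName": "ProcessRollup2", "aid": "aid-constructed"}]
    fake = FakeFalcon(polls_until_done=3, events=sample)
    client = NgSiemClient(send=fake, client_id="id-constructed", client_secret="secret-constructed",
                          timeout=15, sleep=lambda _s: None)
    print(client.run_search("search-all", "#event_simpleName=ProcessRollup2"))
    print("jobs left on server:", fake.jobs)
```

Two points carry over to a playbook: poll with a deadline derived from the Timeout you configured, and put Delete Query by ID on the error path as well as the success path, otherwise every timed-out playbook run leaves a job behind on the server.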
Action: Remove Tags from Existing Case
This action removes one or more tags from an existing case.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the unique ID of the case from which to remove the specified tags. | Text | Required | |
Tags | Enter the list of tags to remove from the case. Example: $list[triage, incident-32] | List | Required |
Example Request
[
{
"tags": [
"test_tag"
],
"case_id": "AAAAAAAAAAEy4y2hB8DZXC4DOf9fvWmXHNiO-DgnethfpVCxkprN_4Mg6kNhVAjg2G66Bt_cN160RZnrMFIl2kNs22Z0OYFfczOYSSXScNP0wMwh68ZCpCwODtDZBnkgsy8EdRYd4Un2nCrKnQgyEtlCJxNe9Kn8hflHpw"
}
]
Action: Retrieve Correlation Rule Details
This action retrieves detailed information for one or more correlation rules by their IDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Rule IDs | Enter the list of correlation rule IDs to retrieve details for. Example: $list[85ae98xxxxxxd9a8f2] | List | Required |
Action: Search Cases
This action retrieves the IDs of all cases that match the specified query parameters.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Query | Enter a search string to find cases based on case metadata. | Text | Optional | |
Search Filter | Enter the search filter using Falcon Query Language (FQL) to refine the search results. Example: created_timestamp:>'2025-06-20' | Text | Optional | |
Limit | Enter the maximum number of cases to return. | Integer | Optional | Allowed range: 1 - 1000. Default value: 100. |
Offset | Enter the starting position in the result set; 0 starts from the most recent case. | Integer | Optional | Default value: 0. Combine with Limit to page through result sets larger than 1000. |
Sort | Enter the field and sort direction in field|direction format. Sorting is supported on any field available for FQL filtering. Example: status|asc | Text | Optional | Allowed directions: asc (ascending) and desc (descending). Default value: created_timestamp|desc. |
Example Request
[
{
"limit": "100"
}
]
Action: Update Case
This action updates an existing case with new details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
Case ID | Enter the unique ID of the case to update. Example: aaaaaaaaxxx_zpxxxwd-tvzgxxxxxxxxxxxxxxxxxxxxxxxxxxxwaruv-dppamxxxxxxxa7hd9_ln2ezxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxjtfyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxrtsqxxxxxgbilg | Text | Required | |
Update Fields | Enter one or more fields and their new values to update in the case. Example: {"severity": "50", "status": "in_progress"}. | Key Value | Required | Allowed fields: description, assigned_touser_uuid, evidence, evidence.alerts, evidence.alerts.id, evidence.events, evidence.events.id, name, severity, status, tags, template, and template.id. |
Example Request
[
{
"case_id": "AAAAAAAAAAEy4y2hB8DZXC4DOf9fvWmXHNiO-DgnethfpVCxkprN_4Mg6kNhVAjg2G66Bt_cN160RZnrMFIl2kNs22Z0OYFfczOYSSXScNP0wMwh68ZCpCwODtDZBnkgsy8EdRYd4Un2nCrKnQgyEtlCJxNe9Kn8hflHpw",
"update_fields": {
"name": "test_case"
}
}
]
Action: Upload Lookup File
This action uploads a custom lookup file to the specified repository. You can use it to add, update, or delete lookup entries as needed. Because lookup files can feed searches and correlation rules, validate the file's contents before uploading and restrict write access to the path it is read from; an incorrect upload changes results for everyone using that repository.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
|---|---|---|---|---|
File Path | Enter the path to the CSV or JSON file to upload. Example: /tmp/lookup_data.csv | Text | Required | |
Repository Name | Enter the name of the repository to which the file should be uploaded. | Text | Required | Allowed values: search-all, all, investigate_view, falcon, third-party, falcon_for_it_view, forensics_view, forensics, and 3pi_parsers. |
Example Request
[
{
"file_path": "/tmp/100b03a7-912b-40b3-b4c9-c39e036d4e94/test_file.csv",
"repository_name": "search-all"
}
]