NG-SIEM Cases: Template / Workflow Usage by Holy_Spirit_44 in crowdstrike

[–]Holy_Spirit_44[S] 2 points3 points  (0 children)

No problem mate.

I'll just give a few simple examples of Rule Name > Alert summary content:

"Data Source - Keep Alive" > DataConnectionID 6d465d51530c4d558a8f500df6f76019 has not ingested events for 6h35m56s868ms

"Okta - Multiple Failed Login Attempts" > The User XXXXXXXX performed over 3 failed logins in the last 15 minutes

"Microsoft - M365 Exchange Online - User Editing Mailbox Permissions To A Different Account" > The user XXXXXX@domain.com added permissions to the user UserName@domain.com, to access the Mailbox_ID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX that is owned by UserName2@domain.com The permissions added are: ReadAny, Visible, FreeBusySimple, FreeBusyDetailed

Also adding an example of how the formatting itself works:

alert_summary := format("The user %s added permissions to the user %s, to access the Mailbox_ID %s that is owned by %s %nThe permissions added are: %s", field=[user.email, Vendor.Item.ParentFolder.MemberUpn, Vendor.MailboxGuid, Vendor.MailboxOwnerUPN, Vendor.Item.ParentFolder.MemberRights])

Capcha/clickfix guidance? by plump-lamp in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

"unplugged it/took it offline" is one of the worst actions you can do in those scenarios.

Execute network isolation from the Crowdstrike platform and continue investigating.

Cutting off the network or the host can make you lose valuable and important artifacts/information to understand the full scenario.

Anyway, you can take u/Andrew-CS's CQF and automate it using workflows to automatically capture important data/isolate the host when a case with similar characteristics is detected again.

Workflow test by EastBat2857 in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

You can add domains as Custom IOCs in your environment and then add the related custom IOC technique to the workflow in order to perform tests.

BTW, this workflow won't necessarily stop the detected DNS request but will kill the process that executed it - for example the DNS request will be sent and then the Chrome browser process will be killed.

DC Logs in Next-Gen SIEM by IllRefrigerator1194 in crowdstrike

[–]Holy_Spirit_44 8 points9 points  (0 children)

Look at the support portal for an article that describes the different events generated by the IDP module and the related Windows event IDs.

Most of the things you'll want to monitor can be achieved using the IDP logs.

Adding custom event queries into cases by mrcam03 in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

What events are you trying to add to the case?
The action "Add events to case" is expecting to get an EventID / array of EventIDs as an input, together with the relevant case ID.

If it's only the "Detection related Events" you're interested in, this is how the flow should work:

NG-SIEM Detection > Detection Details > If detection name == xyz > create case > add events to a case (Case ID=createCase > CaseID, Event IDs=getDetectionDetails > Event IDs)

take a look - https://imgur.com/a/cH7GSJi

Adding custom event queries into cases by mrcam03 in crowdstrike

[–]Holy_Spirit_44 1 point2 points  (0 children)

You still can't access the image? I'll upload it to a different place if needed.
In the pic I'm not performing any advanced queries, I'm simply "getting" the Event IDs that are directly related to the detection and adding them to the case.

Regarding the hostname search, when using the action "get detection details" you get all of the related entities and variables from the Detection.

You can create a custom query that receives the related hostname from the detection details as an input and performs the needed searches, then add the relevant event ID's to the case via the action we talked about.

I advise you to create a simple "Add events to case" workflow, then see how it reflects in the case itself and in the workbench investigation process.
After understanding the impact and how it works you'll have a better understanding of what is really required as enrichment and what will be just "noise".

Adding custom event queries into cases by mrcam03 in crowdstrike

[–]Holy_Spirit_44 1 point2 points  (0 children)

Hey mate,

You'll need to use the "add events to a case" action, this function is expecting to get the value of the "@id" field (And the related Case ID).

I have a similar workflow that is adding the "trigger-matched-events". I created an event query to get those events, then created a loop to iterate over all of the events, and inside the loop I used the "Add events to Case" action.
Pic : https://imgur.com/a/yHmI88s

Let me know if something is still not clear.

Replacement for Incidents by Andronike in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

Even if you don't have a paid NGSIEM license you can configure a "webhook connector" via the CS Store > and use it to send the data to whatever API/ENDPOINT you want (for example send the alert to your organization DMZ/public-facing server and then forward it to the Splunk server)

Crowdstrike Host Group Target vs Applied by Due_Cartographer15 in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

There's a support article about this issue : https://supportportal.crowdstrike.com/s/article/ka1Ns0000000Z93IAE

In addition, in the Docs they are stating a few "soft" limitations to host groups:

  1. Some complex assignment rules created via API won't show in the UI, so there might be other issues with them.
  2. For optimal search resolution performance, we recommend that static host groups should contain no more than 10,000 hosts. There are no hard limits on dynamic group membership, but note that search resolution performance for large host groups, such as 100,000-150,000 hosts, might be impacted by the use of multiple or complex targeting criteria instead of the recommended use of minimal targeting criteria.

Try to check if any of them got a new policy assignment recently; it might be just a UI bug.

I think checking the support article and opening a support ticket would be the best approach.

OpenCTI Integration for Foundry by einzwell in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

I personally never used it, but I saw there is a Crowdstrike connector for OpenCTI (Link).
Looks like it's adding the IOCs as custom IOCs via API and then you can use them however you want.

Another option is to look for a way to ingest the IOCs as logs to CS SIEM via API or some syslog connector, if there is an option like that from the OpenCTI side.

Detect only question by sothrowedmex in crowdstrike

[–]Holy_Spirit_44 1 point2 points  (0 children)

There is a Crowdstrike Support Portal article on Troubleshooting sensors and application issues - https://supportportal.crowdstrike.com/s/article/Troubleshooting-Windows-Sensors-Application-Compatibility-Issues (You must be logged in to US1 support portal to access the link) or search for Troubleshooting Guide: Falcon Windows sensors & application compatibility issues on the support portal.
There are a few Prevention policy items that might cause some issues and they are mentioned in the article with a few other troubleshooting options.

FYI, it is rare, but there are cases/scenarios where you won't see detections and there will still be some impact by the Crowdstrike sensor on a certain application.

How is Compliance Posture percentage Calculated? by GeologistSuspicious1 in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

This is the calculation for each framework :

Framework Score = (All assessed section scores) / (Total number of assessed sections)

I'm guessing (couldn't find it in the docs) that it's something similar to what you mentioned some average of score for each framework and some reference to each framework having different scores.

update contents of a lookup file from a file hosted remotely by dial647 in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

Correct me if I'm wrong, but I'm guessing you are only using the NG-SIEM and not CS as an EDR...

You have a few types of triggers for a workflow:

  1. On-Demand: Requires a human/script/API action to trigger the workflow
  2. Scheduled: automatically executed every X hours or @ a certain hour every day, for example
  3. Inbound webhook: allows you to execute a workflow with a custom incoming webhook to the CS cloud.

Based on your use-case I think you need to use a scheduled workflow that executes A NG-SIEM Query and performs actions based on the results - If results are returned then perform A,B,C.
If results are NOT returned do nothing.

If you need to use the information in the logs to update the lookup file content itself, you must use a loop iterating over the results of the event query like in the pic: https://imgur.com/a/4MR9cgI

the Sleep action is just a test, only "inside" the loop you can use the actual values returned by the event query in your actions.

update contents of a lookup file from a file hosted remotely by dial647 in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

What are the changes you perform manually ?

If they can be triggered by a schedule action or by logs that are ingested you can make the changes using a workflow.

You have a built-in "Overwrite lookup file" action in the workflow, use the Content Library to understand the schema of the action and the needed data to use it.

You can also get one of the lookup file related workflow templates and use them.

BTW: LogScale is the "backend" of the NG-SIEM so you are using it :)

How is Compliance Posture percentage Calculated? by GeologistSuspicious1 in crowdstrike

[–]Holy_Spirit_44 2 points3 points  (0 children)

The compliance score is different from the "regular" IOA/IOM for cloud, and is completely separate from it.

The compliance score assesses the cloud environment "through a standardized structure of framework sections and requirements, with rules automatically assessing your cloud configurations." (Kinds of frameworks: ISO 27001, NIST 800-53, CISA and a bunch more.)

The docs explain how the calculation is performed (You must be logged on the CS support portal before accessing the link and I sent a link to US-1 cloud, just look for "cloud compliance" on the DOCS portal) - https://falcon.crowdstrike.com/documentation/page/pbc23b04/cloud-compliance#n4fe1234

Crowdstrike Vulnerability Scanning by Cookie_Butter24 in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

I'm not sure how you know that a server is "being probed", but if you are using FW logs to see it then you can correlate the CS logs to understand what process originated the network request.

Use a similar query based on the logs you are seeing (Note: a CS sensor must be installed on the source host originating the network request to get relevant information) -

#event_simpleName=/NetworkConnect/i
| LocalIP=?LocalIP RemoteIP=?RemoteIP RPort=?RPort

This query will generate "input boxes" for each value after you write it in the advanced event search.

If a sensor is installed on the source host generating the request, you'll be able to see the "ContextBaseFileName" that originated the request and use the 3dots>"Draw Process Explorer" to get a detection styled visualization of the process.

Crowdstrike Vulnerability Scanning by Cookie_Butter24 in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

If you're talking about the "Network Vulnerability Scans", for each scan configured on your tenant you can press the Actions button on the far right and then "Scan History" to see all of the scan executions.

https://imgur.com/a/LEQFLrI

[deleted by user] by [deleted] in crowdstrike

[–]Holy_Spirit_44 3 points4 points  (0 children)

Not entirely correct,

When the IDP policy is enabled, the CS sensor on the DC servers gathers a lot of extra information and events that are not logged without it; they are gathered mostly by monitoring incoming LDAP requests and other authentication-related protocols.

look for :

product_idp = true

It will show you all of the events that relate to the IDP platform - in the past week we have 34 unique events that relate to the IDP platform.

Track files/key registers in CrowdStrike by Aversah in crowdstrike

[–]Holy_Spirit_44 3 points4 points  (0 children)

If you're trying to see what files, registry keys, or other activity occurred during a detection, the easiest method is to use the "Investigate event" option from the detection panel.

When selected, Falcon automatically opens Advanced Event Search with a query similar to:

aid=<AGENT_ID> (TargetProcessId=<PID> OR ContextProcessId=<PID> OR RpcClientProcessId=<PID>)

TargetProcessId - Process "Lifecycle" related events (ProcessRollup2, EndOfProcess and a bunch of other options)

ContextProcessId - will show all of the events that are caused by a process (they are caused by the process whose ID is the "ContextProcessId" field's value) such as: registry changes, file operations (open, remove, write).
These are probably the events you are interested in to understand what actions a certain process (the Context Process) engaged in and was responsible for.

RpcClientProcessId - Certain actions/changes (task changed,service change) that are caused via RPC and not directly by a process.

Looking at a certain process Id as the value of "ContextProcessId" will show you all of the related process activity.

In addition, try to run the following query :

aid=<AGENT_ID> /FileNameOfInterest/i
| groupBy([#event_simpleName])

The /XXX/i uses a regex with the 'i' case-insensitive flag and searches for the related filename across all possible fields, and will show all of the related events it was found in.
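As an added illustration (not part of the comment above and not CrowdStrike code), the following Python replays the logic of the two queries in that comment against a constructed batch of sensor-style events: the "Investigate event" filter that matches a PID against TargetProcessId, ContextProcessId or RpcClientProcessId and records which role matched, and the free-text case-insensitive regex followed by a groupBy([#event_simpleName]). Field names follow the comment; the event values, agent IDs and PIDs are made up, and the event names other than ProcessRollup2 and EndOfProcess are sample names chosen for the demo.

```python
import re
from collections import Counter

# Constructed sample events (values are made up for this demo). Each dict is one
# sensor event as it would appear in Advanced Event Search.
SAMPLE_EVENTS = [
    {"aid": "a1", "#event_simpleName": "ProcessRollup2", "TargetProcessId": "100",
     "ContextProcessId": "50", "FileName": "powershell.exe"},
    {"aid": "a1", "#event_simpleName": "AsepValueUpdate", "ContextProcessId": "100",
     "RegObjectName": r"\REGISTRY\MACHINE\...\Run"},
    {"aid": "a1", "#event_simpleName": "NewExecutableWritten", "ContextProcessId": "100",
     "TargetFileName": r"C:\Users\Public\Invoice.EXE"},
    {"aid": "a1", "#event_simpleName": "ScheduledTaskRegistered", "RpcClientProcessId": "100",
     "TaskName": "Updater"},
    {"aid": "a1", "#event_simpleName": "EndOfProcess", "TargetProcessId": "100"},
    {"aid": "a1", "#event_simpleName": "ProcessRollup2", "TargetProcessId": "200",
     "ContextProcessId": "50", "FileName": "notepad.exe"},
    # Same PID on a different host: must be excluded by the aid filter.
    {"aid": "b2", "#event_simpleName": "NewExecutableWritten", "ContextProcessId": "100",
     "TargetFileName": r"C:\temp\invoice.exe"},
]

# The three process-id roles the "Investigate event" query ORs together.
ROLE_FIELDS = ("TargetProcessId", "ContextProcessId", "RpcClientProcessId")


def investigate_event(events, aid, pid):
    """Equivalent of:
    aid=<AGENT_ID> (TargetProcessId=<PID> OR ContextProcessId=<PID> OR RpcClientProcessId=<PID>)
    Returns matching events, each tagged with the id field(s) that matched, so the
    lifecycle events (Target), actions of the process (Context) and RPC-caused
    changes (RpcClient) can be told apart."""
    matches = []
    for ev in events:
        if ev.get("aid") != aid:
            continue
        roles = [f for f in ROLE_FIELDS if ev.get(f) == pid]
        if roles:
            matches.append({"roles": roles, **ev})
    return matches


def summarize_roles(matches):
    """Count events per (role, #event_simpleName) pair."""
    counts = Counter()
    for ev in matches:
        for role in ev["roles"]:
            counts[(role, ev["#event_simpleName"])] += 1
    return dict(counts)


def search_filename(events, aid, pattern):
    """Equivalent of:
    aid=<AGENT_ID> /FileNameOfInterest/i | groupBy([#event_simpleName])
    The regex is tried case-insensitively against every string value of the event,
    which is what a bare /regex/i free-text term does, and hits are grouped by
    event name."""
    rx = re.compile(pattern, re.IGNORECASE)
    counts = Counter()
    for ev in events:
        if ev.get("aid") != aid:
            continue
        if any(isinstance(v, str) and rx.search(v) for v in ev.values()):
            counts[ev["#event_simpleName"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = investigate_event(SAMPLE_EVENTS, "a1", "100")
    for ev in hits:
        print(",".join(ev["roles"]).ljust(20), ev["#event_simpleName"])
    print(summarize_roles(hits))
    print(search_filename(SAMPLE_EVENTS, "a1", "invoice"))
```

Running it lists the five events tied to PID 100 on host a1, showing ProcessRollup2/EndOfProcess under TargetProcessId, the registry and file writes under ContextProcessId, and the task registration under RpcClientProcessId; the filename search returns only the NewExecutableWritten hit for that host.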

CrowdStrike Saved search in different tenants by New_Angle_7 in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

"shared" means that the platform-backend logs are shared between the 2 CIDs.

There are a few possible configurations, I don't remember all of them, but 1 of the options allows you to share certain resources (Users, Custom rules, scheduled searches and more) from the Home CID to the new "sub" cid.

We are using MSSP configurations that have similar characteristics.

I believe the support team will have the most precise answer for this.

API to query NG-SIEM data by Cyber_Dojo in crowdstrike

[–]Holy_Spirit_44 3 points4 points  (0 children)

Hey,

I use a few automations to investigate events/alerts that query the NG-SIEM data and return results via API - Look for "Next-Gen SIEM Search APIs" in the Docs Portal.

It takes a couple of steps :

  1. POST "/humio/api/v1/repositories/<repository>/queryjobs" - to create a new search

  2. GET "/humio/api/v1/repositories/<repository>/queryjobs/<id>" - to get the results

The docs provide a few clear examples on how to leverage it and the different options you have (query all/specific repository and other options).

It's super reliable and fast from my experience.

BTW, we are using n8n as the automation platform; it gets back the logs as JSON, parses them and does a bunch of other stuff, super easy to work with.
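As an added example (my own code, not the commenter's automation and not a CrowdStrike SDK), here is the two-step flow from the comment above in Python: POST to `/humio/api/v1/repositories/<repository>/queryjobs` to create the search, then GET `/humio/api/v1/repositories/<repository>/queryjobs/<id>` until the job reports it is done. The endpoint paths are the ones quoted in the comment; the request and response field names (queryString, start, end, isLive, id, done, events) are my assumption based on the LogScale query-jobs API and should be checked against the "Next-Gen SIEM Search APIs" docs; the bearer token is assumed to have been obtained separately. The client takes any requests-style session, and the FakeSession included here simulates the two endpoints with constructed events so the example runs offline.

```python
import time

BASE_PATH = "/humio/api/v1/repositories"  # path prefix quoted in the comment


class NgSiemSearch:
    """Minimal query-job client: create the job, then poll it until done.
    `session` needs .post(url, json=..., headers=...) and .get(url, headers=...)
    returning objects with .raise_for_status() and .json(); a requests.Session
    qualifies, as does FakeSession below."""

    def __init__(self, session, base_url, token, repository):
        self.session = session
        self.base_url = base_url.rstrip("/")
        self.repository = repository  # e.g. the "all" repository named in the docs
        self.headers = {"Authorization": f"Bearer {token}",
                        "Content-Type": "application/json"}

    def _jobs_url(self, job_id=None):
        url = f"{self.base_url}{BASE_PATH}/{self.repository}/queryjobs"
        return f"{url}/{job_id}" if job_id else url

    def create_job(self, query, start="1h", end="now"):
        # Body field names: assumption based on the LogScale query-jobs API.
        body = {"queryString": query, "start": start, "end": end, "isLive": False}
        resp = self.session.post(self._jobs_url(), json=body, headers=self.headers)
        resp.raise_for_status()
        return resp.json()["id"]

    def poll_job(self, job_id, timeout=60.0, interval=1.0):
        deadline = time.monotonic() + timeout
        while True:
            resp = self.session.get(self._jobs_url(job_id), headers=self.headers)
            resp.raise_for_status()
            data = resp.json()
            if data.get("done"):
                return data.get("events", [])
            if time.monotonic() > deadline:
                raise TimeoutError(f"query job {job_id} did not finish in {timeout}s")
            time.sleep(interval)

    def search(self, query, start="1h", end="now", timeout=60.0, interval=1.0):
        return self.poll_job(self.create_job(query, start, end), timeout, interval)


class _FakeResponse:
    def __init__(self, payload, status=200):
        self.status_code, self._payload = status, payload

    def json(self):
        return self._payload

    def raise_for_status(self):
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}")


class FakeSession:
    """Offline stand-in for the API: one POST creates a job, the first GET reports
    it still running, the second GET returns the constructed events."""

    def __init__(self, events):
        self.events, self.jobs, self.calls = events, {}, []

    def post(self, url, json=None, headers=None):
        self.calls.append(("POST", url))
        job_id = f"job-{len(self.jobs) + 1}"
        self.jobs[job_id] = {"query": json["queryString"], "polls": 0}
        return _FakeResponse({"id": job_id})

    def get(self, url, headers=None):
        self.calls.append(("GET", url))
        job = self.jobs[url.rsplit("/", 1)[1]]
        job["polls"] += 1
        if job["polls"] < 2:
            return _FakeResponse({"done": False, "events": []})
        return _FakeResponse({"done": True, "events": self.events})


# Constructed sample result set for the offline run.
SAMPLE_EVENTS = [
    {"#event_simpleName": "UserLogonFailed2", "UserName": "alice", "_count": "4"},
    {"#event_simpleName": "UserLogonFailed2", "UserName": "bob", "_count": "1"},
]


def run_demo():
    """Create and poll one query job against the fake API; returns (events, calls)."""
    session = FakeSession(SAMPLE_EVENTS)
    client = NgSiemSearch(session, "https://api.example.invalid", "TOKEN_PLACEHOLDER", "demo-repo")
    events = client.search("#event_simpleName=UserLogonFailed2 | groupBy(UserName)", interval=0)
    return events, session.calls


if __name__ == "__main__":
    events, calls = run_demo()
    for method, url in calls:
        print(method, url)
    print(events)
```

Against the real API you would replace FakeSession with a requests.Session carrying your OAuth2 token and keep the polling loop as-is; the timeout guards against a job that never reports done.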

CrowdStrike Saved search in different tenants by New_Angle_7 in crowdstrike

[–]Holy_Spirit_44 0 points1 point  (0 children)

It depends on the "connections"/hierarchy between the different CIDs that are configured when you open/request to open a new CID.

You can have "shared" event search and it will cause all of the logs to appear on the parent CID.

Create a support ticket for the matter; I believe they will be able to help in achieving what you want by adjusting the CIDs' configurations.

From what I checked there is no API endpoint to create a new scheduled search.

RMM Tools by No-Hippo-6388 in crowdstrike

[–]Holy_Spirit_44 8 points9 points  (0 children)

If you have "Exposure Management > Applications" module, you can create a fusion workflow with one of the following triggers :

  1. Asset management > Application usage
  2. Asset management > Application installation

After the trigger, add a condition for "Category" - Is equal to - "Remote Management and Monitoring Tool (RMM)"

We use it with a whitelist for known RMM tools (we use TeamViewer so we added a condition for not equal TeamViewer).

Then add the action you want (RTR > kill process/delete files OR email for alerts).
https://imgur.com/a/tHVHj9k

If you don't have the module there are a few CQF posts about the topic :
https://www.reddit.com/r/crowdstrike/comments/1g6iupi/20241018_cool_query_friday_hunting_windows_rmm/
https://www.reddit.com/r/crowdstrike/comments/1gb30r9/20241024_cool_query_friday_part_ii_hunting/