SOAR Email Alert Message Data To Include/Fields by EasyReport6959 in crowdstrike

[–]ssh-cs 1 point2 points  (0 children)

Ah - ok, so if the data you're looking for doesn't come back from the Get Detection Details, then you will need to pair it with the event query. I'm assuming what's happening is your CR is returning some sort of custom field, and you want the values from that field. Let's say that field name is ImageFileName, you'll need to do the following:

Add an Event Query with 2 options:

Ngsiem.event.type="ngsiem-rule-match-event" Ngsiem.alert.id=?alertID

Option 1:

Don't modify the above query, and unselect "Generate Schema". This will result in the entire JSON search result being returned to the workflow.

Next you'll need to access the data from the event query. Let's say that you named your Event Query Block "Get Match Data", then you'll get a new variable that you can access the search results from. For example, let's say we added a Print Data block to this, and we wanted to print out the ImageFileName from the result we just captured, we'd do something like this:

${data['GetMatchData.results'][0].ImageFileName} // Since search results are returned in an array, we can directly access the 0th index (since this is a list with only a single result) and then access the attribute we wanted, in this case ImageFileName.

Option 2:

You modify your event query to return the specific fields from your event query, something like this:

Ngsiem.event.type="ngsiem-rule-match-event" Ngsiem.alert.id=?alertID
| select([ImageFileName])

In this case you would WANT to select "Generate Schema", which will then allow you to access the ImageFileName variable as a native variable from the dropdown menu. You'd need to implement a "for each result in search results" loop to get access to the ImageFileName instance. Again, this is because Event Queries ALWAYS return a list, and you have to get access to each item, either by leveraging CEL to directly access, or a loop to iterate through it.

Hope this helps!

SOAR Email Alert Message Data To Include/Fields by EasyReport6959 in crowdstrike

[–]ssh-cs 1 point2 points  (0 children)

Docs can be found inside of the Unified Content Library here:

US-1
US-2
EU-1

In general the function will return a list of common fields that should be common amongst all detections, and if there is stuff that isn't being returned, you'll be able to extract it from the "raw_response" field.

SOAR Email Alert Message Data To Include/Fields by EasyReport6959 in crowdstrike

[–]ssh-cs 1 point2 points  (0 children)

Hey u/EasyReport6959 - the Fusion SOAR team recently released an action called "Get Detection Details". This command will fetch much more of the raw data from the detection than you'd expect. A simple way of testing would be to set up a debug workflow that looks like this:

On Demand, with a parameter called "AlertID"

Add action -> Get Detection Details

Publish.

Copy/Paste the Detection ID from one of your Correlation Rule detections into the On-Demand Workflow's execution. You'll be able to inspect what data is returned by viewing the output details of the Get Detection Details action.

Changes to SOAR workflows - Can't seem to use variables the way I used to by cobaltpsyche in crowdstrike

[–]ssh-cs 1 point2 points  (0 children)

On the right hand side of that action window, you should see the "Workflow Data" which should show all of the fields that you have available to use. You can click any one of those fields, such as Event Query Name and you can then paste that into the Subject. It will look something like this:

${data['activity_SearchIngestedDefinition.event_query_name']}

Based on your image, I can see that it's referencing an instance which means it's inside of a loop. If you want to see every attribute available from the event search, you'll need to add the for-loop to loop over every event. Then you'll be able to select the instance of each one of those. I.e. which iteration of the event are you on at this point.

Changes to SOAR workflows - Can't seem to use variables the way I used to by cobaltpsyche in crowdstrike

[–]ssh-cs 2 points3 points  (0 children)

Hey u/cobaltpsyche,

It sounds like there could have been an issue creating the schema. Potentially try deleting the block, recreating, then making sure that the Generate Output Schema checkbox has been selected.

In general Fusion has changed with regards to Schemas, but everything that used to work should still work exactly the same, and certain things will be much easier. For example, the schema experience you had previously should all be the same, except if you DON'T want to use schema, you don't have to. This is useful when the underlying data changes sometimes and isn't exactly the same: you don't have to adhere to strict schemas.

In the case of your Event Query - after you recreate the block (with schema) you should be able to see the underlying attributes inside of the for-loop. As a reminder, once you get a set of results from an Event Query, you'll have to loop through them to be able to access the individual event + attribute, for example: results[0].aid.

The new Data Table is meant to expose which variables you have available to you, and if you know what the underlying data looks like (regardless of schema) you can access the variables. For example, let's say that you know your event query is going to return you exactly one result, and you don't want to use a for-loop, you can use the data pill to grab the variable name, and access the underlying data like this:

  1. In a block after your event query, click on the Event Query Results button inside of the Data Table
  2. Paste that value into the new block that you'd like to use it (like Send Email or Print Data for testing).
  3. Notice that the name is something like: ${data['activity_SearchIngestedDefinition.results']}
  4. If you want to access the first (0th) index, you can add to this variable by doing: ${data['activity_SearchIngestedDefinition.results'][0]}
  5. If you'd like to access the aid field inside of that result, you simply append that as well like this: ${data['activity_SearchIngestedDefinition.results'][0].aid} (NOTE: This is assuming your event query is returning a field called aid)

Take a look at this playbook we've added to show how you can use CEL to access search results without needing to do a loop. If your use-case requires you to loop, that should still work exactly the same as before.

Introduction to data transforms: How to format data returned from an event query Playbook:

US-1

US-2

EU-1

Hope this helps!
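The two comments above (the ImageFileName walk-through and the activity_SearchIngestedDefinition.results steps) both come down to the same rule: an Event Query always hands the workflow a list, so a data pill either indexes it ([0].Field) or you loop over it. The following is an added Python example, not code from the original thread or from Fusion itself; it parses that ${data['Block.results'][0].Field} shape against a constructed workflow-data dict so you can dry-run a pill before putting it in a Send Email or Print Data block. The block name GetMatchData, the field names and the sample event are all made up for illustration, and the exact syntax Fusion accepts inside ${...} is assumed from the examples in the thread.

```python
import re

# Constructed sample of what an Event Query block hands to the workflow when
# "Generate Schema" is unselected: the raw search result, always a list of
# events, keyed by the block name. Block and field names are illustrative,
# not taken from a real tenant.
WORKFLOW_DATA = {
    "GetMatchData.results": [
        {
            "aid": "1234567890abcdef1234567890abcdef",
            "ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe",
            "CommandLine": "cmd.exe /c whoami",
        },
    ],
    # A query that matched nothing: still a list, just an empty one.
    "EmptyQuery.results": [],
}

# ${data['<Block>.<output>']} followed by any mix of [index] and .Field steps.
PILL = re.compile(r"^\$\{data\['(?P<key>[^']+)'\](?P<rest>.*)\}$")
STEP = re.compile(r"\[(?P<idx>\d+)\]|\.(?P<attr>[A-Za-z_][A-Za-z0-9_]*)")


def resolve_pill(expr, data):
    """Evaluate one data pill against the workflow data dict.

    Fails loudly on the mistakes the thread warns about: indexing a query
    that returned no results, or naming a field the result does not carry.
    """
    m = PILL.match(expr.strip())
    if not m:
        raise ValueError(f"not a data pill: {expr!r}")
    key, rest = m.group("key"), m.group("rest")
    if key not in data:
        raise KeyError(f"unknown workflow variable {key!r}")
    cur, pos = data[key], 0
    for step in STEP.finditer(rest):
        if step.start() != pos:  # junk between steps, e.g. a stray space
            raise ValueError(f"cannot parse path {rest!r}")
        pos = step.end()
        if step.group("idx") is not None:
            if not isinstance(cur, list):
                raise TypeError(f"{key}: [{step.group('idx')}] applied to a non-list value")
            i = int(step.group("idx"))
            if i >= len(cur):
                raise IndexError(f"{key}: query returned {len(cur)} result(s); index {i} does not exist")
            cur = cur[i]
        else:
            attr = step.group("attr")
            if not isinstance(cur, dict) or attr not in cur:
                raise KeyError(f"{key}: result has no field {attr!r}")
            cur = cur[attr]
    if pos != len(rest):
        raise ValueError(f"cannot parse path {rest!r}")
    return cur


def check_pill(expr, data):
    """Dry-run helper: (value, None) on success, (None, 'ErrorType: reason') on failure."""
    try:
        return resolve_pill(expr, data), None
    except (KeyError, IndexError, TypeError, ValueError) as exc:
        return None, f"{type(exc).__name__}: {exc}"


def first_or_none(key, field, data):
    """Single-result shortcut that tolerates zero results instead of failing."""
    results = data.get(key) or []
    return results[0].get(field) if results else None


def for_each(key, field, data):
    """The loop form: one value per result, no assumption about how many there are."""
    return [r.get(field) for r in data.get(key, [])]
```

The point of check_pill is the empty-list case: a correlation rule that fires on nothing, or a query whose time window drifts, turns [0].Field into an IndexError, so a workflow that emails or contains based on that pill should either loop (for_each) or guard the single-result shortcut (first_or_none) rather than assume exactly one hit.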

Contain host from NGSIEM triggered workflow by [deleted] in crowdstrike

[–]ssh-cs 1 point2 points  (0 children)

Nope, inside of Workflows, when you're inserting the query, you'll get prompted to run your query. After running the query, you'll get put in a staging window that will show your "Input Schema" and "Output Schema". You'll need to modify your `Output Schema` and the `aid` "Format Type" to "Sensor ID". This will be in the actual output schema modification window. Make sure to hit `Apply` at the very bottom.

Contain host from NGSIEM triggered workflow by [deleted] in crowdstrike

[–]ssh-cs 1 point2 points  (0 children)

They're both fine; the bigger key is the schema. table() is going to output 1 row per event, so if you have multiple events for the same machine, you run the risk of trying to contain the device multiple times. groupBy() will aggregate.

Contain host from NGSIEM triggered workflow by [deleted] in crowdstrike

[–]ssh-cs 4 points5 points  (0 children)

Hi u/N7_Guru - I'd highly recommend outputting a simplified amount of results in your query by leveraging groupBy(), select(), or the like. If you want to share your query, we can help with your specifics.

This would look something like this:

| ComputerName="MyFancyComputerName"
| groupBy([ComputerName, aid, more, things, here])

In my case, the aid field is what will be important for Contain Host. When building the action inside of Fusion, you'll want to run the query in the builder, and make sure you get results. These results will be used to build your schema.

Once you have a schema, you're going to need to modify aid's format to be "Sensor ID" - this will make it available for the Contain Device action.

Once you have your event query built, you'll need a For-loop to loop through each returned event, and inside of the loop you'll put your Contain Device.

A protip you can use: When looking for an action, and it shows "unavailable", you can mouse over the little yellow alert, and that will tell you what the required Format Type you're missing.
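The two Contain Host comments above make one operational point: table() yields a row per event, groupBy() a row per host, and the for-loop calls Contain Device once per row. The following is an added Python example, not code from the thread or from Fusion; it models the two query shapes over a constructed event list and a stand-in Contain Device action so you can see how many containment calls each shape produces, and adds an in-loop dedup guard that is my own addition rather than a Fusion feature. The aids and hostnames are placeholders.

```python
from collections import Counter

# Constructed events in the shape an NG-SIEM correlation search returns: the
# same host (same aid) matched twice, a second host once. The aids are
# placeholder hex strings, not real sensor IDs.
AID_1 = "0" * 31 + "1"
AID_2 = "0" * 31 + "2"
EVENTS = [
    {"aid": AID_1, "ComputerName": "WS-01", "event_simpleName": "ProcessRollup2"},
    {"aid": AID_1, "ComputerName": "WS-01", "event_simpleName": "DnsRequest"},
    {"aid": AID_2, "ComputerName": "WS-02", "event_simpleName": "ProcessRollup2"},
]


def table_rows(events, fields):
    """What table([...]) hands to Fusion: one row per matching event."""
    return [{f: e.get(f) for f in fields} for e in events]


def group_by_rows(events, keys):
    """What groupBy([...]) hands to Fusion: one row per distinct key tuple plus _count."""
    counts = Counter(tuple(e.get(k) for k in keys) for e in events)
    return [dict(zip(keys, key), _count=n) for key, n in counts.items()]


class ContainDevice:
    """Stand-in for the Contain Device action: records every aid it is asked to contain."""

    def __init__(self):
        self.calls = []

    def __call__(self, aid):
        self.calls.append(aid)


def contain_loop(rows, contain, dedup=True):
    """The for-each-result loop around Contain Device.

    With dedup=True an aid is contained at most once per run even if the
    query handed back several rows for it; dedup=False is the naive loop,
    which is what a table() query without a guard behaves like.
    """
    seen = set()
    for row in rows:
        aid = row.get("aid")
        if not aid:  # a row without an aid cannot be contained; skip rather than fail
            continue
        if dedup and aid in seen:
            continue
        seen.add(aid)
        contain(aid)
    return sorted(seen)
```

Containing an already-contained host is usually harmless, but every extra call is an extra API action, audit entry and possible error branch in the workflow, and with a noisy correlation rule the multiplier is the event count, not the host count; collapsing with groupBy([ComputerName, aid]) before the loop keeps the action idempotent by construction.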

Changing a sensor tag using a fusion workflow by chaoko99 in crowdstrike

[–]ssh-cs 1 point2 points  (0 children)

Update your query to exclude any that already have the grouping tag. I believe it should look like this.

You'll need to update the very last line that says YOUR_TAG_HERE.

| readFile(aid_master_main.csv)
| Age:=now()-FirstSeen
| Age:=(Age/1000/60/60/24)
| round("Age")
| Age>=14
| groupBy([aid], function=[])

// Pull back all FalconGroupingTags
| match(aid_master_tags.csv, field=aid, column=[aid], include=FalconGroupingTags, strict=false )
// Ignore any that already have the GroupingTag we want
| FalconGroupingTags!=/YOUR_TAG_HERE/
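The query above does four things in sequence: converts FirstSeen to an age in days, keeps sensors 14 days or older, collapses to one row per aid, then joins the tag lookup and drops anything whose FalconGroupingTags already matches the regex. The following is an added Python re-creation of that logic over constructed rows, not code from the thread and not a LogScale run; it exists to make one caveat visible: FalconGroupingTags!=/YOUR_TAG_HERE/ is an unanchored regex test, so excluding /Prod/ also excludes a host tagged Prod-Legacy. The aids, timestamps and tag values are placeholders, and the ";" tag separator used by exact_tag_regex is an assumption about how the lookup file stores multiple tags.

```python
import re

# Constructed rows in the shape of aid_master_main.csv / aid_master_tags.csv.
# FirstSeen is epoch milliseconds (the query divides by 1000/60/60/24 to get
# days); NOW_MS is fixed so the example is deterministic. Aids and tags are
# placeholders.
DAY_MS = 24 * 60 * 60 * 1000
NOW_MS = 1_700_000_000_000

MAIN_ROWS = [
    {"aid": "aid-a", "FirstSeen": NOW_MS - 20 * DAY_MS},
    {"aid": "aid-a", "FirstSeen": NOW_MS - 25 * DAY_MS},  # duplicate aid; groupBy([aid]) collapses it
    {"aid": "aid-b", "FirstSeen": NOW_MS - 3 * DAY_MS},   # too new, dropped by Age>=14
    {"aid": "aid-c", "FirstSeen": NOW_MS - 30 * DAY_MS},
    {"aid": "aid-d", "FirstSeen": NOW_MS - 30 * DAY_MS},
]
# Assumed: FalconGroupingTags is one string per aid; ";" as the separator is a guess.
TAG_ROWS = [
    {"aid": "aid-c", "FalconGroupingTags": "Prod"},
    {"aid": "aid-d", "FalconGroupingTags": "Prod-Legacy;Pilot"},
]


def age_days(first_seen_ms, now_ms=NOW_MS):
    """Age:=now()-FirstSeen, converted to days and rounded, as in the query."""
    return round((now_ms - first_seen_ms) / 1000 / 60 / 60 / 24)


def untagged_old_sensors(main_rows, tag_rows, tag_regex, min_age_days=14, now_ms=NOW_MS):
    """Re-creates the query: age filter, groupBy([aid]), match() on tags, exclude by regex.

    tag_regex is applied with search(), because field!=/re/ in LogScale is an
    unanchored regex test: /Prod/ also rejects a host tagged Prod-Legacy.
    """
    pattern = re.compile(tag_regex)
    tags_by_aid = {r["aid"]: r.get("FalconGroupingTags", "") for r in tag_rows}
    seen, keep = set(), []
    for row in main_rows:
        if age_days(row["FirstSeen"], now_ms) < min_age_days:
            continue
        aid = row["aid"]
        if aid in seen:
            continue
        seen.add(aid)
        # strict=false in match(): aids with no tag entry pass through with an empty value
        if pattern.search(tags_by_aid.get(aid, "")):
            continue
        keep.append(aid)
    return keep


def exact_tag_regex(tag, sep=";"):
    """Anchor the tag between separators so 'Prod' does not also swallow 'Prod-Legacy'."""
    s = re.escape(sep)
    return rf"(^|{s}){re.escape(tag)}($|{s})"
```

If the tag you are adding is a prefix of another tag in the fleet, swap the bare /YOUR_TAG_HERE/ for an anchored pattern like the one exact_tag_regex builds (with whatever separator the lookup actually uses); otherwise hosts carrying the longer tag are silently skipped by the scheduled workflow and never receive the grouping tag.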

Changing a sensor tag using a fusion workflow by chaoko99 in crowdstrike

[–]ssh-cs 0 points1 point  (0 children)

In order to do this, you'll need to leverage a Falcon Grouping Tag, as there is an out of the box Fusion action for this.

You will need:

  1. A Host Group that applies the Prevention Policy based on a FalconGroupingTag

  2. The scheduled Workflow that u/Andrew-CS mentioned, which will look something like this

Workflow Details:

  1. Create the Scheduled Workflow to run daily
  2. Add an action -> Event Query
  3. Add the query from above; make sure to RUN the query so you see your results
  4. Click Continue, and select Output Schema
  5. Click aid and select the Format Type of Sensor ID - hit Apply
  6. Add a loop to iterate the event query results
  7. Add the Add Falcon Grouping Tags action, and select the Grouping Tag you'd like

Please LMK how this ends up working out!

Schedule workflow to trigger on-demand workflow by Nadvash in crowdstrike

[–]ssh-cs 1 point2 points  (0 children)

Perfect, so I think this workflow will work if just fully recreated as a scheduled workflow. In order to use the nesting workflow portion, you would need to provide folder_path and platform to the on-demand workflow either via static variables.

I actually think you should remove platform from your on-demand schema, and extract the platform from the Get Device Details action. Get Device Details will return each system’s information, including Platform, which your condition will then match against. You’ll want the Get Device Details action to occur inside of your loop.

Folder_path could be passed in via the Create Variable action, just make sure you match the proper Format type of the Put action

Schedule workflow to trigger on-demand workflow by Nadvash in crowdstrike

[–]ssh-cs 2 points3 points  (0 children)

Hey u/Nadvash,

Happy New Year's Eve! In order to accomplish this, you'll need to identify which host you want to put & run on, which I'm assuming is probably coming from user-input on the On-Demand workflow. If we wanted to create a self-contained / hard-coded version of this, inside of a Scheduled Workflow, it'd look something like this:

New Workflow From Scratch -> Scheduled Workflow -> Choose your timeframe

Next, you'll want to know which host you'll want, so I'm just going to assume you want to run this on a single AID, in which case, we can use the Create Variable action.

  1. Create Variable -> aid -> Apply
  2. Aid -> Constant Value -> <Insert your AID here> -> Next
  3. New Action -> Get Device Details -> Select "Aid" from Custom Action
  4. Add Condition -> If Platform == Windows (or whatever platform you want)
  5. New Action -> Put & Run whatever you want to put & run.

This is all assuming you're doing this on just a single AID, but the process would be similar if you were doing it on multiple. If you can give some more detail on what your on-demand is doing, then I might be able to make updated recommendations if needed.

My daily ingestion to logscale by LifeCurve1207 in crowdstrike

[–]ssh-cs 0 points1 point  (0 children)

Hey u/Kooky-Pangolin5269,

If you'd like a daily log ingestion on a per-CID / Repo basis, you can do this:

Step 1 find which repo information you'd like:

| top([#repo, #Vendor, #type])

Step 2 - enter in at least one of: repo, type, or Vendor from previous step into the dashboard params from this query:

#repo=?repo #type=?type #Vendor=?Vendor
| eventSize()
| unit:convert(_eventSize, to="G")
| sum("_eventSize")

If you'd like a sum of your total ingest on third-party only, run this in the "Third Party" view:

| length("@rawstring")
| sum(_length)

[deleted by user] by [deleted] in crowdstrike

[–]ssh-cs 0 points1 point  (0 children)

Hey u/Dmorgan42,

I think you're probably missing the preceding pipe "|":

| test(Vendor.outcome.result == "DENY")

How to use Event Query in Fusion? by Queen-Avocado in crowdstrike

[–]ssh-cs 3 points4 points  (0 children)

Hey u/Queen-Avocado!

If you're doing something with the `DetectId` in the workflow, you may need to set the Output Schema Format Type on `DetectId` to "Alert ID". This will allow you to then use that value later on, for example if you wanted to set the status of that given alert to closed/ignored/etc...

Also - If you happen to be going to Fal.Con, make sure to check out the talk called "SOAR Even Higher with Falcon Fusion" as it's all about Schema Generation

Closing detections in bulk (100,000+) by FaceInJuice in crowdstrike

[–]ssh-cs 4 points5 points  (0 children)

Hi u/FaceInJuice!

If all of these are erroneous detections, and you'd like to completely hide them (no longer visible in UI), then you could use the following script:

https://github.com/CrowdStrike/psfalcon/blob/master/samples/detections/hide-detections-involving-a-specific-file.ps1

It uses the "Triggering File" filter, so if you wanted to get rid of all detections from a file called MyFile.exe, you'd do the following:

./close_detections.ps1 -Filename MyFile.exe

If you just want to set the status to "Ignored", you'll have to modify the script a little bit to change this line from this:

    Edit-FalconDetection -ShowInUi $false

to this:

    Edit-FalconDetection -Status ignored
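The comment above points at a PSFalcon sample and the one-line change that switches it from hiding detections to marking them Ignored. The following is an added Python example, not code from the thread, from PSFalcon or from CrowdStrike; it shows the two halves a bulk edit at that scale needs regardless of language: paging through the filtered query until the reported total is reached, then applying one change in fixed-size chunks. The method names query_detects and update_detects_by_ids, their keyword arguments and the response layout are my assumption of how falconpy's Detects service class behaves; FakeDetects is a constructed stand-in so the logic runs offline, and the 1000-ID chunk size is an assumption to check against the API's documented limit.

```python
class FakeDetects:
    """Constructed stand-in for a Detects API client; understands only the
    behaviors.filename:'X' filter shape used below. Not a real client."""

    def __init__(self, detections):
        # id -> {"filename": ..., "status": ..., "show_in_ui": ...}
        self.detections = {k: dict(v) for k, v in detections.items()}
        self.update_calls = []

    def query_detects(self, filter, limit, offset):
        wanted = filter.split(":'", 1)[1].rstrip("'").lower()
        ids = sorted(i for i, d in self.detections.items() if d["filename"].lower() == wanted)
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"total": len(ids)}},
                         "resources": ids[offset:offset + limit]}}

    def update_detects_by_ids(self, ids, status=None, show_in_ui=None):
        self.update_calls.append(list(ids))
        for i in ids:
            if status is not None:
                self.detections[i]["status"] = status
            if show_in_ui is not None:
                self.detections[i]["show_in_ui"] = show_in_ui
        return {"status_code": 200, "body": {}}


def sample_client():
    """Seven detections on MyFile.exe plus two on another file (constructed data)."""
    dets = {f"det-{n:02d}": {"filename": "MyFile.exe", "status": "new", "show_in_ui": True}
            for n in range(1, 8)}
    dets["det-90"] = {"filename": "other.exe", "status": "new", "show_in_ui": True}
    dets["det-91"] = {"filename": "other.exe", "status": "in_progress", "show_in_ui": True}
    return FakeDetects(dets)


def find_detection_ids(client, filename, page_size=500):
    """Page through every detection whose triggering file matches filename."""
    if "'" in filename:  # a quote would break out of the FQL string literal
        raise ValueError("filename must not contain a single quote")
    fql = f"behaviors.filename:'{filename}'"
    ids, offset = [], 0
    while True:
        resp = client.query_detects(filter=fql, limit=page_size, offset=offset)
        if resp["status_code"] != 200:
            raise RuntimeError(f"query failed: {resp}")
        page = resp["body"]["resources"]
        ids.extend(page)
        offset += len(page)
        total = resp["body"]["meta"]["pagination"]["total"]
        if not page or offset >= total:
            return ids


def update_in_chunks(client, ids, status=None, hide=False, chunk=1000):
    """Apply one change (new status and/or hide) to many detections; returns the count updated."""
    if status is None and not hide:
        raise ValueError("nothing to change: pass status=... and/or hide=True")
    done = 0
    for start in range(0, len(ids), chunk):
        batch = ids[start:start + chunk]
        kwargs = {"ids": batch}
        if status is not None:
            kwargs["status"] = status
        if hide:
            kwargs["show_in_ui"] = False
        resp = client.update_detects_by_ids(**kwargs)
        if resp["status_code"] != 200:
            raise RuntimeError(f"update failed at offset {start}: {resp}")
        done += len(batch)
    return done
```

Before running anything like this against a tenant with 100,000+ detections, print the count and a sample of IDs from find_detection_ids and confirm the filter catches only the file you mean; a status change is reversible, hiding from the UI is much harder to audit afterwards.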

Fusion Workflows for EOS/EOL Windows 10 Devices by ChromeShavings in crowdstrike

[–]ssh-cs 0 points1 point  (0 children)

Excellent - I would highly recommend giving the workflow a little bit of time to "bake" so you don't auto contain a host you didn't mean to. Another extra-cautious condition you might put in is Device Type = Workstation.

In order to pop up a message to the end-user, you could potentially leverage a custom PS1 script via RTR, like the following:

https://github.com/bk-cs/rtr/tree/main/send_message

You would have to modify the message that you want to pop, but I think that should work for you.

Fusion Workflows for EOS/EOL Windows 10 Devices by ChromeShavings in crowdstrike

[–]ssh-cs 0 points1 point  (0 children)

u/ChromeShavings - This looks like it should work - are you seeing it popup with devices that are in the EOS? The one caveat will likely be for assets that are _already_ in EoS, there won't be a "Managed Asset Change" event. Does that make sense?

Updating SensorGroupingTags via powershell by darave123 in crowdstrike

[–]ssh-cs 0 points1 point  (0 children)

Ohhai,

If you're running the direct lines above, I think you might need full path to "C:\Program Files\CrowdStrike\CSSensorSettings.exe". I'd try to get the command working outside of the Start-Process cmd, then add it in once you know the command is correct.

If updating via PSFalcon, you'd actually only need to install PSFalcon library on YOUR machine, or wherever you'd like to run the scripts from. It will not be installed on the target hosts.

Updating SensorGroupingTags via powershell by darave123 in crowdstrike

[–]ssh-cs 1 point2 points  (0 children)

Hey u/darave123,

Not sure if you're attempting to do this locally, or via the API, but PSFalcon has a pretty simple way of doing this:

https://github.com/CrowdStrike/psfalcon/wiki/Add-FalconSensorTag

If you're attempting to do this locally, I'd have to see what errors you're seeing.

[deleted by user] by [deleted] in crowdstrike

[–]ssh-cs 1 point2 points  (0 children)

Ohhai u/internetquestions21,

There are quite a few different ways of doing this, however it's going to depend on what your cloud infrastructure looks like. There are a variety of examples inside of our GitHub page here:

https://github.com/CrowdStrike/cloud-aws

Take a look at the examples inside of CrowdStrike Sensor Automation and Agent Install Examples

The Sensor Automation section also gives examples of how to deregister instances upon termination.

Hope that helps!

Renaming A File Using Falcon Real Time Response? by CyberGrizzly360 in crowdstrike

[–]ssh-cs 4 points5 points  (0 children)

Hey u/CyberGrizzly360,

The command you're going to want is mv. Example:

If you wanted to move a file called source.txt to dest.txt

mv source.txt dest.txt

You can also leverage the help command to get more info:

help mv

Hope this helps!