crowdstrike.falcon.ngsiem_search module – Execute searches against CrowdStrike Next-Gen SIEM repositories

Note

This module is part of the crowdstrike.falcon collection (version 4.9.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install crowdstrike.falcon. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: crowdstrike.falcon.ngsiem_search.

New in crowdstrike.falcon 4.10.0

Synopsis

  • Execute CQL (CrowdStrike Query Language) searches against Next-Gen SIEM repositories.

  • Provides asynchronous job-based searching with automatic polling for results.

  • Can correlate network connections with process data for incident response.

  • Supports all available repositories including search-all, investigate_view, and others.

  • Jobs automatically timeout after 90 seconds of inactivity to prevent resource waste.

Requirements

The below requirements are needed on the host that executes this module.

  • NGSIEM [READ, WRITE] API scope

  • crowdstrike-falconpy >= 1.3.0

  • python >= 3.6

Parameters

Parameter

Comments

arguments

dictionary

Dictionary of arguments for variables specified in queries with ?param syntax.

Values must be simple strings.

Explicit values in query like ?param=value override values provided here.

auth

dictionary

The registered result of the crowdstrike.falcon.auth module, or a dictionary containing the access_token and cloud keys.

If provided, the client_id, client_secret, member_cid, and cloud options are ignored.

Useful when needing to make multiple API calls to avoid rate limiting issues.

access_token

string

The OAuth2 access token to use for authentication.

cloud

string

The CrowdStrike cloud region to use.

This can differ from the module’s cloud argument due to autodiscovery.

client_id

aliases: falcon_client_id

string

The CrowdStrike API client ID to use.

See the Falcon documentation for more information about API clients.

The FALCON_CLIENT_ID environment variable can also be used.

client_secret

aliases: falcon_client_secret

string

The CrowdStrike API secret that corresponds to the client ID.

See the Falcon documentation for more information about API clients.

The FALCON_CLIENT_SECRET environment variable can also be used.

cloud

string

The CrowdStrike cloud region to use.

All clouds are automatically discovered if not specified, except for the us-gov-1 cloud.

The FALCON_CLOUD environment variable can also be used.

Choices:

  • "us-1" ← (default)

  • "us-2"

  • "us-gov-1"

  • "eu-1"

end

string

Ending point for search results based on event timestamp.

Can use relative time like now, 1h ago, or absolute timestamps.

If start is provided, end must be greater than or equal to start.

ext_headers

dictionary

Extended headers that are prepended to the default headers dictionary.

member_cid

string

The CrowdStrike member CID for MSSP authentication.

See the Falcon documentation for more information about API clients.

The FALCON_MEMBER_CID environment variable can also be used.

poll_interval

integer

Interval in seconds between status checks while waiting for results.

Must be at least 5 seconds to avoid rate limiting.

Should not exceed 90 seconds to prevent job timeout.

Default: 10

query_string

string / required

The CQL query to execute against the repository.

Use CrowdStrike Query Language syntax for filtering and correlation.

Double quotes and backslashes must be escaped in the query string.

Can include variables using ?param syntax when used with arguments.

repository

string

The repository to search against.

search-all searches all event data from CrowdStrike and third-party sources.

investigate_view searches endpoint event data and sensor events (requires Falcon Insight XDR).

third-party searches event data from third-party sources (requires Falcon LogScale).

falcon_for_it_view searches data collected by Falcon for IT module (requires Falcon for IT).

forensics_view searches triage data from Falcon Forensics module (requires Falcon Forensics).

Choices:

  • "search-all" ← (default)

  • "investigate_view"

  • "third-party"

  • "falcon_for_it_view"

  • "forensics_view"

start

string

Starting point for search results based on event timestamp.

Can use relative time like 1d, 24h, or absolute timestamps.

If end is provided, start must be less than or equal to end.

timeout

integer

Maximum time in seconds to wait for query completion.

Query will be canceled if it exceeds this timeout.

Set to 0 to disable timeout (use with caution for long-running queries).

Default: 300

user_agent

string

Custom User-Agent string to use for requests to the API.

The user agent string is prepended to the default user agent string (crowdstrike-ansible/<version>).

See RFC 7231 for more information.

The FALCON_USER_AGENT environment variable can also be used.

Examples

- name: Search for all logs from a specific agent ID in the last 24 hours
  crowdstrike.falcon.ngsiem_search:
    query_string: "aid=abc123"
    start: "1d"
    end: "now"

- name: Find processes that initiated connections to a specific IP
  crowdstrike.falcon.ngsiem_search:
    repository: "investigate_view"
    query_string: |
      #event_simpleName=ProcessRollup2 ImageFileName=?process_name
      | join({{ '{' }}#event_simpleName=NetworkConnectIP4{{ '}' }},
             key=ContextProcessId, field=TargetProcessId,
             include=[RemoteAddressIP4, RemotePort])
      | table([ImageFileName, CommandLine, ParentProcessId, RemoteAddressIP4, RemotePort])
    arguments:
      process_name: "*"
    start: "24h"

- name: Search for network connections between specific IPs
  crowdstrike.falcon.ngsiem_search:
    query_string: |
      #event_simpleName=NetworkConnectIP4 LocalAddressIP4=?source_ip RemoteAddressIP4=?dest_ip
      | table([ImageFileName, CommandLine, LocalAddressIP4, RemoteAddressIP4, RemotePort])
    arguments:
      source_ip: "10.1.1.100"
      dest_ip: "192.168.1.50"
    timeout: 600

- name: Find authentication events in the last hour
  crowdstrike.falcon.ngsiem_search:
    repository: "search-all"
    query_string: |
      #event_simpleName=UserLogon
      | head(25)
      | table([ComputerName, UserName, LogonType, aid])
    start: "1h"
    poll_interval: 5

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

cancelled

boolean

Whether the query was cancelled before completion.

Returned: always

Sample: false

done

boolean

Whether the query completed successfully.

Returned: always

Sample: true

events

list / elements=dictionary

List of events found by the search query.

Returned: success

Sample: [{"ImageSubsystem": "2", "UserName": "USER3", "aid": "abc123", "name": "ProcessRollup2V19", "timestamp": "1736264422005"}]

execution_time

float

Time taken to execute the query in seconds.

Returned: success

Sample: 45.2

query_job_id

string

The ID of the executed query job.

Returned: always

Sample: "P22-xxxx23Nw"

total_events

integer

Total number of events returned by the search.

Returned: success

Sample: 1247

Authors

  • Carlos Matos (@carlosmmatos)