
How to Leverage Scheduled Searches

November 8, 2021

CrowdStrike Tech Center

Introduction

Falcon Insight provides customers with extensive visibility into the events taking place on endpoints and workloads. While triggered detections are an important part of endpoint security, CrowdStrike also provides the ability to search the raw event data. In addition, scheduled searches can be used to automate the recurrence of those searches and trigger various notifications.


Detailed Event Searches

From the main menu, the “Event Search” is available under the “Investigate” app. Based on the Splunk query language, customers can hunt for events based on any number of attributes including host, file, process, application and user.

[Screenshot: scheduled search menu]

This sample query hunts for the use of different reconnaissance tools run by the local system account. After selecting the time range, the search returns zero results for the past 24 hours. With scheduled searches, this query can be configured to run regularly so that any future matching events are identified.

[Screenshot: scheduled search recon results]
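The page does not show the query behind the screenshot, so the following is an added illustration (not CrowdStrike's own query) of a hunt of this kind in Falcon Event Search. It assumes the standard Windows process-execution event (ProcessRollup2) with its usual fields, treats the SID S-1-5-18 as the local SYSTEM account, and uses an illustrative list of built-in Windows utilities that are commonly seen in discovery activity; the list is an assumption to be tuned per environment.

```spl
event_platform=Win event_simpleName=ProcessRollup2 UserSid="S-1-5-18"
    (FileName="whoami.exe" OR FileName="net.exe" OR FileName="net1.exe"
     OR FileName="nltest.exe" OR FileName="systeminfo.exe"
     OR FileName="quser.exe" OR FileName="tasklist.exe")
| stats count
        min(_time) AS FirstSeen
        max(_time) AS LastSeen
        values(CommandLine) AS CommandLines
        BY ComputerName FileName ParentBaseFileName
| convert ctime(FirstSeen) ctime(LastSeen)
| sort -count
```

Grouping by parent process makes benign sources (management agents or scheduled scripts running as SYSTEM) easy to spot and exclude, which keeps a scheduled run of this search from emailing on routine noise.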

Creating Scheduled Searches

To save a search, the first step is to enter a name and description.

[Screenshot: scheduled search details]

The following prompts set the frequency along with a start and stop date for the query.

[Screenshot: scheduled search timing]

CrowdStrike also provides the ability to trigger notifications based on the results of the scheduled search. In this case, an email will be sent to the analyst. The options below can be used to configure whether the email is sent each time the query runs or only when it yields results.

[Screenshot: scheduled search email]

Finally, there is an option to add further notifications, or to select “Schedule search” to save the search.

[Screenshot: scheduled searches save]

Managing Scheduled Searches

After saving, the list of all scheduled searches is presented including management features and the option to create additional scheduled searches.

[Screenshot: scheduled search listing]

This page is also available from the main Falcon menu under “Investigate”. The Results/Searches column summarizes how each query has performed to date.

[Screenshot: scheduled search results]

The menu includes options to edit, deactivate and delete searches. “See history” will present a list of the results to date including a download function.

[Screenshot: scheduled search log]

Other Notification Options

In addition to email, there are other notification options available, including Slack messages, Teams messages and PagerDuty notifications. Each saved search can also have multiple notifications as needed. Queries that are likely to yield more results are potentially good use cases for the webhook notification. Webhooks are a simple way to send near real-time data from the Falcon platform to third-party applications such as a SIEM. There is also the option to schedule a search without configuring a notification. Even without triggering an email or message, the search will run and the results will be available for reference as needed.

[Screenshot: scheduled searches notification options]

Closing

CrowdStrike’s Falcon Insight provides unparalleled EDR visibility along with the flexibility to query that event data. With scheduled searches, those queries can be automated with the option to configure a variety of workflows and notifications to best meet the needs of busy security analysts.
