Scope of the Alerts API: EDR or SIEM?
#1268
Replies: 2 comments
-
We are currently integrating with CrowdStrike using the Alerts API through falconpy to ingest and analyse alerts in our systems. We are wondering whether the source for the alerts through this API is scoped to the CrowdStrike EDR (i.e. only Falcon alerts?) or whether it is scoped to the entire "next-gen SIEM". Any thoughts?
Cheers
-
Further digging: this documentation suggests I should be able to find alerts with product
-
Hi @antoinemzs thanks for the question! As you've mentioned, a call to As far as generating these events, my suggestion would be to use a correlation rule to generate some detections from a search. This process is documented here. Once the rules are set up and you see them in the UI under the NGSIEM detections dashboard, the corresponding events will also be in the API for your usage. Let us know with any questions!
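One way to answer the scoping question empirically, as an added example that is not part of this discussion or of the falconpy project: pull recent alert records through the falconpy `Alerts` service class and tally them by their `product` field, so that EDR-sourced and NGSIEM-sourced alerts can be told apart. It assumes the `query_alerts_v2` / `get_alerts_v2` methods and credentials in the `FALCON_CLIENT_ID` / `FALCON_CLIENT_SECRET` environment variables; the sample records and their product values are constructed.

```python
"""Tally Falcon alerts by their `product` field via the falconpy Alerts API."""
import os
from collections import Counter
from typing import Iterable


def tally_by_product(alerts: Iterable[dict]) -> dict:
    """Count alert records by `product`, using "unknown" when the field is absent."""
    return dict(Counter(a.get("product", "unknown") for a in alerts))


def fetch_recent_alerts(limit: int = 500) -> list:
    """Fetch the most recent alert detail records (needs network and credentials).

    Assumes falconpy's Alerts.query_alerts_v2 / get_alerts_v2 signatures.
    """
    from falconpy import Alerts  # imported lazily so the tally still runs offline

    falcon = Alerts(client_id=os.environ["FALCON_CLIENT_ID"],
                    client_secret=os.environ["FALCON_CLIENT_SECRET"])
    ids = falcon.query_alerts_v2(limit=limit, sort="created_timestamp|desc")
    if ids["status_code"] != 200:
        raise RuntimeError(f"query failed: {ids['body'].get('errors')}")
    composite_ids = ids["body"]["resources"]
    if not composite_ids:
        return []
    details = falcon.get_alerts_v2(composite_ids=composite_ids)
    if details["status_code"] != 200:
        raise RuntimeError(f"fetch failed: {details['body'].get('errors')}")
    return details["body"]["resources"]


# Constructed sample records standing in for API output when run offline.
SAMPLE_ALERTS = [
    {"composite_id": "sample-1", "product": "epp", "severity": 50},
    {"composite_id": "sample-2", "product": "epp", "severity": 70},
    {"composite_id": "sample-3", "product": "ngsiem", "severity": 30},
    {"composite_id": "sample-4", "severity": 10},  # no product field
]

if __name__ == "__main__":
    try:
        records = fetch_recent_alerts()
    except (KeyError, ImportError, RuntimeError):
        records = SAMPLE_ALERTS  # fall back to the constructed sample
    for product, count in sorted(tally_by_product(records).items()):
        print(f"{product:>10}: {count}")
```

If the tally only ever shows one product value, the alerts reaching this API are coming from a single source; the maintainer's reply above explains how to get NGSIEM correlation-rule detections to appear alongside them.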