crowdstrike_cql
Calculate Next-Gen SIEM Ingestion Total
Calculates total NG-SIEM ingest by each Vendor (connector).
Can be altered to trim to a single vendor and assist in locating areas of large ingestion usage, such as singular firewall policies. See [this](https://www.reddit.com/r/crowdstrike/comments/1nhuu6g/mediocre_query_monday_calculating_ngsiem/) post for more information about doing this.
No modules are required, but the NG-SIEM module is what facilitates the need for this query.
EDR/Endpoint/CrowdStrike native log sources are not included in this, as those are not counted against NG-SIEM ingest from a pricing perspective.
Detection Query
// Exclude EDR logs, since these are in-platform and don't count against NG-SIEM ingest
#Vendor != "crowdstrike"
// Add up our fields that are counted for ingest (not 100% accurate, but very close to it)
| total_event := concat([@timestamp, @rawstring, #event.dataset, #event.module])
| length(field=total_event, as=event_size)
// Get our results by Vendor and translate to MB and GB
| groupBy([#Vendor], function=[sum(event_size, as=SizeBytes)], limit=max)
| SizeMB:=unit:convert("SizeBytes", binary=true, from=B, to=M, keepUnit=true)
| SizeGB:=unit:convert("SizeBytes", binary=true, from=B, to=G, keepUnit=true)
// Sort
| sort(SizeBytes, limit=200)
// Total for all vendors (uncomment for this)
//| sum(SizeBytes, as=SizeBytes)
//| SizeMB:=unit:convert("SizeBytes", binary=true, from=B, to=M, keepUnit=true)
//| SizeGB:=unit:convert("SizeBytes", binary=true, from=B, to=G, keepUnit=true)
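To see what the query actually measures, and to sanity-check its output against a known input, the following Python model applies the same steps (drop `crowdstrike` events, concatenate the four counted fields, take the length, sum per vendor, sort, convert with binary units) to a handful of constructed sample events. It is an added example, not code from the crowdstrike_cql repository or from the query's author; it assumes events are dicts keyed by the CQL field names, that character length is an acceptable stand-in for the query's `length()` estimate, and it uses `#event.dataset` as an illustrative drill-down key for the "trim to a single vendor" variant (the page does not name a specific field for that).

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). Keys mirror the fields the
# CQL query concatenates, plus #Vendor, which it groups by. ljust() pads the
# payloads to exact lengths so the expected totals are easy to verify by hand.
SAMPLE_EVENTS = [
    {"#Vendor": "paloalto", "@timestamp": "2024-05-01T10:00:00.000Z",
     "@rawstring": "TRAFFIC,allow,policy=Allow-Web".ljust(400, "x"),
     "#event.dataset": "panw.traffic", "#event.module": "panw"},
    {"#Vendor": "paloalto", "@timestamp": "2024-05-01T10:00:01.000Z",
     "@rawstring": "TRAFFIC,allow,policy=Allow-Web".ljust(380, "x"),
     "#event.dataset": "panw.traffic", "#event.module": "panw"},
    {"#Vendor": "paloalto", "@timestamp": "2024-05-01T10:00:02.000Z",
     "@rawstring": "THREAT,alert,policy=Block-Malware".ljust(120, "x"),
     "#event.dataset": "panw.threat", "#event.module": "panw"},
    {"#Vendor": "okta", "@timestamp": "2024-05-01T10:00:03.000Z",
     "@rawstring": '{"eventType":"user.session.start"}'.ljust(250, "x"),
     "#event.dataset": "okta.system", "#event.module": "okta"},
    # EDR/native event: the query drops these with #Vendor != "crowdstrike".
    {"#Vendor": "crowdstrike", "@timestamp": "2024-05-01T10:00:04.000Z",
     "@rawstring": "ProcessRollup2".ljust(900, "z"),
     "#event.dataset": "edr", "#event.module": "falcon"},
]

# The fields the query feeds to concat() before taking length().
COUNTED_FIELDS = ("@timestamp", "@rawstring", "#event.dataset", "#event.module")


def event_size(event):
    """Mirror `concat([...]) | length()`: length of the counted fields joined."""
    return len("".join(str(event.get(f, "")) for f in COUNTED_FIELDS))


def ingest_by_key(events, key="#Vendor", only_vendor=None,
                  exclude_vendor="crowdstrike", limit=200):
    """groupBy(key) with sum(event_size), sorted largest first (the query's sort()).

    only_vendor is the "trim to a single vendor" variant: restrict to one
    vendor and group by a secondary field to find where its volume comes from.
    """
    totals = defaultdict(int)
    for ev in events:
        vendor = ev.get("#Vendor")
        if vendor == exclude_vendor or (only_vendor and vendor != only_vendor):
            continue
        totals[ev.get(key, "unknown")] += event_size(ev)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return ranked if limit is None else ranked[:limit]


def to_units(size_bytes):
    """unit:convert(binary=true): 1 M = 1024**2 bytes, 1 G = 1024**3 bytes."""
    return {"SizeBytes": size_bytes,
            "SizeMB": size_bytes / 1024 ** 2,
            "SizeGB": size_bytes / 1024 ** 3}


def total_ingest(events, exclude_vendor="crowdstrike"):
    """The commented-out tail of the query: one grand total across vendors."""
    per_vendor = ingest_by_key(events, exclude_vendor=exclude_vendor, limit=None)
    return to_units(sum(size for _, size in per_vendor))


if __name__ == "__main__":
    for vendor, size in ingest_by_key(SAMPLE_EVENTS):
        print(vendor, to_units(size))
    print("paloalto by dataset:",
          ingest_by_key(SAMPLE_EVENTS, key="#event.dataset", only_vendor="paloalto"))
    print("total:", total_ingest(SAMPLE_EVENTS))
```

With the constructed events, the per-vendor ranking is paloalto (1019) then okta (289), the crowdstrike event never contributes, and the drill-down shows `panw.traffic` (860) dominating `panw.threat` (159) within paloalto, which is the kind of per-source breakdown the description recommends for spotting a single noisy policy or connector.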
Author
AAuraa
Data Sources
Network, Cloud, Other
Platforms
network, cloud
Tags
Monitoring
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Calculate Next-Gen SIEM Ingestion Total
# Description of what the query does and its purpose.
description: Calculates total NG-SIEM ingest by each Vendor (connector)
# The author or team that created the query.
author: AAuraa
# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
- Network
- Cloud
- Other
# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
- Monitoring
# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  // Exclude EDR logs, since these are in-platform and don't count against NG-SIEM ingest
  #Vendor != "crowdstrike"
  // Add up our fields that are counted for ingest (not 100% accurate, but very close to it)
  | total_event := concat([@timestamp, @rawstring, #event.dataset, #event.module])
  | length(field=total_event, as=event_size)
  // Get our results by Vendor and translate to MB and GB
  | groupBy([#Vendor], function=[sum(event_size, as=SizeBytes)], limit=max)
  | SizeMB:=unit:convert("SizeBytes", binary=true, from=B, to=M, keepUnit=true)
  | SizeGB:=unit:convert("SizeBytes", binary=true, from=B, to=G, keepUnit=true)
  // Sort
  | sort(SizeBytes, limit=200)
  // Total for all vendors (uncomment for this)
  //| sum(SizeBytes, as=SizeBytes)
  //| SizeMB:=unit:convert("SizeBytes", binary=true, from=B, to=M, keepUnit=true)
  //| SizeGB:=unit:convert("SizeBytes", binary=true, from=B, to=G, keepUnit=true)
# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Calculates total NG-SIEM ingest by each Vendor (connector)
  Can be altered to trim to a single vendor and assist in locating areas of large ingestion usage, such as singular firewall policies. See [this](https://www.reddit.com/r/crowdstrike/comments/1nhuu6g/mediocre_query_monday_calculating_ngsiem/) post for more information about doing this.
  No modules are required, but the NG-SIEM module is what facilitates the need for this query.
  EDR/Endpoint/CrowdStrike native log sources are not included in this, as those are not counted against NG-SIEM ingest from a pricing perspective.