# CrowdStrike Next-Gen SIEM

The CrowdStrike Next-Gen SIEM connector allows for seamless integration with Swimlane Turbine, enabling automated security incident management and enhanced threat detection capabilities. CrowdStrike Next-Gen SIEM is a cutting-edge security information and event management platform that provides comprehensive visibility and advanced analytics to detect and respond to threats. This connector enables Swimlane Turbine users to automate key incident response tasks such as adding alerts and events to cases, managing case tags, and initiating searches within CrowdStrike. By integrating with CrowdStrike Next-Gen SIEM, security teams can enhance their operational efficiency, reduce response times, and maintain a robust security posture through streamlined case management and evidence collection.

## Limitations

None to date.

## Supported versions

This CrowdStrike Next-Gen SIEM connector uses the latest version of the API.

## Additional Docs

Documentation: [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/)

## Prerequisites

To effectively utilize the CrowdStrike Next-Gen SIEM connector with Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 Client Credentials for secure authentication, which include:
  - URL: The endpoint URL for the CrowdStrike Next-Gen SIEM API
  - Client ID: Your unique identifier issued by CrowdStrike for API access
  - Client Secret: A secret key provided by CrowdStrike to authenticate your Client ID
  - Token URL: The specific URL provided by CrowdStrike to obtain an OAuth token

## Authentication Methods

- OAuth 2.0 Client Credentials authentication method: OAuth 2.0 Client Credentials for secure authentication, which include:
  - URL: The endpoint URL for the CrowdStrike API
  - Client ID: Your unique identifier to authenticate with the CrowdStrike API
  - Client Secret: A confidential secret key used in conjunction with the Client ID to authenticate
  - Token URL: The specific URL to obtain the OAuth 2.0 access token

## Capabilities

This CrowdStrike Next-Gen SIEM connector provides the following capabilities:

- Add Alerts to Existing Case
- Add Event Evidence to Existing Case
- Add Tags to an Existing Case
- Create a New Case
- Get Cases by IDs
- Get Search Status
- Initiate Search
- List Cases
- Remove Tags from an Existing Case
- Stop Search
- Update an Existing Case

### Add Alerts to Existing Case

Add alerts as evidence to an existing case. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.alert-evidence.post.v1)

### Add Event Evidence to Existing Case

Adds the given list of event evidence to the specified case. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.event-evidence.post.v1)

### Add Tags to an Existing Case

Adds the given list of tags to the specified case. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.case-tags.post.v1)

### Create a New Case

Creates the given case. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.cases.put.v2)

### Get Cases by IDs

Retrieves all cases given their IDs. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.cases.post.v2)

### Get Search Status

Get status of search. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/GetSearchStatusV1)

### Initiate Search

Initiate search. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/StartSearchV1)

### List Cases

Retrieves all case IDs that match a given query. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/queries.cases.get.v1)

### Remove Tags from an Existing Case

Removes the specified tags from the specified case. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.case-tags.post.v1)

### Stop Search

Stop search. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/ngsiem/StopSearchV1)

### Update an Existing Case

Updates given fields on the specified case. [Click here](https://assets.falcon.crowdstrike.com/support/api/swagger.html#/cases/entities.cases.patch.v2)

## Configurations

### CrowdStrike Next-Gen OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --------- | ----------- | ---- | -------- |
| url | A URL to the target host | string | required |
| token_url | | string | required |
| client_id | The client ID | string | required |
| client_secret | The client secret | string | required |
| scope | Permission scopes for this action | array | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add Alerts to Existing Case

Adds specified alerts as evidence to an existing case in CrowdStrike Next-Gen SIEM, requiring the case ID and alert details.

**Endpoint URL:** /cases/entities/alert-evidence/v1

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| alerts | array | optional | An array of objects representing the alerts to add to the case. Each object in the array identifies a single alert by its ID. |
| alerts.id | string | required | The unique identifier of the alert to add to the case. The alert ID field expects the alert's composite ID value. When adding multiple alerts, each ID must be provided as its own object in the array. |
| id | string | optional | The system-level identifier of the case to add the alert to. |

Input example:

```json
{
  "json_body": {
    "alerts": [
      {"id": "abcdefg0123456789hijklmnopqrstuvwx:ngsiem:abcdefg0123456789hijklmnopqrstuvwx:e38579xxxxxxxxxxa05b5c"}
    ],
    "id": "aaaaaaaaxxx-xx-xe7x9xxxxxxxxxxxxoqlnx-1dsxyxxxxxxxxxxxxxxxxxxxmgjc9-2uxxxxxo5-z-pmxxxxxwr-ye1pwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxkvgz9-bwxxxxxxxm9-lzxxxxxdy-nyxxxxxww"
  }
}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| errors | array | Error message if any |
| errors.code | number | Error message if any |
| errors.id | string | Unique identifier |
| errors.message | string | Response message |
| meta | object | Output field meta |
| meta.pagination | object | Output field meta.pagination |
| meta.pagination.limit | number | Output field meta.pagination.limit |
| meta.pagination.offset | number | Output field meta.pagination.offset |
| meta.pagination.total | number | Output field meta.pagination.total |
| meta.powered_by | string | Output field meta.powered_by |
| meta.query_time | number | Time value |
| meta.trace_id | string | Unique identifier |
| meta.writes | object | Output field meta.writes |
| meta.writes.resources_affected | number | Output field meta.writes.resources_affected |
| resources | array | Output field resources |
| resources.access_tags | array | Output field resources.access_tags |
| resources.access_tags.cid | string | Unique identifier |
| resources.access_tags.id | string | Unique identifier |
| resources.access_tags.key | string | Output field resources.access_tags.key |
| resources.analysis_results | object | Result of the operation |
| resources.analysis_results.alerts | object | Result of the operation |
| resources.analysis_results.alerts.records | array | Result of the operation |
| resources.analysis_results.alerts.records.id | string | Unique identifier |

Output example (truncated in the source):

```json
{
  "errors": [{"code": 123, "id": "12345678-1234-1234-1234-123456789abc", "message": "string"}],
  "meta": {
    "pagination": {"limit": 123, "offset": 123, "total": 123},
    "powered_by": "string",
    "query_time": 123,
    "trace_id": "string",
    "writes": {"resources_affected": 123}
  },
  "resources": [
    {
      "access_tags": [],
      "analysis_results": {},
      "assigned_to": {},
      "cid": "string",
      "consistency": {},
      "created_by": {},
      "created_timestamp": "string",
      "description": "string",
      "end_timestamp": "string",
      "evidence": {},
      "fields": [],
      "id": "12345678-1234-1234-1234-12345
```

### Add Event Evidence to Existing Case

Adds a list of event evidence to an existing case in CrowdStrike Next-Gen SIEM using the case ID and events data.

**Endpoint URL:** cases/entities/event-evidence/v1

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| events | array | optional | An array of objects representing the events to add to the case. Each object in the array identifies a single event by its ID. |
| events.id | string | required | The unique ID of the event to add to the case. When adding multiple events, each ID must be provided as its own object in the array. |
| id | string | optional | The system-level identifier of the case to add the events to. |

Input example:

```json
{
  "json_body": {
    "events": [
      {"id": "abcdefg0123456789hijklmnopqrstuvwx:ngsiem:abcdefg0123456789hijklmnopqrstuvwx:e38579xxxxxxxxxxa05b5c"}
    ],
    "id": "aaaaaaaaxxx-xx-xe7x9xxxxxxxxxxxxoqlnx-1dsxyxxxxxxxxxxxxxxxxxxxmgjc9-2uxxxxxo5-z-pmxxxxxwr-ye1pwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxkvgz9-bwxxxxxxxm9-lzxxxxxdy-nyxxxxxww"
  }
}
```

#### Output

The response fields (status_code, reason, errors, meta, resources) and the output example are identical to those of Add Alerts to Existing Case above.

### Add Tags to an Existing Case

Appends specified tags to an existing case in CrowdStrike Next-Gen SIEM using the case ID.

**Endpoint URL:** cases/entities/case-tags/v1

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| id | string | optional | The system-level identifier of the case to add the tags to. |
| tags | array | optional | The list of tags to add to the case. |

Input example:

```json
{
  "json_body": {
    "id": "384759xxxxxxxxxxxxxxxxxxxx1234567890",
    "tags": ["test_tag1", "test_tag2"]
  }
}
```

#### Output

The response fields (status_code, reason, errors, meta, resources) and the output example are identical to those of Add Alerts to Existing Case above.

### Create a New Case

Creates a new case in CrowdStrike Next-Gen SIEM with details such as assignment, description, evidence, name, severity, and status.

**Endpoint URL:** /cases/entities/cases/v2

**Method:** PUT

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| access_tags | array | optional | The access tags to add to the new case. |
| access_tags.cid | string | optional | The CID of the Falcon user to add to the new case. |
| access_tags.id | string | optional | The ID of the Falcon user to add to the new case. |
| access_tags.key | string | optional | The key of the Falcon user to add to the new case. |
| assigned_to_user_uuid | string | optional | The UUID of the Falcon user to assign the new case to. To get user UUIDs, see List user IDs in a CID. |
| description | string | optional | A brief summary of the case. Any UTF-8 characters are supported. Maximum length: 2048 bytes. |
| evidence | object | optional | The alerts and events to add to the new case as evidence. |
| evidence.alerts | array | required | The alerts to add to the new case. |
| evidence.alerts.id | string | required | The unique identifier of the alert to add to the case. The alert ID field expects the alert's composite ID value. Send each ID as a separate object in the array. |
| evidence.events | array | required | The events to add to the new case as evidence. |
| evidence.events.id | string | required | The unique ID of the event to add to the case. Send each ID as a separate object in the array. |
| evidence.leads | array | required | Unique identifier |
| evidence.leads.id | string | required | Unique identifier |
| name | string | optional | A user-defined name for the case. Any UTF-8 characters are supported. Maximum length: 256 bytes. |
| severity | number | optional | The case severity rating on a numeric scale from 1 (least severe) to 100 (most severe). Numeric values correspond to the following string severity levels used for cases in the Falcon console and Case Management API: 1-19 informational, 20-39 low, 40-59 medium, 60-79 high, 80-100 critical. |
| severity_info | object | optional | The severity level of the case. |
| severity_info.level | string | required | Parameter for Create a New Case |
| status | string | optional | The workflow state of the case. Possible values: new (default), closed, in_progress, reopened. |
| tags | array | optional | The tags to add to the new case. |
| template | object | optional | The template to apply when creating the case. Templates are created and managed with the Case Management API. |
| template.id | string | required | The unique ID of the custom template to apply to the case. Templates are created using the Case Management API. For more info, see Template endpoints. |

Input example:

```json
{
  "json_body": {
    "access_tags": [
      {"cid": "abcdefg0123456789hijklmnopqrstuvwx", "id": "4d759xxxxxxxxxxe417a", "key": "manage"}
    ],
    "assigned_to_user_uuid": "string",
    "description": "Multiple unauthorized login attempts on host WINDOWS-2445.",
    "evidence": {
      "alerts": [
        {"id": "abcdefg0123456789hijklmnopqrstuvwx:ngsiem:abcdefg0123456789hijklmnopqrstuvwx:e38579xxxxxxxxxxa05b5c"},
        {"id": "abcdefg0123456789hijklmnopqrstuvwx:ind:cb28a1xxxxxxxxxx49556f:252f50xxxxxxxxxx37f24c"}
      ],
      "events": [
        {"id": "pbq9xxxxxxxxxxxxxxxxxxxx-12-3-1755xxxxxx"},
        {"id": "d4s0xxxxxxxxxxxxxxxxxxxx-5-0-1755xxxxxx"}
      ],
      "leads": [{"id": "string"}]
    },
    "name": "P1 Unauthorized Access",
    "severity": 90,
    "severity_info": {"level": "string"},
    "status": "new",
    "tags": ["unauthorized_access", "p1"],
    "template": {"id": "4d759xxxxxxxxxxe417a"}
  }
}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.writes | object | Output field meta.writes |
| meta.writes.resources_affected | number | Output field meta.writes.resources_affected |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |
| resources.id | string | Unique identifier |
| resources.cid | string | Unique identifier |
| resources.reference_id | string | Unique identifier |
| resources.version | number | Output field resources.version |
| resources.consistency | object | Output field resources.consistency |
| resources.consistency.consistent | boolean | Output field resources.consistency.consistent |
| resources.consistency.version | number | Output field resources.consistency.version |
| resources.created_timestamp | string | Output field resources.created_timestamp |
| resources.created_by | object | Output field resources.created_by |
| resources.created_by.uuid | string | Unique identifier |
| resources.created_by.email | string | Output field resources.created_by.email |
| resources.created_by.full_name | string | Name of the resource |
| resources.updated_timestamp | string | Output field resources.updated_timestamp |
| resources.last_updated_by | object | Output field resources.last_updated_by |
| resources.last_updated_by.uuid | string | Unique identifier |
| resources.last_updated_by.email | string | Output field resources.last_updated_by.email |

Output example:

```json
{
  "meta": {
    "query_time": 123,
    "writes": {"resources_affected": 123},
    "powered_by": "string",
    "trace_id": "string"
  },
  "resources": [
    {
      "id": "12345678-1234-1234-1234-123456789abc",
      "cid": "string",
      "reference_id": "string",
      "version": 123,
      "consistency": {},
      "created_timestamp": "string",
      "created_by": {},
      "updated_timestamp": "string",
      "last_updated_by": {},
      "start_timestamp": {},
      "end_timestamp": {},
      "name": "example_name",
      "description": "string",
      "severity_info": {},
      "severity": 123
    }
  ]
}
```

### Get Cases by IDs

Retrieves all CrowdStrike Next-Gen SIEM cases for specified case IDs provided in the JSON body.

**Endpoint URL:** /cases/entities/cases/v2

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| ids | array | optional | A comma-separated list of system-level case ID values to retrieve the details for. |

Input example:

```json
{
  "json_body": {
    "ids": [
      "aaaaaaaaaxxx-xx-xe7x9xxxxxxxxxxxxoqlnx-1dsxyxxxxxxxxxxxxxxxxxxxmgjc9-2uxxxxxo5-z-pmxxxxxwr-ye1pwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxkvgz9-bwxxxxxxxm9-lzxxxxxdy-nyxxxxxww"
    ]
  }
}
```

#### Output

The response fields (status_code, reason, errors, meta, resources) and the output example are identical to those of Add Alerts to Existing Case above.

### Get Search Status

Retrieve the current status of a search in CrowdStrike Next-Gen SIEM using the specified repository and ID.

**Endpoint URL:** humio/api/v1/repositories/{{repository}}/queryjobs/{{id}}

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| path_parameters.repository | string | required | Name of repository |
| path_parameters.id | string | required | ID of query |

Input example:

```json
{
  "path_parameters": {
    "repository": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "id": "search-384759xxxxxxxxxxxxxxxxxxxx1234567890"
  }
}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cancelled | boolean | Output field cancelled |
| done | boolean | Output field done |
| events | array | Output field events |
| events.bucket | string | Output field events.bucket |
| events.event_simpleName | string | Name of the resource |
| events.FileName | string | Name of the resource |
| events.aid | string | Unique identifier |
| events.CommandLine | string | Output field events.CommandLine |
| filesUsed | array | Output field filesUsed |
| filterMatches | array | Output field filterMatches |
| metaData | object | Response data |
| metaData.costs | object | Response data |
| metaData.costs.liveCost | number | Response data |
| metaData.costs.liveCostRate | number | Response data |
| metaData.costs.staticCost | number | Response data |
| metaData.costs.staticCostRate | number | Response data |
| metaData.digestFlow | object | Response data |
| metaData.digestFlow.ingestTimeKnownGood | number | Response data |
| metaData.digestFlow.maxIngestLatency | number | Response data |
| metaData.digestFlow.minIngestTimeIncluded | number | Response data |
| metaData.eventCount | number | Response data |
| metaData.fieldOrder | array | Response data |
| metaData.isAggregate | boolean | Response data |

Output example (truncated in the source):

```json
{
  "cancelled": true,
  "done": true,
  "events": [
    {
      "bucket": "string",
      "event_simpleName": "example_name",
      "FileName": "example_name",
      "aid": "string",
      "CommandLine": "string"
    }
  ],
  "filesUsed": ["string"],
  "filterMatches": [123],
  "metaData": {
    "costs": {"liveCost": 123, "liveCostRate": 123, "staticCost": 123, "staticCostRate": 123},
    "digestFlow": {"ingestTimeKnownGood": 123, "maxIngestLatency": 123, "minIngestTimeIncluded": 123},
    "eventCount": 123,
    "fieldOrder": ["string"],
    "isAggregate": true,
    "pollAfter": 123,
    "processedBytes": 123,
    "processedEv
```

### Initiate Search

Initiates a search in CrowdStrike Next-Gen SIEM using a specified query string and repository.

**Endpoint URL:** humio/api/v1/repositories/{{repository}}/queryjobs

**Method:** POST

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| path_parameters.repository | string | required | The repository to initiate the search in. |
| allowEventSkipping | boolean | optional | Enables some LogScale functions, such as head() and tail(), to stop processing all data in the selected timeframe and exit the query early. |
| arguments | object | optional | JSON blob with parameters defined in the query. |
| around | object | optional | Event context for around-based queries with eventId, numberOfEventsAfter, numberOfEventsBefore, and timestamp. |
| around.eventId | string | required | The event ID to center the search around. |
| around.numberOfEventsAfter | number | required | The number of events to include after the specified event. |
| around.numberOfEventsBefore | number | required | The number of events to include before the specified event. |
| around.timestamp | number | required | The timestamp in milliseconds for the around query. |
| autobucketCount | number | optional | The number of buckets the system should create during live query searches, when no other explicit bucketing aggregate is specified. |
| end | string | optional | The date and time to use as the ending point of the search results. |
| ingestEnd | string | optional | The end date and time applied for @ingesttimestamp. |
| ingestStart | string | optional | The start date and time applied for @ingesttimestamp. |
| isLive | boolean | optional | Sets whether this query is live. Defaults to false. Live queries are continuously updated. |
| queryString | string | optional | The CQL query to use for the search. |
| start | string | optional | The date and time to use as the starting point of the search results. |
| timeZone | string | optional | The time zone to use if start and end times are not specified in milliseconds, e.g. UTC. |
| timeZoneOffsetMinutes | number | optional | A positive or negative number representing how many minutes a given time zone is ahead of or behind Coordinated Universal Time (UTC). |
| useIngestTime | boolean | optional | When set to true, the event's ingestStart and ingestEnd times are used as the basis for the query timespan rather than the start and end timestamps. |

Input example:

```json
{
  "json_body": {
    "allowEventSkipping": true,
    "arguments": {},
    "around": {
      "eventId": "evt-7b3c9d1e5f2a4b6c8d0e-12-3-1755123456",
      "numberOfEventsAfter": 50,
      "numberOfEventsBefore": 50,
      "timestamp": 1721289600000
    },
    "autobucketCount": 100,
    "end": "2026-03-18T23:59:59.999Z",
    "ingestEnd": "2026-03-18T23:59:59.999Z",
    "ingestStart": "2026-03-18T00:00:00.000Z",
    "isLive": true,
    "queryString": "event_simpleName=ProcessRollup2 AND FileName=\"powershell\"",
    "start": "2026-03-18T00:00:00.000Z",
    "timeZone": "America/New_York",
    "timeZoneOffsetMinutes": 300,
    "useIngestTime": true
  },
  "path_parameters": {
    "repository": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
  }
}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| hashedQueryOnView | string | Output field hashedQueryOnView |
| id | string | Unique identifier |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "hashedQueryOnView": "test hash",
    "id": "search-384759xxxxxxxxxxxxxxxxxxxx1234567890"
  }
}
```

### List Cases

Retrieves all case IDs from CrowdStrike Next-Gen SIEM that match a specified query.

**Endpoint URL:** cases/queries/cases/v1

**Method:** GET

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| parameters.limit | number | optional | The maximum number of cases to return in this response (default: 100; max: 10000). Use this parameter together with the offset parameter to manage pagination of the results. |
| parameters.offset | number | optional | The first case to return, where 0 is the latest case. Use with the limit parameter to manage pagination of results. |
| parameters.filter | string | optional | Filter cases using a query in Falcon Query Language (FQL). Filter fields can be any keyword field that is part of #domain.Case. An asterisk wildcard (*) includes all results. An empty value means not to filter on anything. Most commonly used filter fields that support exact match: cid, id, etc. Most commonly used filter fields that support wildcard (*): assigned_to_name, assigned_to_uuid. Most commonly used filter fields that support range comparisons (>, <, >=, <=): created_timestamp, updated_timestamp. All filter fields and operations support negation (!). The full list of valid filter options is extensive; review it in our documentation inside the Falcon console: https://falcon.crowdstrike.com/documentation/45/falcon-query-language-fql |
| parameters.sort | string | optional | Sort parameter takes the form `<field\|direction>`. Direction can be either asc (ascending) or desc (descending) order. For example: `status\|asc` or `status\|desc`. |
| parameters.q | string | optional | Search all case metadata for the provided string. |

Input example:

```json
{
  "parameters": {
    "limit": 100,
    "offset": 0,
    "filter": "cve_severity:['high','critical']",
    "sort": "status|asc",
    "q": "test query"
  }
}
```

#### Output

| Parameter | Type | Description |
| --------- | ---- | ----------- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| meta | object | Output field meta |
| meta.query_time | number | Time value |
| meta.pagination | object | Output field meta.pagination |
| meta.pagination.offset | number | Output field meta.pagination.offset |
| meta.pagination.limit | number | Output field meta.pagination.limit |
| meta.pagination.total | number | Output field meta.pagination.total |
| meta.writes | object | Output field meta.writes |
| meta.writes.resources_affected | number | Output field meta.writes.resources_affected |
| meta.powered_by | string | Output field meta.powered_by |
| meta.trace_id | string | Unique identifier |
| resources | array | Output field resources |
| resources.file_name | string | Name of the resource |
| resources.file | string | Output field resources.file |

Output example (truncated in the source):

```json
{
  "status_code": 200,
  "response_headers": {
    "Server": "nginx",
    "Date": "Wed, 18 Mar 2026 00:43:50 GMT",
    "Content-Type": "application/json",
    "Content-Length": "205",
    "Connection": "keep-alive",
    "Content-Encoding": "gzip",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains",
    "Vary": "Origin",
    "X-Cs-Region": "us-1",
    "X-Cs-Traceid": "2a8251e4-083a-4c47-8a96-38cdcb226605",
    "X-Ratelimit-Limit": "6000",
    "X-Ratelimit-Remaining": "5998"
  },
  "reason": "OK",
  "json_body": {
    "meta": {
      "query_t
```

### Remove Tags from an Existing Case

Removes specified tags from an existing case in CrowdStrike Next-Gen SIEM using the case ID.

**Endpoint URL:** cases/entities/case-tags/v1

**Method:** DELETE

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| parameters.id | string | required | The system-level identifier of the case to remove the specified tags from. |
| parameters.tag | string | required | The tags to remove from the case. Send multiple tags |

Input example:

```json
{
  "parameters": {
    "id": "384759xxxxxxxxxxxxxxxxxxxx1234567890",
    "tag": "test_tag1"
  }
}
```

#### Output

The response fields (status_code, reason, errors, meta, resources) and the output example are identical to those of Add Alerts to Existing Case above.

### Stop Search

Terminate an ongoing search in CrowdStrike Next-Gen SIEM using the specified repository and search ID.

**Endpoint URL:** humio/api/v1/repositories/{{repository}}/queryjobs/{{id}}

**Method:** DELETE

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| path_parameters.repository | string | required | Name of repository |
| path_parameters.id | string | required | ID of query |

Input example:

```json
{
  "path_parameters": {
    "repository": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "id": "search-384759xxxxxxxxxxxxxxxxxxxx1234567890"
  }
}
```

#### Output

The response fields are those of Add Alerts to Existing Case above up to and including meta.writes.resources_affected (status_code, reason, errors, meta); this action returns no resources field.

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "errors": [{}],
    "meta": {
      "pagination": {},
      "powered_by": "Humio Query API",
      "query_time": 0.032,
      "trace_id": "tr-1n5q7s9t2u4v6w8x0y2z4a",
      "writes": {}
    }
  }
}
```

### Update an Existing Case

Updates specified fields for an existing case in CrowdStrike Next-Gen SIEM using the case ID.

**Endpoint URL:** /cases/entities/cases/v2

**Method:** PATCH

#### Input

| Argument Name | Type | Required | Description |
| ------------- | ---- | -------- | ----------- |
| expected_consistency_version | number | optional | The expected consistency version of the case. |
| expected_version | number | optional | Parameter for Update an Existing Case |
| fields | object | optional | The fields to update in the case. |
| fields.access_tags | array | optional | Parameter for Update an Existing Case |
| fields.access_tags.cid | string | optional | Unique identifier |
| fields.access_tags.id | string | optional | Unique identifier |
| fields.access_tags.key | string | optional | Parameter for Update an Existing Case |
| fields.assigned_to_user_uuid | string | required | The UUID of the Falcon user to assign the case to, such as 00000000-0000-0000-0000-000000000000. To remove the current user assignment without assigning a new user, use the remove_user_assignment parameter. |
| fields.custom_fields | array | required | Custom fields applied to a case through a template. |
| fields.custom_fields.id | string | required | The ID of the custom field to update. |
| fields.custom_fields.values | array | required | The custom field value. |
| fields.description | string | required | The new case description. |
| fields.name | string | required | The new case name. |
| fields.remove_user_assignment | boolean | required | Remove the user currently assigned to the case. If set to true and assigned_to_user_uuid is not provided, the case becomes unassigned. If set to false and assigned_to_user_uuid is provided, the case is reassigned to the specified user UUID. If set to true and assigned_to_user_uuid is provided, the case is reassigned to the specified user UUID. If this field is omitted and assigned_to_user_uuid is provided, the case is reassigned to the specified user UUID. |
| fields.severity | number | required | The new case severity rating on a numeric scale from 1 (least severe) to 100 (most severe). Numeric values correspond to the following string severity levels used for cases in the Falcon console and Case Management API: 1-19 informational, 20-39 low, 40-59 medium, 60-79 high, 80-100 critical. |
| fields.severity_info | object | required | Parameter for Update an Existing Case |
| fields.severity_info.level | string | required | Parameter for Update an Existing Case |
| fields.slas_active | boolean | required | When specified, the status of the in-progress timer will be changed if appropriate. |
| fields.status | string | required | The new case status. |
| fields.template | object | optional | The template to apply to the case. This is only valid if no template has been applied to the case yet. |
| fields.template.id | string | required | The unique ID of the template to apply to the case. |
| fields.workflows | array | optional | Parameter for Update an Existing Case |
| fields.workflows.execution_id | string | required | Unique identifier |
| fields.workflows.id | string | required | Unique identifier |
| fields.workflows.name | string | required | Name of the resource |

Input example:

```json
{
  "json_body": {
    "expected_consistency_version": 0,
    "expected_version": 0,
    "fields": {
      "access_tags": [
        {"cid": "abcdefg0123456789hijklmnopqrstuvwx", "id": "4d759xxxxxxxxxxe417a", "key": "manage"}
      ],
      "assigned_to_user_uuid": "550e8400-e29b-41d4-a716-446655440001",
      "custom_fields": [{"id": "field-1a2b3c4d5e6f", "values": ["p1"]}],
      "description": "Multiple unauthorized login attempts on host WINDOWS-2445.",
      "name": "P1 Unauthorized Access",
      "remove_user_assignment": true,
      "severity": 90,
      "severity_info": {"level": "critical"},
      "slas_active": true,
      "status": "new",
      "template": {"id": "4d759xxxxxxxxxxe417a"},
      "workflows": [
        {"execution_id": "wf-exec-7b3c9d1e5f2a", "id": "wf-7b3c9d1e5f2a", "name": "Critical Response SLA", "status": "in_progress"}
      ]
    },
    "id": "aaaaaaaaaxxx-xx-xe7x9xxxxxxxxxxxxoqlnx-1dsxyxxxxxxxxxxxxxxxxxxxmgjc9-2uxxxxxo5-z-pmxxxxxwr-ye1pwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxkvgz9-bwxxxxxxxm9-lzxxxxxdy-nyxxxxxww"
  }
}
```

#### Output

The response fields (status_code, reason, errors, meta, resources) are identical to those of Add Alerts to Existing Case above.

Output example (truncated in the source):

```json
{
  "errors": [{"code": 123, "id": "12345678-1234-1234-1234-123456789abc", "message": "string"}],
  "meta": {
    "pagination": {"limit": 123, "offset": 123, "total": 123},
    "powered_by": "string",
    "query_time": 123,
    "trace_id": "string",
    "writes": {"resources_affected": 123}
  },
  "resources": [
    {
      "access_tags": [],
      "analysis_results": {},
      "assigned_to"
```
{},"cid" "string","consistency" {},"created by" {},"created timestamp" "string","description" "string","end timestamp" "string","evidence" {},"fields" \[],"id" "12345678 1234 1234 1234 12345 response headers header description example connection http response header connection keep alive content encoding http response header content encoding gzip content length the length of the response body in bytes 205 content type the media type of the resource application/json date the date and time at which the message was originated wed, 18 mar 2026 00 43 50 gmt server information about the software used by the origin server nginx strict transport security http response header strict transport security max age=31536000; includesubdomains, max age=31536000; includesubdomains vary http response header vary origin x cs region http response header x cs region us 1 x cs traceid http response header x cs traceid 2a8251e4 083a 4c47 8a96 38cdcb226605 x ratelimit limit the number of requests allowed in the current rate limit window 6000 x ratelimit remaining the number of requests remaining in the current rate limit window 5998
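The following example is added by the editor and is not code from the Swimlane Turbine connector or from CrowdStrike. It turns the documented rules for the "Update an existing case" action into code: the 1-100 severity scale and its string levels, the interaction between remove_user_assignment and assigned_to_user_uuid, and the error, trace-ID and rate-limit fields a playbook should read back from the response. The field and header names are the ones listed above; the sample headers and response body are constructed here, and the function names are the editor's own.

```python
"""Editor's example (not connector or CrowdStrike code): build the json_body for
PATCH /cases/entities/cases/v2 from the documented rules and summarise a response.
Sample headers/body below are constructed from the tables on this page."""
from __future__ import annotations

import uuid
from typing import Any, Mapping, Optional

# Severity bands documented for fields.severity -> fields.severity_info.level.
SEVERITY_BANDS = (
    (1, 19, "informational"),
    (20, 39, "low"),
    (40, 59, "medium"),
    (60, 79, "high"),
    (80, 100, "critical"),
)


def severity_level(severity: int) -> str:
    """Map the 1..100 numeric rating to the level string the Falcon console shows."""
    for low, high, level in SEVERITY_BANDS:
        if low <= severity <= high:
            return level
    raise ValueError(f"severity must be between 1 and 100, got {severity!r}")


def assignment_outcome(fields: Mapping[str, Any]) -> str:
    """Apply the documented remove_user_assignment / assigned_to_user_uuid rules."""
    user = fields.get("assigned_to_user_uuid")
    remove = fields.get("remove_user_assignment")
    if user:
        # A UUID wins whether the remove flag is true, false or omitted.
        return f"reassigned:{user}"
    if remove is True:
        return "unassigned"
    return "unchanged"


def build_case_update(case_id: str, *, severity: Optional[int] = None,
                      assigned_to_user_uuid: Optional[str] = None,
                      remove_user_assignment: Optional[bool] = None,
                      expected_version: Optional[int] = None) -> dict:
    """Build json_body for the update action, sending only the fields that change."""
    fields: dict = {}
    if severity is not None:
        # Keep the numeric rating and its string level consistent with each other.
        fields["severity"] = severity
        fields["severity_info"] = {"level": severity_level(severity)}
    if assigned_to_user_uuid is not None:
        uuid.UUID(assigned_to_user_uuid)  # reject a malformed UUID before sending
        fields["assigned_to_user_uuid"] = assigned_to_user_uuid
    if remove_user_assignment is not None:
        fields["remove_user_assignment"] = remove_user_assignment
    body: dict = {"id": case_id, "fields": fields}
    if expected_version is not None:
        body["expected_version"] = expected_version  # lets the server reject a stale update
    return body


def summarize_response(status_code: int, headers: Mapping[str, str],
                       json_body: Mapping[str, Any]) -> dict:
    """Extract what an automation should log or branch on from a connector response."""
    lower = {k.lower(): v for k, v in headers.items()}
    meta = json_body.get("meta") or {}
    # The stop-search example returns "errors": [{}]; an empty object is not an error.
    errors = [e for e in (json_body.get("errors") or []) if e]
    remaining = lower.get("x-ratelimit-remaining")
    return {
        "ok": 200 <= status_code < 300 and not errors,
        "errors": errors,
        # meta.trace_id and the X-CS-TraceId header both identify the request to CrowdStrike.
        "trace_id": meta.get("trace_id") or lower.get("x-cs-traceid"),
        "resources_affected": (meta.get("writes") or {}).get("resources_affected", 0),
        "ratelimit_remaining": int(remaining) if remaining is not None else None,
    }


# Constructed sample data (editor's), values taken from the tables above.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "X-CS-TraceId": "2a8251e4-083a-4c47-8a96-38cdcb226605",
    "X-RateLimit-Limit": "6000",
    "X-RateLimit-Remaining": "5998",
}
SAMPLE_BODY = {
    "errors": [],
    "meta": {"trace_id": "2a8251e4-083a-4c47-8a96-38cdcb226605",
             "writes": {"resources_affected": 1}},
    "resources": [{"id": "12345678-1234-1234-1234-123456789abc"}],
}

if __name__ == "__main__":
    update = build_case_update("12345678-1234-1234-1234-123456789abc", severity=90,
                               assigned_to_user_uuid="550e8400-e29b-41d4-a716-446655440001",
                               remove_user_assignment=True)
    print(update, assignment_outcome(update["fields"]))
    print(summarize_response(200, SAMPLE_HEADERS, SAMPLE_BODY))
```

Two practical points the code encodes: pass expected_version when the playbook read the case earlier, so a concurrent edit by an analyst makes the PATCH fail instead of silently overwriting it, and keep meta.trace_id or X-CS-TraceId in the case notes, since that is what CrowdStrike support asks for when an API call misbehaves.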