Add FalconNgsCaseEvidence - CrowdStrike/psfalcon GitHub Wiki
Add alerts or events to a Falcon NGSIEM case
Requires 'Cases: Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| AlertId | String[] | Alert identifier | |||||
| EventId | String[] | Event identifier | |||||
| Id | String | Case identifier | X | X |
Add-FalconNgsCaseEvidence [-AlertId] <String[]> [-Id] <String> [-WhatIf] [-Confirm] [<CommonParameters>]Add-FalconNgsCaseEvidence [-EventId] <String[]> [-Id] <String> [-WhatIf] [-Confirm] [<CommonParameters>]POST /cases/entities/alert-evidence/v1
POST /cases/entities/event-evidence/v1
entities_alert_evidence_post_v1
entities_event_evidence_post_v1
Add-FalconNgsCaseEvidence -AlertId <id>,<id> -Id <id>Add-FalconNgsCaseEvidence -EventId <id>,<id> -Id <id>2025-09-22: PSFalcon v2.2.9
