CrowdStrike

Overview

Table name: crowdstrike_raw_events

CrowdStrike raw events represent the detailed data captured by the Falcon sensor installed on each endpoint. These events encompass a wide range of activities.

Send data to Hunters

Overview

Table name: crowdstrike_detects

CrowdStrike detections are generated by analyzing events collected from endpoints across the network. These detections are based on a wide range of indicators and sophisticated analysis techniques, including machine learning, behavioral analysis, and threat intelligence. CrowdStrike's Falcon platform is known for its ability to detect a variety of threats, from malware and ransomware to more subtle indicators of attack (IOAs) and indicators of compromise (IOCs).

Send data to Hunters

Overview

Table name: crowdstrike_devices

CrowdStrike device logs encompass a wide range of data points collected from each endpoint or device within the network. These logs are crucial for monitoring the health and security status of the network, detecting potential threats, and facilitating forensic analysis in the event of a security incident.

Send data to Hunters

Overview

Table name: crowdstrike_incidents

CrowdStrike Incidents are part of CrowdStrike Falcon's comprehensive suite of endpoint protection capabilities, focusing on identifying, managing, and resolving security threats across an organization's network. When the Falcon platform detects a series of related security events or behaviors that indicate a more significant issue or attack, it aggregates this information into an incident. This approach helps security teams prioritize and respond to the most critical threats more efficiently, ensuring that resources are focused where they are needed most.

Send data to Hunters

Overview

Table name: crowdstrike_idp

CrowdStrike's identity-based alerts are part of its advanced threat detection capabilities, focusing on identifying security threats that specifically target or involve user identities and credentials. These alerts play a critical role in an organization's security posture by helping to prevent unauthorized access, insider threats, and identity-related attacks. With the increasing sophistication of cyber threats, particularly those involving credential theft, social engineering, and lateral movement within networks, identity-based security solutions have become essential.

Send data to Hunters

Step 1: Create an API client

Create a CrowdStrike API client with the Alerts: Read scope and permissions (as specified here).

Step 2: Create a data source on Hunters

Overview

Table name: crowdstrike_mobile

Mobile logs in CrowdStrike encompass detailed records of activities, events, and security incidents on mobile devices that are protected by the CrowdStrike Falcon platform. These logs are crucial for monitoring the security posture of mobile devices, investigating incidents, and ensuring compliance with organizational security policies.

Send data to Hunters

Step 1: Create an API client

Create a CrowdStrike API client with the Alerts: Read scope and permissions (as specified here).

Step 2: Create a data source on Hunters

Overview

Table name: crowdstrike_spotlight

Spotlight logs contain detailed information about detected vulnerabilities in an organization's endpoints. These logs are essential for tracking, managing, and mitigating vulnerabilities effectively. The data includes specifics about each vulnerability, such as its severity, the affected software or system component, and recommendations for remediation.

Send data to Hunters

Step 1: Create an API client

Create a CrowdStrike API client with the Vulnerabilities: read scope and permissions (as specified here).

Step 2: Create a data source on Hunters

Overview

Table name: crowdstrike_indicators

CrowdStrike utilizes a sophisticated array of indicators within its cybersecurity framework to identify, assess, and respond to threats. These indicators are crucial for detecting malicious activities and are part of CrowdStrike's broader approach to endpoint security and threat intelligence. Understanding these indicators can help organizations better prepare for, and respond to, potential cybersecurity threats.

Send data to Hunters

Step 1: Create an API client

Create a CrowdStrike API client with the INDICATORS (FALCON INTELLIGENCE): read scope and permissions (as specified here).

Step 2: Create a data source on Hunters

Overview

Table name: crowdstrike_filevantage_queries_changes

FileVantage is designed to track file changes, access patterns, and potential unauthorized data movement, which are critical for data loss prevention (DLP) and insider threat detection. This tool helps organizations manage and secure their sensitive data by leveraging CrowdStrike's powerful endpoint security platform.

Send data to Hunters

Step 1: Create an API client

Create a CrowdStrike API client with the FILEVANTAGE: read scope and permissions (as specified here).

Step 2: Create a data source on Hunters

Overview

Table name: crowdstrike_falcon_event_streams

CrowdStrike Falcon Event Streams provide real-time access to rich telemetry data from endpoints protected by the Falcon platform. These event streams allow organizations to monitor and analyze security events, such as process execution, network connections, and file activities, as they happen. By leveraging this data, security teams can build custom integrations, enhance threat detection capabilities, and automate responses to potential threats.

Send data to Hunters

Expected format

{
  "AgentId": "afwehw34h5a235h23h52",
  "AggregateId": "aggind:afwehw34h5a235h23h52:577551784278489191",
  "CommandLine": "/usr/sbin/systemsetup -setremotelogin on",
  "CompositeId": "a872ad070d984dff884bf211fda3d2d3:ind:afwehw34h5a235h23h52:577551784277851241-41009-3969400",
  "DataDomains": "Endpoint",
  "Description": "A process triggered an informational severity custom rule.",
  "FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/a872ad070d984dff884bf211fda3d2d3:ind:afwehw34h5a235h23h52:577551784277851241-41009-3969400?_cid=afwh35rw3h3hwh3",
  "FileName": "systemsetup",
  "FilePath": "/usr/sbin/systemsetup",
  "FilesAccessed": [
    {
      "FileName": "systemsetup",
      "FilePath": "/usr/sbin/",
      "Timestamp": 1727004600
    },
    {
      "FileName": "fawegweg",
      "FilePath": "/dev/",
      "Timestamp": 1727004600
    },
    {
      "FileName": "pass",
      "FilePath": "/private/etc/",
      "Timestamp": 1727004600
    },
    {
      "FileName": ".fawefgawaw",
      "FilePath": "/private/var/root/",
      "Timestamp": 1727004600
    },
    {
      "FileName": "dtracehelper",
      "FilePath": "/dev/",
      "Timestamp": 1727004600
    }
  ],
  "GrandParentCommandLine": "/usr/sbin/cron",
  "GrandParentImageFileName": "cron",
  "GrandParentImageFilePath": "/usr/sbin/cron",
  "HostGroups": "2b5993dc70a249b3956e31e4c936f599,c1d473c1c8d546ea87c35f4c02bdf0b2,e452e9983a9f4939abd3e9612b1480ba",
  "Hostname": "ASDHA4356HSWE",
  "IOARuleGroupName": "macOS Custom Detections",
  "IOARuleInstanceID": "73",
  "IOARuleInstanceVersion": 3,
  "IOARuleName": "Remote services. Remote login enabled",
  "LocalIP": "169.254.254.200",
  "LocalIPv6": "",
  "LogonDomain": "",
  "MACAddress": "aa-bb-cc-dd-ee-df",
  "MD5String": "bc91819b3a077dca8ba4054f1c8562ca",
  "Name": "Suspicious Activity",
  "Objective": "Falcon Detection Method",
  "ParentCommandLine": "/bin/sh -c /usr/sbin/systemsetup -setremotelogin on &> /dev/null",
  "ParentImageFileName": "bash",
  "ParentImageFilePath": "/bin/bash",
  "ParentProcessId": 577551784277851239,
  "PatternDispositionDescription": "Detection, standard detection.",
  "PatternDispositionFlags": {
    "BlockingUnsupportedOrDisabled": false,
    "BootupSafeguardEnabled": false,
    "CriticalProcessDisabled": false,
    "Detect": false,
    "FsOperationBlocked": false,
    "HandleOperationDowngraded": false,
    "InddetMask": false,
    "Indicator": false,
    "KillActionFailed": false,
    "KillParent": false,
    "KillProcess": false,
    "KillSubProcess": false,
    "OperationBlocked": false,
    "PolicyDisabled": false,
    "ProcessBlocked": false,
    "QuarantineFile": false,
    "QuarantineMachine": false,
    "RegistryOperationBlocked": false,
    "Rooting": false,
    "SensorOnly": false,
    "SuspendParent": false,
    "SuspendProcess": false
  },
  "PatternDispositionValue": 0,
  "PatternId": 41009,
  "ProcessEndTime": 0,
  "ProcessId": 577551784277851241,
  "ProcessStartTime": 1727004600,
  "SHA1String": "0000000000000000000000000000000000000000",
  "SHA256String": "0467c233807480601368edac622e93c060ef7b3fcd444c0786956a7f1facb505",
  "Severity": 10,
  "SeverityName": "Informational",
  "SourceProducts": "Falcon Insight",
  "SourceVendors": "CrowdStrike",
  "Tactic": "Custom Intelligence",
  "Technique": "Indicator of Attack",
  "Type": "ldt",
  "UserName": "root"
}

Overview

Table name: crowdstrike_alerts

The CrowdStrike Alerts API provides programmatic access to security alerts generated by the Falcon platform. It allows users to retrieve, filter, and manage alert data across their environment, enabling seamless integration with SIEMs, SOAR platforms, or custom security workflows. With this API, organizations can automate incident response, monitor real-time threats, and enhance visibility into potential security incidents, all while maintaining tight control over alert data.

Send data to Hunters

Step 1: Create an API client

Create a CrowdStrike API client with the Alerts: Read scope and permissions (as specified here).

Step 2: Create a data source on Hunters