Self Service Ingestion
Connect this data source on your own, using the Hunters platform.
Overview
CrowdStrike Falcon is a cloud-native endpoint protection platform. Hunters can ingest multiple CrowdStrike data types for detection, IOC search, investigation, and threat hunting workflows.
📘 Note
Some CrowdStrike data types require specific modules:
- Spotlight requires the CrowdStrike Spotlight module.
- Raw Events requires Falcon Data Replicator.
⚠️ Attention
If you have several CrowdStrike customer IDs under one parent ID, create a separate Hunters data source for each customer ID. Do not use the parent ID when configuring the connection.
Supported Data Types
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| CrowdStrike Raw Events | ✅ | ✅ | ✅ | crowdstrike_raw_events | NDJSON | AWS S3 ingest | |
| CrowdStrike Detections | ✅ | ✅ | crowdstrike_detects | NDJSON | CrowdStrike Store | ||
| CrowdStrike Devices | ✅ | ✅ | crowdstrike_devices | NDJSON | CrowdStrike Store | ||
| CrowdStrike Incidents | ✅ | crowdstrike_incidents | NDJSON | CrowdStrike Store | |||
| CrowdStrike Identity Based Alerts | ✅ | ✅ | crowdstrike_idp | NDJSON | API | ||
| CrowdStrike Mobile | ✅ | ✅ | crowdstrike_mobile | NDJSON | API | ||
| CrowdStrike Spotlight | ✅ | crowdstrike_spotlight | NDJSON | API | |||
| CrowdStrike Indicators | ✅ | crowdstrike_indicators | NDJSON | API | |||
| CrowdStrike FileVantage | ✅ | ✅ | crowdstrike_filevantage_queries_changes | NDJSON | API | ||
| CrowdStrike Falcon Event Streams | ✅ | ✅ | ✅ | crowdstrike_falcon_event_streams | NDJSON | CrowdStrike Store | |
| CrowdStrike Alerts | ✅ | crowdstrike_alerts | NDJSON | API |
Connect the CrowdStrike Marketplace App
-
Log into the CrowdStrike Falcon Portal.
-
From the left-side menu, click CrowdStrike > All Apps.
- Search for Hunters, then click the app.
- To retrieve your Customer ID, open the Falcon menu and navigate to Host setup and management > Sensor downloads.
- Copy the Customer ID and keep it available for the Hunters data source setup.
- In the Open App screen, enter your Customer ID to start using the integration.
