
CrowdStrike Alerts


Overview

Table name: crowdstrike_alerts

The CrowdStrike Alerts API provides programmatic access to security alerts generated by the Falcon platform. It allows users to retrieve, filter, and manage alert data across their environment, enabling seamless integration with SIEMs, SOAR platforms, or custom security workflows. With this API, organizations can automate incident response, monitor real-time threats, and enhance visibility into potential security incidents, all while maintaining tight control over alert data.

This is the latest CrowdStrike integration (available since April 2025). It replaced CrowdStrike Detections, which reached end of life on September 30, 2025, and it will replace the Incident API endpoints, which are deprecated as of March 9, 2026. The new “alert” event includes a CompositeId value that can be used to query the /alerts API for detection details, and it also contains an IncidentSummaryEvent.

These logs give the SOC analyst a better investigation experience than the falcon-event-streams logs.

The Alerts API provides normalized and enriched alerts generated by various Falcon modules. These alerts contain detailed metadata including timestamps, severity levels, behavioral indicators, MITRE ATT&CK mappings, host details, incident associations, and status information. The Alerts API includes alerts from Data Protection, EPP, Identity Protection, Mobile, Insight XDR, Next-Gen SIEM, and supported third-party integrations.

Use the Alerts API when you need enriched, actionable security alerts that are ready for incident response workflows. The relationship flows from events → detections → incidents: not all events become detections, and not all detections become part of incidents.

Send data to Hunters

⚠️ Attention

The process below requires you to select the CrowdStrike API tile (and not CrowdStrike).


Step 1: Create an API client

Create a CrowdStrike API client with the Alerts: Read scope and permissions (as specified here).

Step 2: Create a data source on Hunters

Complete the data source creation process on the Hunters platform (described here), and supply the following keys:

  • Client ID
  • Client Secret
  • Cloud Endpoint - This should only contain the domain name, without the https:// prefix. For example: api.crowdstrike.com.
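A pre-flight check for the values Steps 1 and 2 ask for, added here as an example (not Hunters' or CrowdStrike's own code): it normalizes the Cloud Endpoint to the bare domain the form expects and, using the Client ID and Client Secret, confirms that the API client actually carries the Alerts: Read scope before the data source is created. The /oauth2/token and /alerts/queries/alerts/v2 paths are assumed from CrowdStrike's public API reference.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Plain DNS name: labels of letters, digits and hyphens, with at least one dot.
_HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+$")

def normalize_cloud_endpoint(value: str) -> str:
    """Return the bare domain (e.g. api.crowdstrike.com) the Cloud Endpoint field expects.

    A scheme or trailing slash pasted by mistake is stripped; a path, a port or anything
    that is not a plain hostname is rejected, because the form wants the domain only.
    """
    v = re.sub(r"^https?://", "", value.strip().lower())
    host, _, rest = v.partition("/")
    if rest:
        raise ValueError(f"Cloud Endpoint must be the domain only, got path '/{rest}'")
    if ":" in host or not _HOST_RE.match(host):
        raise ValueError(f"Cloud Endpoint is not a plain domain name: {value!r}")
    return host

def check_alerts_read_scope(cloud_endpoint: str, client_id: str, client_secret: str,
                            timeout: int = 15) -> dict:
    """Obtain an OAuth2 token, then run a minimal Alerts query.

    A 403 on the query means the client authenticated but lacks the Alerts: Read
    scope from Step 1. Endpoint paths are assumed from CrowdStrike's public API docs.
    """
    host = normalize_cloud_endpoint(cloud_endpoint)
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret})
    token_req = urllib.request.Request(
        f"https://{host}/oauth2/token", data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(token_req, timeout=timeout) as resp:
            token = json.load(resp)["access_token"]
    except urllib.error.HTTPError as exc:
        return {"ok": False, "stage": "token", "status": exc.code}
    query_req = urllib.request.Request(
        f"https://{host}/alerts/queries/alerts/v2?limit=1",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(query_req, timeout=timeout) as resp:
            return {"ok": True, "stage": "alerts", "status": resp.status}
    except urllib.error.HTTPError as exc:
        hint = "missing Alerts: Read scope" if exc.code == 403 else None
        return {"ok": False, "stage": "alerts", "status": exc.code, "hint": hint}
```

Run `check_alerts_read_scope("api.crowdstrike.com", CLIENT_ID, CLIENT_SECRET)` once with the real credentials; an `ok: False` result at the `token` stage points at the ID/secret, while a 403 at the `alerts` stage points at the scope.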