Overview
Table name: crowdstrike_falcon_event_streams
CrowdStrike Falcon Event Streams provide real-time access to rich telemetry data from endpoints protected by the **Falcon platform**. These event streams allow organizations to monitor and analyze security events, such as process execution, network connections, and file activities, as they happen. By leveraging this data, security teams can build custom integrations, enhance threat detection capabilities, and automate responses to potential threats.
Event Streams deliver raw, real-time security event data from the CrowdStrike cloud, including audit logs, authentication events, system-level activities, and detection-related telemetry. They provide a continuous, unfiltered data feed that can be used for correlation and analysis within a SIEM or analytics platform.
Send data to Hunters
If you already have CrowdStrike connected
- On the Hunters platform, navigate to Data > Data sources.
- Click **+ Add data sources** to view a list of your connected data sources.
- Locate CrowdStrike and click Edit Connection.
- Make sure the CROWDSTRIKE API tab is selected.
- Scroll down to the Data Types section and activate the CrowdStrike Falcon Event Streams data source.
- Click Test Connection and, once the test is successful, click Apply.
If this is your first time connecting CrowdStrike
Step 1: Connect Hunters to your CrowdStrike portal
- Log into the CrowdStrike Falcon portal.
- From the left-side menu, click CrowdStrike Store > All Apps.
- Look for the Hunters.AI tile and click to open it.
- Click Try it free.
  📘 Note: Your CrowdStrike API token will be shared with Hunters with the following permissions:
  - CrowdStrike Falcon raw data replicator
  - CrowdStrike Detections API
- You will receive an automated email from Hunters confirming this action. This is designed for new prospects who have not yet been introduced to Hunters.
- To retrieve your Customer ID, open the Falcon menu and navigate to Host setup and management > Sensor downloads.
- Copy your Customer ID and save it somewhere safe.
Step 2: Create a data source on Hunters
- Follow this procedure to connect CrowdStrike as a data source.
- Insert the Customer ID value from the previous section and click Apply.
The Customer ID field is case-sensitive.

Once done, Hunters will connect your CrowdStrike Detections, CrowdStrike Devices, CrowdStrike Incidents, CrowdStrike Falcon Event Streams and CrowdStrike Raw Events to your Hunters platform.
Expected format
{
"AgentId": "afwehw34h5a235h23h52",
"AggregateId": "aggind:afwehw34h5a235h23h52:577551784278489191",
"CommandLine": "/usr/sbin/systemsetup -setremotelogin on",
"CompositeId": "a872ad070d984dff884bf211fda3d2d3:ind:afwehw34h5a235h23h52:577551784277851241-41009-3969400",
"DataDomains": "Endpoint",
"Description": "A process triggered an informational severity custom rule.",
"FalconHostLink": "https://falcon.crowdstrike.com/activity-v2/detections/a872ad070d984dff884bf211fda3d2d3:ind:afwehw34h5a235h23h52:577551784277851241-41009-3969400?_cid=afwh35rw3h3hwh3",
"FileName": "systemsetup",
"FilePath": "/usr/sbin/systemsetup",
"FilesAccessed": [
{
"FileName": "systemsetup",
"FilePath": "/usr/sbin/",
"Timestamp": 1727004600
},
{
"FileName": "fawegweg",
"FilePath": "/dev/",
"Timestamp": 1727004600
},
{
"FileName": "pass",
"FilePath": "/private/etc/",
"Timestamp": 1727004600
},
{
"FileName": ".fawefgawaw",
"FilePath": "/private/var/root/",
"Timestamp": 1727004600
},
{
"FileName": "dtracehelper",
"FilePath": "/dev/",
"Timestamp": 1727004600
}
],
"GrandParentCommandLine": "/usr/sbin/cron",
"GrandParentImageFileName": "cron",
"GrandParentImageFilePath": "/usr/sbin/cron",
"HostGroups": "11,22,33",
"Hostname": "123",
"IOARuleGroupName": "macOS Custom Detections",
"IOARuleInstanceID": "73",
"IOARuleInstanceVersion": 3,
"IOARuleName": "Remote services. Remote login enabled",
"LocalIP": "1111",
"LocalIPv6": "",
"LogonDomain": "",
"MACAddress": "aa-bb-cc-dd-ee-df",
"MD5String": "123",
"Name": "Suspicious Activity",
"Objective": "Falcon Detection Method",
"ParentCommandLine": "/bin/sh -c /usr/sbin/systemsetup -setremotelogin on &> /dev/null",
"ParentImageFileName": "bash",
"ParentImageFilePath": "/bin/bash",
"ParentProcessId": 577551784277851239,
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionFlags": {
"BlockingUnsupportedOrDisabled": false,
"BootupSafeguardEnabled": false,
"CriticalProcessDisabled": false,
"Detect": false,
"FsOperationBlocked": false,
"HandleOperationDowngraded": false,
"InddetMask": false,
"Indicator": false,
"KillActionFailed": false,
"KillParent": false,
"KillProcess": false,
"KillSubProcess": false,
"OperationBlocked": false,
"PolicyDisabled": false,
"ProcessBlocked": false,
"QuarantineFile": false,
"QuarantineMachine": false,
"RegistryOperationBlocked": false,
"Rooting": false,
"SensorOnly": false,
"SuspendParent": false,
"SuspendProcess": false
},
"PatternDispositionValue": 0,
"PatternId": 41009,
"ProcessEndTime": 0,
"ProcessId": 577551784277851241,
"ProcessStartTime": 1727004600,
"SHA1String": "0000000000000000000000000000000000000000",
"SHA256String": "0467c233807480601368edac622e93c060ef7b3fcd444c0786956a7f1facb505",
"Severity": 10,
"SeverityName": "Informational",
"SourceProducts": "Falcon Insight",
"SourceVendors": "CrowdStrike",
"Tactic": "Custom Intelligence",
"Technique": "Indicator of Attack",
"Type": "ldt",
"UserName": "root"
}
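The sample detection above is what a SIEM parser has to flatten before it can be correlated. The following is an added example (not Hunters' or CrowdStrike's code) that normalizes such an event using only the field names shown on this page; the embedded input is condensed from the page's sample, and the set of flags treated as "preventive" is an assumption based on the flag names.

```python
import json
from datetime import datetime, timezone

# Condensed from this page's sample event; constructed test input, not live telemetry.
SAMPLE_EVENT = json.loads("""{
  "AgentId": "afwehw34h5a235h23h52",
  "CommandLine": "/usr/sbin/systemsetup -setremotelogin on",
  "FileName": "systemsetup", "ParentImageFileName": "bash", "GrandParentImageFileName": "cron",
  "FilesAccessed": [
    {"FileName": "systemsetup", "FilePath": "/usr/sbin/", "Timestamp": 1727004600},
    {"FileName": "pass", "FilePath": "/private/etc/", "Timestamp": 1727004600}
  ],
  "PatternDispositionFlags": {"Detect": false, "KillProcess": false,
                              "ProcessBlocked": false, "QuarantineFile": false},
  "PatternDispositionValue": 0,
  "ProcessStartTime": 1727004600,
  "Severity": 10, "SeverityName": "Informational", "Type": "ldt", "UserName": "root"
}""")

# Assumption: PatternDispositionFlags whose names denote a preventive action by the sensor.
PREVENTION_FLAGS = {"KillProcess", "KillParent", "KillSubProcess", "SuspendProcess",
                    "SuspendParent", "ProcessBlocked", "OperationBlocked", "FsOperationBlocked",
                    "RegistryOperationBlocked", "QuarantineFile", "QuarantineMachine"}

def process_lineage(event):
    """Ancestry chain 'grandparent > parent > process', skipping levels the event lacks."""
    names = (event.get("GrandParentImageFileName"),
             event.get("ParentImageFileName"), event.get("FileName"))
    return " > ".join(n for n in names if n)

def sensor_actions(event):
    """Names of the PatternDispositionFlags set to true, i.e. what the sensor actually did."""
    return sorted(k for k, v in event.get("PatternDispositionFlags", {}).items() if v is True)

def normalize(event):
    """Flatten a detection into the fields a SIEM correlation rule would key on."""
    actions = sensor_actions(event)
    return {
        "agent_id": event["AgentId"], "event_type": event["Type"], "user": event["UserName"],
        "severity": event["Severity"], "severity_name": event["SeverityName"],
        "command_line": event["CommandLine"],
        "process_lineage": process_lineage(event),
        # The stream carries epoch seconds; emit an unambiguous UTC timestamp instead.
        "process_start": datetime.fromtimestamp(event["ProcessStartTime"], tz=timezone.utc).isoformat(),
        # FilePath already ends with '/', so concatenation yields the full path.
        "files_accessed": [f["FilePath"] + f["FileName"] for f in event.get("FilesAccessed", [])],
        "actions": actions,
        # Detect-only when no preventive flag is set: the activity ran and needs analyst follow-up.
        "prevented": any(a in PREVENTION_FLAGS for a in actions),
    }
```

For the page's sample the result is a detect-only event (`prevented` is false) with lineage `cron > bash > systemsetup`, which is the signal an analyst needs to treat the remote-login change as having actually taken effect.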