
CrowdStrike Raw Events


Overview

Table name: crowdstrike_raw_events

CrowdStrike raw events are the detailed event data captured by the Falcon sensor installed on each endpoint, covering a wide range of endpoint activity. Use Event Streams when you need raw, real-time event data for custom analysis and correlation in your own tools.

Send data to Hunters

Prerequisites

  • Create an AWS SQS queue and an S3 bucket.

  • Use:

    • Falcon Insight XDR

    • Falcon Data Replicator

Step 1: Connect Hunters to your CrowdStrike portal

  • Log into the CrowdStrike Falcon Portal (you can also follow the official CrowdStrike guide).

  • In the Falcon console, from the left-side menu, click Support and resources → Resources and tools → Falcon Data Replicator

    • On that page you should see:

      • FDR feeds tab (this is the one you want)

      • Possibly Audit log

      • Possibly FFC feeds (only if entitled)

    • If you don’t see “Falcon Data Replicator” at all:

      • You do not have the FDR subscription

      • Or you are not a Falcon Administrator

  • Important clarification: you do NOT need FFC; you need only the FDR feed (first-party / CrowdStrike sensor data).

  • There is NO separate “data replication setup” wizard anymore

    • FDR works like this now:

      • You create an FDR feed

      • CrowdStrike automatically provisions:

        • S3 bucket (unless you bring your own)

        • SQS queue

      • You consume the data

  • Find (or create) your FDR feed: go to Support and resources → Resources and tools → Falcon Data Replicator → FDR feeds, then check:

    • If you see an existing feed → Open the info panel → Note the S3 storage location, SQS URL, and Client ID → CrowdStrike is already sending data.

    • If you see no feeds → Create feed → Source: First-party data

      • Default settings (recommended initially)

      • Copy the Client ID + Secret immediately

      • Step 3: Decide storage model

        • CrowdStrike hosts S3, 7-day retention

        • Your own S3 bucket: requires a support ticket (for first-party data) and a bucket policy

    • Build your consumer (modern approach, recommended):

      • SQS → Lambda

      • Or SQS → ECS/Fargate (high volume)

        • Read SQS message

        • Fetch files from CrowdStrike S3

        • Copy to your S3 bucket

        • Delete SQS message
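The four consumer steps above, written out as a small polling consumer. This is an added example, not Hunters' or CrowdStrike's code. It assumes the notification layout used by CrowdStrike's public FDR sample consumer (`bucket`, `pathPrefix`, `files[].path`); the environment variable names, the `crowdstrike/fdr/` destination prefix and the `us-west-1` region default are this example's own choices, and the fake clients in its test stand in for real SQS/S3 endpoints. The FDR Client ID/Secret is an AWS key pair that can read CrowdStrike's queue and bucket but cannot write to yours, so the copy uses boto3's managed copy with `SourceClient` (read with the FDR credentials, write with your own). A message is deleted only after every file it announces has been copied; on any error it is left in the queue for redelivery.

```python
"""Minimal FDR consumer: read SQS notification -> fetch files from CrowdStrike's
bucket -> copy into our own bucket -> delete the notification."""
import json
import logging
from typing import Any, Dict, List, Tuple

log = logging.getLogger("fdr-consumer")

# Assumed notification layout (from CrowdStrike's public FDR sample consumer; verify
# against a real message): {"bucket": ..., "pathPrefix": ..., "files": [{"path": ...}]}
REQUIRED_FIELDS = ("bucket", "pathPrefix", "files")


def parse_fdr_notification(body: str) -> Dict[str, Any]:
    """Decode one SQS body and reject anything that is not a usable FDR notification,
    so a malformed or unrelated message is logged and retried, not silently dropped."""
    msg = json.loads(body)
    if not isinstance(msg, dict):
        raise ValueError("FDR notification must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in msg]
    if missing:
        raise ValueError(f"FDR notification missing fields: {missing}")
    files = msg["files"]
    if not isinstance(files, list) or any(not isinstance(f, dict) or "path" not in f for f in files):
        raise ValueError("'files' must be a list of entries that each carry a 'path'")
    return msg


def plan_copies(msg: Dict[str, Any], dest_prefix: str = "crowdstrike/fdr/") -> List[Tuple[str, str, str]]:
    """Map every announced object to (source bucket, source key, destination key).
    The source key is kept intact under dest_prefix so the CID/timestamp layout survives."""
    plans = []
    for entry in msg["files"]:
        key = str(entry["path"]).lstrip("/")
        # Never let a key taken from the queue steer writes outside the intended prefix.
        if not key or ".." in key.split("/"):
            raise ValueError(f"refusing suspicious object key: {entry['path']!r}")
        plans.append((msg["bucket"], key, dest_prefix + key))
    return plans


def copy_files(plans, dest_bucket: str, src_s3, dest_s3) -> int:
    """Stream each object from CrowdStrike's bucket into ours. boto3's managed copy
    with SourceClient reads using the FDR credentials and writes using our own."""
    for src_bucket, src_key, dest_key in plans:
        dest_s3.copy({"Bucket": src_bucket, "Key": src_key}, dest_bucket, dest_key, SourceClient=src_s3)
    return len(plans)


def run_once(sqs, src_s3, dest_s3, queue_url: str, dest_bucket: str, dest_prefix: str = "crowdstrike/fdr/") -> int:
    """One poll of the queue. A message is deleted only after all its files landed;
    on any error it stays in the queue so SQS redelivers it after the visibility
    timeout (or routes it to your dead-letter queue). Returns the number of files copied."""
    resp = sqs.receive_message(QueueUrl=queue_url, MaxNumberOfMessages=10, WaitTimeSeconds=20)
    copied = 0
    for m in resp.get("Messages", []):
        try:
            plans = plan_copies(parse_fdr_notification(m["Body"]), dest_prefix)
            copied += copy_files(plans, dest_bucket, src_s3, dest_s3)
        except Exception as exc:  # any failure means "do not acknowledge"
            log.error("leaving message in queue after error: %s", exc)
            continue
        sqs.delete_message(QueueUrl=queue_url, ReceiptHandle=m["ReceiptHandle"])
    return copied


def main() -> None:
    import os
    import boto3  # imported here so the helpers above stay importable without it
    # Two sessions: the FDR Client ID/Secret only reads CrowdStrike's queue and bucket;
    # your normal credentials write the destination. Variable names and the region
    # default are this example's assumptions.
    fdr = boto3.Session(
        aws_access_key_id=os.environ["FDR_CLIENT_ID"],
        aws_secret_access_key=os.environ["FDR_CLIENT_SECRET"],
        region_name=os.environ.get("FDR_REGION", "us-west-1"),
    )
    own = boto3.Session()
    n = run_once(fdr.client("sqs"), fdr.client("s3"), own.client("s3"),
                 os.environ["FDR_SQS_URL"], os.environ["DEST_BUCKET"])
    log.info("copied %d files", n)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    main()
```

For the SQS → Lambda variant, the event source mapping deletes the batch itself when the handler returns successfully, so only the explicit `delete_message` call belongs to the polling variant; the parse, plan and copy functions are reused unchanged, and raising on a bad message makes Lambda leave it for retry or the dead-letter queue.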

Step 2: Create a data source on Hunters

  • Route your CrowdStrike raw events into an AWS S3 bucket.

  • Once the export is complete and the logs are collected in S3, follow the steps in this section.
