Overview
Use Notebooks to access raw data and to create and share documents that include live data from the Hunters platform. This allows for investigations, visualizations, and explanations of events and data within your organization.
Creating A Notebook
To start working with Notebooks, follow these easy steps:
- From the left menu pane, navigate to Data > Notebooks.
- Click New Notebook.
- Choose a name for your Notebook.
- Choose a connector for your Notebook.
Depending on your level of permissions and your environment, you may have more than one connector. By default, most users only have the standard connector to their security data lake.
Once created, you can edit, share, or delete Notebooks.
Looking Around
Table/Column Sidebar
The table/column sidebar on the left allows users to search their available data.
To switch between columns or tables, use the toggle switch at the top of the sidebar.
Notebook Main Content
On the right side is the Notebook main content, which allows users to write custom queries or text to their Notebooks.
Controls
At the top of the page are the following controls:
- Run All Cells - Runs all queries currently defined
- Add New Notebook Entry (SQL, Text) - Adds a new box to the Notebook content
- Save - Saves the Notebook
- Close - Closes the Notebook and returns to the previous screen
- Share - Shares the Notebook with team members
- Find and Replace
- Keyboard Shortcuts
Writing A Notebook
Now, it's time to write our first Notebook.
Creating A Query
- Create a text box, and enter a title for your query in the top bar, for example:
CrowdStrike Detections Last Month
- Give the query a human-readable description, for example:
Review the CrowdStrike detections from the previous month.
- Add a new SQL field, and give it a descriptive title, for example:
crowdstrike_detections_previous_month
- Enter your query in the query box, for example:
SELECT CREATED_TIMESTAMP AS "Detection time",
       RAW:behaviors[0]:description AS "Description",
       RAW:behaviors[0]:device_id AS "Agent ID"
FROM RAW.CROWDSTRIKE_DETECTS
WHERE CREATED_TIMESTAMP BETWEEN '2022-07-01 00:00:00' AND '2022-08-01 00:00:00'
ORDER BY CREATED_TIMESTAMP DESC
- Click Run SQL to run the query and view the query results.
- Click Save to save your Notebook changes.
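As an added example (not from the Hunters documentation), the following query goes beyond the one above: it flattens every entry in behaviors rather than only behaviors[0], computes the previous calendar month from the current date instead of hard-coding it, and uses a half-open range so the first instant of the following month is not counted. It assumes a Snowflake-compatible connector and that RAW holds the CrowdStrike detection JSON; the severity, tactic and technique fields are assumed from the CrowdStrike Detects API and should be confirmed in the column sidebar before relying on them.

```sql
-- Added example, not part of the Hunters documentation.
-- Assumes a Snowflake-compatible connector and that RAW holds the CrowdStrike
-- detection JSON. behaviors[].severity, tactic and technique are assumed from
-- the CrowdStrike Detects API; confirm the names in the column sidebar.
WITH flat_behaviors AS (
    SELECT d.CREATED_TIMESTAMP          AS detection_time,
           b.value:device_id::STRING    AS agent_id,
           b.value:severity::NUMBER     AS severity,
           b.value:tactic::STRING       AS tactic,
           b.value:technique::STRING    AS technique,
           b.value:description::STRING  AS description
    FROM RAW.CROWDSTRIKE_DETECTS d,
         -- one row per behavior, not just behaviors[0]
         LATERAL FLATTEN(input => d.RAW:behaviors) b
    -- previous calendar month, half-open: [start of last month, start of this month)
    WHERE d.CREATED_TIMESTAMP >= DATE_TRUNC('month', DATEADD(month, -1, CURRENT_DATE()))
      AND d.CREATED_TIMESTAMP <  DATE_TRUNC('month', CURRENT_DATE())
)
SELECT tactic,
       technique,
       COUNT(*)                 AS behavior_count,
       COUNT(DISTINCT agent_id) AS affected_agents,
       MAX(severity)            AS max_severity,
       MIN(detection_time)      AS first_seen,
       MAX(detection_time)      AS last_seen,
       -- one representative description per tactic/technique for triage context
       ANY_VALUE(description)   AS example_description
FROM flat_behaviors
GROUP BY tactic, technique
-- NULLS LAST so behaviors without a severity do not sort to the top
ORDER BY max_severity DESC NULLS LAST, behavior_count DESC;
```

The query stays well under the 5000-character limit noted below; if the FLATTEN over a large month approaches the 30-minute timeout, narrow the date range first.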
Notebooks have the following limitations:
- Query Timeout Limit: 30 Minutes
- Query Character Limit: 5000 Characters