CrowdStrike Event Stream
The CrowdStrike Event Stream provides a continuous flow of real-time security events and telemetry data generated by the CrowdStrike Falcon platform. This stream captures critical information such as detected threats, endpoint activity, and alert notifications. Organizations can leverage the Event Stream for immediate threat analysis, integrating with SIEM systems, or creating custom dashboards for enhanced visibility and response to security incidents.
CrowdStrike logs are ingested by utilizing the CrowdStrike streaming events service that they offer. Every 60 seconds we connect to your CrowsStrike event streams and ingest any events that are forwarded.
Setup
Login to your CrowdStrike account and navigate to API clients and keys under the Support and resources section.
Create a new OAuth2 API Client from this page. Give the client a name and optional description. RunReveal only requires Read access to Event Streams for ingestion to work.
Save the Client ID, Client Secret, and Base URL that is displayed once created. You will need these when setting up your RunReveal source.
In RunReveal, create a new CrowdStrike source. Give it a name and fill in the values from your API client.
Once added CrowdStrike events should start ingesting within a few minutes.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: crowdstrike_event_logs (49 columns)
crowdstrike_event_logs (49 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | String |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
| Column | Type |
|---|---|
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
rawLog | String |
success | Bool |
utcTimestamp | DateTime |
message | String |
source | String |
apiClientId | String |
cid | String |
requestMethod | String |
requestPath | String |
statusCode | String |
userAgent | String |
traceId | String |
elapsedMicroseconds | String |
region | String |