CrowdStrike Falcon Data Replicator

CrowdStrike Falcon Data Replicator is a tool designed to facilitate the integration and export of endpoint telemetry and threat data from the CrowdStrike Falcon platform to external storage solutions or SIEM systems. It captures critical security events, alerts, and activity logs generated by the Falcon agents, allowing organizations to analyze and correlate data for enhanced threat detection, incident response, and compliance reporting.

Setup

The CrowdStrike Falcon Data Replicator source is different than other S3 sources. Instead of needing to configure your bucket, and a role, CrowdStrike provides all of this configuration and information for you.

The information you’ll need to provide from CrowdStrike is:

1. AWS Access Key ID - This is a normal AWS Access Key, and it’s provided by CrowdStrike to authenticate to your CrowdStrike data.
2. AWS Secret Access Key - The secret key associated with your AWS Access Key ID.
3. SQS Queue URL - This queue URL provides RunReveal with notifications that new CrowdStrike data is available to be read.
4. Region - The region your S3 bucket calls home.

All of this information is required for the FDR source to work properly. Once provided and the source is created, your CrowdStrike data should begin flowing to RunReveal immediately.

Querying your CrowdStrike Data

Your CrowdStrike data will be available in a few different places in RunReveal

• crowdstrike_aidmaster_logs — Basic host data collected from CrowdStrike.
• crowdstrike_data_logs — Contains raw data from your CrowdStrike sensors.
• crowdstrike_managed_logs — Information collected from managed assets.

Additionally all CrowdStrike data is available in the logs table with the sourceType of crowdstrike-fdr.

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.