Endpoints accessed by the CrowdStrike Intelligence collector


Available from v1.0.0

Data Source: Hosts
Subtype: -
Service: hosts
Table: edr.crowdstrike.falconstreaming.agents

Description

Hosts are endpoints that run the Falcon sensor. These endpoints return the inventory of sensor-managed hosts and the details of each agent.

Endpoints

  1. Listing: {base_url}/devices/queries/devices/v1

  2. Details: {base_url}/devices/entities/devices/v2

{base_url} is the Falcon API base URL for your CrowdStrike cloud region; see the config parameters for details.

Data Source: Incidents
Subtype: -
Service: incidents
Table: edr.crowdstrike.falconstreaming.incidents

Description

Incidents group related detections and behaviors observed on one or more hosts into a single case that can represent a cybersecurity threat or an attack in progress. These endpoints return the list of incident IDs and the details of each incident.

Endpoints

  1. Listing: {base_url}/incidents/queries/incidents/v1

  2. Details: {base_url}/incidents/entities/incidents/GET/v1

{base_url} is the Falcon API base URL for your CrowdStrike cloud region; see the config parameters for details.

Data Source: Spotlight Vulnerabilities
Subtype: -
Service: vulnerabilities
Table: edr.crowdstrike.falconstreaming.vulnerabilities
Alias: edr.crowdstrike.falcon_spotlight.vulnerabilities

Description

Vulnerabilities are known security weaknesses in an operating system, application, hardware, firmware, or other part of a computing stack. Falcon Spotlight reports the vulnerabilities it has identified on sensor-managed hosts.

Endpoints

  1. Listing: {base_url}/spotlight/queries/vulnerabilities/v1

  2. Details: {base_url}/spotlight/entities/vulnerabilities/v2

{base_url} is the Falcon API base URL for your CrowdStrike cloud region; see the config parameters for details.

Data Source: Behaviors
Subtype: -
Service: behaviors
Table: edr.crowdstrike.falconstreaming.behaviors

Description

Behaviors are the individual suspicious or malicious activities that Falcon observes on a host (each mapped to a tactic and technique) and correlates into incidents. Because they are the building blocks of incidents, they are served by the incidents API.

Endpoints

  1. Listing: {base_url}/incidents/queries/behaviors/v1

  2. Details: {base_url}/incidents/entities/behaviors/GET/v1

{base_url} is the Falcon API base URL for your CrowdStrike cloud region; see the config parameters for details.

Data Source: File Vantage
Subtype: -
Service: filevantage
Table: edr.crowdstrike.falcon_filevantage.change

Description

Collects data about changes to files, folders, and registry keys through the Falcon FileVantage APIs. Storing this change history supports the file integrity monitoring requirements and recommendations listed in the Sarbanes-Oxley Act (SOX), National Institute of Standards and Technology (NIST) publications, the Health Insurance Portability and Accountability Act (HIPAA), and others.

Endpoints

  1. Listing: {base_url}/filevantage/queries/changes/v2

  2. Details: {base_url}/filevantage/entities/changes/v2

{base_url} is the Falcon API base URL for your CrowdStrike cloud region; see the config parameters for details.

For more information on how the events are parsed, visit our page.

Available from v1.3.0

Data Source: Event Stream (eStream)
Service: estream
Subtype and Table:

  • AuthActivityAuditEvent: edr.crowdstrike.falconstreaming.auth_activity

  • IncidentSummaryEvent: edr.crowdstrike.falconstreaming.incident_summary

  • RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent: edr.crowdstrike.falconstreaming.remote_response_session

  • CustomerIOCEvent: edr.crowdstrike.falconstreaming.customer_ioc

  • Event_ExternalAPIEvent: edr.crowdstrike.falconstreaming.external_api

  • DetectionSummaryEvent: edr.crowdstrike.falconstreaming.detection_summary (status: deprecated by CrowdStrike; use EPPDetectionSummaryEvent and its epp_detection_summary table, available from v1.11.0)

  • UserActivityAuditEvent: the table depends on the event's event.ServiceName property (in lowercase):

    • groups: edr.crowdstrike.falconstreaming.user_activity_groups

    • devices: edr.crowdstrike.falconstreaming.user_activity_devices

    • detections: edr.crowdstrike.falconstreaming.user_activity_detections

    • quarantined_files: edr.crowdstrike.falconstreaming.user_activity_quarantined_files

    • ip_whitelist: edr.crowdstrike.falconstreaming.user_activity_ip_whitelist

    • prevention_policy: edr.crowdstrike.falconstreaming.user_activity_prevention_policy

    • sensor_update_policy: edr.crowdstrike.falconstreaming.user_activity_sensor_update_policy

    • device_control_policy: edr.crowdstrike.falconstreaming.user_activity_device_control_policy

Description

The Streaming API (eStream) delivers several types of events as they occur; each event type listed above is written to its own table.

Endpoints

The endpoints are generated dynamically, following this (simplified) procedure:

  1. Once an authentication token has been obtained, the collector requests {base_url}/sensors/entities/datafeed/v2 to obtain the available "Data Feeds".

    1. {base_url} is the Falcon API base URL for your CrowdStrike cloud region; see the config parameters for details.

  2. Each Data Feed contains a stream URL and a session token. Requesting each URL with its token returns a streaming response in which every non-empty line is a separate event.

    1. Every Data Feed also contains a "refresh stream" URL, which the collector calls before 30 minutes elapse so that the session does not expire.

    2. All Data Feeds are processed in parallel. The number of available Data Feeds depends on the CrowdStrike account's configuration.
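The procedure in steps 1 and 2, together with the ServiceName routing for UserActivityAuditEvent in the table above, as an added Python example that is not the collector's own code. It assumes each streamed line is a JSON object with metadata.eventType, metadata.offset and an event object, that the datafeed response names its fields dataFeedURL, sessionToken.token and refreshActiveSessionURL, and that the session token is sent as an Authorization: Token header; none of those names appear on this page. The live HTTP stream is replaced by constructed byte chunks so the example runs offline.

```python
"""Added example, not the collector's code: consume one Data Feed as steps 1-2
describe, split the stream into one event per non-empty line, and route
UserActivityAuditEvent by event.ServiceName. Assumed (not on the page): lines
are JSON objects {"metadata": {"eventType", "offset"}, "event": {...}}; the
datafeed fields are dataFeedURL, sessionToken.token, refreshActiveSessionURL;
the live stream is replaced by constructed byte chunks so this runs offline."""
import json
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

TABLE_PREFIX = "edr.crowdstrike.falconstreaming."
REFRESH_INTERVAL_S = 25 * 60  # page: the refresh URL must be called in under 30 min

EVENT_TABLES = {  # eventType -> table suffix, as listed on this page
    "AuthActivityAuditEvent": "auth_activity",
    "IncidentSummaryEvent": "incident_summary",
    "RemoteResponseSessionStartEvent": "remote_response_session",
    "RemoteResponseSessionEndEvent": "remote_response_session",
    "CustomerIOCEvent": "customer_ioc",
    "Event_ExternalAPIEvent": "external_api",
    "DetectionSummaryEvent": "detection_summary",  # deprecated by CrowdStrike
    "EPPDetectionSummaryEvent": "epp_detection_summary",
}
USER_ACTIVITY_SERVICES = {  # UserActivityAuditEvent splits on lower-cased ServiceName
    "groups", "devices", "detections", "quarantined_files", "ip_whitelist",
    "prevention_policy", "sensor_update_policy", "device_control_policy",
}


def stream_request(feed: dict, last_offset: Optional[int] = None) -> Tuple[str, Dict[str, str]]:
    """(URL, headers) for step 2; on reconnect, resume just past the last offset seen."""
    url = feed["dataFeedURL"]
    if last_offset is not None:
        url += ("&" if "?" in url else "?") + f"offset={last_offset + 1}"
    return url, {"Authorization": f"Token {feed['sessionToken']['token']}"}  # assumed header form


def refresh_due(session_started: float, now: float) -> bool:
    """True once refreshActiveSessionURL must be called to keep the stream alive."""
    return now - session_started >= REFRESH_INTERVAL_S


def route(evt: dict) -> Optional[str]:
    """Destination table for one event, or None where the page lists no table."""
    etype = evt.get("metadata", {}).get("eventType")
    if etype == "UserActivityAuditEvent":
        svc = str(evt.get("event", {}).get("ServiceName", "")).lower()
        return TABLE_PREFIX + "user_activity_" + svc if svc in USER_ACTIVITY_SERVICES else None
    suffix = EVENT_TABLES.get(etype)
    return TABLE_PREFIX + suffix if suffix else None


def iter_lines(chunks: Iterable[bytes]) -> Iterator[bytes]:
    """Reassemble a chunked body into complete lines; blank lines are not events."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        while (nl := buf.find(b"\n")) >= 0:
            line, buf = buf[:nl], buf[nl + 1:]
            if line.strip():
                yield line
    if buf.strip():  # final line delivered without a trailing newline
        yield buf


def consume(chunks: Iterable[bytes]) -> Tuple[Dict[str, int], int, Optional[int]]:
    """Route every event; return per-table counts, dropped count and last offset."""
    counts: Dict[str, int] = {}
    dropped, last_offset = 0, None
    for line in iter_lines(chunks):
        try:
            evt = json.loads(line)
            if not isinstance(evt, dict):
                raise ValueError("event line is not a JSON object")
        except ValueError:
            dropped += 1  # one malformed line must not kill the whole stream
            continue
        last_offset = evt.get("metadata", {}).get("offset", last_offset)
        table = route(evt)
        if table is None:
            dropped += 1
            continue
        counts[table] = counts.get(table, 0) + 1
    return counts, dropped, last_offset


SAMPLE_EVENTS = [  # constructed sample events, not real Falcon data
    {"metadata": {"eventType": "UserActivityAuditEvent", "offset": 1},
     "event": {"ServiceName": "Groups", "OperationName": "createGroup"}},
    {"metadata": {"eventType": "UserActivityAuditEvent", "offset": 2},
     "event": {"ServiceName": "prevention_policy"}},
    {"metadata": {"eventType": "UserActivityAuditEvent", "offset": 3},
     "event": {"ServiceName": "some_other_service"}},
    {"metadata": {"eventType": "RemoteResponseSessionStartEvent", "offset": 4}, "event": {}},
    {"metadata": {"eventType": "EPPDetectionSummaryEvent", "offset": 5}, "event": {}},
]


def sample_chunks() -> List[bytes]:
    """One event per line with blank lines and a bad line, split mid-line into chunks."""
    body = b"\n\n".join(json.dumps(e).encode() for e in SAMPLE_EVENTS) + b"\nnot json\n"
    return [body[:37], body[37:120], body[120:]]


if __name__ == "__main__":
    print(consume(sample_chunks()))
```

The buffering in iter_lines is the part that matters in production: a chunked HTTP body splits lines at arbitrary byte boundaries, so an event is only complete at the newline. Tracking the last metadata.offset lets a reconnect resume where the previous session stopped instead of replaying or losing events, and a service not listed in the table is counted as dropped rather than guessed into a table.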

For more information on how the events are parsed, visit our page.

Available from v1.10.0

Data Source: Alerts
Subtype: -
Service: alerts
Table: edr.crowdstrike.falconstreaming.alert

Description

Alerts are the individual detections the Falcon platform raises, for example on a malicious process or a suspicious sequence of behaviors on a host. The Alerts API supersedes CrowdStrike's older Detects API.

Endpoints

  1. Listing: {base_url}/alerts/queries/alerts/v2

  2. Details: {base_url}/alerts/entities/alerts/GET/v2

{base_url} is the Falcon API base URL for your CrowdStrike cloud region; see the config parameters for details.

For more information on how the events are parsed, visit our page.

Available from v1.11.0

Data Source: Event Stream (eStream)
Subtype: EPPDetectionSummaryEvent
Service: estream
Table: edr.crowdstrike.falconstreaming.epp_detection_summary

Description

Endpoint protection platform (EPP) detection summaries. This event type replaces DetectionSummaryEvent, which CrowdStrike has deprecated (see the Event Stream table under v1.3.0).

Endpoints

The same dynamically generated Data Feed endpoints as for the other Event Stream (eStream) subtypes: once an authentication token has been obtained, the collector requests {base_url}/sensors/entities/datafeed/v2 to obtain the Data Feeds, streams each feed URL with its session token (every non-empty line is one event), calls each feed's "refresh stream" URL before 30 minutes elapse, and processes all feeds in parallel. {base_url} is the Falcon API base URL for your CrowdStrike cloud region; see the config parameters for details.

For more information on how the events are parsed, visit our page.

Available from v1.12.0

Data Source: Indicators
Subtype: -
Service: indicators
Table: edr.crowdstrike.falconstreaming.indicators

Description

The Indicators endpoints allow you to query CrowdStrike threat intelligence indicators by various criteria: indicators attributed to particular adversaries, indicators at a given confidence level, indicators associated with intelligence reports, and so on.

Endpoints

  1. Listing: {base_url}/intel/queries/indicators/v1

  2. Details: {base_url}/intel/entities/indicators/GET/v1

{base_url} is the Falcon API base URL for your CrowdStrike cloud region; see the config parameters for details.
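Every REST data source on this page (Hosts, Incidents, Spotlight Vulnerabilities, Behaviors, File Vantage, Alerts, Indicators) follows the same two-step pattern: page through the Listing (/queries/) endpoint for IDs, then fetch the full records from the Details (/entities/) endpoint in batches. The following Python is an added example, not the collector's own code. It assumes the query endpoints paginate with offset/limit parameters and return meta.pagination.total plus a resources list of IDs, and that the entity endpoints take a batch of IDs and return resources and errors lists; the page states none of that. The HTTP layer is injected as two callables and replaced by a constructed fake so the example runs offline.

```python
"""Added example (not the collector's code): the Listing -> Details pattern
shared by every REST data source on this page.

Assumptions, not stated on the page: a /queries/ endpoint paginates with
offset/limit query parameters and returns
  {"meta": {"pagination": {"offset", "limit", "total"}}, "resources": [ids]};
an /entities/ endpoint takes a batch of ids and returns
  {"resources": [records], "errors": [...]};
HTTP is injected as two callables so the code runs offline.
"""
from itertools import islice
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple

QueryFn = Callable[[str, dict], dict]        # (path, query params) -> JSON
EntityFn = Callable[[str, List[str]], dict]  # (path, ids) -> JSON

# Listing/Details endpoint pairs as documented on this page
SOURCES: Dict[str, Tuple[str, str]] = {
    "hosts": ("/devices/queries/devices/v1", "/devices/entities/devices/v2"),
    "incidents": ("/incidents/queries/incidents/v1", "/incidents/entities/incidents/GET/v1"),
    "vulnerabilities": ("/spotlight/queries/vulnerabilities/v1", "/spotlight/entities/vulnerabilities/v2"),
    "behaviors": ("/incidents/queries/behaviors/v1", "/incidents/entities/behaviors/GET/v1"),
    "filevantage": ("/filevantage/queries/changes/v2", "/filevantage/entities/changes/v2"),
    "alerts": ("/alerts/queries/alerts/v2", "/alerts/entities/alerts/GET/v2"),
    "indicators": ("/intel/queries/indicators/v1", "/intel/entities/indicators/GET/v1"),
}


def list_ids(query: QueryFn, path: str, page_size: int = 100,
             filter_expr: str = "") -> Iterator[str]:
    """Walk a /queries/ endpoint page by page, yielding each id once."""
    seen = set()
    offset = 0
    while True:
        params = {"offset": offset, "limit": page_size}
        if filter_expr:
            params["filter"] = filter_expr  # FQL, e.g. "last_seen:>'2024-01-01'"
        body = query(path, params)
        ids = body.get("resources") or []
        for item in ids:
            if item not in seen:  # new records shift later pages; never emit twice
                seen.add(item)
                yield item
        total: Optional[int] = body.get("meta", {}).get("pagination", {}).get("total")
        offset += len(ids)
        if not ids or (total is not None and offset >= total):
            return


def batched(items: Iterable[str], size: int) -> Iterator[List[str]]:
    """Group an id stream into lists of at most `size` for one Details call."""
    it = iter(items)
    while chunk := list(islice(it, size)):
        yield chunk


def collect(source: str, query: QueryFn, entities: EntityFn,
            page_size: int = 100, batch_size: int = 50,
            filter_expr: str = "") -> List[dict]:
    """Listing then Details: page through ids, then fetch full records in batches."""
    list_path, detail_path = SOURCES[source]
    records: List[dict] = []
    for ids in batched(list_ids(query, list_path, page_size, filter_expr), batch_size):
        body = entities(detail_path, ids)
        if body.get("errors"):  # per-request problems are reported here, not via status
            raise RuntimeError(f"{detail_path}: {body['errors']}")
        records.extend(body.get("resources") or [])
    return records


class FakeFalcon:
    """Constructed stand-in for the Falcon API so the example runs offline."""

    def __init__(self, source: str, records: List[dict], id_field: str):
        self.list_path, self.detail_path = SOURCES[source]
        self.records = {r[id_field]: r for r in records}
        self.calls: List[str] = []

    def query(self, path: str, params: dict) -> dict:
        assert path == self.list_path, path
        self.calls.append(path)
        ids = list(self.records)
        off, lim = params["offset"], params["limit"]
        return {"meta": {"pagination": {"offset": off, "limit": lim, "total": len(ids)}},
                "resources": ids[off:off + lim]}

    def entities(self, path: str, ids: List[str]) -> dict:
        assert path == self.detail_path, path
        self.calls.append(path)
        return {"resources": [self.records[i] for i in ids if i in self.records], "errors": []}


# Constructed sample incidents (not real Falcon data)
SAMPLE_INCIDENTS = [{"incident_id": f"inc:{n:04d}", "status": 20, "fine_score": 10 * n}
                    for n in range(1, 6)]


def demo() -> Tuple[List[str], List[str]]:
    """Collect the five sample incidents two at a time; return ids and the call log."""
    api = FakeFalcon("incidents", SAMPLE_INCIDENTS, "incident_id")
    out = collect("incidents", api.query, api.entities, page_size=2, batch_size=2)
    return [r["incident_id"] for r in out], api.calls


if __name__ == "__main__":
    print(demo())
```

Against the live API the two callables would prepend {base_url}, send the OAuth2 bearer token, and, for the Details paths ending in /GET/, post the IDs as a JSON body rather than as query parameters. The dedupe in list_ids matters because records arriving between two page requests shift the later pages; for incremental collection, pass an FQL filter on a timestamp instead of walking the whole set, since offset-based pagination is capped on large result sets.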
