CrowdStrike Falcon Data Replicator - Learn more about the CrowdStrike Falcon Data Replicator standard data source and content pack integrations in Cortex XSIAM. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-16
Category
Administrator Guide
Abstract

Learn more about the CrowdStrike Falcon Data Replicator standard data source and content pack integrations in Cortex XSIAM.

You can collect raw EDR event data from CrowdStrike Falcon Data Replicator (FDR) using either a standard data source or a content pack integration:

CrowdStrike Falcon Data Replicator vendor

Description

Standard collector overview

Forward raw EDR event data from CrowdStrike Falcon Data Replicator (FDR), which streams it to Amazon S3, to Cortex XSIAM using the CrowdStrike Falcon Data Replicator data source. In addition to all standard SIEM capabilities, this integration unlocks advanced Cortex XSIAM features, enabling comprehensive analysis of data from all sources, enhanced detection and response, and deeper visibility into CrowdStrike FDR data.

Link to standard collector instructions

Ingest raw EDR events from CrowdStrike Falcon Data Replicator

Links to content pack integration details

The CrowdStrike Falcon content pack contains automations that load the CrowdStrike process file content and transform the data. It also includes the following integration:

  • CrowdStrike Falcon: Use this integration to perform endpoint security operations such as fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment. It also provides commands for immediate response actions, such as running remote commands on hosts and managing custom Indicators of Compromise (IOCs).
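The standard collector overview above notes that FDR streams raw events to Amazon S3 before the data source forwards them to Cortex XSIAM. The following Python is an added example, not Cortex XSIAM or CrowdStrike code, of what any consumer of such an S3 drop has to do: read the per-batch notification that lists the gzipped newline-delimited JSON files, verify each object's size and checksum before trusting it, and decode the events. The notification fields (bucket, files, path, size, checksum) and the md5 checksum follow CrowdStrike's public FDR sample consumer as understood here and are an assumption; the bucket contents, the event records and the truncated object are constructed, and the in-memory FAKE_BUCKET stands in for S3 so the script runs offline.

```python
import gzip
import hashlib
import json


def _gz(events):
    """Gzip a list of dicts as newline-delimited JSON, the way FDR files are laid out (assumption)."""
    body = "".join(json.dumps(e) + "\n" for e in events)
    return gzip.compress(body.encode("utf-8"))


# Constructed stand-in for the S3 bucket FDR writes to: object key -> object bytes.
FAKE_BUCKET = {
    "data/batch-0001/part-00000.gz": _gz([
        {"event_simpleName": "ProcessRollup2", "aid": "aid-1",
         "timestamp": "1700000000000", "CommandLine": "powershell -enc QQBB"},
        {"event_simpleName": "DnsRequest", "aid": "aid-1",
         "timestamp": "1700000001000", "DomainName": "example.com"},
    ]),
    "data/batch-0001/part-00001.gz": _gz([
        {"event_simpleName": "ProcessRollup2", "aid": "aid-2",
         "timestamp": "1700000002000", "CommandLine": "cmd /c whoami"},
    ]),
}

# Constructed failure mode: the third object was cut short during upload,
# but the notification still describes the complete file.
_complete = _gz([{"event_simpleName": "NetworkConnectIP4", "aid": "aid-2",
                  "timestamp": "1700000003000", "RemoteAddressIP4": "192.0.2.10"}])
FAKE_BUCKET["data/batch-0001/part-00002.gz"] = _complete[: len(_complete) // 2]


def _describe(key, blob=None):
    """Build a notification 'files' entry (size + md5, per the assumed FDR layout)."""
    blob = FAKE_BUCKET[key] if blob is None else blob
    return {"path": key, "size": len(blob), "checksum": hashlib.md5(blob).hexdigest()}


# Constructed batch notification, shaped like the FDR SQS message (assumption).
NOTIFICATION = {
    "cid": "0123456789abcdef0123456789abcdef",
    "bucket": "fdr-bucket-example",
    "pathPrefix": "data/batch-0001",
    "fileCount": 3,
    "files": [
        _describe("data/batch-0001/part-00000.gz"),
        _describe("data/batch-0001/part-00001.gz"),
        _describe("data/batch-0001/part-00002.gz", blob=_complete),
    ],
}


def fetch_object(bucket, key):
    """Stand-in for S3 GetObject; a real collector would call the AWS SDK here."""
    return FAKE_BUCKET[key]


def read_batch(notification, fetch=fetch_object):
    """Return (events, rejected_paths). An object is rejected whole, never partially
    ingested, when its size or checksum disagrees with the notification or it does
    not decompress cleanly. md5 is an integrity check here, not a security control."""
    events, rejected = [], []
    for entry in notification["files"]:
        blob = fetch(notification["bucket"], entry["path"])
        if len(blob) != entry["size"] or hashlib.md5(blob).hexdigest() != entry["checksum"]:
            rejected.append(entry["path"])
            continue
        try:
            text = gzip.decompress(blob).decode("utf-8")
        except (OSError, EOFError, UnicodeDecodeError):
            rejected.append(entry["path"])
            continue
        for line in text.splitlines():
            if line.strip():
                events.append(json.loads(line))
    return events, rejected


def count_by_event(events):
    """Tally decoded events by event_simpleName, a first sanity check on what arrived."""
    counts = {}
    for e in events:
        name = e.get("event_simpleName", "<missing>")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    evts, bad = read_batch(NOTIFICATION)
    print(f"decoded {len(evts)} events, rejected {len(bad)} object(s): {bad}")
    print(count_by_event(evts))
```

Rejecting a mismatched object outright, rather than ingesting whatever decompresses, keeps a truncated or tampered drop from silently producing gaps in the EDR timeline; a real collector should also treat the queue's at-least-once delivery as a given and make ingestion of a notification idempotent, since the same batch can be handed to it twice.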