Skip to content
CrowdStrike Developer Center

Stream & Analyze Data

Security data is only valuable when you can search it, correlate it, and act on it. CrowdStrike gives you Next-Gen SIEM for CQL queries across petabytes of telemetry, Event Streams for real-time data pipelines, Falcon Data Replicator (FDR) for bulk export, and Foundry LogScale for third-party log ingestion. The SDKs connect your code to all of it.

SIEM Connectors

Stream Falcon events into Splunk, Elastic, or your custom data lake.

Real-Time Pipelines

Process Event Streams for immediate notification on critical events.

Data Export

Replicate Falcon telemetry to cloud storage via FDR.

CQL Dashboards

Query petabytes of security telemetry in Next-Gen SIEM.

LogScale Ingestion

Ingest third-party log sources alongside native Falcon data.

Correlation Rules

Combine Falcon detections with data from other security tools.

API Service Collections

Section titled “API Service Collections”

Data Pipelines & SIEM

Section titled “Data Pipelines & SIEM”

The core APIs for streaming, querying, and exporting security telemetry.

  • NGSIEM - Execute CQL queries against CrowdStrike Next-Gen SIEM. Search, filter, and aggregate security events at scale.
  • Event Streams - Subscribe to real-time event streams for continuous data ingestion. Receive detections, audit events, and platform notifications as they happen.
  • FDR - Access Falcon Data Replicator for bulk telemetry export to your data lake or SIEM.
  • Foundry LogScale - Interact with LogScale for high-performance log management and querying.

Correlation & Rules

Section titled “Correlation & Rules”

Build custom detection logic and correlation rules on top of your data.

  • Correlation Rules - Create and manage custom correlation rules that trigger on specific event patterns.
  • Custom IOA - Define custom Indicators of Attack that generate detections based on behavioral patterns.

Reporting & Scheduling

Section titled “Reporting & Scheduling”

Automate data extraction and reporting on a schedule.

  • Scheduled Reports - Configure recurring reports that extract and deliver data automatically.
  • Report Executions - Track report run status and retrieve completed results.

Supporting APIs

Section titled “Supporting APIs”
  • Alerts - Query alert data for correlation with external event sources.
  • Hosts - Enrich streaming events with host context and device metadata.
  • Intel - Correlate streaming events with threat intelligence for adversary attribution.

Developer Resources

Section titled “Developer Resources”

Falcon Foundry

Section titled “Falcon Foundry”

Several Foundry samples directly address data integration. The LogScale sample ingests third-party data into LogScale. The ServiceNow ITSM sample demonstrates connecting external platforms and routing data through Fusion SOAR workflows.

Falcon MCP

Section titled “Falcon MCP”

The Falcon MCP NGSIEM module executes CQL queries against Next-Gen SIEM through AI assistants. Use it to search events, test queries interactively, and explore telemetry before building automated pipelines.

Falcon Next-Gen SIEM

Section titled “Falcon Next-Gen SIEM”

If you’re ingesting third-party log sources into LogScale, you’ll need to write parsers that normalize the data into a searchable format. The Parser Template gives you a working starter with four downloadable examples (AWS CloudTrail, AWS RDS MySQL, AWS WAF, Zscaler Deception). Your parsers must follow the CrowdStrike Parsing Standard - which maps fields to Elastic Common Schema (ECS) with documented deviations - and use standardized values from the Module Guidelines and Vendor Guidelines.

© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use