FALCON 202: Investigating and Querying Event Data With Falcon EDR
FALCON 202: Investigating and Querying Event Data with Falcon EDR is an intermediate-level course focused on advanced threat hunting and investigation techniques using CrowdStrike Falcon® Insight XDR. Through instructor-led walkthroughs and hands-on exercises, participants learn how to move from individual signals to structured investigations by analyzing event data, visualizing activity, correlating related events, and pivoting across users, hosts, processes, and infrastructure.
The course emphasizes how analysts think and work, from understanding event data and building investigation-driven queries to identifying abnormal behavior, developing hypotheses, and expanding investigations through correlation and pivoting. Participants gain practical experience using Falcon’s reporting, visualization, analysis, and automation capabilities to uncover suspicious activity, understand scope and impact, and support proactive threat hunting.
Course Highlights:
- Apply investigation-driven query techniques using CrowdStrike Query Language (CQL) and the Events Full Reference
- Analyze event data and behavioral patterns to identify suspicious or abnormal activity
- Leverage built-in reports, timelines, and visualizations to accelerate investigations and improve understanding
- Correlate related events across time, entities, and datasets to uncover meaningful patterns
- Develop and test threat hunting hypotheses using IOAs, IOCs, and Automated Leads
- Pivot intentionally across investigation data to expand visibility and avoid tunnel vision
