There is a way to make a change to the parser to make alerts show up again as alerts. We turned them off as first-order objects because people were getting swamped with device alerts plus corresponding rule alerts. Often you can write rules referenci...

Aigh - yes. I had CS on my mind from a separate post. Minus the S3 bucket (though it's not outlandish to imagine someone having that data in an S3 bucket), the answers still apply.

If your Crowdstrike package includes AWS S3 storage of the events, you can establish a cloud-to-cloud transfer between that S3 bucket and Chronicle, bypassing the need for a GCS bucket. Other options include using an ingestion key with a log manageme...

CS_EDR is the data coming out of Crowdstrike Falcon Data Replicator; it's a massive firehose of raw telemetry as well as alerts. CS_DETECTS is part of the CS managed service where they are monitoring your endpoints and flagging findings. CS_STREAM is...

Yes, you should be able to do that. There are two ways to get to Reference Lists in Chronicle following the recent UI switch: in UDM Search (look for lists) or the Rules Editor (look at the bottom left and you should see an Open button, which will al...