drop crowdstrike falcon event export · parse detections + process rollup · runs locally
detections · process events · hunting csv · jsonl · local export only
heuristic screener · vendor schema varies · not definitive proof