Skip to main content

Crowdstrike Falcon

The Crowdstrike Falcon Matano managed log source lets you ingest your Crowdstrike Falcon logs directly into Matano.

This integration supports CrowdStrike Falcon SIEM-Connector-v2.0.

Usage

Use the managed log source by specifying the managed.type property in your log_source.yml as CROWDSTRIKE_FALCON.

name: "crowdstrike_falcon"

managed:
type: "CROWDSTRIKE_FALCON"

For example, if you want to ingest Crowdstrike Falcon logs (default table) into a log source named crowdstrike_falcon you should structure your subdirectory as follows:

my-matano-dir/
└── log_sources/
└── crowdstrike_falcon/
└── log_source.yml

For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.

Tables

The Crowdstrike Falcon managed log source supports the following tables:

  • default
    • Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from the Falcon SIEM Connector.

Ingest

S3 (default)

For a log source named crowdstrike_falcon, a file under the path crowdstrike_falcon/afe3c55a-8b05-4ac7-be76-b6fda08af95d/alerts.log will be routed to the default (crowdstrike_falcon) table.

S3 Path scheme to table:

  • * (all) -> default

Schema

Crowdstrike Falcon data is normalized to ECS fields. You can view the complete mappings to see the full schemas.