Crowdstrike Falcon
The Crowdstrike Falcon Matano managed log source lets you ingest your Crowdstrike Falcon logs directly into Matano.
This integration supports CrowdStrike Falcon SIEM-Connector-v2.0.
Usage
Use the managed log source by specifying the managed.type property in your log_source.yml as CROWDSTRIKE_FALCON.
name: "crowdstrike_falcon"
managed:
  type: "CROWDSTRIKE_FALCON"
For example, if you want to ingest Crowdstrike Falcon logs (default table) into a log source named crowdstrike_falcon, you should structure your subdirectory as follows:
my-matano-dir/
└── log_sources/
    └── crowdstrike_falcon/
        └── log_source.yml
For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.
Tables
The Crowdstrike Falcon managed log source supports the following tables:
- default - Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from the Falcon SIEM Connector.
Ingest
S3 (default)
For a log source named crowdstrike_falcon, a file under the path crowdstrike_falcon/afe3c55a-8b05-4ac7-be76-b6fda08af95d/alerts.log will be routed to the default (crowdstrike_falcon) table.
S3 Path scheme to table:
- *(all) -> default
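The routing rule above (every object under the log source prefix lands in the default table) can be checked before objects are uploaded. The following Python is an added illustration, not Matano's own routing code; the config dict is constructed to mirror the log_source.yml on this page, and in real use it would be loaded from that file.

```python
"""Illustrative check of the S3 key -> table routing for the Crowdstrike Falcon managed log source."""
from __future__ import annotations

# Constructed: mirrors the three-line log_source.yml shown in the Usage section.
LOG_SOURCE_CONFIG = {
    "name": "crowdstrike_falcon",
    "managed": {"type": "CROWDSTRIKE_FALCON"},
}


def validate_config(cfg: dict) -> str:
    """Return the log source name if the config declares the managed Falcon type."""
    managed = cfg.get("managed") or {}
    if managed.get("type") != "CROWDSTRIKE_FALCON":
        raise ValueError(f"unexpected managed.type: {managed.get('type')!r}")
    name = cfg.get("name")
    if not name:
        raise ValueError("log source needs a name")
    return name


def route_key(key: str, log_source_name: str) -> str | None:
    """Map an S3 object key to a table name.

    Keys are expected as <log source name>/<anything>/<file>; anything outside the
    log source prefix is not routed at all (None), so a misplaced upload is caught
    instead of silently landing in the wrong table.
    """
    prefix, sep, rest = key.partition("/")
    if sep != "/" or prefix != log_source_name or not rest:
        return None
    # Path scheme for this managed source: *(all) -> default
    return "default"


def table_name(log_source_name: str, table: str) -> str:
    """The default table is named after the log source (e.g. crowdstrike_falcon)."""
    if table != "default":
        raise ValueError("only the default table is defined for this managed source")
    return log_source_name


if __name__ == "__main__":
    name = validate_config(LOG_SOURCE_CONFIG)
    key = "crowdstrike_falcon/afe3c55a-8b05-4ac7-be76-b6fda08af95d/alerts.log"
    table = route_key(key, name)
    print(key, "->", table, "(" + table_name(name, table) + ")")
```

Run it as a script and it reports that the example key from this section is routed to the default (crowdstrike_falcon) table; a key under any other prefix yields None.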
Schema
Crowdstrike Falcon data is normalized to ECS fields. You can view the complete mappings to see the full schemas.