
Crowdstrike Falcon

The Crowdstrike Falcon Matano managed log source lets you ingest your Crowdstrike Falcon logs directly into Matano.

This integration supports CrowdStrike Falcon SIEM-Connector-v2.0.


Use the managed log source by specifying the managed.type property in your log_source.yml as CROWDSTRIKE_FALCON.

name: "crowdstrike_falcon"

managed:
  type: "CROWDSTRIKE_FALCON"


For example, if you want to ingest Crowdstrike Falcon logs (default table) into a log source named crowdstrike_falcon you should structure your subdirectory as follows:

└── log_sources/
    └── crowdstrike_falcon/
        └── log_source.yml

For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.


The Crowdstrike Falcon managed log source supports the following tables:

  • default
    • Contains endpoint data and CrowdStrike Falcon platform audit data forwarded from the Falcon SIEM Connector.


S3 (default)

For a log source named crowdstrike_falcon, a file under the path crowdstrike_falcon/afe3c55a-8b05-4ac7-be76-b6fda08af95d/alerts.log will be routed to the default (crowdstrike_falcon) table.

S3 path scheme to table:

  • * (all) -> default
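The routing scheme above can be checked with a small standalone script. The example below is added for illustration and is not Matano's own routing code; it assumes the documented scheme (the log source name is the first path component, and the catch-all glob `*` sends every remaining path to the `default` table) and extends it to an ordered list of glob-to-table rules, which is how a log source with more than one table would be expressed. The `route_s3_key` function, the `ROUTING_RULES` and `MULTI_TABLE_RULES` names, and the `audit/*` rule are constructed for this example.

```python
import fnmatch
from typing import List, Optional, Tuple

# Rules documented on this page for the crowdstrike_falcon managed log source:
# every relative path ("*") is routed to the "default" table.
ROUTING_RULES: List[Tuple[str, str]] = [
    ("*", "default"),
]

# Constructed illustration of the generalised scheme: rules are matched in
# order, so a more specific glob can sit in front of the catch-all. This is
# NOT a rule Matano defines for CrowdStrike Falcon.
MULTI_TABLE_RULES: List[Tuple[str, str]] = [
    ("audit/*", "audit"),
    ("*", "default"),
]


def route_s3_key(
    log_source: str, key: str, rules: List[Tuple[str, str]] = ROUTING_RULES
) -> Optional[str]:
    """Return the destination table for an S3 object key.

    Returns None when the key does not sit under the log source prefix or
    when no rule matches, so callers can detect misrouted objects.
    """
    prefix = log_source.rstrip("/") + "/"
    if not key.startswith(prefix):
        return None
    relative = key[len(prefix):]
    if not relative:
        return None
    for pattern, table in rules:
        # fnmatchcase is used so "*" also spans "/" separators, matching the
        # "* (all)" semantics of the documented scheme.
        if fnmatch.fnmatchcase(relative, pattern):
            return table
    return None


if __name__ == "__main__":
    # Path quoted on this page for the crowdstrike_falcon log source.
    key = "crowdstrike_falcon/afe3c55a-8b05-4ac7-be76-b6fda08af95d/alerts.log"
    print(route_s3_key("crowdstrike_falcon", key))                     # default
    print(route_s3_key("crowdstrike_falcon", "other_source/x.log"))   # None
    print(route_s3_key("crowdstrike_falcon",
                       "crowdstrike_falcon/audit/events.log",
                       MULTI_TABLE_RULES))                              # audit
```

A `None` result is worth surfacing in your own tooling: an object landing under a different prefix is silently ignored by the log source, which is a common reason Falcon events appear to be missing from the `default` table.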


Crowdstrike Falcon data is normalized to ECS fields. You can view the complete mappings to see the full schemas.