Question

CrowdStrike Falconstream Logs

  • April 8, 2026
  • 1 reply
  • 22 views

rpdt

What is the difference between collecting the CrowdStrike Falcon logs vs the CrowdStrike FalconStream logs? I notice there are parsers for both, but was wondering whether one provided any particular advantage over the other?


We are after the logs which provide the most detail about the environment, and are also looking at using Bindplane. Any insight would be appreciated!

1 reply

hzmndt
Staff
  • April 9, 2026

Based on the information retrieved, here's the difference between collecting CrowdStrike Falcon logs and CrowdStrike FalconStream logs within the Google SecOps context:

  1. CrowdStrike Falcon Logs (General Term): This refers to the various types of logs generated by CrowdStrike Falcon. Google Security Operations (Chronicle) supports multiple types, including:

    • CS_EDR (Endpoint Detection and Response): These logs come from the Falcon Data Replicator (FDR). This method is considered the "Gold Standard" and provides high-volume, raw telemetry data, including deep details on endpoint activities like file access, registry modifications, network connections, and process executions. This is the most detailed log source and is essential for deep threat hunting and for enabling all features in Google SecOps, including Curated Detections. FDR logs are typically ingested from an AWS S3 bucket or Google Cloud Storage.
    • CS_ALERTS: Parses alerts from the CrowdStrike Alerts API. This provides higher-level summaries of security alerts.
    • CS_DETECTS: Parses Detection Summary events. Note: This endpoint is deprecated by CrowdStrike, and CS_ALERTS is recommended instead.
    • CS_IOC: Indicators of Compromise data from CrowdStrike Threat Intelligence.
    • CS_CEF_EDR: Logs formatted in CEF.
  2. CrowdStrike FalconStream Logs (CS_STREAM): This specifically refers to logs obtained via the Falcon Streaming API.

    • This method is generally used for lower-volume data, such as alerts, detections, and mobile events.
    • It often involves using CrowdStrike's SIEM Connector, which fetches data from the Streaming API and can forward it in formats like Syslog, LEEF, or CEF.
    • Bindplane can be used as an agent to receive these logs from the SIEM Connector and forward them to Google Security Operations, as detailed in the Collect CrowdStrike Falcon Stream logs documentation.
    • While useful, logs from the Streaming API (CS_STREAM) are generally less detailed than the raw telemetry from FDR (CS_EDR) and are not sufficient for Google SecOps Curated Detections to function.

Key Differences & Advantages:

  • Detail Level: CS_EDR (from FDR) provides the most detail. It contains raw endpoint telemetry, crucial for in-depth analysis and threat hunting. CS_STREAM provides alerts and event summaries, which are less granular.
  • Use Case:
    • Choose CS_EDR (FDR) if you need the richest dataset for security analysis, threat hunting, and to leverage the full capabilities of Google Security Operations, including Curated Detections.
    • Choose CS_STREAM (Streaming API) if you primarily need to ingest alerts and summarized events, or for lower-volume data.
  • Bindplane: Bindplane can be used in conjunction with the CrowdStrike SIEM Connector to collect CS_STREAM logs. It acts as an intermediary to receive the syslog/CEF output and send it to Google Security Operations.

Given you are after the logs which provide the most detail about the environment, you should prioritize ingesting CrowdStrike Falcon EDR logs (CS_EDR) from the Falcon Data Replicator (FDR).
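The reply above notes that the SIEM Connector forwards Streaming API data as Syslog, LEEF or CEF, and that this output is an alert summary rather than raw telemetry. A quick way to see what actually arrives at the collector is to parse a CEF line the way Bindplane or any syslog receiver would before forwarding it. The parser below is an added example written for this thread; it is not code from CrowdStrike, Google or Bindplane, and the sample line, its vendor/product strings and its extension keys are constructed for illustration. It follows the CEF escaping rules (`\|` and `\\` in the header, `\=` and `\\` in the extension) and the standard CEF severity bands, and it tolerates an RFC 3164 syslog prefix in front of the `CEF:` marker.

```python
import re
from dataclasses import dataclass

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


@dataclass
class CefEvent:
    header: dict
    extension: dict


def _split_header(text: str) -> list[str]:
    """Split on unescaped '|' into the 7 header fields plus the raw extension."""
    parts, buf, i = [], [], 0
    while i < len(text) and len(parts) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])          # escaped pipe or backslash
            i += 2
        elif ch == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf) + text[i:])    # whatever remains is the extension
    return parts


def _parse_extension(ext: str) -> dict:
    """Parse 'key=value key2=value with spaces' pairs; keys are alphanumeric tokens at a word start."""
    keys = list(re.finditer(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=", ext))
    result = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        # undo extension-level escapes: '\=' -> '=', '\\' -> '\'
        result[m.group(1)] = re.sub(r"\\([\\=])", r"\1", raw)
    return result


def parse_cef(line: str) -> CefEvent:
    """Parse one CEF line, optionally wrapped in a syslog prefix such as '<14>Apr 9 10:15:01 host '."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = _split_header(line[start + len("CEF:"):])
    if len(parts) != 8:
        raise ValueError("CEF header must contain 7 pipe-separated fields")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    return CefEvent(header=header, extension=_parse_extension(parts[7]))


def severity_level(event: CefEvent) -> str:
    """Map the CEF 0-10 severity to the bands the CEF spec defines."""
    try:
        sev = int(event.header["severity"])
    except ValueError:
        return "Unknown"
    if sev <= 3:
        return "Low"
    if sev <= 6:
        return "Medium"
    if sev <= 8:
        return "High"
    return "Very-High"


# Constructed sample: a syslog-wrapped CEF line shaped like a SIEM Connector alert summary.
# Vendor/product strings, keys and values are illustrative, not a real connector capture.
SAMPLE_LINE = (
    r"<14>Apr 9 10:15:01 cs-siem-connector CEF:0|CrowdStrike|FalconHost|1.0|"
    r"DetectionSummaryEvent|Detection Summary|5|cs1Label=Hostname cs1=WORKSTATION-01 "
    r"suser=jdoe fname=evil.exe filePath=C:\\Users\\jdoe\\Downloads reason=a\=b "
    r"msg=Malicious activity detected on host"
)

if __name__ == "__main__":
    ev = parse_cef(SAMPLE_LINE)
    print(ev.header)
    print(ev.extension)
    print("severity band:", severity_level(ev))
```

Running this on a real SIEM Connector feed shows only the fields the connector chose to emit for each alert (host, user, file, a message), which is the practical meaning of "less detailed than FDR": the per-process and per-network-connection telemetry that CS_EDR carries is simply not present in the CEF summary, so there is nothing for a Curated Detection to match on.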