
Hi Everyone,

As per Chronicle documentation, we have the 4 pre-built parsers below. Would you please let me know the difference between them? I can see two parsers for the same category EDR.


Vendor / Product                  Category  Ingestion label  Format     Latest Update
CrowdStrike Detection Monitoring  EDR       CS_DETECTS       JSON       2023-07-21
CrowdStrike Falcon                EDR       CS_EDR           JSON       2023-12-22
CrowdStrike Falcon Stream         Alerts    CS_STREAM        KV (LEEF)  2022-07-18
Crowdstrike IOC                   IOC       CROWDSTRIKE_IOC  JSON       2023-08-23

The CS_DETECT feed and API supports the new Alerts API now.


That confirms my findings that logs collected by both feeds are the same. The parsing by CS_ALERTS is slightly improved and I've submitted a request for those improvements to be added to CS_DETECT. Do we know why this parser was created if CS_DETECT already supports the new API?

