There's a discrepancy between the CrowdStrike logs I expected and those actually ingested in Panther

Last updated: July 7, 2025

Issue

There's a discrepancy between the CrowdStrike logs I expected and those actually ingested in Panther. How can I fix this?

Resolution

Ensure that you're using Panther's latest "universal" schema & ingestion option rather than the legacy log schemas for CrowdStrike FDR events.

Previously, multiple schemas were used to handle different event types from the source (e.g., Crowdstrike.AIDMaster, Crowdstrike.ManagedAssets, etc.).

We recommend transitioning to the newer Crowdstrike.FDREvent method, which consolidates all FDR event types into a single, streamlined format.
Here’s some context on the legacy approach vs. the new process, which may be helpful.

To begin using the Crowdstrike.FDREvent schema, re-create the log source from scratch by following these steps, and Panther will automatically apply the updated schema.

Note: If you’re currently using the old log types in your detections and queries, we’ve published an article on how to adapt your existing CrowdStrike detections and queries (created before version 1.52) to work with the new Crowdstrike.FDREvent log type.

Once you've confirmed that the new log source is ingesting data, you can safely delete the old one.
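While both log sources coexist, a detection can be written to evaluate the same record whichever log type delivers it. The rule below is an added illustration, not code from this article or from Panther's rule library: `p_log_type` is Panther's standard field, while `fdr_event_type` and the nested `event` object are assumed from the consolidated schema, and the sample records and version baseline are constructed.

```python
from typing import Optional

# Added example (not from the article or Panther's rule library): one Panther-
# style Python rule that evaluates an AIDMaster inventory record whether it
# arrives under the legacy Crowdstrike.AIDMaster log type or nested inside a
# Crowdstrike.FDREvent record, so it keeps firing during the cut-over.
# p_log_type is Panther's standard field; fdr_event_type and the nested
# "event" object are assumptions about the consolidated schema.

LEGACY_TYPE = "Crowdstrike.AIDMaster"
FDR_TYPE = "Crowdstrike.FDREvent"
MIN_AGENT_VERSION = (7, 10, 0)  # constructed baseline for this example


def aidmaster_fields(event: dict) -> Optional[dict]:
    """Return the AIDMaster payload for either log type, else None."""
    log_type = event.get("p_log_type")
    if log_type == LEGACY_TYPE:
        return event
    if log_type == FDR_TYPE and event.get("fdr_event_type") == "AIDMaster":
        return event.get("event") or {}
    return None


def parse_version(text: str) -> tuple:
    """'7.3.1234.0' -> (7, 3, 1234, 0); non-numeric pieces become 0."""
    parts = [int(p) if p.isdigit() else 0 for p in str(text).split(".")]
    return tuple(parts) or (0,)


def rule(event: dict) -> bool:
    """Fire when a sensor reports an agent version below the baseline."""
    fields = aidmaster_fields(event)
    if fields is None or "AgentVersion" not in fields:
        return False
    return parse_version(fields["AgentVersion"]) < MIN_AGENT_VERSION


def title(event: dict) -> str:
    fields = aidmaster_fields(event) or {}
    return (f"CrowdStrike sensor {fields.get('ComputerName', '<unknown>')} "
            f"reports agent version {fields.get('AgentVersion', '?')}")


# Constructed sample records: the same host reported through both log types.
LEGACY_SAMPLE = {"p_log_type": LEGACY_TYPE, "aid": "abc123",
                 "ComputerName": "WS-01", "AgentVersion": "6.58.1234.0"}
FDR_SAMPLE = {"p_log_type": FDR_TYPE, "fdr_event_type": "AIDMaster",
              "aid": "abc123",
              "event": {"ComputerName": "WS-01", "AgentVersion": "6.58.1234.0"}}
```

Once the legacy source is deleted, the `LEGACY_TYPE` branch can be removed without changing the rule's outcome for FDREvent records.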

If you continue to see a discrepancy after trying the latest method, please contact our support team for further assistance.

Cause

This behavior can occur when CrowdStrike changes or adds log event formats that the legacy schemas do not yet capture. The new Crowdstrike.FDREvent schema is designed to adapt to such changes.