Deprecated Parsers

CrowdStrike maintains a number of default parsers. When a parser is marked deprecated, we no longer maintain and update that parser. We strongly recommend using the latest version of default parsers for your data connector. Using a deprecated parser won’t stop data ingestion but can result in deteriorated detection coverage.

To ensure best detection coverage for your environment, follow these steps:

  1. Ensure that all correlation rules, dashboards, scheduled searches, and saved queries running in your environment that use the #type=<parser_name> field are updated to use the CPS-compliant parser fields #Vendor=<vendor_name> | #event.module=<product_name>. For example, if you have a saved query that uses #type=vectra-ecs, update it to use #Vendor=vectra | #event.module=brain instead. If a vendor supports more than one product, you can run queries for multiple products that use the same parser. For example, to get results for multiple Akamai products that use the akamai-zerotrust parser, run this query: #Vendor=akamai | #event.module=eaa OR #event.module=sia OR #event.module=mfa OR #event.module=guardicore.

    • Tip: To look up the #Vendor and #event.module fields for a parser, go to Next-Gen SIEM > Log management > Advanced event search and search groupBy(#Vendor). Then use the vendor value returned and search for #Vendor=<vendor_value> | groupBy(#event.module). For example, to get the #Vendor CPS field for the Vectra AI parser, search for groupBy(vectra), which returns the value vectra; to get the #event.module field values, search #Vendor=vectra | groupBy(#event.module).
  2. Ensure that your data connectors are using the latest parsers. To update your connector, see Edit a connection. To see the default parser for each connector, see Third-Party Data Sources.

This table lists deprecated parsers and the corresponding default parsers we recommend for your data connectors:

| Deprecated parser | Default parser (Recommended) |
| --- | --- |
| 1password | 1password-enterprise |
| abnormal_security_ecs | abnormal-emailsecurity |
| alteon-syslog | radware-alteon |
| apm-syslog | f5networks-bigip |
| asec-json | akamai-asec |
| asimily-iomt-json | asimily-iomt |
| azuread-ecs | microsoft-azure-ad |
| cef-latest | claroty-ctd |
| centrix-iot-json | armis-centrixiot |
| cisco-ise-syslog | cisco-ise |
| cisco_seg_ecs | cisco-seg |
| ciscoasa-ecs | cisco-asa |
| ciscoumbrella | cisco-umbrella |
| citrix-netscaler-syslog, citrix-netscaler-waf-cef | citrix-netscaler-adc |
| clearpass-syslog | aruba-clearpass |
| cloudflareone-ecs | cloudflare-one |
| cloudtrail | aws-cloudtrail |
| corelight-ecs | corelight-ids |
| corelight-json | corelight-ids |
| cwaf-cef | imperva-cloudwaf |
| deception | zscaler-deception |
| dlp-cef | forcepoint-dlp |
| duo-activity-json, duo-admin-json, duo-authentication-json, duo-telephony-json, duo-trustmonitor-json | cisco-duo |
| extrahop-ecs | extrahop-revealx360 |
| fireeye-nx | trellix-fireeye-nx |
| firepower-syslog | cisco-firepower |
| forgerock-ecs | forgerock-identity |
| fortimail | fortinet-fortimail |
| fortinet-ecs | fortinet-fortigate |
| fsx-xml | aws-fsx |
| Google_Chrome_Enterprise | google-chrome-enterprise |
| guardduty-json | aws-guardduty |
| haproxy-syslog | haproxy |
| isilon-syslog | dell-isilon |
| island | island-enterprisebrowser |
| menlo-ecs | menlo-msip |
| microsoft_defender | microsoft-defendero365-graphapi |
| mimecast-ecs | mimecast-emailsecurity |
| ms-defender-graph-ecs | microsoft-defendero365-graphapi |
| ms-defender-stream-ecs | microsoft-defendero365-eventhubs |
| microsoft-windows-dhcpserver | microsoft-windows-dhcp-server |
| netskope-ecs | netskope-sse |
| nozomi-syslog | nozomi-ids |
| obsidian-json | obsidian-securitydata |
| okta-ecs | okta-sso |
| onelogin-json | oneidentity-onelogin |
| paloalto-ecs | paloalto-ngfw |
| paloalto-firewall-syslog | paloalto-ngfw |
| pfsense-syslog | netgate-pfsense |
| ping-ecs | pingidentity-pingone |
| prisma-sd-wan | paloalto-prisma-sdwan |
| proofpoint-tap-ecs | proofpoint-tap |
| rubrik-json | rubrik-securitycloud |
| s3access-space-delimited | aws-s3serveraccess |
| skyhigh-ecs | skyhigh-sse |
| srx-syslog | juniper-srx |
| syslog-utc | broadcom-proxysg |
| syslog-utc | cisco-ios |
| syslog-utc | infoblox-nios |
| sysmon | microsoft-sysmon |
| tausight-json | tausight-ephi |
| umbrella | cisco-umbrella |
| vectra-ecs | vectra-brain |
| vmware-esxi-ecs | vmware-esxi |
| vpcflow_default | aws-vpcflow |
| waf-json | aws-waf |
| windows-dhcp-client | microsoft-windows-dhcp-client |
| windows-dhcp-server-csv | microsoft-windows-dhcp-server |
| windows-dns | microsoft-windows-dns |
| zerotrust-json | cloudflare-one |
| zscalernss-dns, zscalernss-fw, zscalernss-tunnel, zscalernss-web | zscaler-internetaccess |
| zscaler-ecs | zscaler-internetaccess |
| zscaler-zpa-app-connector-status-json, zscaler-zpa-app-protection-json, zscaler-zpa-audit-json, zscaler-zpa-browser-access-json, zscaler-zpa-user-activity-json, zscaler-zpa-user-status-json | zscaler-privateaccess |
| ai_analyst_alert-syslog, model_breach_alert-syslog, system_status_alert-syslog | darktrace-detect |
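
One way to carry out the audit in step 1 is to scan exported rule and query text for `#type` filters that name a deprecated parser. This is an added example, not CrowdStrike code. It assumes saved content is available as a name-to-query mapping; `SAMPLE` and its field names are constructed, and `DEPRECATED` holds only a few rows copied from the table above.

```python
import re

# Rows copied from the table above: deprecated parser -> recommended parser(s).
DEPRECATED = {
    "vectra-ecs": ["vectra-brain"],
    "okta-ecs": ["okta-sso"],
    "cloudtrail": ["aws-cloudtrail"],
    "paloalto-firewall-syslog": ["paloalto-ngfw"],
    "syslog-utc": ["broadcom-proxysg", "cisco-ios", "infoblox-nios"],
}
# CPS filters the page states explicitly; look up the rest with groupBy(#Vendor).
CPS_FILTER = {"vectra-ecs": "#Vendor=vectra | #event.module=brain"}

# Matches #type=name and #type = "name"; regex and in() filters are not covered.
TYPE_REF = re.compile(r'#type\s*=\s*"?([A-Za-z0-9_.-]+)"?')


def audit(saved_queries):
    """Return one finding per deprecated #type reference in each saved query."""
    findings = []
    for name, query in saved_queries.items():
        for parser in TYPE_REF.findall(query):
            if parser not in DEPRECATED:
                continue  # current parser or unrelated tag value
            findings.append({
                "query": name,
                "deprecated": parser,
                "recommended": DEPRECATED[parser],
                # None means the CPS values still have to be looked up.
                "cps_filter": CPS_FILTER.get(parser),
            })
    return findings


# Constructed sample content, standing in for an export of saved queries.
SAMPLE = {
    "vectra-detections": "#type=vectra-ecs | groupBy(source.ip)",
    "okta-failures": '#type = "okta-sso" | event.outcome=failure',
    "proxy-or-router": "#type=syslog-utc | count()",
    "fw-denies": '#type="paloalto-firewall-syslog" event.action=deny',
}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        fix = f["cps_filter"] or "look up #Vendor / #event.module"
        print(f'{f["query"]}: #type={f["deprecated"]} -> '
              f'{", ".join(f["recommended"])} ({fix})')
```

A `syslog-utc` hit lists three candidate parsers because the table maps that name to three products, so the log source decides which one applies.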