CrowdStrike Parsing Standard
Easily ingest, parse, and normalize all third-party data with the CrowdStrike Parsing Standard (CPS). CPS helps you better analyze, visualize, and correlate the data represented in events that are detected in your environment.
Requirements
Requires one or more of these subscriptions:
- Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10GB
- Falcon Complete
Default roles:
- Falcon Administrator
- Falcon Complete Administrator
- NG SIEM Administrator
- NG SIEM Analyst
- NG SIEM Analyst - Read Only
- NG SIEM Security Lead
CrowdStrike clouds: Available in all clouds
Understanding the CrowdStrike Parsing Standard
What is CPS?
Streamline data analysis with the CrowdStrike Parsing Standard (CPS) for normalized and standardized event data from third-party sources.
The CrowdStrike Parsing Standard builds on the Elastic Common Schema (ECS), a mature and proven common schema for metrics, logs, traces, and resources. For more info about ECS, see Elastic Common Schema (ECS) 8.x.
Upon ingestion, data is parsed and can be mapped to CPS fields, which provide a common language for correlation and analysis of data from different sources. The CPS-parsed data might include vendor-specific alerts, events, and indicators. Vendor-specific telemetry is also preserved and stored because it can contain relevant information for investigation and response.
CPS is designed to normalize and standardize event data for improved analysis, visualization, and correlation. By adopting a common schema, CPS enables you to simplify your search experience, alleviate data complexity, and gain deeper insights into security events found in your environment.
To learn about the latest changes to the CrowdStrike Parsing Standard, see CrowdStrike Parsing Standard Versions.
Parsing options
For many data sources, Next-Gen SIEM provides a library of third-party connectors where the parsing and mapping is done automatically.
For any other data sources, you must provide parsers and mappings. For more info, see Data Ingestion.
Normalizing data with CPS
Extracting fields and tags during the parsing stage is essential for search performance.
Mapping different vendor field names, such as timestamp or IP, during the parsing stage to a unified field name helps you simplify your queries. Instead of switching between different fields that contain common information, such as ip_source and source-ip depending on the log format, you can use consistent field names across different vendors and log formats.
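To make the field-mapping idea concrete, the following added example (not CrowdStrike's parser code and not a CPS definition) normalizes two constructed events from two hypothetical log formats, one using `ip_source` and one using `source-ip`, into unified field names so that a single query matches both. The unified names `source.ip`, `@timestamp` and `event.action` are ECS field names; that CPS maps these particular vendor fields to them is an assumption for illustration. The original vendor fields are kept alongside the normalized ones, mirroring the point above that vendor-specific telemetry is preserved.

```python
"""Illustration of normalizing vendor field names at parse time.

Two constructed vendor events carry the same information (source IP,
timestamp, action) under different field names. normalize() maps them to
unified names (ECS names are assumed here; the real CPS mapping is not
taken from this page) and keeps the raw vendor fields for investigation.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample events, one per hypothetical log format ("fw-a", "fw-b").
RAW_EVENTS = [
    {"vendor": "fw-a", "ip_source": "10.0.0.5", "ts": "2024-05-01T12:00:00Z",
     "action": "allow"},
    {"vendor": "fw-b", "source-ip": "192.0.2.7", "event_time": "1714564800",
     "verdict": "deny"},
]

# Per-format mapping: vendor field name -> unified field name (assumed mapping).
FIELD_MAPS = {
    "fw-a": {"ip_source": "source.ip", "ts": "@timestamp", "action": "event.action"},
    "fw-b": {"source-ip": "source.ip", "event_time": "@timestamp",
             "verdict": "event.action"},
}


def to_utc_iso(value):
    """Accept ISO-8601 text or epoch seconds; return ISO-8601 UTC, or None if unparseable."""
    text = str(value)
    if text.isdigit():
        dt = datetime.fromtimestamp(int(text), tz=timezone.utc)
    else:
        try:
            dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
        except ValueError:
            return None
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(event):
    """Map one raw event to unified field names; unknown or invalid values are skipped."""
    mapping = FIELD_MAPS.get(event.get("vendor"), {})
    out = {}
    for raw_key, raw_val in event.items():
        unified = mapping.get(raw_key)
        if unified is None:
            continue  # no unified name for this vendor field
        if unified == "source.ip":
            try:
                ipaddress.ip_address(raw_val)  # only valid addresses reach the unified field
            except ValueError:
                continue
        elif unified == "@timestamp":
            raw_val = to_utc_iso(raw_val)
            if raw_val is None:
                continue
        out[unified] = raw_val
    # Preserve vendor-specific telemetry under its own namespace.
    out["vendor.raw"] = dict(event)
    return out


def search_source_ip(events, ip):
    """One query over the unified field matches events from every log format."""
    return [e for e in events if e.get("source.ip") == ip]


if __name__ == "__main__":
    normalized = [normalize(e) for e in RAW_EVENTS]
    for n in normalized:
        print(n["source.ip"], n["@timestamp"], n["event.action"])
    print(len(search_source_ip(normalized, "192.0.2.7")), "match(es) for 192.0.2.7")
```

Because validation happens at the mapping step, a malformed address never lands in `source.ip`; the raw value is still retained under `vendor.raw` so an analyst can see what the device actually sent.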