elastic · navnit-elastic · Nov 11, 2025 · Nov 11, 2025 · Nov 11, 2025 · Nov 12, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.8.1"
+  changes:
+    - description: Update the CrowdStrike Integration documentation.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15927
 - version: "2.8.0"
   changes:
     - description: Add support for HTTP proxy configuration for Event Streams. Add support for proxy header configuration for CrowdStrike APIs.

@@ -9,7 +9,6 @@ inputs:
         - allow_deprecated_use: true
           data_stream:
             dataset: crowdstrike.falcon
-            type: logs
           exclude_files:
             - \.gz$
           multiline.match: after

@@ -13,7 +13,6 @@ inputs:
           crowdstrike_app_id: test_app_id
           data_stream:
             dataset: crowdstrike.falcon
-            type: logs
           processors: null
           program: |
             state.response.decode_json().as(body, {

@@ -1,5 +1,5 @@
 type: logs
-title: Crowdstrike falcon logs
+title: CrowdStrike Falcon logs
 streams:
   - input: logfile
     enabled: false
@@ -40,12 +40,12 @@ streams:
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
     template_path: log.yml.hbs
-    title: Crowdstrike falcon logs (log)
-    description: Collect Crowdstrike falcon logs using log input
+    title: CrowdStrike Falcon events
+    description: Collect CrowdStrike Falcon events through Falcon SIEM Connector.
   - input: streaming
     template_path: streaming.yml.hbs
-    title: CrowdStrike Falcon Logs
-    description: Collect Falcon logs from CrowdStrike Event Stream.
+    title: CrowdStrike Falcon events
+    description: Collect CrowdStrike Falcon events using Event Streams API.
     enabled: false
     vars:
       - name: url
@@ -80,7 +80,7 @@ streams:
       - name: app_id
         type: text
         title: App ID
-        description: App ID for the CrowdStrike.
+        description: App ID is an alphanumeric string to identify an event stream. App IDs can have a maximum of 32 characters. App IDs must be unique to each active event stream.
         multi: false
         required: true
         show_user: true

@@ -11,7 +11,7 @@ streams:
   - input: aws-s3
     template_path: aws-s3.yml.hbs
     title: Falcon Data Replicator logs
-    description: Collect Falcon Data Replicator logs using s3 input
+    description: Collect Falcon Data Replicator logs using AWS S3 and AWS SQS.
     enabled: false
     vars:
       - name: access_key_id
@@ -226,7 +226,7 @@ streams:
           `event.timezone` and `log.offset`.
   - input: logfile
     title: Falcon Data Replicator logs
-    description: Collect Falcon Data Replicator logs using a log file
+    description: Collect Falcon Data Replicator logs through file system.
     enabled: false
     vars:
       - name: paths

@@ -1,7 +1,7 @@
 name: crowdstrike
 title: CrowdStrike
-version: "2.8.0"
-description: Collect logs from Crowdstrike with Elastic Agent.
+version: "2.8.1"
+description: Collect logs from CrowdStrike with Elastic Agent.
 type: integration
 format_version: "3.4.0"
 categories: [security, edr_xdr]
@@ -49,7 +49,7 @@ screenshots:
 policy_templates:
   - name: crowdstrike
     title: CrowdStrike
-    description: Collect logs from CrowdStrike Falcon and FDR
+    description: Collect logs from CrowdStrike Falcon
     deployment_modes:
       default:
         enabled: true
@@ -60,14 +60,14 @@ policy_templates:
         team: security-service-integrations
     inputs:
       - type: logfile
-        title: "Collect CrowdStrike Falcon and FDR logs (input: logfile)"
-        description: "Collecting logs from CrowdStrike Falcon and FDR (input: logfile)"
+        title: Collect Falcon events and Falcon Data Replicator logs through file system
+        description: Collecting logs from Falcon SIEM Connector and Falcon Data Replicator through file system.
       - type: aws-s3
-        title: "Collect CrowdStrike Falcon Data Replicator logs (input: aws-s3)"
-        description: "Collecting logs from CrowdStrike Falcon Data Replicator (input: aws-s3)"
+        title: Collect Falcon Data Replicator logs using AWS S3
+        description: Collecting logs from Falcon Data Replicator using AWS S3.
       - type: streaming
-        title: Collect CrowdStrike Falcon Logs via Event Stream
-        description: Collecting CrowdStrike Falcon Logs via Event Stream.
+        title: Collect CrowdStrike Falcon Logs using Event Streams
+        description: Collecting CrowdStrike Falcon Logs using Event Streams.
         vars:
           - name: proxy_url
             type: text
@@ -84,8 +84,8 @@ policy_templates:
             show_user: false
             description: This specifies the headers to be sent to the proxy server.
       - type: cel
-        title: Collect CrowdStrike logs via API
-        description: Collecting CrowdStrike logs via API.
+        title: Collect CrowdStrike Falcon Alerts, Hosts and Vulnerabilities
+        description: Collect CrowdStrike Falcon Alerts, Hosts and Vulnerabilities.
         vars:
           - name: client_id
             type: text