Onboard CrowdStrike data
Before you create a CrowdStrike input, complete the prerequisites in Prerequisites for CrowdStrike data.
Use Data Inputs to onboard a CrowdStrike data source. The onboarding process guides you through selecting event types, configuring prerequisites, and setting up data routing parameters.
- Log in to Splunk Cloud and select the Data Inputs app.
- On the Data Inputs page, select + Data Input.
- Make sure Ingest is selected, then select CrowdStrike and then select Next.
For CrowdStrike data, you can ingest data only from single accounts.
- Select the event types you want to ingest and then select Next.
Choose from the available event types based on your monitoring requirements. The integration always requires sensor events, so you cannot turn them off.
- Review the prerequisites page and select Next.
- On the Input CrowdStrike FDR information page, enter the following input-specific information:
  - Data input name: A descriptive name for this CrowdStrike input.
  - AWS access key ID: The AWS access key ID with permissions to access the SQS queue.
  - AWS secret access key: The corresponding AWS secret access key.
  Note: For FDR environments, each FDR instance requires a unique pair of access credentials. You cannot reuse access keys across FDR deployments.
- Configure the data routing parameters:
- In the Destination column, for each event type, select an index from the drop-down list.
- In the SQS queue URL field, enter the URL for the Amazon SQS queue associated with your CrowdStrike Falcon Data Replicator (FDR) feed. This feed provides event data. For example: https://sqs.us-east-1.amazonaws.com/123456789012/my-queue.
- In the Visibility timeout field, enter the duration in seconds that an SQS message from the CrowdStrike queue remains invisible to other processes after Data Inputs receives it.
This setting ensures that Data Inputs processes the message within the specified timeframe and prevents multiple consumers from processing the same message simultaneously.
- In the Notification cut off time field, enter a date and time in the UTC (Coordinated Universal Time) format (for example, 2025-10-01 00:00). If you do not enter a value, ingestion starts with the oldest SQS message available.
Data Inputs doesn't process events older than this threshold.
- In the Default index field, select the default index where Data Inputs stores ingested data.
This index receives events from source types that do not have a specific index defined. If you define an index for a source type, events go to that specified index. Data Inputs uses this default index for sensor events.
- (Optional) In the Sensor event filters section, configure a filter to control which CrowdStrike Falcon security events Data Inputs ingests.
Sensor event filters reduce noise by limiting ingestion to high-value detections. If you do not select a filter, Data Inputs ingests all sensor event types.
Data Inputs pre-selects the Default Sensor Events Filter (system-preset) during input creation. This filter uses Drop mode with the heartbeat event types (SensorHeartbeat, OciImageHeartbeat, OciContainerHeartbeat), matching the behavior of the previous add-on implementation. This filter is read-only. You can change the selection before saving. Do one of the following:
  - To use an existing filter, select Select filter and choose a filter from the list.
  - To create a new filter, select Add new filter and complete the following fields:
    - Name: Enter a unique name for the filter. You cannot change the name after you create the configuration.
    - Mode: Select Include to ingest only events that match the filter values, or Drop to exclude events that match the filter values.
    - Filter values: Enter one or more event type values. Type each event type name and press Enter or Space to add it as a token.
    Select Save to add the filter. The filter becomes a shared resource that you can select when you create other inputs.
  - To clone an existing filter (including system-preset read-only filters), select an existing filter and then select Clone. This creates a new independent copy with the same mode and event type values. The clone receives a new name and you can fully edit it. Cloning is the only way to create an editable copy of a system-preset filter.
  - To modify an existing filter for this input, select the filter and then select Edit.
  Note: When you create or edit a filter, you must provide at least one filter value. The filter name must be unique and the mode must be a supported value. If the assigned filter is read-only (system-preset), you cannot edit its fields; clone it first to make changes. Data Inputs doesn't persist filter changes until you save the parent input. If you discard the input edit, the system also discards your filter changes.
- (Optional) In the Device enrichment section, select Activate device enrichment settings to enrich ingested events with CrowdStrike device context.
Device enrichment is turned off by default. When you turn on device enrichment, you must configure a CrowdStrike client.
- To configure a CrowdStrike client, do one of the following:
  - To create a new configuration, select Create new configuration and enter the following fields:
    - Name: A descriptive name for the CrowdStrike client.
    - Client ID: The client ID from your CrowdStrike API credentials.
    - Client Secret: The client secret from your CrowdStrike API credentials.
    - Base API: The base URL for your CrowdStrike API endpoint.
    - Sync frequency: How often Data Inputs synchronizes device data from CrowdStrike.
    Select Save to confirm. The new configuration becomes a shared resource that you can select when you create other inputs.
  - To use an existing configuration, select Use existing configuration and choose a configuration from the list. You can edit an existing configuration if needed.
  Note: The CrowdStrike API client must have Hosts read access. Data Inputs validates the client credentials and scope when you save the input. If the secret is invalid or the Hosts read scope is not assigned, you cannot save the input until you resolve the issue. CrowdStrike client configurations are shared resources. When you edit an existing configuration, the changes apply to all inputs that use it. There is no clone option for the API client; only global edit is available. Data Inputs doesn't persist API client changes until you save the parent input.
- (Optional) Configure device property filters to control which device properties Data Inputs includes in the enrichment.
You can create a new device property filter, select an existing one, or clone and modify an existing filter.
Data Inputs pre-selects the Default Device Properties Filter (system-preset) when you create a new input. This filter includes the same set of device fields as the previous add-on implementation. It is read-only. You can change the selection before saving.
To create a new filter, select Add new filter and enter the following fields:
  - Name: Enter a unique name for the filter. You cannot change the name after creation.
  - Mode: Select the filtering mode:
    - Enrich: Data Inputs includes all device properties; the specified ones receive additional enrichment.
    - Drop: Data Inputs includes all device properties except the specified ones.
  - Filter values: Select the device properties to filter from the predefined list.
To clone an existing filter (including system-preset read-only filters), select the filter and then select Clone. This creates a new independent copy with the same mode and property selection. The clone receives a new name and you can fully edit it. Cloning is the only way to create an editable copy of a system-preset filter.
Select Save to confirm. If you do not select a device property filter, Data Inputs uses the full set of available device properties.
Note: If the assigned filter is read-only (system-preset), you cannot edit its fields. Clone it first to make changes. Data Inputs doesn't persist filter changes until you save the parent input. If you discard the input edit, the system also discards your filter changes.
Note: When you enable device enrichment, Data Inputs must first fetch and cache all device data from CrowdStrike before enrichment can begin. Depending on the number of devices in your CrowdStrike environment, this initial synchronization can take some time. Data ingestion with enrichment doesn't start until all enrichment data is available.
- Select Review data input.
- On the Review data input page, verify that the entered data is correct.
- If the data is correct, select Create data input.
- If you need to change some values, select Cancel.
- After you select Create data input, the Data Inputs page opens. You can see the status of your CrowdStrike input. Select the input name to see its details. To edit this input, select Edit. To open the Search tab and run searches on ingested data, select Open in Search.
After successful onboarding, the CrowdStrike input begins ingesting event data from the configured SQS queue and forwarding it to the specified Splunk index. You can view the deployment status and manage the input through the Data Inputs interface.
Select an input name and then select the Open in Search button to open the Search tab in Splunk Cloud Platform and further analyze the ingested data. For more information about the search options, see Exploring the Search views.
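The sensor event filter modes, the notification cut off time, and the device property filter from the steps above, worked through as an added example on a few constructed FDR-style records. This is illustration code, not Splunk Data Inputs or CrowdStrike code: the event field names (event_simpleName, timestamp in epoch milliseconds, aid), the device records, the function names, and the hypothetical drop-mac property filter are assumptions, and Enrich mode is modelled simply as keeping the full property set.

```python
"""Worked model of the sensor event filter, notification cut off time, and device
property filter rules from the onboarding steps. Added example code, not Splunk
Data Inputs or CrowdStrike code. Field names (event_simpleName, timestamp in epoch
milliseconds, aid) follow FDR conventions, but every record here is constructed."""
from __future__ import annotations
from datetime import datetime, timezone

# The page's Default Sensor Events Filter: Drop mode on the three heartbeat types.
DEFAULT_SENSOR_FILTER = {
    "name": "Default Sensor Events Filter",
    "mode": "Drop",
    "values": {"SensorHeartbeat", "OciImageHeartbeat", "OciContainerHeartbeat"},
}

# The page's example cut off time, 2025-10-01 00:00 UTC.
CUTOFF = datetime(2025, 10, 1, 0, 0, tzinfo=timezone.utc)

# Constructed sample events (timestamps are epoch milliseconds, UTC).
SAMPLE_EVENTS = [
    {"event_simpleName": "SensorHeartbeat", "timestamp": 1759363200000, "aid": "aid-1"},  # 2025-10-02
    {"event_simpleName": "ProcessRollup2", "timestamp": 1759363200000, "aid": "aid-1"},   # 2025-10-02
    {"event_simpleName": "DnsRequest", "timestamp": 1759190400000, "aid": "aid-2"},       # 2025-09-30, before cut off
    {"event_simpleName": "ProcessRollup2", "timestamp": 1759366800000, "aid": "aid-3"},   # 2025-10-02, no cached device
]

# Constructed device cache, as the enrichment sync would populate it (keyed by aid).
SAMPLE_DEVICES = {
    "aid-1": {"hostname": "ws-01", "platform_name": "Windows", "local_ip": "10.0.0.5", "mac_address": "00-11-22-33-44-55"},
    "aid-2": {"hostname": "srv-02", "platform_name": "Linux", "local_ip": "10.0.0.9", "mac_address": "66-77-88-99-aa-bb"},
}

# Hypothetical device property filter in Drop mode (not a system preset).
DROP_MAC_FILTER = {"name": "drop-mac", "mode": "Drop", "values": {"mac_address"}}


def validate_filter(f: dict, modes=("Include", "Drop")) -> None:
    """The page's save-time rules: a supported mode and at least one filter value."""
    if f["mode"] not in modes:
        raise ValueError(f"unsupported mode {f['mode']!r}")
    if not f["values"]:
        raise ValueError("a filter needs at least one filter value")


def passes_sensor_filter(event: dict, f: dict | None) -> bool:
    """Include keeps only events whose type is listed; Drop excludes them.
    With no filter selected, every sensor event type is ingested."""
    if f is None:
        return True
    validate_filter(f)
    matched = event.get("event_simpleName") in f["values"]
    return matched if f["mode"] == "Include" else not matched


def after_cutoff(event: dict, cutoff_utc: datetime | None) -> bool:
    """Events older than the notification cut off time are not processed;
    with no cut off, ingestion starts from the oldest message available."""
    if cutoff_utc is None:
        return True
    ts = datetime.fromtimestamp(event["timestamp"] / 1000, tz=timezone.utc)
    return ts >= cutoff_utc


def enrich_with_device(event: dict, devices: dict, prop_filter: dict | None) -> dict:
    """Attach device context for the event's sensor id. Drop mode removes the
    listed properties; Enrich mode (or no filter) keeps the full property set."""
    device = devices.get(event.get("aid"))
    if device is None:
        return dict(event)  # no cached device: the event is ingested unenriched
    props = dict(device)
    if prop_filter is not None:
        validate_filter(prop_filter, modes=("Enrich", "Drop"))
        if prop_filter["mode"] == "Drop":
            props = {k: v for k, v in props.items() if k not in prop_filter["values"]}
    return {**event, "device": props}


def process(events, sensor_filter, cutoff_utc, devices, prop_filter) -> list[dict]:
    """Apply the cut off, then the sensor event filter, then device enrichment."""
    out = []
    for ev in events:
        if after_cutoff(ev, cutoff_utc) and passes_sensor_filter(ev, sensor_filter):
            out.append(enrich_with_device(ev, devices, prop_filter))
    return out


def run_default_example() -> list[dict]:
    """Run the constructed events through the page's default sensor filter,
    the example cut off, and the hypothetical drop-mac property filter."""
    return process(SAMPLE_EVENTS, DEFAULT_SENSOR_FILTER, CUTOFF, SAMPLE_DEVICES, DROP_MAC_FILTER)


if __name__ == "__main__":
    for ev in run_default_example():
        print(ev["event_simpleName"], ev.get("device", {}).get("hostname", "<unenriched>"))
```

Running it shows why the default preset is a Drop filter rather than an Include filter: the heartbeat event is removed while every other event type, including ones you did not list, still reaches the index, and an event whose device is not yet in the cache is ingested without the device block rather than being held back.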