CrowdStrike introduction

Ingest data from CrowdStrike data sources into Data Manager.

When you ingest CrowdStrike data through Data Manager, the data is processed using transformations and infrastructure provided by the Splunk Add-on for CrowdStrike FDR. You must install the add-on before creating a CrowdStrike input in Data Manager.

Splunk Add-on for CrowdStrike FDR

Install the add-on on your indexers before you create a CrowdStrike input in Data Manager. You don't have to configure the add-on or modify any transformation configuration files. The add-on installation provides everything required for Data Manager to process CrowdStrike data.

The Splunk Add-on for CrowdStrike FDR provides the following functionality for CrowdStrike data ingestion:

  • Ingest-time transformations that process incoming CrowdStrike events
  • Search-time infrastructure, including predefined searches and lookups
  • Configuration files applied during data ingestion

Download the Splunk Add-on for CrowdStrike FDR from Splunkbase.

For more information about the add-on, see the Splunk Add-on for CrowdStrike FDR documentation.

Data enrichment options

The Data Manager CrowdStrike input doesn't support sensor event enrichment. However, you can use other search-time enrichment features, including saved searches and lookups provided by the add-on. This enrichment is available after you install the add-on.

About CrowdStrike data ingestion

You can ingest security event data from CrowdStrike data sources into your Splunk environment through Data Manager. The integration uses the CrowdStrike Falcon Data Replicator (FDR) feed.

Event types

CrowdStrike provides the following event types that you can ingest:

  • Sensor events are always included and cannot be turned off. These events are filtered to exclude sensor heartbeats and other unnecessary data based on default configurations in Splunk Add-on for CrowdStrike FDR.
  • CrowdStrike external security events triggered by actions outside Falcon sensors, such as console logons.
  • CrowdStrike zero trust host assessment (ZTA) telemetry for device posture.
  • CrowdStrike aidmaster inventory updates for registered Falcon agents.
  • CrowdStrike managed asset inventory (for example, host network interfaces and external IPs).
  • CrowdStrike "notmanaged" inventory showing nearby unmanaged devices observed by Falcon hosts.
  • Application inventory updates (file hashes and locations for software running on hosts).
  • User inventory updates (CrowdStrike user SIDs, names, and other identity attributes).

Key features

  • Single account onboarding for CrowdStrike data sources
  • Configurable event type selection
  • Automatic validation of AWS credentials and SQS queue accessibility
  • Real-time deployment status monitoring
  • Built-in sensor event filtering
  • Support for notification cutoff time to prevent processing old events
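The notification cutoff feature above decides which FDR deliveries are worth processing at all. The following is an added example, not Data Manager's or the add-on's own code; it assumes each SQS message body is an FDR JSON notification carrying a millisecond `timestamp` field, and the sample messages are constructed.

```python
"""Added example: apply a cutoff time to CrowdStrike FDR SQS notifications.

Assumption (not from the page): each SQS message body is the FDR JSON
notification and its 'timestamp' field is milliseconds since the epoch.
"""
import json
from datetime import datetime, timezone

# Constructed sample message bodies in the assumed FDR notification shape.
SAMPLE_MESSAGES = [
    json.dumps({"cid": "EXAMPLECID", "timestamp": 1700000000000,
                "bucket": "example-fdr-bucket", "pathPrefix": "data/old",
                "fileCount": 1, "files": [{"path": "data/old/part-1.gz"}]}),
    json.dumps({"cid": "EXAMPLECID", "timestamp": 1700100000000,
                "bucket": "example-fdr-bucket", "pathPrefix": "data/new",
                "fileCount": 1, "files": [{"path": "data/new/part-1.gz"}]}),
    "not json at all",                                   # corrupt message
    json.dumps({"cid": "EXAMPLECID", "bucket": "example-fdr-bucket"}),  # no timestamp
]

def notification_time(body):
    """Return the notification's UTC datetime, or None if it cannot be parsed.
    Malformed or timestamp-less messages are surfaced rather than silently
    dropped so they can be investigated instead of disappearing from the queue."""
    try:
        ts_ms = int(json.loads(body)["timestamp"])
    except (ValueError, KeyError, TypeError):
        return None
    return datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)

def split_by_cutoff(bodies, cutoff):
    """Partition message bodies into (process, skip_old, unparseable).
    Notifications older than 'cutoff' are skipped, matching the intent of a
    notification cutoff time: do not re-ingest stale deliveries."""
    process, skip_old, unparseable = [], [], []
    for body in bodies:
        when = notification_time(body)
        if when is None:
            unparseable.append(body)
        elif when < cutoff:
            skip_old.append(body)
        else:
            process.append(body)
    return process, skip_old, unparseable

def demo_counts():
    """Run the sample through a 2023-11-15 UTC cutoff; returns the three counts."""
    cutoff = datetime(2023, 11, 15, tzinfo=timezone.utc)
    keep, old, bad = split_by_cutoff(SAMPLE_MESSAGES, cutoff)
    return len(keep), len(old), len(bad)

if __name__ == "__main__":
    print("process=%d old=%d unparseable=%d" % demo_counts())
```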