Onboard CrowdStrike data

Use Data Manager to onboard a CrowdStrike data source.

Before you create a CrowdStrike input, complete the steps described in Prerequisites for CrowdStrike data.

The onboarding process guides you through selecting event types, reviewing the prerequisites, and setting the data routing parameters.

  1. Log into Splunk Cloud and select Data Manager > New Data Input.
  2. On the Add a new data input window, select Ingest.
  3. Select CrowdStrike and then select Next.
    For CrowdStrike data, you can ingest data from only a single account per input.
  4. Select the event types you want to ingest and then select Next.

    Choose the event types that match your monitoring requirements. Sensor events are always selected because the integration requires them; you can't turn them off.

  5. Review the prerequisites page and select Next.
  6. On the Input CrowdStrike FDR information page, enter the following input-specific information:
    • Data input name: A descriptive name for this CrowdStrike input

    • AWS access key ID: An AWS access key ID whose IAM permissions allow reading from the FDR SQS queue

    • AWS secret access key: Corresponding AWS secret access key

    Note: Each FDR instance requires its own pair of access credentials. You can't reuse an access key pair across FDR instances.
  7. Configure the data routing parameters:
    1. In the Event type column, select an index from the drop-down list for each event type.
    2. In the SQS queue URL field, enter the URL of the Amazon SQS queue associated with your CrowdStrike Falcon Data Replicator (FDR) feed. This feed provides the event data. For example: https://sqs.us-east-1.amazonaws.com/123456789012/my-queue.
    3. In the Visibility timeout field, enter the number of seconds that an SQS message from the CrowdStrike queue stays invisible to other consumers after the input receives it.
      Set the timeout long enough for the input to finish processing a message. While the message is invisible, no other consumer can receive it; if the message is not deleted before the timeout expires, SQS makes it visible again and it can be delivered and processed a second time.
    4. In the Notification cut off time field, enter a date and time in UTC (Coordinated Universal Time), for example 2025-10-01 00:00. If you leave the field empty, ingestion starts with the oldest SQS message available.
      Events older than this threshold are not processed.
    5. In the Default index field, select the default index where ingested data is stored.
      This index receives events from source types that have no index of their own. If an index is defined for a source type, events from that source type go to that index instead. Sensor events are stored in the default index.
  8. Select Review data input.
  9. On the Review data input page, verify that the values you entered are correct.
    • If the values are correct, select Create data input.
    • If you need to change some values, select Cancel.
  10. After you create the data input, the Data Management page opens and shows the status of your CrowdStrike input. Select the input name to see its details. To edit the input, select Edit. To open the Search tab and run searches on ingested data, select Open in Search.
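
The values in steps 6 and 7 are only checked when Data Manager tries to read from the queue, so it helps to sanity-check them first. The following script is an added example, not Splunk or CrowdStrike code: it validates the SQS queue URL shape, parses the UTC cut-off time, warns when the visibility timeout is outside the SQS range or shorter than an assumed per-message processing time, and shows which notifications a given cut-off would discard. The notification body layout (JSON with an epoch-millisecond timestamp and a pathPrefix) and the sample messages are constructed for this example.

```python
"""Pre-flight checks for the values entered on the Input CrowdStrike FDR information
and data routing pages.  Added example, not Splunk or CrowdStrike code: it validates
the SQS queue URL, the UTC cut-off time and the visibility timeout locally, then shows
which (constructed) FDR notifications a given cut-off would discard.
"""
import json
import re
from datetime import datetime, timezone

# Standard SQS queue URL: https://sqs.<region>.amazonaws.com/<12-digit account>/<queue name>
_QUEUE_URL = re.compile(
    r"^https://sqs\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.amazonaws\.com"
    r"/(?P<account>\d{12})/(?P<name>[A-Za-z0-9_-]{1,80})$"
)

# SQS accepts a VisibilityTimeout between 0 seconds and 12 hours.
MAX_VISIBILITY_TIMEOUT = 12 * 60 * 60


def parse_queue_url(url: str) -> dict:
    """Split a queue URL into region, account and name; raise ValueError if it is malformed."""
    match = _QUEUE_URL.match(url.strip())
    if match is None:
        raise ValueError(f"not a standard SQS queue URL: {url!r}")
    return match.groupdict()


def is_valid_queue_url(url: str) -> bool:
    """True when the URL has the standard SQS shape (https, region, 12-digit account, name)."""
    try:
        parse_queue_url(url)
        return True
    except ValueError:
        return False


def parse_cutoff_utc(text: str) -> datetime:
    """Parse the form's 'YYYY-MM-DD HH:MM' value as a timezone-aware UTC datetime."""
    return datetime.strptime(text.strip(), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def check_visibility_timeout(timeout_seconds: int, processing_seconds: int) -> list:
    """Return warnings for a timeout SQS rejects or one too short for the expected processing time.

    processing_seconds is an assumed estimate of how long the input needs per message;
    a shorter timeout lets SQS redeliver the message before it is deleted.
    """
    warnings = []
    if not 0 <= timeout_seconds <= MAX_VISIBILITY_TIMEOUT:
        warnings.append(f"{timeout_seconds}s is outside the SQS range 0..{MAX_VISIBILITY_TIMEOUT}s")
    elif timeout_seconds < processing_seconds:
        warnings.append(
            f"{timeout_seconds}s is shorter than the expected {processing_seconds}s of processing; "
            "the message becomes visible again and may be processed twice"
        )
    return warnings


def split_by_cutoff(message_bodies, cutoff: datetime):
    """Return (kept, dropped) pathPrefix values, keeping notifications at or after the cut-off.

    The body layout (JSON with an epoch-millisecond 'timestamp' and a 'pathPrefix') is an
    assumption about FDR notifications made for this example.
    """
    kept, dropped = [], []
    for body in message_bodies:
        note = json.loads(body)
        when = datetime.fromtimestamp(note["timestamp"] / 1000, tz=timezone.utc)
        (kept if when >= cutoff else dropped).append(note["pathPrefix"])
    return kept, dropped


# Constructed sample notifications: one day before, exactly at, and one hour after 2025-10-01 00:00 UTC.
SAMPLE_BODIES = [
    json.dumps({"timestamp": 1759190400000, "fileCount": 1, "pathPrefix": "data/2025-09-30"}),
    json.dumps({"timestamp": 1759276800000, "fileCount": 1, "pathPrefix": "data/2025-10-01-00"}),
    json.dumps({"timestamp": 1759280400000, "fileCount": 1, "pathPrefix": "data/2025-10-01-01"}),
]


if __name__ == "__main__":
    queue = parse_queue_url("https://sqs.us-east-1.amazonaws.com/123456789012/my-queue")
    cutoff = parse_cutoff_utc("2025-10-01 00:00")
    print("queue:", queue)
    print("cut-off:", cutoff.isoformat())
    print("visibility warnings:", check_visibility_timeout(30, 120))
    print("kept/dropped:", split_by_cutoff(SAMPLE_BODIES, cutoff))
```

The cut-off comparison uses "at or after", so a notification stamped exactly at the cut-off minute is kept; if the input you configure treats the boundary differently, adjust the comparison rather than the cut-off value. The processing-time estimate passed to check_visibility_timeout is yours to supply; the check only makes the redelivery consequence of a too-short timeout explicit.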

After successful onboarding, the CrowdStrike input begins ingesting event data from the configured SQS queue and forwarding it to the specified Splunk index. You can view the deployment status and manage the input through the Data Manager interface.

Select an input name and then select Open in Search to open the Search tab in Splunk Cloud Platform and analyze the ingested data further. For more information about the search options, see Exploring the Search views.