Prerequisites for CrowdStrike data

Before onboarding CrowdStrike data, ensure you have the following:

  • AWS access key ID and secret access key with permissions to access the SQS queue
  • SQS queue name where CrowdStrike notifications are sent
  • Valid Splunk index for storing ingested data
  • Add-on for CrowdStrike FDR installed in your Splunk environment (mandatory for proper event parsing). Install the add-on on the part of your Splunk Cloud deployment that performs the parsing, field extraction, or search-time processing for your data. This add-on must be installed, but does not need to be configured.
  • Your Splunk Cloud stack onboarded for UCF-based inputs.
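
An example least-privilege IAM policy for the access key named in the first bullet, added here as an illustration and not taken from the Splunk or CrowdStrike documentation; the region, account ID and queue name in the ARN are placeholders, and the exact set of SQS actions the input needs is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadCrowdStrikeNotificationQueue",
      "Effect": "Allow",
      "Action": [
        "sqs:GetQueueUrl",
        "sqs:GetQueueAttributes",
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:<REGION>:<ACCOUNT_ID>:<QUEUE_NAME>"
    }
  ]
}
```

Scoping `Resource` to the single queue ARN rather than `"*"` keeps the key from reading any other queue in the account. If the input also fetches the objects the notifications refer to from S3 (the usual FDR flow, assumed here rather than stated on this page), grant `s3:GetObject` on that bucket only.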