CrowdStrike introduction
Ingest data from CrowdStrike data sources into Data Inputs.
When you ingest CrowdStrike data through Data Inputs, the data is processed using transformations and infrastructure provided by the Splunk Add-on for CrowdStrike FDR. You must install the add-on before creating a CrowdStrike input in Data Inputs.
Splunk Add-on for CrowdStrike FDR
Install the add-on on your search heads and indexers before you create a CrowdStrike input in Data Inputs. For ingest-time processing, you do not need to configure the add-on or modify any transformation configuration files. The add-on installation provides everything that Data Inputs requires to ingest and transform CrowdStrike data.
If you use search-time enrichment for sensor events (that is, you don't enable device enrichment), you must configure the add-on configuration files on all search heads for optimal performance. Update the following files in the Splunk Add-on for CrowdStrike FDR:
- macros.conf: Update with the index names that you configured for your CrowdStrike data inputs.
- savedsearches.conf: Verify that saved searches are enabled and running correctly.
The Splunk Add-on for CrowdStrike FDR provides the following functionality for CrowdStrike data ingestion:
- Ingest-time transformations that process incoming CrowdStrike events
- Search-time enrichment infrastructure, including saved searches and lookups that require configuration of macros.conf and savedsearches.conf on search heads
- Configuration files that the system applies during data ingestion
Download Splunk Add-on for CrowdStrike FDR from Splunkbase.
For more information, see the Splunk Add-on for CrowdStrike FDR documentation.
Shared configurations
A shared configuration is a named, reusable configuration object that you create and manage within the input configuration screen. Multiple inputs can reference the same shared configuration. When you change a shared configuration, all inputs that use it reflect those changes.
Two types of shared configurations are available:
- Sensor event filter: controls which sensor event types Data Inputs ingests
- Device properties filter: controls which device fields Data Inputs includes in or drops from enriched events
Each shared configuration has a read-only flag. When you mark a shared configuration as read-only, no one can edit or delete it. You can still update inputs that reference a read-only configuration, but the system blocks any attempt to change the fields that the configuration manages.
System-preset configurations
Data Inputs includes two system-preset shared configurations:
| Configuration | Type | Description |
|---|---|---|
| Default Sensor Events Filter | Sensor Event Filter | Drops heartbeat events (SensorHeartbeat, OciImageHeartbeat, OciContainerHeartbeat), matching the behavior of the previous add-on implementation |
| Default Device Properties Filter | Device Properties Filter | Includes the same set of device properties as the previous add-on implementation |
You cannot edit or delete system-preset configurations. To use a customized version, clone the preset; cloning creates an editable copy while leaving the original intact.
Sensor event filters
Sensor event filters control which CrowdStrike Falcon security events Data Inputs ingests into Splunk, reducing noise and focusing on high-value detections. You can configure sensor event filters during input creation or editing.
Sensor event filters are optional. If you don't select a filter, Data Inputs ingests all sensor event types. When you configure filters, you have the following options:
- Use the default sensor event filter (system-preset).
- Select an existing shared filter.
- Clone an existing filter to create an input-specific variant.
- Create a new filter with custom values.
Each filter operates in one of two modes:
- Include: Data Inputs ingests only the specified event types.
- Drop: Data Inputs ingests all event types except the specified ones.
You enter event types as free-text values in the filter configuration field. Type each event type name and press Enter or Space to add it as a token. You can add multiple values in a single filter. At least one value is required.
Data Inputs provides a default sensor events filter. This filter uses Drop mode with heartbeat event types (SensorHeartbeat, OciImageHeartbeat, OciContainerHeartbeat), matching the behavior of the previous add-on implementation. This filter is read-only. To create a customized version, clone it.
Sensor event filters are shared resources. When you update a shared filter, the changes propagate to all inputs that reference it. You must assign a unique filter name, and you cannot change the name after creation.
Cloning a sensor event filter creates a new independent copy with the same mode and event type values. The clone receives a new name and you can fully edit it. Cloning is the only way to create an editable copy of a system-preset filter.
Data Inputs doesn't persist filter changes until you save the parent input. If you discard the input edit, the system also discards your filter changes. When you delete an input, Data Inputs removes an associated sensor events filter only if no other inputs reference it.
Device enrichment
Device enrichment adds CrowdStrike device context to your ingested events. This feature is turned off by default. When you enable it, Data Inputs uses a CrowdStrike API client to retrieve device properties and enrich event data during ingestion.
When you turn on device enrichment, you must provide a CrowdStrike client configuration. You can create a new configuration, select an existing shared configuration, or clone an existing one for custom modifications. CrowdStrike client configurations are shared resources, so when you edit a configuration, the change affects all inputs that reference it.
You can optionally apply device property filters to control which device properties Data Inputs includes in the enriched data. Each device property filter defines a filtration mode and a set of device property fields.
Device property filters operate in one of two modes:
- Enrich: Data Inputs includes all device properties; the specified ones receive additional enrichment.
- Drop: Data Inputs includes all device properties except the specified ones.
Data Inputs provides a default device properties filter. This filter includes the same set of device fields as the previous add-on implementation: agent_version, connection_ip, connection_mac_address, default_gateway_ip, external_ip, hostname, last_seen, local_ip, mac_address, os_version, platform_name, provision_status, serial_number, status. This filter is read-only. To create a customized version, clone it.
You can select the following device properties in a device properties filter:
agent_load_flags, agent_local_time, agent_version, bios_manufacturer, bios_version, build_number, chassis_type, chassis_type_desc, cid, config_id_base, config_id_build, config_id_platform, connection_ip, connection_mac_address, cpu_signature, default_gateway_ip, device_id, external_ip, first_seen, group_hash, hostname, instance_id, kernel_version, last_seen, local_ip, mac_address, major_version, minor_version, modified_timestamp, os_build, os_product_name, os_version, platform_id, platform_name, pointer_size, product_type, product_type_desc, provision_status, reduced_functionality_mode, serial_number, service_pack_minor, service_provider, service_provider_account_id, status, system_manufacturer, system_product_name, zone_group.
Device property filters are shared resources. Multiple inputs can reference the same device properties filter. When you edit a filter globally, the update applies to all referencing inputs. You must assign a unique filter name, and you cannot change the name after creation.
Cloning a device properties filter creates a new independent copy with the same mode and property selection. The clone receives a new name and you can fully edit it. Cloning is the only way to create an editable copy of a system-preset filter.
If you do not select a device property filter, Data Inputs uses the full set of available device properties.
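The following Python is an added example, not Data Inputs or add-on code, that models the Include/Drop semantics of the sensor event filter described above and the Enrich/Drop semantics of the device properties filter, then applies both to constructed sample events. The event field name event_simpleName, the device_<property> key prefix, and all sample values are assumptions of this example.

```python
# Added example (not Data Inputs code): models the sensor event filter and
# device properties filter semantics described on this page. Sample events
# and device records are constructed; field names such as event_simpleName
# and the device_<property> prefix are assumptions of this example.

HEARTBEAT_EVENTS = ["SensorHeartbeat", "OciImageHeartbeat", "OciContainerHeartbeat"]


def sensor_event_filter(events, mode, event_types):
    """Include mode keeps only the listed types; Drop mode keeps all others."""
    if not event_types:
        raise ValueError("at least one event type is required")
    wanted = set(event_types)
    if mode == "include":
        return [e for e in events if e.get("event_simpleName") in wanted]
    if mode == "drop":
        return [e for e in events if e.get("event_simpleName") not in wanted]
    raise ValueError(f"unknown mode: {mode!r}")


def device_properties_filter(device, mode, fields):
    """Drop mode removes the listed properties; Enrich mode keeps all of them."""
    fields = set(fields)
    if mode == "drop":
        return {k: v for k, v in device.items() if k not in fields}
    if mode == "enrich":
        return dict(device)
    raise ValueError(f"unknown mode: {mode!r}")


def enrich_event(event, device, mode, fields):
    """Attach the filtered device context to an event as device_<property> keys."""
    enriched = dict(event)
    for k, v in device_properties_filter(device, mode, fields).items():
        enriched[f"device_{k}"] = v
    return enriched


# Constructed sample data: two heartbeats and two detection-relevant events.
SAMPLE_EVENTS = [
    {"event_simpleName": "SensorHeartbeat", "aid": "aid-1"},
    {"event_simpleName": "ProcessRollup2", "aid": "aid-1", "ImageFileName": "cmd.exe"},
    {"event_simpleName": "OciContainerHeartbeat", "aid": "aid-2"},
    {"event_simpleName": "DnsRequest", "aid": "aid-1", "DomainName": "example.test"},
]
SAMPLE_DEVICE = {"hostname": "ws-01", "agent_version": "7.0", "cid": "cid-placeholder", "local_ip": "10.0.0.5"}

if __name__ == "__main__":
    kept = sensor_event_filter(SAMPLE_EVENTS, "drop", HEARTBEAT_EVENTS)  # default preset behaviour
    print([e["event_simpleName"] for e in kept])
    print(enrich_event(kept[0], SAMPLE_DEVICE, "drop", ["cid"]))
```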
CrowdStrike API client
Device enrichment and index-time field enrichment require you to configure a CrowdStrike API client on the input. The client authenticates with the CrowdStrike Falcon API to fetch and cache device information.
The CrowdStrike API client configuration includes the following fields:
- Name: Display name for this client configuration.
- Client ID: CrowdStrike API client identifier.
- Client Secret: CrowdStrike API client secret.
- Base API: Base URL of the CrowdStrike Falcon API for your region.
- Sync frequency: How often Data Inputs fetches updated device data.
The client must have Hosts - Read access. This is the only required scope. Data Inputs uses it to fetch and cache device properties for enrichment and does not require write access.
Data Inputs validates the client credentials and scope when you save the input. If the secret is invalid or the Hosts read scope is not assigned, you cannot save the input until you resolve the issue.
You can edit the CrowdStrike API client configuration globally from the input details page. Because multiple inputs can share the client, any change you make applies to all inputs that reference it. There is no clone option for the API client, only global edit is available.
Data Inputs doesn't persist API client changes until you save the parent input. If you discard the input edit, the system also discards your client changes.
Data Inputs monitors the API client state throughout the input lifecycle. It checks that the client credentials remain valid and that the required scope is still in place. If either check fails, for example, because someone rotated the secret outside Data Inputs or removed the API scope, the input details page displays a warning and Data Inputs pauses device enrichment until you update the client with valid credentials.
Index-time field enrichment
Data Inputs uses an input schema version that is compatible with the CrowdStrike add-on, enabling the add-on to perform index-time field enrichment. When you enable device enrichment and configure a CrowdStrike API client, Data Inputs makes the enrichment data available to the add-on at index time for field-level enrichment of ingested events.
About CrowdStrike data ingestion
You can ingest security event data from CrowdStrike data sources into your Splunk environment through Data Inputs. The integration uses the CrowdStrike Falcon Data Replicator (FDR) feed.
Event types
CrowdStrike provides the following event types that you can ingest:
- Sensor events are always included and you cannot turn them off. The default configurations in Splunk Add-on for CrowdStrike FDR filter these events to exclude sensor heartbeats and other unnecessary data.
- CrowdStrike external security events triggered by actions outside Falcon sensors, such as console logons.
- CrowdStrike zero trust host assessment (ZTA) telemetry for device posture.
- CrowdStrike aidmaster inventory updates for registered Falcon agents.
- CrowdStrike managed asset inventory (for example, host network interfaces and external IPs).
- CrowdStrike "notmanaged" inventory showing nearby unmanaged devices that Falcon hosts observe.
- Application inventory updates (file hashes and locations for software running on hosts).
- User inventory updates (CrowdStrike user SIDs, names, and other identity attributes).
Key features
- One-to-one input model: each input connects to one CrowdStrike FDR feed
- Configurable event type selection
- Automatic validation of AWS credentials and SQS queue accessibility
- Real-time deployment status monitoring
- Configurable sensor event filters to control which Falcon security events you ingest
- Device enrichment with CrowdStrike API client integration and device property filters
- Shared resource management for sensor event filters, device property filters, and CrowdStrike client configurations
- System-preset configurations (read-only defaults matching previous add-on behavior) available out of the box
- Index-time field enrichment aligned with the Splunk Add-on for CrowdStrike FDR
- Input status with real-time health indicators showing warnings for invalid credentials, connector errors, and in-progress operations, with a guided recovery path
- Improved input configuration screen with shared configuration assignments visible and manageable inline
- Support for notification cut off time to prevent processing old events