Prerequisites for CrowdStrike data

Before you onboard CrowdStrike data, ensure you have the following:

  • A CrowdStrike Falcon Data Replicator (FDR) feed created for your CrowdStrike tenant. The FDR feed provides the S3 bucket and SQS queue details required for the integration.
  • AWS access key ID and secret access key with permissions to access the SQS queue.
  • SQS queue name where CrowdStrike sends notifications.
  • Valid Splunk index for storing ingested data.
  • Add-on for CrowdStrike FDR installed in your Splunk environment (mandatory for proper event parsing). Install the add-on on the part of your Splunk Cloud deployment that performs the parsing, field extraction, or search-time processing for your data. You must install this add-on, but you do not need to configure it.
  • (Required for device enrichment and index-time field enrichment) CrowdStrike API credentials with the following configuration:
    • A CrowdStrike API client with hosts read scope. This is the only required scope.
    • The client ID, client secret, and the base API URL for your CrowdStrike Falcon region.

    Data Inputs uses the CrowdStrike API client to fetch and cache device properties for enrichment and does not require write access. Index-time field enrichment also depends on a valid API client secret, because Data Inputs must authenticate with the CrowdStrike Falcon API to retrieve the device data that the add-on uses at index time.
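The following pre-flight script is an added example, not Splunk or CrowdStrike code, that exercises the prerequisites above before onboarding: it confirms the AWS keys can resolve and read the FDR SQS queue, that the API client ID and secret obtain a Falcon OAuth2 token, and that the token actually carries the hosts read scope (a client with a valid secret but the wrong scope is the usual cause of enrichment silently failing). It assumes the standard Falcon API paths `/oauth2/token` and `/devices/queries/devices/v1`, and a boto3-style SQS client exposing `get_queue_url` and `get_queue_attributes`; both dependencies are injected so the checks run offline against the constructed fakes at the bottom (`FakeSQS`, `make_fake_http`), and can be swapped for `boto3.client("sqs", ...)` and `urllib_http` for a live run.

```python
"""Pre-flight checks for CrowdStrike FDR onboarding (added example, not vendor code)."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# HttpCall(method, url, headers, body) -> (status, response_bytes)
HttpCall = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_http(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real transport on the standard library; HTTP errors are returned as status codes, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_sqs_access(sqs: Any, queue_name: str) -> Dict[str, Any]:
    """Confirm the AWS keys can resolve the FDR queue and read its attributes (boto3-style client)."""
    queue_url = sqs.get_queue_url(QueueName=queue_name)["QueueUrl"]
    attrs = sqs.get_queue_attributes(
        QueueUrl=queue_url, AttributeNames=["ApproximateNumberOfMessages"])["Attributes"]
    return {"queue_url": queue_url,
            "messages_waiting": int(attrs.get("ApproximateNumberOfMessages", "0"))}


def get_falcon_token(http: HttpCall, base_url: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the Falcon OAuth2 endpoint (assumed path /oauth2/token)."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    status, payload = http("POST", base_url.rstrip("/") + "/oauth2/token",
                           {"Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"}, form)
    if status not in (200, 201):
        raise PermissionError(f"Falcon token request rejected: HTTP {status}")
    token = json.loads(payload.decode()).get("access_token")
    if not token:
        raise PermissionError("Falcon token response contained no access_token")
    return token


def has_hosts_read_scope(http: HttpCall, base_url: str, token: str) -> bool:
    """One minimal hosts query proves the client carries the hosts read scope (assumed path)."""
    status, _ = http("GET", base_url.rstrip("/") + "/devices/queries/devices/v1?limit=1",
                     {"Authorization": f"Bearer {token}", "Accept": "application/json"}, None)
    if status == 403:
        return False          # authenticated, but the client was not granted hosts read
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status} from hosts query")
    return True


def run_preflight(sqs: Any, http: HttpCall, cfg: Dict[str, str]) -> Dict[str, Any]:
    """Run every check and report which prerequisite is unmet, if any."""
    report: Dict[str, Any] = {"ok": True, "problems": []}
    try:
        report["sqs"] = check_sqs_access(sqs, cfg["sqs_queue_name"])
    except Exception as err:  # boto3 raises ClientError; the fake raises LookupError
        report["ok"] = False
        report["problems"].append(f"SQS access failed: {err}")
    try:
        token = get_falcon_token(http, cfg["base_url"], cfg["client_id"], cfg["client_secret"])
        if not has_hosts_read_scope(http, cfg["base_url"], token):
            report["ok"] = False
            report["problems"].append("API client lacks the hosts read scope")
    except (PermissionError, RuntimeError) as err:
        report["ok"] = False
        report["problems"].append(f"Falcon API check failed: {err}")
    return report


# --- Constructed fakes so the checks can be exercised offline (not real services) ---
class FakeSQS:
    def __init__(self, known_queue: str):
        self.known_queue = known_queue

    def get_queue_url(self, QueueName: str) -> Dict[str, str]:
        if QueueName != self.known_queue:
            raise LookupError("AWS.SimpleQueueService.NonExistentQueue")
        return {"QueueUrl": f"https://sqs.us-west-1.amazonaws.com/000000000000/{QueueName}"}

    def get_queue_attributes(self, QueueUrl: str, AttributeNames: list) -> Dict[str, Any]:
        return {"Attributes": {"ApproximateNumberOfMessages": "3"}}


def make_fake_http(valid_secret: str, grant_hosts_read: bool) -> HttpCall:
    """Fake Falcon API: issues a token only for valid_secret; hosts read is optional."""
    def http(method, url, headers, body):
        if url.endswith("/oauth2/token"):
            fields = urllib.parse.parse_qs((body or b"").decode())
            if fields.get("client_secret") == [valid_secret]:
                return 201, b'{"access_token": "constructed-token"}'
            return 403, b'{"errors": [{"message": "access denied"}]}'
        if "/devices/queries/devices/v1" in url:
            if headers.get("Authorization") != "Bearer constructed-token" or not grant_hosts_read:
                return 403, b"{}"
            return 200, b'{"resources": []}'
        return 404, b"{}"
    return http


if __name__ == "__main__":
    cfg = {"sqs_queue_name": "fdr-queue", "base_url": "https://api.crowdstrike.com",
           "client_id": "CID", "client_secret": "SECRET"}
    # For a live run pass boto3.client("sqs", ...) and urllib_http instead of the fakes.
    print(run_preflight(FakeSQS("fdr-queue"), make_fake_http("SECRET", True), cfg))
```

The scope check is deliberately a read of one device ID rather than any write call, matching the note above that Data Inputs needs only hosts read; if `has_hosts_read_scope` returns False while the token request succeeded, the secret is fine and the fix is to add the hosts read scope to the API client in the Falcon console.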