
About the Splunk Add-on for CrowdStrike

Version: 2.0.1
Vendor products: CrowdStrike FDR (Falcon Data Replicator)
Visible: No. This add-on does not contain any views.

The Splunk Add-on for CrowdStrike FDR lets you collect event data stored in CrowdStrike and bring it into your own Splunk instance for retention and further analysis.

CrowdStrike FDR events must be fetched from an AWS S3 bucket that is provisioned for you. The integration uses AWS SQS so that ingestion can scale horizontally if required.

If you deploy to Splunk Cloud Victoria, make sure that you are running version 8.2.2201 or later of Splunk Cloud Victoria. Version 8.2.2201 provides a key performance optimization for high FDR event volumes.

For version 2.0.1 and later, note the following:

  • A new type of index-time host resolution is available. It works in Splunk Cloud Platform (SCP) stacks and in Splunk Enterprise. See Index time host resolution for more information.
  • Select your host resolution in the SQS-based S3 consumer or in the SQS-based manager.

Download the Splunk Add-on for CrowdStrike FDR from Splunkbase at http://splunkbase.splunk.com/app/5579.