Install the Splunk Add-on for CrowdStrike FDR
Use one of the following methods to collect CrowdStrike FDR events stored in CrowdStrike Amazon Web Services:
- Install the Splunk Add-on for CrowdStrike FDR on heavy forwarders
- Install the Splunk Add-on for CrowdStrike FDR on an IDM
- Install the Splunk Add-on for CrowdStrike FDR on search heads to perform search-time field extractions and resolutions
- On the Enterprise Cloud Platform, use search heads as heavy forwarders and choose to install only on the search head
To process events in the Splunk Add-on for CrowdStrike FDR, you must have the following configured:
- An FDR AWS Collection
- A CrowdStrike event filter
- A CrowdStrike FDR SQS-based S3 consumer input
Use the tables in this topic to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise. See the installation walkthrough section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.
Distributed installation
This table provides a reference for installing this add-on to a distributed deployment of Splunk Enterprise.
Splunk instance type | Supported | Required | Comments |
---|---|---|---|
Search Heads | Yes | Yes | |
Indexers | Yes | Yes | |
Heavy Forwarders | Yes | Yes | |
Distributed deployment compatibility
This table provides a reference for the compatibility of this add-on with Splunk distributed deployment features.
Distributed deployment feature | Supported | Comments |
---|---|---|
Search Head Clusters | Yes | |
Indexer Clusters | Yes | |
Deployment Server | Conditional | Can be used to manage the deployment of the configured add-on to multiple clients but won’t be involved in data collection. |
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform.
Splunk platform component | Supported | Required | Action Required/Comments |
---|---|---|---|
Search Heads | Yes | Yes | Install this add-on to all search heads where you want to collect information. |
Indexers | Yes | Conditional | Not required if you use heavy forwarders to collect data. |
Heavy Forwarders | Yes | Conditional | This add-on can use heavy forwarders to perform data collection using modular inputs and to perform the setup and authentication in Splunk Web. |
Universal Forwarders | No | No | |
Inputs Data Manager | Yes | No | This add-on is supported by Splunk Inputs Data Manager (IDM). |
Self Service App Install (SSAI) | Conditional | No | This add-on is supported by Self Service App Install (SSAI), except when you are using an IDM. |
Installation walkthrough
See “Installing add-ons” in Splunk Add-ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios: