Release history for the Splunk Add-on for Crowdstrike¶
Version 2.0.2 is the latest version of the Splunk Add-on for Crowdstrike. See Release Notes for the latest updates.
Version 2.0.1¶
Version 2.0.1 of the Splunk Add-on for Crowdstrike FDR was released on October 03, 2024. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 9.0.x, 9.1.x, 9.2.x |
CIM | 5.X |
Platforms | Platform independent |
Vendor Products | Crowdstrike FDR |
New features¶
Version 2.0.1 of the Splunk Add-on for Crowdstrike FDR contains the following new and changed features:
Updated vendor endpoint
Fixed Issues¶
Version 2.0.1 of the Splunk Add-on for CrowdStrike FDR contains the following, if any, issues.
Known issues¶
Version 2.0.1 of the Splunk Add-on for CrowdStrike FDR contains the following, if any, issues.
Third-party software attributions¶
Version 2.0.1 of the Splunk Add-on for CrowdStrike FDR contains the following third-party libraries.
Third-party software attributions for the Splunk Add-on for CrowdStrike FDR
Version 2.0.0¶
Version 2.0.0 of the Splunk Add-on for Crowdstrike FDR was released on July 31, 2024. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 9.0.x, 9.1.x, 9.2.x |
CIM | 5.X |
Platforms | Platform independent |
Vendor Products | Crowdstrike FDR |
New features¶
Version 2.0.0 of the Splunk Add-on for Crowdstrike FDR contains the following new and changed features:
New monitoring dashboard
New events for CIM normalization
Updated events CIM normalization
FedRAMP certification
IPv6 compatibility
Fixed Issues¶
Version 2.0.0 of the Splunk Add-on for CrowdStrike FDR contains the following, if any, issues.
Known issues¶
Version 2.0.0 of the Splunk Add-on for CrowdStrike FDR contains the following, if any, issues.
Third-party software attributions¶
Version 2.0.0 of the Splunk Add-on for CrowdStrike FDR contains the following third-party libraries.
Version 1.5.0¶
Version 1.5.0 of the Splunk Add-on for Crowdstrike FDR was released on November 27, 2023. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.2.x, 9.0.x and 9.1.x |
CIM | N/A |
Platforms | Platform independent |
Vendor Products | Crowdstrike FDR |
New features¶
Version 1.5.0 of the Splunk Add-on for Crowdstrike FDR contains the following new and changed features:
New modular input Device API Inventory Sync Service.
New events CIM normalization.
New Device field filter.
Index-time host resolution configuration for SQS based manager and for SQS based consumer.
Fixed Issues¶
Version 1.5.0 of the Splunk Add-on for CrowdStrike FDR contains the following, if any, issues.
Known issues¶
Version 1.5.0 of the Splunk Add-on for CrowdStrike FDR contains the following, if any, issues.
Third-party software attributions¶
Version 1.5.0 of the Splunk Add-on for CrowdStrike FDR contains the following third-party libraries.
Version 1.4.0¶
Version 1.4.0 of the Splunk Add-on for Crowdstrike FDR was released on March 7, 2023. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1, 8.2 |
CIM | N/A |
Platforms | Platform independent |
Vendor Products | Crowdstrike FDR |
New features¶
Version 1.4.0 of the Splunk Add-on for Crowdstrike FDR contains the following new and changed features:
- MAC address and local IP information provided by CrowdStrike FDR managedassets events is added to the host resolution process, both at search time and at index time
- Added search time file/application resolution based on CrowdStrike FDR appinfo events
- Added search time user resolution based on CrowdStrike FDR userinfo events
- Increased TRUNCATE value to 200000 in props.conf for stanza crowdstrike:events:sensor
Fixed Issues¶
Version 1.4.0 of the Splunk Add-on for CrowdStrike FDR contains the following, if any, issues.
Known issues¶
Version 1.4.0 of the Splunk Add-on for CrowdStrike FDR contains the following, if any, issues.
Third-party software attributions¶
Version 1.4.0 of the Splunk Add-on for CrowdStrike FDR contains the following third-party libraries.
Version 1.3.0¶
Version 1.3.0 of the Splunk Add-on for Crowdstrike FDR was released on December 15, 2022. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1, 8.2 |
CIM | N/A |
Platforms | Platform independent |
Vendor Products | Crowdstrike FDR |
New features¶
Version 1.3.0 of the Splunk Add-on for Crowdstrike FDR contains the following new and changed features:
- Added CIM normalization for additional sensor events
- Added support for appinfo and userinfo events
- Added new modular inputs for Ingest scaling enhancement
- Added possibility to specify separate dedicated index for each sourcetype
- Implemented internal recover checkpoints in the new modular inputs
- Added an ingest troubleshooting/monitoring dashboard
- Added a modular input for monitoring the event batches/files available in the CrowdStrike FDR AWS S3 bucket
- The crowdstrike_ta_index macro, which defines the index used by the host resolution saved search, has been renamed to crowdstrike_ta_aidmaster_index. Additionally, several other sourcetype-based macros have been created: crowdstrike_ta_managedassets_index, crowdstrike_ta_managedassets_appinfo, crowdstrike_ta_managedassets_userinfo.
- TRUNCATE value increased to 200000 for crowdstrike:events:sensor sourcetype
Fixed Issues¶
Version 1.3.0 of the Splunk Add-on for Crowdstrike FDR contains the following, if any, fixed issues.
- Fixed CIM field process_name extraction from CommandLine values with quotes
- Fixed CIM field dest extraction
Known issues¶
Version 1.3.0 of the Splunk Add-on for CrowdStrike FDR contains the following issues.
- In Splunk version 9.0.*, Splunk does not properly terminate modular inputs running on Ubuntu when they are disabled by a user, restarted because of a configuration change, or when the Splunk services are restarted. However, when the modular input is enabled again (or in any other situation where Splunk restores the modular input to the running state), Splunk successfully creates a new modular input process. As a result, the old and the new modular input processes run in parallel, which can cause uncontrolled resource usage or, in the worst case, unpredictable modular input behavior.
In version 1.3.0, a workaround has been implemented to handle this issue. The add-on's modular inputs periodically monitor their configuration, checking that it is still available and not disabled. This lets them handle Splunk instance restarts and the disabling of the corresponding modular input. However, the workaround can be fooled if the status changes to disabled and then back to enabled too quickly, or when Splunk restarts the modular input process after a configuration change. To avoid this, follow these recommendations:
- If a modular input is disabled, wait at least 5-10 seconds before enabling it again, to give it time to recognize that its state has changed to disabled and shut down.
- If you plan to change a modular input's configuration, disable it first, change the configuration, and then enable it again.
- If you forgot to disable the modular input before a configuration change, or you discover several running processes dedicated to the same modular input stanza, disable the corresponding modular input and wait for 10-30 seconds. All "clones" of the modular input will have enough time to recognize that their state has changed to disabled and shut down. Then enable the modular input again.
Third-party software attributions¶
Version 1.3.0 of the Splunk Add-on for Amazon Web Services incorporates the following third-party libraries.
boto3 - http://docs.splunk.com/Documentation/AddOns/released/Overview/boto3
requests - http://docs.splunk.com/Documentation/AddOns/released/Overview/requests222
Version 1.2.0¶
Version 1.2.0 of the Splunk Add-on for Crowdstrike FDR was released on xxxx xx, 2022. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1, 8.2 |
CIM | N/A |
Platforms | Platform independent |
Vendor Products | Crowdstrike FDR |
New features¶
Version 1.2.0 of the Splunk Add-on for Crowdstrike FDR contains the following new and changed features:
- TRUNCATE value increased to 150000
- Enhanced logging. New logging allows estimating raw data ingestion value per input stanza. Log messages format has been changed to allow search time auto extraction of important information.
- Configurable ingest start time - allows to ignore/skip batches created earlier than specified time threshold. Can be set via the modular input UI in “Ignore SQS messages older than” field.
- Added proxy support for communication with AWS REST API endpoints
- Added us-gov-east-1 and us-gov-west-1 regions in AWS collection configuration
- Added additional verification to avoid index time resolution lookup overwrite if the collection sync process was not successful. This should prevent lookup corruption and possible ingestion blocking.
Fixed Issues¶
Version 1.2.0 of the Splunk Add-on for Crowdstrike FDR contains the following, if any, fixed issues.
Known issues¶
Version 1.2.0 of the Splunk Add-on for CrowdStrike FDR contains the following issues.
- In the Splunk Cloud Platform stack, by default there is no connectivity over the Splunk REST API port 8089 from the IDM to the search heads. Additionally, the IDM has limited index-time field extraction capabilities compared with a heavy forwarder. These two factors prevent the add-on from performing index-time host resolution. Consider using an external heavy forwarder to make index-time host resolution work.
- If a heavy forwarder is installed on Windows 2019 Datacenter, the INGEST_EVAL with lookup() instruction can crash the Splunk service. This means that the Splunk Add-on for Crowdstrike FDR cannot be used in such environments. Consider using a Linux host instead.
- If you are deploying this add-on to Splunk Cloud Victoria stacks, first validate that they are 8.2.2201+. Previous releases of Victoria do not include a key performance optimization that is important for high-volume FDR event volumes. If your Splunk Cloud Victoria version is below 8.2.2201, use the classic approach with an IDM/HF for the best performance.
Third-party software attributions¶
Version 1.2.0 of the Splunk Add-on for Amazon Web Services incorporates the following third-party libraries.
boto3 - http://docs.splunk.com/Documentation/AddOns/released/Overview/boto3
requests - http://docs.splunk.com/Documentation/AddOns/released/Overview/requests222
Version 1.0.0¶
Splunk platform versions | 8.1, 8.2 |
CIM | N/A |
Platforms | Platform independent |
Vendor Products | Crowdstrike FDR |
Known issues¶
Version 1.0.0 of the Splunk Add-on for CrowdStrike FDR contains the following issues.
- In the Splunk Cloud Platform stack, by default there is no connectivity over the Splunk REST API port 8089 from the IDM to the search heads. Additionally, the IDM has limited index-time field extraction capabilities compared with a heavy forwarder. These two factors prevent the add-on from performing index-time host resolution. Consider using an external heavy forwarder to make index-time host resolution work.
- If a heavy forwarder is installed on Windows 2019 Datacenter, the INGEST_EVAL with lookup() instruction can crash the Splunk service. This means that the Splunk Add-on for Crowdstrike FDR cannot be used in such environments. Consider using a Linux host instead.
Third-party software attributions¶
Version 1.0.0 of the Splunk Add-on for Crowdstrike does not incorporate any third-party software or libraries.