CrowdStrike

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

CrowdStrike secures endpoints and cloud workloads, identity, and data to keep customers ahead of today’s adversaries and stop breaches.

Getting data in

Source	Add-ons and Apps	Guidance
Falcon The CrowdStrike Falcon platform leverages real-time indicators of attack, threat intelligence on evolving adversary tradecraft, and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting, and prioritized observability of vulnerabilities. The CrowdStrike Falcon Data Replicator (FDR) allows you to analyze, alert, and investigate based on your process start data. FDR files (logs and lookups) are output by CrowdStrike servers, and staged temporarily in AWS S3. The Splunk Add-on for Crowdstrike Falcon Data Replicator (FDR) collects endpoint event data from the S3 buckets and prepares it for search and retention in Splunk. This integration utilizes an AWS SQS queue to manage the pull of events to allow for scaling horizontally to accommodate large event volumes. You can filter to ingest the events you deem the most valuable and enrich FDR events with host identifiers to make correlation and investigation easier.	Splunk platform Splunk Add-on for CrowdStrike FDR CrowdStrike App CrowdStrike Falcon Event Streams Technical Add-On CrowdStrike Falcon Devices Technical Add-On CCX CrowdStrike Products Extensions (Falcon Event Streams and Spotlight) Splunk Enterprise Security SA-CrowdstrikeDevices for Enterprise Security Splunk SOAR CrowdStrike OAuth API	Configuration About the Splunk Add-on for CrowdStrike Splunk Lantern Articles Monitoring for indicators of ransomware attacks (Splunk Enterprise Security) Triaging Crowdstrike malware data (Splunk SOAR)
Intel Indicator CrowdStrike Intel Indicator refers to threat intelligence data provided by CrowdStrike, which includes indicators of compromise (IOCs) such as malicious IP addresses, domains, file hashes, and other artifacts. This intelligence helps organizations proactively detect and prevent cyberattacks by identifying known threats and suspicious activities.	Splunk platform CrowdStrike Intel Indicator Technical Add-On
Spotlight CrowdStrike Spotlight is a vulnerability management solution that identifies and prioritizes vulnerabilities across endpoints, providing continuous visibility into an organization's attack surface. It leverages the CrowdStrike Falcon agent to collect real-time data, helping security teams understand their exposure and remediate critical weaknesses efficiently.	Splunk platform CrowdStrike Falcon Spotlight Vulnerability Data

Source

Add-ons and Apps

Guidance

Falcon

The CrowdStrike Falcon platform leverages real-time indicators of attack, threat intelligence on evolving adversary tradecraft, and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting, and prioritized observability of vulnerabilities.

The CrowdStrike Falcon Data Replicator (FDR) allows you to analyze, alert, and investigate based on your process start data. FDR files (logs and lookups) are output by CrowdStrike servers, and staged temporarily in AWS S3.

The Splunk Add-on for Crowdstrike Falcon Data Replicator (FDR) collects endpoint event data from the S3 buckets and prepares it for search and retention in Splunk. This integration utilizes an AWS SQS queue to manage the pull of events to allow for scaling horizontally to accommodate large event volumes. You can filter to ingest the events you deem the most valuable and enrich FDR events with host identifiers to make correlation and investigation easier.

Splunk platform

Splunk Enterprise Security

SA-CrowdstrikeDevices for Enterprise Security

Splunk SOAR

CrowdStrike OAuth API

Configuration

About the Splunk Add-on for CrowdStrike

Splunk Lantern Articles

Monitoring for indicators of ransomware attacks (Splunk Enterprise Security)
Triaging Crowdstrike malware data (Splunk SOAR)

Intel Indicator

CrowdStrike Intel Indicator refers to threat intelligence data provided by CrowdStrike, which includes indicators of compromise (IOCs) such as malicious IP addresses, domains, file hashes, and other artifacts. This intelligence helps organizations proactively detect and prevent cyberattacks by identifying known threats and suspicious activities.

Splunk platform

CrowdStrike Intel Indicator Technical Add-On

Spotlight

CrowdStrike Spotlight is a vulnerability management solution that identifies and prioritizes vulnerabilities across endpoints, providing continuous visibility into an organization's attack surface. It leverages the CrowdStrike Falcon agent to collect real-time data, helping security teams understand their exposure and remediate critical weaknesses efficiently.

Splunk platform

CrowdStrike Falcon Spotlight Vulnerability Data