Skip to main content
Splunk Lantern



CrowdStrike secures endpoints and cloud workloads, identity, and data to keep customers ahead of today’s adversaries and stop breaches. The CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence on evolving adversary tradecraft, and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting, and prioritized observability of vulnerabilities. 

The CrowdStrike Falcon Data Replicator (FDR) allows you to analyze, alert, and investigate based on your process start data. FDR files (logs and lookups) are output by CrowdStrike servers, and staged temporarily in AWS S3. The Splunk Add-on for Crowdstrike Falcon Data Replicator (FDR) collects endpoint event data from the S3 buckets and prepares it for search and retention in Splunk. This integration utilizes an AWS SQS queue to manage the pull of events to allow for scaling horizontally to accommodate large event volumes. You can filter to ingest the events you deem the most valuable and enrich FDR events with host identifiers to make correlation and investigation easier. 

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: