Skip to main content
Splunk Lantern

Crowdstrike

 

The CrowdStrike Falcon Data Replicator (FDR) allows you to analyze, alert, and investigate based on your process start data. FDR files (logs and lookups) are output by CrowdStrike servers, and staged temporarily in AWS S3. The Splunk Add-on for Crowdstrike Falcon Data Replicator (FDR) collects endpoint event data from the S3 buckets and prepares it for search and retention in Splunk. This integration utilizes an AWS SQS queue to manage the pull of events to allow for scaling horizontally to accommodate large event volumes. You can filter to ingest the events you deem the most valuable and enrich FDR events with host identifiers to make correlation and investigation easier. 

Configuration

Guidance for onboarding data can be found in the Spunk Documentation: 

Refer to the documentation, and note the following:

Application

When your Splunk deployment is ingesting CrowdStrike FDR data, you can use the data to achieve the following: