The CrowdStrike Falcon Data Replicator (FDR) lets you analyze, alert, and investigate based on your endpoint process-start data. FDR files (event logs and lookups) are output by CrowdStrike servers and staged temporarily in AWS S3. The Splunk Add-on for CrowdStrike Falcon Data Replicator (FDR) collects endpoint event data from those S3 buckets and prepares it for search and retention in Splunk. The integration uses an AWS SQS queue to manage the pull of events: each notification on the queue points at a batch of newly staged S3 objects, so you can run more than one consumer and scale horizontally to accommodate large event volumes. You can filter to ingest only the events you deem the most valuable, and enrich FDR events with host identifiers to make correlation and investigation easier.
Guidance for onboarding data can be found in the Splunk documentation:
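The following is an added example, not code from Splunk or CrowdStrike, showing the consumer flow the paragraph describes: read one SQS notification, fetch the S3 objects it references, then filter the events to the types you want and enrich them with host identifiers. The notification field names (bucket, pathPrefix, files[].path/size/checksum) and the event and inventory field names (event_simpleName, aid, ComputerName) are assumptions based on typical FDR output; the sample notification, events and inventory are constructed, and an in-memory dict stands in for S3 so the script runs offline.

```python
"""Added example (not Splunk's or CrowdStrike's code): walk one FDR SQS
notification, then filter and enrich the events it points at.

Assumptions, not taken from the page: notification field names follow the
shape of FDR SQS messages (bucket, pathPrefix, files[]); event/inventory
field names (event_simpleName, aid, ComputerName) are typical FDR names.
All sample data is constructed; FAKE_S3 replaces the real S3 fetch.
"""
import gzip
import io
import json

# Constructed SQS message body in the shape FDR emits (field names assumed).
SAMPLE_NOTIFICATION = json.dumps({
    "cid": "0123456789abcdef0123456789abcdef",
    "timestamp": 1700000000000,
    "fileCount": 2,
    "totalSize": 512,
    "bucket": "example-fdr-bucket",
    "pathPrefix": "data/abcd1234",
    "files": [
        {"path": "data/abcd1234/part-00000.gz", "size": 256, "checksum": "cafe"},
        {"path": "data/abcd1234/part-00001.gz", "size": 256, "checksum": "beef"},
    ],
})

# Constructed newline-delimited FDR events, one inner list per staged file.
_RAW_EVENTS = [
    [
        {"event_simpleName": "ProcessRollup2", "aid": "a1", "timestamp": "1700000001000",
         "ImageFileName": "\\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe"},
        {"event_simpleName": "DnsRequest", "aid": "a1", "timestamp": "1700000002000",
         "DomainName": "example.com"},
    ],
    [
        {"event_simpleName": "ProcessRollup2", "aid": "a2", "timestamp": "1700000003000",
         "ImageFileName": "/usr/bin/curl"},
        {"event_simpleName": "NetworkConnectIP4", "aid": "a2", "timestamp": "1700000004000",
         "RemoteAddressIP4": "203.0.113.5"},
    ],
]

# Stand-in for S3: object key -> gzipped NDJSON bytes, built at import time.
FAKE_S3 = {
    f"data/abcd1234/part-0000{i}.gz": gzip.compress(
        "\n".join(json.dumps(e) for e in events).encode()
    )
    for i, events in enumerate(_RAW_EVENTS)
}

# Constructed inventory (aidmaster-style) lookup: aid -> host identifiers.
HOST_LOOKUP = {
    "a1": {"ComputerName": "WIN-FINANCE-07", "Platform": "Windows"},
    "a2": {"ComputerName": "web-prod-03", "Platform": "Linux"},
}


def parse_notification(body: str):
    """Return (bucket, key, size, checksum) tuples from one FDR SQS message."""
    msg = json.loads(body)
    files = msg["files"]
    if len(files) != msg["fileCount"]:
        raise ValueError("fileCount does not match the files list")
    return [(msg["bucket"], f["path"], f["size"], f["checksum"]) for f in files]


def read_fdr_file(blob: bytes):
    """Decompress one staged FDR object and yield its JSON events."""
    with gzip.open(io.BytesIO(blob), "rt") as fh:
        for line in fh:
            if line.strip():
                yield json.loads(line)


def filter_and_enrich(events, keep_types, host_lookup):
    """Keep only the selected event_simpleName values; add host identifiers."""
    out = []
    for ev in events:
        if ev.get("event_simpleName") not in keep_types:
            continue
        host = host_lookup.get(ev.get("aid"), {})
        out.append(dict(ev, ComputerName=host.get("ComputerName", "unknown"),
                        Platform=host.get("Platform", "unknown")))
    return out


def process_notification(body, fetch=FAKE_S3.get, keep_types=("ProcessRollup2",)):
    """End to end: notification -> staged objects -> filtered, enriched events."""
    results = []
    for _bucket, key, _size, _checksum in parse_notification(body):
        blob = fetch(key)
        if blob is None:  # object already expired or not yet visible: skip, do not crash
            continue
        results.extend(filter_and_enrich(read_fdr_file(blob), set(keep_types), HOST_LOOKUP))
    return results


if __name__ == "__main__":
    for ev in process_notification(SAMPLE_NOTIFICATION):
        print(ev["ComputerName"], ev["event_simpleName"], ev.get("ImageFileName"))
```

In a real deployment `fetch` would be a boto3 `get_object` call and the queue message would be deleted only after every referenced object has been indexed, so that a consumer crash mid-batch leaves the message visible for another consumer to retry; that delete-after-success rule is what makes running several consumers against one queue safe.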
- Getting Data In (Splunk Enterprise)
- Getting Data In (Splunk Cloud)
- Get data into Splunk Observability Cloud
Refer to the documentation, and note the following:
- Add-on or app: Splunk Add-on for Crowdstrike FDR
- Source type: crowdstrike:events and crowdstrike:inventory
- Input type: Crowdstrike FDR host information sync and Crowdstrike FDR SQS based S3 consumer
- Sizing estimate: On average, environments might see this much compressed data per day (these figures describe the gzipped files staged in S3; the volume Splunk indexes and licenses is the uncompressed data, which will be larger):
- Windows hosts: 2.5 MB per host
- macOS hosts: 2.5 MB per host
- Linux hosts: 8-10 MB per host
- Additional add-ons and apps: