Splunk® Supported Add-ons

Splunk Add-on for CrowdStrike FDR

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

About the Splunk Add-on for CrowdStrike

Version 1.4.0
Vendor Products CrowdStrike FDR (Falcon Data Replicator)
Visible No. This add-on does not contain any views.

The Splunk Add-on for CrowdStrike FDR lets you collect event data stored in CrowdStrike and bring it into your own Splunk instance for retention and further analysis.

Crowdstrike FDR events must be fetched from an AWS S3 bucket that is provisioned for you. The integration utilizes AWS SQS to support scaling horizontally if required.

If you deploy to Splunk Cloud Victoria, make sure that you are running version 8.2.2201 or later of Splunk Cloud Victoria. version 8.2.2201 provides a key performance optimization for high FDR event volumes.

Index-time host resolution is not supported in Splunk Cloud Platform (SCP) stacks. For Splunk Cloud Platform stacks, utilize a heavy forwarder with connectivity to the search heads to deploy index-time host resolution or migrate to an SCP Victoria stack version 8.2.2201 or later.

Download the Splunk Add-on for Crowdstrike FDR from Splunkbase at http://splunkbase.splunk.com/app/5579.

Last modified on 21 March, 2023
  NEXT
Hardware and software requirements for the Splunk Add-in for CrowdStrike FDR

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters