
Release history for the Splunk Add-on for CrowdStrike FDR
Version 1.3.0 is the latest version of the Splunk Add-on for CrowdStrike FDR. See Release Notes for the latest updates.
Version 1.2.0
Version 1.2.0 of the Splunk Add-on for CrowdStrike FDR was released on xxxx xx, 2022. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1, 8.2 |
CIM | N/A |
Platforms | Platform independent |
Vendor Products | Crowdstrike FDR |
New features
Version 1.2.0 of the Splunk Add-on for Crowdstrike FDR contains the following new and changed features:
- The TRUNCATE setting (props.conf) is increased to 150000 bytes so that large FDR events are not cut off at the previous limit.
- Enhanced logging. The new log messages let you estimate raw data ingestion volume per input stanza, and their format has been changed so that the important fields are automatically extracted at search time.
- Configurable ingest start time. Batches created earlier than a specified time threshold are skipped. Set the threshold in the modular input UI in the "Ignore SQS messages older than" field.
- Added proxy support for communication with AWS REST API endpoints
- Added us-gov-east-1 and us-gov-west-1 regions in AWS collection configuration
- Added a verification step so that the index-time host resolution lookup is not overwritten when the collection sync process did not complete successfully. This prevents lookup corruption and the ingestion blocking that a corrupted lookup can cause.
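The two safeguards above (skipping batches older than the configured threshold, and refusing to overwrite the host-resolution lookup after a failed sync) are modelled in the following added example. This is illustrative code written for this page, not code from the Splunk Add-on for CrowdStrike FDR. It assumes that an FDR SQS notification body is JSON carrying a millisecond `timestamp` (the real message carries more fields) and that the lookup is a CSV with `aid` and `hostname` columns; the function names, the file name `crowdstrike_aid_host.csv`, and the sample messages are all constructed for the example.

```python
"""Model of two ingest safeguards listed in the 1.2.0 release notes.

Added example; this is not code from the Splunk Add-on for CrowdStrike FDR.
Assumptions: an FDR SQS notification body is JSON with a millisecond
"timestamp" (the real message carries more fields), and the index-time
host-resolution lookup is a CSV with "aid" and "hostname" columns.
"""
import csv
import json
import os
import tempfile
import time


def skip_stale_batches(messages, ignore_older_than_seconds, now=None):
    """Split raw SQS message bodies into (kept, skipped, malformed).

    A batch is skipped when its "timestamp" is older than now - threshold,
    mirroring the "Ignore SQS messages older than" input setting. A batch
    exactly at the cutoff is kept. Messages that cannot be parsed are
    returned separately so the caller can log them instead of losing them.
    """
    now = time.time() if now is None else now
    cutoff_ms = int((now - ignore_older_than_seconds) * 1000)
    kept, skipped, malformed = [], [], []
    for raw in messages:
        try:
            ts = int(json.loads(raw)["timestamp"])
        except (ValueError, KeyError, TypeError):
            malformed.append(raw)
            continue
        (skipped if ts < cutoff_ms else kept).append(raw)
    return kept, skipped, malformed


def replace_lookup_if_sync_ok(lookup_path, new_rows, sync_ok,
                              columns=("aid", "hostname")):
    """Atomically replace the CSV lookup only when the sync succeeded and
    produced non-empty, well-formed rows. On any other outcome the existing
    file is left untouched, so a failed sync cannot corrupt index-time host
    resolution. Returns True if the lookup was replaced."""
    if not sync_ok or not new_rows:
        return False
    if any(not row.get(c) for row in new_rows for c in columns):
        return False  # a row missing a key column would poison the lookup
    target_dir = os.path.dirname(os.path.abspath(lookup_path))
    fd, tmp_path = tempfile.mkstemp(dir=target_dir, prefix=".lookup-", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", newline="") as fh:
            writer = csv.DictWriter(fh, fieldnames=list(columns))
            writer.writeheader()
            for row in new_rows:
                writer.writerow({c: row[c] for c in columns})
        # Atomic rename: a reader sees the old file or the new one, never a partial write
        os.replace(tmp_path, lookup_path)
    except BaseException:
        try:
            os.unlink(tmp_path)
        except OSError:
            pass
        raise
    return True


def read_lookup(path):
    with open(path, newline="") as fh:
        return list(csv.DictReader(fh))


def demo_lookup_guard():
    """Exercise the guard in a temporary directory. Returns the lookup rows
    after a failed sync, after an empty sync, and after a good sync."""
    first = [{"aid": "a1", "hostname": "host-a"}]
    second = [{"aid": "a2", "hostname": "host-b"}]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "crowdstrike_aid_host.csv")  # hypothetical lookup name
        if not replace_lookup_if_sync_ok(path, first, sync_ok=True):
            raise RuntimeError("initial lookup write failed")
        replace_lookup_if_sync_ok(path, second, sync_ok=False)   # sync failed: no overwrite
        after_failed = read_lookup(path)
        replace_lookup_if_sync_ok(path, [], sync_ok=True)        # empty result: no overwrite
        after_empty = read_lookup(path)
        replace_lookup_if_sync_ok(path, second, sync_ok=True)    # good sync: replaced
        after_good = read_lookup(path)
    return after_failed, after_empty, after_good


if __name__ == "__main__":
    now = 1_700_000_000
    # Constructed sample notifications: one fresh, one two hours old, one unparseable
    sample = [json.dumps({"timestamp": (now - 60) * 1000}),
              json.dumps({"timestamp": (now - 7200) * 1000}),
              "not-json"]
    print(skip_stale_batches(sample, 3600, now=now))
    print(demo_lookup_guard())
```

The stale-batch filter treats the cutoff as inclusive (a batch timestamped exactly at `now - threshold` is kept) and never silently discards a message it cannot parse. The lookup guard writes to a temporary file in the same directory and renames over the target, so even a crash mid-write leaves the previous lookup intact.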
Fixed Issues
No fixed issues are listed for version 1.2.0 of the Splunk Add-on for CrowdStrike FDR.
Known issues
Version 1.2.0 of the Splunk Add-on for CrowdStrike FDR contains the following issues.
- In a Splunk Cloud Platform stack, by default there is no connectivity on the Splunk REST API port 8089 from the Inputs Data Manager (IDM) to the search heads. In addition, the IDM has limited index-time field extraction capabilities compared with a heavy forwarder. Together, these prevent the add-on from performing index-time host resolution on the IDM. Consider using an external heavy forwarder so that index-time host resolution works.
- If a heavy forwarder is installed on Windows Server 2019 Datacenter, an INGEST_EVAL transform that calls lookup() can crash the Splunk service. This means the Splunk Add-on for CrowdStrike FDR cannot be used in such environments. Consider using a Linux host instead.
- If you are deploying this add-on to a Splunk Cloud Victoria stack, first confirm that the stack is on version 8.2.2201 or later. Earlier Victoria releases lack a key performance optimization that matters for high-volume FDR event ingestion. If your Splunk Cloud Victoria version is below 8.2.2201, use the classic approach with an IDM or heavy forwarder for the best performance.
Third-party software attributions
Version 1.2.0 of the Splunk Add-on for CrowdStrike FDR incorporates the following third-party libraries.
- boto3 - http://docs.splunk.com/Documentation/AddOns/released/Overview/boto3
- requests - http://docs.splunk.com/Documentation/AddOns/released/Overview/requests222
Version 1.0.0
Splunk platform versions | 8.1, 8.2 |
CIM | N/A |
Platforms | Platform independent |
Vendor Products | Crowdstrike FDR |
Known issues
Version 1.0.0 of the Splunk Add-on for CrowdStrike FDR contains the following issues.
- In a Splunk Cloud Platform stack, by default there is no connectivity on the Splunk REST API port 8089 from the Inputs Data Manager (IDM) to the search heads. In addition, the IDM has limited index-time field extraction capabilities compared with a heavy forwarder. Together, these prevent the add-on from performing index-time host resolution on the IDM. Consider using an external heavy forwarder so that index-time host resolution works.
- If a heavy forwarder is installed on Windows Server 2019 Datacenter, an INGEST_EVAL transform that calls lookup() can crash the Splunk service. This means the Splunk Add-on for CrowdStrike FDR cannot be used in such environments. Consider using a Linux host instead.
Third-party software attributions
Version 1.0.0 of the Splunk Add-on for CrowdStrike FDR does not incorporate any third-party software or libraries.