Splunk® Supported Add-ons

Splunk Add-on for CrowdStrike FDR

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

About the Splunk Add-on for CrowdStrike

Version 1.5.0
Vendor Products CrowdStrike FDR (Falcon Data Replicator)
Visible No. This add-on does not contain any views.

The Splunk Add-on for CrowdStrike FDR lets you collect event data stored in CrowdStrike and bring it into your own Splunk instance for retention and further analysis.

Crowdstrike FDR events must be fetched from an AWS S3 bucket that is provisioned for you. The integration utilizes AWS SQS to support scaling horizontally if required.

If you deploy to Splunk Cloud Victoria, make sure that you are running version 8.2.2201 or later of Splunk Cloud Victoria. version 8.2.2201 provides a key performance optimization for high FDR event volumes.

For version 1.5.0 and later, note the following:

  • A new type of index-time host resolution is available. It works in Splunk Cloud Platform (SCP) stacks and in Splunk Enterprise. See Index time host resolution' for more information.
  • Select your host resolution in SQS based S3 consumer or in SQS based manager

Download the Splunk Add-on for Crowdstrike FDR from Splunkbase at http://splunkbase.splunk.com/app/5579.

Last modified on 14 December, 2023
  NEXT
Hardware and software requirements for the Splunk Add-in for CrowdStrike FDR

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters