Splunk® Supported Add-ons

Splunk Add-on for CrowdStrike FDR


Configure inputs for the Splunk Add-on for CrowdStrike FDR

The Splunk Add-on for CrowdStrike FDR lets you configure two types of inputs:

  1. Crowdstrike FDR host information sync (optional): This input synchronizes host resolution information from the search head collection to a local lookup so that CrowdStrike agent hosts in events can be resolved at index time. By default, host resolution takes place at search time.
  2. Crowdstrike FDR SQS based S3 consumer (required): This input consumes events from the CrowdStrike AWS feed. You must configure this input to get data into Splunk. Before you create an input of this type, complete the following configuration steps:
    1. Configure an FDR AWS collection.
    2. Configure a CrowdStrike event filter.

Configure your FDR Amazon Web Services collection

Specify your CrowdStrike FDR AWS feed connection information. In most cases only one collection is needed: all inputs that you create to consume events can reuse this information to connect to the FDR AWS feed.

  1. Open the Splunk Add-on for Crowdstrike FDR Configuration page on your heavy forwarder or IDM. You must repeat the following task for each heavy forwarder or IDM. If you are on the Splunk Cloud Platform, perform this task in Splunk Web.
  2. Select the FDR AWS Collection tab and click Add.
  3. Specify an FDR AWS collection name.
  4. Select the AWS region where your CrowdStrike feed is located. You can find the region, the AWS access key ID, and the AWS secret access key in your CrowdStrike Falcon Dashboard.
  5. Enter your AWS access key ID.
  6. Enter your AWS secret access key. Treat this value as a credential that grants read access to your FDR feed: do not paste it into searches, tickets, or shared documents.
  7. Click Add.

Configure a CrowdStrike event filter

Specify a filter to define which CrowdStrike agent events should be consumed or dropped. By default, new inputs use a predefined filter that drops all heartbeat events.

  1. Open the Splunk Add-on for Crowdstrike FDR Configuration page on your heavy forwarder or IDM. You must repeat the following task for each heavy forwarder or IDM. If you are on the Splunk Cloud Platform, perform this task in Splunk Web.
  2. Select the CrowdStrike event filter tab. You can create a new filter, or clone or edit an existing predefined filter.
  3. Click the Add button at the top right of the page to create a new filter.
  4. Provide a CrowdStrike event filter name.
  5. Select a filter type. If you select Drop matching events, the Splunk Add-on for CrowdStrike FDR ingests all events except those that match the Filter value. If you select Ingest only matching events, the add-on ingests only the events that match the Filter value.
  6. Specify a Filter value. Provide a space-separated list of event_simpleName property values of CrowdStrike FDR events. You can create this list in an editor of your choice and then paste it into the Filter value field. You can find the full list of names in the "Event Data Dictionary" in your CrowdStrike Falcon support documentation.
  7. Click Add.
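The following is an added example, not code from the add-on, showing the two filter semantics described above applied to a small batch of sensor events. The event_simpleName values and the sample events are constructed for illustration; the filter value parsing mirrors the field's space-separated format.

```python
"""Added example (not code from the add-on): apply a CrowdStrike event filter
of either type to FDR sensor events.

Filter semantics follow the steps above: the Filter value is a space-separated
list of event_simpleName values; "Drop matching events" ingests everything
except those names, "Ingest only matching events" ingests nothing else.
Sample events below are constructed, not real FDR output."""
import json
from typing import FrozenSet, Iterable, List

DROP_MATCHING = "drop_matching"
INGEST_ONLY_MATCHING = "ingest_only_matching"


def parse_filter_value(filter_value: str) -> FrozenSet[str]:
    """Split the Filter value field into a set of event_simpleName values.
    str.split() with no argument tolerates tabs and newlines, so a list
    pasted from an editor works as well as a single-line value."""
    return frozenset(filter_value.split())


def should_ingest(event: dict, filter_type: str, names: FrozenSet[str]) -> bool:
    """Decide whether one sensor event passes the filter."""
    matches = event.get("event_simpleName") in names
    if filter_type == DROP_MATCHING:
        return not matches
    if filter_type == INGEST_ONLY_MATCHING:
        return matches
    raise ValueError(f"unknown filter type: {filter_type!r}")


def apply_filter(raw_lines: Iterable[str], filter_type: str, filter_value: str) -> List[dict]:
    """Filter newline-delimited JSON events (one JSON object per line)."""
    names = parse_filter_value(filter_value)
    kept = []
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if should_ingest(event, filter_type, names):
            kept.append(event)
    return kept


# Constructed sample batch: three sensor events, one line of JSON each.
SAMPLE_EVENTS = """
{"event_simpleName": "SensorHeartbeat", "aid": "0123456789abcdef", "timestamp": "1650000000000"}
{"event_simpleName": "ProcessRollup2", "aid": "0123456789abcdef", "timestamp": "1650000001000", "ImageFileName": "/usr/bin/bash"}
{"event_simpleName": "DnsRequest", "aid": "fedcba9876543210", "timestamp": "1650000002000", "DomainName": "example.com"}
"""


def demo():
    """Run both filter types over the sample and return the surviving names."""
    lines = SAMPLE_EVENTS.splitlines()
    # A heartbeat-dropping filter in the spirit of the predefined one
    # (the heartbeat event name used here is constructed).
    without_heartbeats = apply_filter(lines, DROP_MATCHING, "SensorHeartbeat")
    # An allow-list pasted from an editor, with stray whitespace and a newline.
    only_dns = apply_filter(lines, INGEST_ONLY_MATCHING, " DnsRequest\n")
    return (
        [e["event_simpleName"] for e in without_heartbeats],
        [e["event_simpleName"] for e in only_dns],
    )


if __name__ == "__main__":
    print(demo())
```

Note that, as the input steps below state, this filter applies only to sensor events (sourcetype=crowdstrike:events:sensor); inventory and external events are selected with their own checkboxes.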

Crowdstrike FDR SQS based S3 consumer

  1. Open the Splunk Add-on for Crowdstrike FDR Configuration page on your heavy forwarder, IDM, or search head on Splunk Cloud Victoria. Repeat this task for each heavy forwarder or IDM. On Splunk Cloud Victoria search heads, configuration is replicated across the cluster automatically, so you do not need to configure each search head separately.
  2. Click Create New Input.
  3. In the dropdown menu, select Crowdstrike FDR SQS based S3 consumer.
  4. Specify an Input name.
  5. Select your FDR AWS Collection.
  6. Type the AWS SQS queue URL that is specific to your CrowdStrike FDR AWS feed. You can find this information under API Clients and Keys in your CrowdStrike Falcon Dashboard.
  7. Optionally, type a date and time value in the "Ignore SQS messages older than" field. The add-on ignores SQS messages created before the specified time, which skips the corresponding event batches. The field expects a UTC time in the format YYYY-MM-DD HH:MM. The add-on does not delete the excluded messages: they return to the SQS queue after the visibility timeout expires and can be read again. AWS deletes them, together with all other unconsumed SQS messages, after the retention period defined by CrowdStrike.
  8. Select an SQS Message Visibility Timeout. Choose this value based on the event load generated by your CrowdStrike environment. The default value is six hours, which is based on environments with 10TB of consumed events per day and takes into account the best throughput achieved during performance tests. See the performance test (add link) results for more information.
  9. For Sensor event filter, select the CrowdStrike FDR event filter that you configured previously. Keep in mind that this filter only applies to events coming from sensors, which are events with sourcetype=crowdstrike:events:sensor.
  10. Check External security events if you want to index external FDR events. These events are triggered when a user logs into your CrowdStrike FDR Dashboard.
  11. Check ZTA events if you want "zero trust host assessment" events to be indexed.
  12. Check Inventory AIDMaster Events if you want to index AIDMaster events. These events are selected by default and are used for agent host name resolution. Note: If you choose not to collect AIDMaster events, host resolution will not work because there is no data to resolve agent host information. Avoid turning off AIDMaster events after a period of collection, because host resolution will keep working but will be based on outdated AIDMaster information.
  13. Check Inventory managedassets events if you want to index FDR managedassets events.
  14. Optionally, check Inventory notmanaged events to index FDR notmanaged events.
  15. Provide your destination Splunk Index. This is where collected events are sent once collection begins.
  16. Provide an Interval, in seconds, that tells Splunk how often to check that the input is running. Splunk starts the input if it is not running. The default value is 200 seconds.
  17. Click Add.
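The following is an added example, not code from the add-on, that triages one FDR SQS notification the way steps 6 and 7 above describe: it applies the "Ignore SQS messages older than" cutoff and lists the S3 objects the batch points at. It assumes the notification body is JSON with a millisecond epoch "timestamp", a "bucket", a "pathPrefix" and a "files" list of {"path", ...} entries, as in CrowdStrike's published FDR notification layout; the sample message is constructed.

```python
"""Added example (not code from the add-on): triage one FDR SQS notification
against the "Ignore SQS messages older than" cutoff and list the S3 objects
in the batch.  The notification layout is assumed (epoch-ms "timestamp",
"bucket", "pathPrefix", "files"); the sample message is constructed."""
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def parse_cutoff(value: str) -> datetime:
    """Parse the field's 'YYYY-MM-DD HH:MM' value as UTC (the add-on's format)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def message_time(msg: dict) -> datetime:
    """Notification timestamp (assumed to be epoch milliseconds) as aware UTC."""
    return datetime.fromtimestamp(msg["timestamp"] / 1000, tz=timezone.utc)


def is_older_than_cutoff(msg: dict, cutoff: Optional[datetime]) -> bool:
    """Strictly older than the cutoff is skipped; equal or newer is processed."""
    return cutoff is not None and message_time(msg) < cutoff


def s3_objects(msg: dict) -> List[Tuple[str, str]]:
    """(bucket, key) for every file in the batch.  Keys must sit under the
    batch's own pathPrefix so a malformed or tampered notification cannot
    steer the consumer at unrelated objects."""
    prefix = msg["pathPrefix"].rstrip("/") + "/"
    objects = []
    for f in msg["files"]:
        if not f["path"].startswith(prefix):
            raise ValueError(f"file path outside batch prefix: {f['path']}")
        objects.append((msg["bucket"], f["path"]))
    return objects


def plan_batch(body: str, cutoff: Optional[str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ('skip', []) for a stale batch, else ('process', objects).
    A skipped message is deliberately not deleted: as with the add-on, it
    reappears after the visibility timeout and expires with queue retention."""
    msg = json.loads(body)
    cut = parse_cutoff(cutoff) if cutoff else None
    if is_older_than_cutoff(msg, cut):
        return "skip", []
    return "process", s3_objects(msg)


# Constructed sample notification for a two-file batch.
CID = "0123456789abcdef0123456789abcdef"
SAMPLE_MESSAGE = json.dumps({
    "cid": CID,
    "timestamp": 1650000000000,          # 2022-04-15 05:20:00 UTC
    "fileCount": 2,
    "totalSize": 4096,
    "bucket": "example-fdr-bucket",
    "pathPrefix": f"data/{CID}/batch-0001",
    "files": [
        {"path": f"data/{CID}/batch-0001/part-00000.gz", "size": 2048,
         "checksum": "d41d8cd98f00b204e9800998ecf8427e"},
        {"path": f"data/{CID}/batch-0001/part-00001.gz", "size": 2048,
         "checksum": "d41d8cd98f00b204e9800998ecf8427e"},
    ],
})


if __name__ == "__main__":
    print(plan_batch(SAMPLE_MESSAGE, "2022-04-16 00:00"))   # stale batch: skip
    print(plan_batch(SAMPLE_MESSAGE, "2022-04-15 05:20"))   # on the boundary: process
    print(plan_batch(SAMPLE_MESSAGE, None))                 # no cutoff configured
```

The boundary case matters in practice: a cutoff equal to the batch timestamp processes the batch, so pick the cutoff one minute after the last batch you want to discard.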

Configure Crowdstrike FDR host information sync

  1. Open the Splunk Add-on for Crowdstrike FDR Inputs page on your heavy forwarder or IDM. You must repeat the following task for each heavy forwarder or IDM. Note that for Splunk Cloud Platform, this functionality may not work for search head clusters.
  2. Click Create New Input.
  3. In the dropdown menu select Crowdstrike FDR host information sync.
  4. Specify an input name.
  5. In Search head host, provide the IP address or FQDN of any search head in the environment's search head cluster. This is used to access the collection that stores agent host resolution information. On the Splunk Cloud Platform this can be localhost.
  6. If your environment is configured with a custom port, provide the Splunk REST API port in Search head port. The default value is the default Splunk REST API port, 8089.
  7. In the Search head user field, provide the Splunk user name created for this purpose on the search head host. Use a dedicated service account with only the access this input needs; do not use a personal Splunk user account.
  8. For Search head password, provide the password for the user account specified in the previous step.
  9. Check Use failover Search head if you plan to use another search head as a failover in the event that the primary search head is not accessible.
  10. If you checked Use failover Search head, specify values for the failover search head:
    • Failover Search head host
    • Failover Search head port
    • Failover Search head user
    • Failover Search head password
  11. For Inventory sync interval, specify the number of seconds to wait between sync iterations.
  12. Click Add.

Index-time host resolution is not supported on Splunk Cloud Platform (SCP) stacks. To deploy index-time host resolution, these customers must use a heavy forwarder with connectivity to their search heads in SCP, or migrate to an SCP Victoria stack version 8.2.2201 or later.

Crowdstrike FDR host resolution flow

Security events provided by CrowdStrike FDR in the AWS S3 bucket do not contain information about the host they originate from. However, these events do contain an identifier of the agent (sensor) installed on the host. Host resolution enriches CrowdStrike sensor events with sensor and agent host information by mapping the agent identifier in an event to the same identifier in inventory events. The host resolution flow works as follows:

  1. Host resolution information is collected from CrowdStrike AIDMaster events and stored as a collection in the search head cluster by a periodically scheduled saved search. Note that agent identifiers can change due to agent upgrades. This means that indexed inventory information can contain records with different agent identifiers that point to the same host.
  2. Every time a user runs a search, the Splunk Add-on for CrowdStrike FDR attempts to add host information for the agent identifier. This happens only for sensor events for which host information was not resolved at index time.
  3. If the Splunk Add-on for CrowdStrike FDR input is configured to never collect AIDMaster events, so that the index has no AIDMaster events, then search results are not enriched with agents' host information. If the index has AIDMaster events but the input was later reconfigured to stop ingesting them, then host resolution is based on outdated agent host information. Take this into consideration if you decide to stop ingesting AIDMaster events.
  4. If the Crowdstrike FDR host information sync input is configured and running, it syncs the host resolution information stored in the search head cluster to a local lookup file. As soon as this lookup is synced for the first time, the Splunk Add-on for CrowdStrike FDR starts resolving host information at index time. Host information resolved at index time becomes static and is indexed as part of the sensor event. This can speed up search results but also increases the index size. Note: Stopping the Crowdstrike FDR SQS based S3 consumer input does not clean up the local host resolution lookup.
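The following is an added example, not code from the add-on, that walks the flow above in miniature: a host table is built from AIDMaster inventory events (latest ComputerName per aid, optionally ignoring records older than a cutoff in the role of dispatch.earliest_time), a snapshot of that table acts as the local index-time lookup, and whatever the snapshot cannot resolve is resolved at search time from the current table. The field names (aid, ComputerName, Time) and all events are constructed for the example, and the scenario is the one the page warns about: a sensor upgrade changes the agent identifier before the inventory update arrives.

```python
"""Added example (not code from the add-on): two-stage host resolution.
Field names and events are constructed; `earliest` stands in for the
saved search's dispatch.earliest_time."""
from typing import Dict, Iterable, List, Optional, Tuple


def build_host_table(aidmaster_events: Iterable[dict],
                     earliest: Optional[float] = None) -> Dict[str, str]:
    """Map each aid to the ComputerName from its most recent AIDMaster record.
    Records older than `earliest` are not considered, which is what limiting
    dispatch.earliest_time does for the real saved search."""
    latest: Dict[str, Tuple[float, str]] = {}
    for ev in aidmaster_events:
        t = float(ev["Time"])
        if earliest is not None and t < earliest:
            continue
        aid = ev["aid"]
        if aid not in latest or t > latest[aid][0]:
            latest[aid] = (t, ev["ComputerName"])
    return {aid: name for aid, (_, name) in latest.items()}


def resolve_at_index_time(sensor_events: Iterable[dict],
                          lookup: Dict[str, str]) -> List[dict]:
    """Enrich from the synced lookup snapshot.  The result is stored with the
    event, so it reflects the host state at consumption time."""
    out = []
    for ev in sensor_events:
        ev = dict(ev)
        host = lookup.get(ev["aid"])
        if host is not None:
            ev["ComputerName"] = host
            ev["host_resolved_at"] = "index"
        out.append(ev)
    return out


def resolve_at_search_time(indexed_events: Iterable[dict],
                           current_table: Dict[str, str]) -> List[dict]:
    """Only events left unresolved at index time are looked up again,
    this time against the current collection."""
    out = []
    for ev in indexed_events:
        ev = dict(ev)
        if "ComputerName" not in ev:
            host = current_table.get(ev["aid"])
            if host is not None:
                ev["ComputerName"] = host
                ev["host_resolved_at"] = "search"
        out.append(ev)
    return out


# Constructed scenario: HOST-A's sensor is upgraded between two inventory
# updates and its aid changes from aid-1 to aid-2; HOST-B is unchanged.
AIDMASTER_T0 = [
    {"aid": "aid-1", "ComputerName": "HOST-A", "Time": 1000},
    {"aid": "aid-b", "ComputerName": "HOST-B", "Time": 1000},
]
AIDMASTER_T1 = AIDMASTER_T0 + [
    {"aid": "aid-2", "ComputerName": "HOST-A", "Time": 2000},
]
SENSOR_EVENTS = [
    {"aid": "aid-1", "event_simpleName": "ProcessRollup2", "timestamp": 1500},
    {"aid": "aid-2", "event_simpleName": "DnsRequest", "timestamp": 2100},
    {"aid": "aid-b", "event_simpleName": "DnsRequest", "timestamp": 2100},
]


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Return aid -> {ComputerName, host_resolved_at} after both stages."""
    snapshot = build_host_table(AIDMASTER_T0)     # lookup synced before the upgrade
    indexed = resolve_at_index_time(SENSOR_EVENTS, snapshot)
    current = build_host_table(AIDMASTER_T1)      # collection rebuilt by the saved search
    searched = resolve_at_search_time(indexed, current)
    return {ev["aid"]: {"ComputerName": ev.get("ComputerName"),
                        "host_resolved_at": ev.get("host_resolved_at")}
            for ev in searched}


if __name__ == "__main__":
    for aid, info in demo().items():
        print(aid, info)
```

The event from aid-2 stays unresolved at index time because the lookup snapshot predates the inventory update, and is picked up at search time once the saved search has rebuilt the collection. If AIDMaster ingestion had been switched off after the T0 snapshot, aid-2 would never appear in either table, which is the stale-inventory failure the page describes.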

How to stop index time host resolution

To clean the host resolution lookup on the Splunk Cloud Platform, contact your support representative. To clean the lookup files (local collection) on each heavy forwarder or IDM:

  1. Make sure the Crowdstrike FDR SQS based S3 consumer input is stopped.
  2. Locate crowdstrike_ta_index_time_host_resolution_lookup.csv under the application lookups directory: etc/apps/Splunk_TA_CrowdStrike_FDR/lookups/
  3. Open the file for editing and remove all lines except the first one. Do not remove the CSV header line.
  4. Save the file.


Configure a host resolution search interval

By default, the saved search that builds the host resolution collection runs every eleven minutes. CrowdStrike inventory data updates every 30 minutes, but it is not possible to know the exact moments when the updates happen. Eleven minutes is considered the best minimum window that does not noticeably load the search head. However, if this scheduled search has no noticeable impact on your search head, you can use Splunk Web to check for inventory updates more often. Do this on a search head:

  1. Go to Settings > Knowledge > Searches, reports, and alerts.
  2. Set the App filter to "Splunk Add-on for CrowdStrike FDR (Splunk_TA_CrowdStrike_FDR)" and set the Owner filter to "All" or "Nobody".
  3. Find "crowdstrike_ta_build_host_resolution_table" and, in the Action column, click "Edit".
  4. Select "Edit Schedule" to change only the schedule.
  5. Alternatively, select "Advanced Edit" to change all the parameters, find the "cron_schedule" parameter, and type a new cron expression. See the Splunk documentation for more details about cron expressions.
  6. Click Save.


Set a retention period for Host resolution searches

The host resolution search parameter "dispatch.earliest_time" defines how far back to search when building the list of agent identifiers. This parameter is set to 0 by default, which tells the system to search all data. However, AIDMaster data accumulates and eventually makes the search slower and more resource-intensive. To mitigate this, set "dispatch.earliest_time" to a retention period, for example the retention period adopted by your organization. Perform the following task on a search head:

  1. Go to Settings > Knowledge > Searches, reports, and alerts.
  2. Set the App filter to "Splunk Add-on for CrowdStrike FDR (Splunk_TA_CrowdStrike_FDR)".
  3. Set the Owner filter to "All" or "Nobody".
  4. Find "crowdstrike_ta_build_host_resolution_table" in the list.
  5. In the "Action" column, click Edit and select "Advanced Edit" to change all the parameters.
  6. Find the "dispatch.earliest_time" parameter and type a new value, for example a relative time such as -30d@d. See the savedsearch.conf documentation for details and examples of the dispatch.earliest_time parameter.
  7. Click Save.

Index for host resolution

The host resolution search reads host resolution information from the index defined by the "crowdstrike_ta_index" macro. The default value is * (asterisk), which is safe only when a single index is used for CrowdStrike data.

To improve search time, change this value to a specific index. In cases where CrowdStrike data is collected from different feeds into different indexes, this macro must be set to a specific index to make sure the search resolves hosts from the correct feed. Use the following steps to configure the search index:

  1. Go to Menu > Settings > Advanced Search.
  2. Click Search macros.
  3. Set the App filter to "Splunk Add-on for CrowdStrike FDR (Splunk_TA_CrowdStrike_FDR)".
  4. Set the Owner filter to "Any" or "No owner".
  5. Click the crowdstrike_ta_index link in the Name column.
  6. In the Definition field, replace the asterisk (*) with the required index.
  7. Click Save.

About Index time versus search time host resolution

Index-time host resolution increases the size of the Splunk index by storing additional fields, and it can improve search speed. With index-time host resolution, information about hosts refers to the host state at the time the event was consumed.

  • With index-time host resolution, host information may remain unresolved. This can happen, for example, when a host's agent identifier has changed due to a sensor upgrade and the sensor is already sending security events, but the AIDMaster inventory update has not yet been received or processed from CrowdStrike FDR.

With search-time host resolution, information about hosts refers to the host state at the time of the search. If the add-on fails to resolve host information at index time, it is resolved at search time.

What to do if a processed message is visible again in SQS queue

When processing a single batch takes longer than the visibility timeout defined for the related SQS message, the message becomes visible in the queue again. Other jobs can then ingest the same data, which results in duplicate events on the indexer. To mitigate this:

  1. Increase the visibility timeout for each message. The default value is six hours, which according to the performance tests should be enough time to process an event batch of 400 files (25MB per file) on an m4 family instance with a single input.
  2. Scale out data collection horizontally by adding heavy forwarders and running fewer inputs on each heavy forwarder, so that each batch is processed faster.
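The following is an added example, not code from the add-on, that models just enough of SQS visibility-timeout behaviour to reproduce the duplication above and to show that both mitigations remove it. Everything is simulated in-process with illustrative timings (seconds instead of hours); no AWS API is called.

```python
"""Added example (not code from the add-on): a minimal model of the SQS
visibility timeout.  A received message is hidden for the timeout and
reappears if it has not been deleted by then, so a batch whose processing
outlasts the timeout is received by a second consumer and indexed twice.
All timings are illustrative; nothing here talks to AWS."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Message:
    msg_id: str
    body: str
    invisible_until: float = 0.0
    deleted: bool = False


class FakeQueue:
    """Only the SQS behaviour that matters here: receive hides a message for
    visibility_timeout seconds; delete removes it for good."""

    def __init__(self, visibility_timeout: float):
        self.visibility_timeout = visibility_timeout
        self.messages: List[Message] = []

    def send(self, msg_id: str, body: str) -> None:
        self.messages.append(Message(msg_id, body))

    def receive(self, now: float) -> Optional[Message]:
        for m in self.messages:
            if not m.deleted and m.invisible_until <= now:
                m.invisible_until = now + self.visibility_timeout
                return m
        return None

    def delete(self, msg_id: str) -> None:
        for m in self.messages:
            if m.msg_id == msg_id:
                m.deleted = True


def simulate(visibility_timeout: float, processing_time: float,
             consumers: int, horizon: int = 100) -> Dict[str, int]:
    """Run `consumers` inputs against a queue holding one batch for `horizon`
    simulated seconds.  Each idle consumer polls once per second; a received
    batch keeps it busy for `processing_time` seconds, after which the message
    is deleted.  Returns how many times each batch body was ingested."""
    queue = FakeQueue(visibility_timeout)
    queue.send("m1", "batch-0001")
    busy_until = [0.0] * consumers
    in_flight: List[Optional[str]] = [None] * consumers
    ingested: Dict[str, int] = {}
    for now in range(horizon):
        for i in range(consumers):
            # Finish the batch this consumer was working on, then delete it.
            if in_flight[i] is not None and busy_until[i] <= now:
                queue.delete(in_flight[i])
                in_flight[i] = None
            # Idle consumers poll the queue.
            if in_flight[i] is None:
                msg = queue.receive(now)
                if msg is not None:
                    ingested[msg.body] = ingested.get(msg.body, 0) + 1
                    in_flight[i] = msg.msg_id
                    busy_until[i] = now + processing_time
    return ingested


if __name__ == "__main__":
    # Processing (8s) outlasts the timeout (5s) with two consumers: indexed twice.
    print("short timeout, slow batch:", simulate(5, 8, 2))
    # Mitigation 1: timeout longer than the worst-case processing time.
    print("longer timeout, slow batch:", simulate(10, 8, 2))
    # Mitigation 2: lighter load per forwarder makes the batch finish in time.
    print("short timeout, fast batch: ", simulate(5, 4, 2))
```

Because a skipped or slow message only reappears after the timeout, the safe setting is a timeout comfortably above the slowest batch you have observed on that forwarder, not above the average.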
Last modified on 26 April, 2022