Install the Splunk Add-on for Crowdstrike FDR
Use one of the following methods to collect CrowdStrike FDR events stored in Crowdstrike Amazon Web Services : Install the Splunk Add-on for CrowdStrike FDR on heavy forwarders
- Install the Splunk Add-on for CrowdStrike FDR on an IDM.
- Install the Splunk Add-on for CrowdStrike FDR on search heads to perform search-time field extractions and resolutions.
- On the Enterprise Cloud Platform, use search heads as heavy forwarders and choose to install only on the search head.
To process events in the Splunk Add-on for CrowdStrike FDR, you must have the following configured:
- An FDR AWS Collection
- A CrowdStrike event filter
- A Crowdstrike FDR SQS based S3 consumer input
Use the tables in this topic to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise. See the installation walkthrough section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.
This table provides a reference for installing this add-on to a distributed deployment of Splunk Enterprise.
|Splunk instance type||Supported||Required||Comments|
Distributed deployment compatibility
This table provides reference for the compatibility of this add-on with Splunk distributed deployment features.
|Distributed deployment feature||Supported||Comments|
|Search Head Clusters||Yes|
|Deployment Server||Conditional||Can be used to manage the deployment of the configured add-on to multiple clients but won't be involved in data collection.|
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform.
|Splunk platform component||Supported||Required||Action Required/Comments|
|Search Heads||Yes||Yes||Install this add-on to all search heads where you want to collect information. |
As a best practice, turn visibility off on your search heads to prevent data duplication errors. Duplication errors can result from running inputs on your search heads instead of, or in addition to, on your data collection node.
|Indexers||Yes||Conditional||Not required if you use heavy forwarders to collect data.|
|Heavy Forwarders||Yes||Conditional||This add-on can use heavy forwarders to perform data collection using modular inputs and to perform the setup and authentication in Splunk Web.|
|Inputs Data Manager||Yes||No||This add-on is supported by Splunk Inputs Data Manager (IDM)|
|Self Service App Install (SSAI)||Conditional||No||This add-on is supported by Self Service App Install (SSAI). This add-on is not supported by Self Service App Install (SSAI) if you are using an IDM.|
See "Installing add-ons" in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:
Installation and configuration overview for the Splunk Add-on for Crowdstrike FDR
Configure inputs for the Splunk Add-on for CrowdStrike FDR
This documentation applies to the following versions of Splunk® Supported Add-ons: released