Splunk® Supported Add-ons

Splunk Add-on for CrowdStrike FDR

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Install the Splunk Add-on for Crowdstrike FDR

Use one of the following methods to collect CrowdStrike FDR events stored in Crowdstrike Amazon Web Services : Install the Splunk Add-on for CrowdStrike FDR on heavy forwarders

  • Install the Splunk Add-on for CrowdStrike FDR on an IDM.
  • Install the Splunk Add-on for CrowdStrike FDR on search heads to perform search-time field extractions and resolutions.
  • On the Enterprise Cloud Platform, use search heads as heavy forwarders and choose to install only on the search head.

To process events in the Splunk Add-on for CrowdStrike FDR, you must have the following configured:

  • An FDR AWS Collection
  • A CrowdStrike event filter
  • A Crowdstrike FDR SQS based S3 consumer input

Use the tables in this topic to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise. See the installation walkthrough section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.

Distributed installation

This table provides a reference for installing this add-on to a distributed deployment of Splunk Enterprise.

Splunk instance type Supported Required Comments
Search Heads Yes Yes
Indexers Yes Yes
Heavy Forwarders Yes Yes

Distributed deployment compatibility

This table provides reference for the compatibility of this add-on with Splunk distributed deployment features.

Distributed deployment feature Supported Comments
Search Head Clusters Yes
Indexer Clusters Yes
Deployment Server Conditional Can be used to manage the deployment of the configured add-on to multiple clients but won't be involved in data collection.

Where to install this add-on

Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.

This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform.

Splunk platform component Supported Required Action Required/Comments
Search Heads Yes Yes Install this add-on to all search heads where you want to collect information.

As a best practice, turn visibility off on your search heads to prevent data duplication errors. Duplication errors can result from running inputs on your search heads instead of, or in addition to, on your data collection node.

Indexers Yes Conditional Not required if you use heavy forwarders to collect data.
Heavy Forwarders Yes Conditional This add-on can use heavy forwarders to perform data collection using modular inputs and to perform the setup and authentication in Splunk Web.
Universal Forwarders No No
Inputs Data Manager Yes No This add-on is supported by Splunk Inputs Data Manager (IDM)
Self Service App Install (SSAI) Conditional No This add-on is supported by Self Service App Install (SSAI). This add-on is not supported by Self Service App Install (SSAI) if you are using an IDM.

Installation walkthrough

See "Installing add-ons" in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:

Last modified on 26 April, 2022
PREVIOUS
Installation and configuration overview for the Splunk Add-on for Crowdstrike FDR
  NEXT
Configure inputs for the Splunk Add-on for CrowdStrike FDR

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters