
Downloading CrowdStrike App for Splunk

SHA256 checksums of the release packages:

  • crowdstrike-app-for-splunk_104.tgz: b5af00207d625d6b4fd2bc70277dc13f2965ef34e2d2eaa0ffab718bda9d1c6f
  • crowdstrike-app-for-splunk_103.tgz: 95f08b1f04c3894a5c2adcb3b2e2988b8c31ed085cb6935ddf0caa3d4c141f65
  • crowdstrike-app-for-splunk_102.tgz: 6bbc5581bbdb0e964e2b3c8ff8577e374389c5495572f02fb3fc3e5435903c2e
  • crowdstrike-app-for-splunk_101.tgz: 868281035c6d0cac42bdffafb1b8590a8ccc3ddc270b6ec8f75225214d2b4572
  • crowdstrike-app-for-splunk_100.tgz: 76333c7ea79bf8d4ca14a9de493ed592b98f7c7c99bd3630165a594a37cce910

CrowdStrike App for Splunk

This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
NOTE THIS APP HAS BEEN REPLACED:
CUSTOMERS USING SPLUNK V8.X AND CROWDSTRIKE'S NEW OAUTH2 TA(s) SHOULD DEPLOY THIS APP: https://splunkbase.splunk.com/app/5094/


The CrowdStrike App for Splunk allows users to upload IOCs to the Falcon Platform and run searches on indexed data, and it provides out-of-the-box dashboards.

CrowdStrike App for Splunk

OVERVIEW

The CrowdStrike App for Splunk provides visualizations for the data collected by the CrowdStrike Falcon Endpoint and CrowdStrike Falcon Intelligence Add-ons as well as an interface to view and upload IOCs to custom lists.

  • Author - CrowdStrike
  • Version - 1.0.4
  • Build - 1
  • Creates Index - False
  • Compatible with:
    • Splunk Enterprise version: 6.4.x, 6.5.x, 6.6.x, 7.0.x and 7.1.x
    • OS: Platform independent
    • Splunk Cloud
  • Prerequisites (at least one is required; both are recommended):
    • CrowdStrike Falcon Endpoint Add-on
    • CrowdStrike Falcon Intelligence Add-on

DEPLOYMENT

Prior to deploying this App, review the following:

  1. At least one of the supporting Add-ons (CrowdStrike Falcon Endpoint Add-on or CrowdStrike Falcon Intelligence Add-on) is properly installed, configured and functional on the appropriate Heavy Forwarders.
  2. Add-ons that have been deployed to Heavy Forwarders should also be installed on the Search Heads.
  3. For IOC uploading: the CrowdStrike Falcon Endpoint Add-on must be properly installed, configured and functional on the Search Head. The Search Heads also need to be able to reach the Query API over port 443 (refer to the API documentation for more information).
    Note: Do NOT configure inputs for any Add-ons installed on Search Heads. Only accounts should be configured there.
  4. If leveraging custom indexes, ensure that all Search Macros have been updated accordingly on the Search Heads.

INSTALLATION

There is only one location in a Splunk environment where this App should be installed: the Search Heads. Install the App bundle by:

  1. Downloading the App package
  2. In the UI, navigating to ‘Manage Apps’
  3. In the top right corner, selecting ‘Install app from file’
  4. Selecting ‘Choose File’ and selecting the App package
  5. Selecting ‘Upload’ and following the prompts, restarting Splunk as necessary
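Before uploading the package, it is worth confirming that the downloaded archive matches one of the SHA256 checksums published at the top of this page. The following is an added example (not part of the app or of this page's documentation) that hashes the archive in chunks and compares it against that published list; the file names and hashes are copied from the page, and the constant-time comparison is a conservative habit rather than a requirement here.

```python
import hashlib
import hmac
import io
import os
import sys

# SHA256 checksums as published on the Splunkbase page, keyed by release file name.
PUBLISHED_CHECKSUMS = {
    "crowdstrike-app-for-splunk_104.tgz": "b5af00207d625d6b4fd2bc70277dc13f2965ef34e2d2eaa0ffab718bda9d1c6f",
    "crowdstrike-app-for-splunk_103.tgz": "95f08b1f04c3894a5c2adcb3b2e2988b8c31ed085cb6935ddf0caa3d4c141f65",
    "crowdstrike-app-for-splunk_102.tgz": "6bbc5581bbdb0e964e2b3c8ff8577e374389c5495572f02fb3fc3e5435903c2e",
    "crowdstrike-app-for-splunk_101.tgz": "868281035c6d0cac42bdffafb1b8590a8ccc3ddc270b6ec8f75225214d2b4572",
    "crowdstrike-app-for-splunk_100.tgz": "76333c7ea79bf8d4ca14a9de493ed592b98f7c7c99bd3630165a594a37cce910",
}

def sha256_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in 1 MiB chunks so a large .tgz never has to fit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def sha256_hex(data: bytes) -> str:
    """Convenience wrapper for in-memory data (used by the checks below)."""
    return sha256_of_stream(io.BytesIO(data))

def published_checksum(filename: str):
    """Expected checksum for a release file name, or None if the page lists no such package."""
    return PUBLISHED_CHECKSUMS.get(filename)

def checksum_matches(actual_hex: str, expected_hex: str) -> bool:
    # Normalise case (hexdigest() is lower-case) and compare in constant time.
    return hmac.compare_digest(actual_hex.lower(), expected_hex.lower())

def verify_package_bytes(filename: str, data: bytes) -> bool:
    """True only if the data hashes to the checksum published for that file name."""
    expected = published_checksum(filename)
    return expected is not None and checksum_matches(sha256_hex(data), expected)

def verify_package_file(path: str) -> bool:
    """Same check for a file on disk; the base name selects the published checksum."""
    expected = published_checksum(os.path.basename(path))
    if expected is None:
        return False
    with open(path, "rb") as fp:
        return checksum_matches(sha256_of_stream(fp), expected)

if __name__ == "__main__":
    ok = verify_package_file(sys.argv[1])
    print("checksum OK" if ok else "CHECKSUM MISMATCH or unknown package name: do not install")
    sys.exit(0 if ok else 1)
```

A match confirms the archive is the one Splunkbase published; it says nothing about the contents beyond that, so the remaining steps still apply.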

CONFIGURATION

Using Custom Indexes

The App leverages search macros from the Add-ons that, by default, point to the ‘main’ index. If the data being collected is placed into a custom index, these macros should be updated to reflect the index being used. The CrowdStrike Falcon Endpoint and CrowdStrike Falcon Intelligence Add-ons each leverage their own search macro. Search macros can be found under ‘Settings’ -> ‘Advanced Search’.
To modify this setting, perform the following:

  1. Select ‘Settings’
  2. Select ‘Advanced Search’
  3. Select ‘Search Macros’
  4. Select the appropriate CrowdStrike Technical Add-on
  5. Select the name of the macro
  6. Under definition ensure that the index being referred to in quotations is the index the data resides in

NOTE: Since the CrowdStrike App for Splunk leverages search macros to populate dashboard information, failure to properly configure these macros can result in no information, or incorrect information, being displayed.

Data Model Configuration

Data models for the CrowdStrike Falcon Intelligence Add-on should be accelerated to improve performance. To accelerate Data models, follow the steps below:

  1. Go to "Settings" -> "Data Models"
  2. Select "CrowdStrike Falcon App for Splunk(CrowdStrike)" app in the filter.
  3. Select “Created in the App” in the dropdown displaying “Visible in App”
  4. Locate the data model titled “Falcon Intelligence”
  5. Click on "Edit" action.
  6. Click on "Edit Acceleration".
  7. Check the "Accelerate" checkbox and select "Summary Range" ("1 Day" is recommended).
  8. Click on "Save".

Rebuilding Data Model

If the existing accelerated summary of the Data Model is no longer needed, the Data Model can be configured to rebuild from scratch for the specified acceleration period. To rebuild the Data Model, follow the steps below:

  1. Go to "Settings" -> "Data Models"
  2. Select "CrowdStrike Falcon App for Splunk(CrowdStrike)" app in the filter.
  3. Select “Created in the App” in the dropdown displaying “Visible in App”
  4. Locate the data model titled “Falcon Intelligence”
  5. Expand the row by clicking the “>” arrow in the first column of the row. This will display the Data Model information, specifically the "Acceleration" section.
  6. From the "Acceleration" section click on "Rebuild" link.
  7. Monitor the status of "Rebuild" in the field "Status" of "Acceleration" section.
  8. Reload the page to get latest rebuild status.

TROUBLESHOOTING

No Data is Displayed in the Dashboard

  • Ensure that the correct Add-ons have been deployed, configured and enabled on the appropriate Heavy Forwarders
  • Ensure that the APIs have been enabled by CrowdStrike Support
  • Ensure that if custom indexes are being used that the Search Macros have been configured accordingly
  • Ensure that NO inputs have been configured for any Add-ons installed on the Search Heads

No Intelligence Data is Displayed in the Dashboard (Sensor Data is Present)

  • Ensure that the Intelligence Add-on has been deployed, configured and enabled on the appropriate Heavy Forwarders
  • Ensure that the Intelligence API has been enabled by CrowdStrike Support
  • Ensure that if a custom index is being used that the Search Macro has been updated accordingly
  • Ensure that you have an active Intelligence subscription

Using Search

After several minutes use the following search to validate that data is being received:

`cs_get_index` | stats count by sourcetype
`cs_get_intelligence_index` | stats count by sourcetype

NOTE: the macro MUST be enclosed in backticks to run correctly (on most keyboards this key is located to the left of the number 1 key; these are not apostrophes).

Below are some sourcetypes that may be returned:

  • crowdstrike:falconhost:json
  • crowdstrike:falconhost:query:json
  • crowdstrike:falcon:intelligence

Using Log Files

  • $SPLUNK_HOME/var/log/splunk/ta-crowdstrike_falcon_host_api.log
  • $SPLUNK_HOME/var/log/splunk/ta-crowdstrike_ucc_lib.log
  • $SPLUNK_HOME/var/log/splunk/ta-crowdstrike_util.log
  • $SPLUNK_HOME/var/log/crowdstrike/ta_crowdstrike_falcon_intel_falcon_intelligence_data_input.log

Connectivity Issues

  • Unable to save accounts (authentication error)
    • Ensure that the credentials match the API type
    • Ensure that the API has been enabled by CrowdStrike Support
    • Ensure that Proxy settings have been properly configured in the Add-on
    • Ensure that Proxy and Firewall settings have been properly configured to allow unmodified communication
  • Receiving ‘401’ connection errors on the Add-ons
    • Ensure that the credentials being leveraged have been entered correctly
    • Ensure that the correct credential sets are being used for the input on the Add-on
    • Ensure that the credentials have been activated by CrowdStrike support
    • Ensure that Proxy and Firewall settings are properly configured to allow unmodified communication
  • Not receiving data
    • Ensure that the API credentials have been activated by CrowdStrike support
    • Ensure that an input has been created on the Add-on
    • Ensure the proper credentials are assigned to the input
    • Ensure that Proxy settings have been properly configured in the TA
    • Ensure that Proxy and Firewall settings have been properly configured to allow unmodified communication
    • (Splunk Cloud) Ensure that the collection activity is being performed by a heavy forwarder

External Credential Validation

Leverage a tool such as ‘Postman’ or the ‘curl’ command to validate connectivity and confirm that the credentials are correct. For examples of commands to run, refer to the appropriate API guide in the Falcon UI.


SUPPORT

Copyright (C) by CrowdStrike. All Rights Reserved.

Release Notes

Version 1.0.4 (July 31, 2018)

Version 1.0.3 (June 25, 2018)

Version 1.0.2 (June 13, 2018)

Version 1.0.1 (April 23, 2018)
- Removed the dependency on the Technology Add-on and added the requests module to the main App to make the API calls

Version 1.0.0 (April 6, 2018)
- Audit Dashboard
- Indicator Summary Dashboard
- Asset Details Dashboard
- Detection Details Dashboard
- Falcon Intelligence Indicator Details Dashboard
- Upload IOC to Falcon

Installs: 1,150
Downloads: 2,672