CrowdStrike App for Splunk
OVERVIEW
The CrowdStrike App for Splunk provides visualizations for the data collected by the CrowdStrike Falcon Endpoint and CrowdStrike Falcon Intelligence Add-ons as well as an interface to view and upload IOCs to custom lists.
- Author - CrowdStrike
- Version - 1.0.4
- Build - 1
- Creates Index - False
- Compatible with:
  - Splunk Enterprise version: 6.4.x, 6.5.x, 6.6.x, 7.0.x and 7.1.x
  - OS: Platform independent
  - Splunk Cloud
- Prerequisites (at least one is required; both are recommended):
  - CrowdStrike Falcon Endpoint Add-on
  - CrowdStrike Falcon Intelligence Add-on
DEPLOYMENT
Prior to deploying this App review the following:
- At least one of the supporting Add-ons (CrowdStrike Falcon Endpoint Add-on or CrowdStrike Falcon Intelligence Add-on) is properly installed, configured and functional on the appropriate Heavy Forwarders.
- Add-ons that have been deployed to Heavy Forwarders should also be installed on the Search Heads.
Note: Do NOT configure inputs for any Add-ons installed on Search Heads. Only accounts should be configured.
- For IoC uploading: The CrowdStrike Falcon Endpoint Add-on must be properly installed, configured and functional on the Search Head. The Search Heads also need to be able to access the Query API over port 443 (please refer to the API documentation for more information).
- If leveraging custom indexes, ensure that all Search Macros have been updated accordingly on the Search Heads.
INSTALLATION
There is only one location in a Splunk environment where this App should be installed: Search Heads. Install the App bundle by:
- Downloading the App package
- In the UI navigate to: ‘Manage Apps’
- In the top right corner select ‘Install app from file’
- Select ‘Choose File’ and select the App package
- Select ‘Upload’ and follow the prompts – restarting Splunk as necessary
CONFIGURATION
Using Custom Indexes
The App leverages search macros from the Add-ons that, by default, point to the ‘main’ index. If the collected data is placed into a custom index, the macro must be updated to reflect the index in use. The CrowdStrike Falcon Endpoint and CrowdStrike Falcon Intelligence Add-ons each leverage their own search macro. Search macros can be found under ‘Settings’ -> ‘Advanced Search’.
To modify this setting, perform the following:
- Select ‘Settings’
- Select ‘Advanced Search’
- Select ‘Search Macros’
- Select the appropriate CrowdStrike Technical Add-on
- Select the name of the macro
- Under definition ensure that the index being referred to in quotations is the index the data resides in
NOTE: Because the CrowdStrike App for Splunk uses these search macros to populate its dashboards, failing to configure them correctly results in no information, or incorrect information, being displayed.
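As an added example (not part of the App or its Add-ons), the following Python check reads a macros.conf from disk and flags any macro whose quoted index does not match the index the data actually resides in, which is a quick way to confirm the step above across many Search Heads. The macro names come from the Using Search section below; the stanza layout in the embedded sample and the custom index names are assumptions.

```python
import configparser
import re
import sys

# Constructed sample of macros.conf stanzas (NOT the Add-ons' real file): the
# first macro still points at the default 'main' index, the second has already
# been repointed at an assumed custom index.
SAMPLE_MACROS_CONF = """\
[cs_get_index]
definition = index="main"
iseval = 0

[cs_get_intelligence_index]
definition = index="crowdstrike_intel"
iseval = 0
"""
INDEX_RE = re.compile(r'index\s*=\s*"([^"]*)"')  # the quoted index in a definition

def parse_macros(conf_text):
    """Return {macro_name: definition} for every stanza in a macros.conf body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {name: cp[name].get("definition", "") for name in cp.sections()}

def macro_index(definition):
    """Extract the quoted index from a macro definition, or None if absent."""
    match = INDEX_RE.search(definition)
    return match.group(1) if match else None

def check_macros(conf_text, expected):
    """Compare each macro in `expected` ({macro: index the data lives in})
    against the conf text. Returns a list of findings; empty means all good."""
    macros = parse_macros(conf_text)
    findings = []
    for name, want in expected.items():
        if name not in macros:
            findings.append({"macro": name, "problem": "missing", "found": None})
            continue
        found = macro_index(macros[name])
        if found is None:
            findings.append({"macro": name, "problem": "no quoted index", "found": None})
        elif found != want:
            findings.append({"macro": name, "problem": "wrong index", "found": found})
    return findings

if __name__ == "__main__":
    # Usage: python check_macros.py [path/to/macros.conf]; no path checks the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MACROS_CONF
    wanted = {"cs_get_index": "crowdstrike_endpoint", "cs_get_intelligence_index": "crowdstrike_intel"}
    for f in check_macros(text, wanted):
        print(f["macro"], f["problem"], f["found"] or "")
```

Run it against the local/macros.conf of each Add-on on every Search Head; an empty result means the macros already point at the custom indexes.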
Data Model Configuration
Data models for the CrowdStrike Falcon Intelligence Add-on should be accelerated to improve performance. To accelerate Data models, follow the steps below:
- Go to "Settings" -> "Data Models"
- Select "CrowdStrike Falcon App for Splunk(CrowdStrike)" app in the filter.
- Select “Created in the App” in the dropdown displaying “Visible in App”
- Locate the data model titled “Falcon Intelligence”
- Click on "Edit" action.
- Click on "Edit Acceleration".
- Check the "Accelerate" checkbox and select "Summary Range" ("1 Day" is recommended).
- Click on "Save".
Rebuilding Data Model
If the existing accelerated summary is no longer needed, the Data Model can be rebuilt from scratch for the configured summary range. To rebuild the Data Model, follow the steps below:
- Go to "Settings" -> "Data Models"
- Select "CrowdStrike Falcon App for Splunk(CrowdStrike)" app in the filter.
- Select “Created in the App” in the dropdown displaying “Visible in App”
- Locate the data model titled “Falcon Intelligence”
- Expand the row by clicking the ">" arrow in the first column of the row. This displays the Data Model information, including the "Acceleration" section.
- From the "Acceleration" section click on "Rebuild" link.
- Monitor the status of "Rebuild" in the field "Status" of "Acceleration" section.
- Reload the page to get the latest rebuild status.
TROUBLESHOOTING
No Data is Displayed in the Dashboard
- Ensure that the correct Add-ons have been deployed, configured and enabled on the appropriate Heavy Forwarders
- Ensure that the APIs have been enabled by CrowdStrike Support
- Ensure that if custom indexes are being used that the Search Macros have been configured accordingly
- Ensure that NO inputs have been configured for any Add-ons installed on the Search Heads
No Intelligence Data is Displayed in the Dashboard (Sensor Data is Present)
- Ensure that the Intelligence Add-on has been deployed, configured and enabled on the appropriate Heavy Forwarders
- Ensure that the Intelligence API has been enabled by CrowdStrike Support
- Ensure that if a custom index is being used that the Search Macro has been updated accordingly
- Ensure that you have an active Intelligence subscription
Using Search
After several minutes, use the following searches to validate that data is being received:
`cs_get_index` | stats count by sourcetype
`cs_get_intelligence_index` | stats count by sourcetype
NOTE: the macro MUST be enclosed in backticks to run correctly (on most keyboards this key is located to the left of the number 1 key; these are not apostrophes).
Below are some sourcetypes that may be returned:
- crowdstrike:falconhost:json
- crowdstrike:falconhost:query:json
- crowdstrike:falcon:intelligence
Using Log Files
- $SPLUNK_HOME/var/log/splunk/ta-crowdstrike_falcon_host_api.log
- $SPLUNK_HOME/var/log/splunk/ta-crowdstrike_ucc_lib.log
- $SPLUNK_HOME/var/log/splunk/ta-crowdstrike_util.log
- $SPLUNK_HOME/var/log/crowdstrike/ta_crowdstrike_falcon_intel_falcon_intelligence_data_input.log
Connectivity Issues
- Unable to save accounts (authentication error)
  - Ensure that the credentials match the API type
  - Ensure that the API has been enabled by CrowdStrike Support
  - Ensure that Proxy settings have been properly configured in the Add-on
  - Ensure that Proxy and Firewall settings have been properly configured to allow unmodified communication
- Receiving ‘401’ connection errors on the Add-ons
  - Ensure that the credentials being leveraged have been entered correctly
  - Ensure that the correct credential sets are being used for the input on the Add-on
  - Ensure that the credentials have been activated by CrowdStrike Support
  - Ensure that Proxy and Firewall settings are properly configured to allow unmodified communication
- Not receiving data
  - Ensure that the API credentials have been activated by CrowdStrike Support
  - Ensure that an input has been created on the Add-on
  - Ensure the proper credentials are assigned to the input
  - Ensure that Proxy settings have been properly configured in the TA
  - Ensure that Proxy and Firewall settings have been properly configured to allow unmodified communication
  - (Splunk Cloud) Ensure that the collection activity is being performed by a Heavy Forwarder
External Credential Validation
Use a tool such as ‘Postman’ or the ‘curl’ command to validate connectivity and confirm that the credentials are correct. For examples of commands to run, refer to the appropriate API guide in the Falcon UI.
SUPPORT
Copyright (C) by CrowdStrike. All Rights Reserved.