icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading CrowdStrike Falcon Endpoint Add-on
SHA256 checksum (crowdstrike-falcon-endpoint-add-on_107.tgz) 0bc2fa0a754ec33c3eaa092aac9aa23375a93f0652a5238a1dff9138742ef64b SHA256 checksum (crowdstrike-falcon-endpoint-add-on_106.tgz) 1c5c95f78a26ef7fa1ba819cac607c542549fc489cab1b0dba98a59923899f39 SHA256 checksum (crowdstrike-falcon-endpoint-add-on_105.tgz) 7d85ec3596acb22a0643058e59ab307ffab7d478ab0f07829d13b9d520acabbc SHA256 checksum (crowdstrike-falcon-endpoint-add-on_104.tgz) 2516237a9eebeea74ee00daa4e1fe4bb7c2aab471ef7e799f697f9fdafa24983 SHA256 checksum (crowdstrike-falcon-endpoint-add-on_103.tgz) 53078468950fbdfd35a330b60eb443301b8cd2df6997d29892a5c7851beef424 SHA256 checksum (crowdstrike-falcon-endpoint-add-on_102.tgz) 291f70690a2c74987994322ceb85db936a0eebc00f85ccf2adefec37723f78c2 SHA256 checksum (crowdstrike-falcon-endpoint-add-on_101.tgz) 43469ecace0a7f47d26bbb43a91486a1d70a6b20a631c10636d48cb87f1ccb20
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

CrowdStrike Falcon Endpoint Add-on

This app has been archived. Learn more about app archiving.
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Overview
Details
NOTE THIS ADD-ON HAS BEEN REPLACED:
CUSTOMERS USING SPLUNK V8.X or V7.3.X AND CROWDSTRIKE'S OAUTH2 APIS SHOULD DEPLOY THIS ADD-ON: https://splunkbase.splunk.com/app/5082/


Technology Add-on for CrowdStrike use to fetch data from Falcon Indicator and indexes it in Splunk for further analysis.

CrowdStrike Falcon Endpoint Add-on

OVERVIEW

Technology add-on (TA) for CrowdStrike enables current CrowdStrike customers to ingest alert data from the Streaming API as well as view and push custom indicators via the Query API.
This TA also supports (and is required for) the CrowdStrike Falcon App for Splunk: https://splunkbase.splunk.com/app/3943/

  • Author - CrowdStrike
  • Creates Index - False
  • Compatible with:
    • Splunk Enterprise version: 6.4.x, 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.3.x, 8.0.x
    • OS: Platform independent
    • Splunk Cloud (Heavy Forwarder Required)

For more information about the CrowdStrike APIs please refer to ‘Docs’ under the ‘Support’ section in the Falcon Interface.


DEPLOYMENT

Prior to deploying this Technology Add-on review the following:

  1. To receive event data a valid and enabled set of credentials for the Streaming API is required. This consists of an API UUID and an API Key. These can be generated through the Falcon UI and if being generated for the first time CrowdStrike support should be notified to enable the Streaming API. NOTE regenerating this credential set WILL INVALIDATE AN EXISTING SET.
  2. To view and/or push custom indicators to the Falcon platform a valid set of credentials for the Query API is required. This consists of a username and password. Currently these can only be acquired through CrowdStrike support. Please refer to the Query API documentation for details on this process.
  3. Ensure that any Proxies or Firewalls that the API communications will traverse have been properly configured (see the ‘Configuration Section’ – ‘Configuring Proxies’). The APIs currently leverage certificate-based authentication (TLS over port 443) and should be exempted from any SSL proxying.
  4. Ensure that any Firewalls in the environment will allow the Streaming API connection to establish a long-life HTTPS connection. This connection is maintained to reduce latency of alert reporting.

    Please refer to the API documentation in the Falcon UI for specific URLs and IP addresses that should be whitelisted.


INSTALLATION

There are currently two components within a Splunk environment where this TA should be installed: Heavy Forwarders and Search Heads. Install the TA bundle by:

  1. Downloading the TA package
  2. In the UI navigate to: “Manage Apps’
  3. In the top right corner select ‘Install app from file’
  4. Select ‘Choose File’ and select the TA package
  5. Select ‘Upload’ and follow the prompts – restarting Splunk as necessary

CONFIGURATION

Configuring Proxies

Only perform this configuration if needed for authentication - SSL proxies are NOT supported
1. Navigate to Technology Add-on for CrowdStrike
2. In the sub-menu select "Configuration"
3. Select the ‘Proxy’ tab
4. Check the ‘Enable’ checkbox
5. Select the proxy type
6. Enter the host information for the proxy
7. Enter the port used by the proxy
8. Enter a valid username
9. Enter a valid password

Configuring CrowdStrike Account(s)

The TA can be configured with two different CrowdStrike APIs credentials:
* Streaming API: This will provide event and audit data
* Query API: This will provide custom indicator visibility and push capability

  1. Navigate to Technology Add-on for CrowdStrike,
  2. In the sub-menu select "Configuration"
  3. In the right corner select “Add Account”
  4. Enter a unique name for the configuration (NOTE: Names cannot contain blank spaces)
  5. Select the API account type
    • Streaming – The Streaming API requires an active API UUID and API Key and is used to receive alerts from the Falcon platform.
    • Query – The Query API is used by the ‘CrowdStrike Falcon App For Splunk’ to show and upload custom indicators to the Falcon platform.
  6. Enter either an API UUID or Username (depending on the API type selected)
  7. Enter either an API Key or Password (depending on the API type selected)
  8. Verify that the information that has been entered is correct and select ‘Add’
    Note at this point the TA will attempt to validate the entered credentials. If the credentials are not correct, not active or a connection cannot be established the account will not be added.

Configuring CrowdStrike Input(s)

In a distributed architecture and for Splunk Cloud this configuration should only be done on the Heavy Forwarders
DO NOT CONFIGURE INPUTS ON SEARCH HEADS OR SPLUNK CLOUD

  1. Navigate to Technology Add-on for CrowdStrike,
  2. In the sub-menu select "Inputs”
  3. In the right corner select “Create New Input”
  4. Enter a unique name for the configuration
  5. From the drop down select the appropriate account for the input type
  6. (optional) Enter the offset number after which to collect data
  7. (optional) Enter the start date from which to start the data collection
  8. Enter the time interval for input
  9. Select the index to store the data. NOTE The main index is used by default unless otherwise indicated. If a custom index in selected ensure that the “cs_get_index” macro is updated accordingly. If data is to be sent to a specific indexer ensure the outputs.conf file is adjusted with the Indexer’s IP address.

SPLUNK CLOUD CONSIDERTATIONS

This TA contains a data collection component and as such, per Splunk’s documentation, should be installed on a forwarder (only heavy forwarders are currently supported by CrowdStrike) for the data collection function:
“Apps and add-ons that contain a data collection component should be installed on forwarders for their data collection functions. See Install apps in your Splunk Cloud deployment.”

Using Custom Indexes

The TA creates a search macro that, by default, points to the ‘main’ index. If the data being collected is placed into a custom index this macro should be updated to reflect the index being used. The Endpoint and Intelligence TAs each leverage their own search macro. Search macros can be found under ‘settings’ -> ‘advanced search’.
To modify this settings, perform the following:
1. Select ‘Settings’
2. Select ‘Advanced Search’
3. Select ‘Search Macros’
4. Select the appropriate CrowdStrike Technical Add-on
5. Select the name of the macro
6. Under definition ensure that the index being referred to in quotations is the index the data resides in
NOTE: The CrowdStrike App for Splunk leverages search macros to populate dashboard information. Failure to properly configure these macros can result in no/incorrect information being displayed.


SAMPLE EVENT GENERATOR

The TA comes with sample data files, which can be used to generate sample data for testing. In order to generate sample data it requires the SA-Eventgen app(https://splunkbase.splunk.com/app/1924/). The TA will generate sample data for API calls at a 2 hour interval. You can modify this configuration from eventgen.conf file available under $SPLUNK_HOME/etc/apps/default/.


TROUBLESHOOTING

Using Search

After several minutes use the following search to validate that data is being received:

`cs_get_index` | stats count by sourcetype

NOTE the macro MUST be enclosed with backticks to run correctly (on most keyboards this key is located to the left to the number 1 key – these are not apostrophes.

Below are some sourcetypes types that maybe returned:

  • crowdstrike:falconhost:json
  • crowdstrike:falconhost:query:json

Using Log Files

  • $SPLUNK_HOME/var/log/splunk/ta-crowdstrike_falcon_host_api.log
  • $SPLUNK_HOME/var/log/splunk/ta-crowdstrike_ucc_lib.log files.
  • $SPLUNK_HOME/var/log/crowdstrike/

Connectivity Issues

  • Unable to save account input(s)
    • Ensure that the credentials matches the API type
    • Ensure that the API has been enabled by CrowdStrike Support
    • Ensure that Proxy settings have been properly configured in the TA
    • Ensure that Proxy and Firewall settings have been properly configured to allow unmodified communication
  • Receiving ‘401’ connection errors
    • Ensure that the credentials being leveraged have been entered correctly
    • Ensure that the correct credential sets are being used for the input
    • Ensure that the credentials have been activated by CrowdStrike support
    • Ensure that Proxy and Firewall settings are properly configured to allow unmodified communication
  • Not receiving data
    • Ensure that the API credentials have been activated by CrowdStrike support
    • Ensure that an input has been created
    • Ensure the proper credentials are assigned to the input
    • Ensure that Proxy settings have been properly configured in the TA
    • Ensure that Proxy and Firewall settings have been properly configured to allow unmodified communication
    • (Splunk Cloud) Ensure that the collection activity is being performed by a heavy forwarder

External Credential Validation

Leverage a platform such as ‘Postman’ or the ‘curl’ command to validate connectivity and that the credentials are correct. For example of commands to run refer to the appropriate API guide in the Falcon UI.


SUPPORT

Copyright (C) by CrowdStrike. All Rights Reserved.

Release Notes

Version 1.0.7
Nov. 22, 2019

Updated to support deployment to Splunk's Input Data Manager (IDM)

Version 1.0.6
July 31, 2018

Version 1.0.5
June 5, 2018

Version 1.0.4
May 30, 2018

Version 1.0.3
May 16, 2018

Version 1.0.2
May 4, 2018

Version 1.0.1
April 9, 2018

2,850
Installs
5,386
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.