Technology add-on (TA) for CrowdStrike enables current CrowdStrike customers to ingest alert data from the Streaming API as well as view and push custom indicators via the Query API.
This TA also supports (and is required for) the CrowdStrike Falcon App for Splunk: https://splunkbase.splunk.com/app/3943/
Prior to deploying this Technology Add-on review the following:
Ensure that any Firewalls in the environment will allow the Streaming API connection to establish a long-life HTTPS connection. This connection is maintained to reduce latency of alert reporting.
Please refer to the API documentation in the Falcon UI for specific URLs and IP addresses that should be whitelisted.
There are currently two components within a Splunk environment where this TA should be installed: Heavy Forwarders and Search Heads. Install the TA bundle by:
Only perform this configuration if needed for authentication - SSL proxies are NOT supported
1. Navigate to Technology Add-on for CrowdStrike
2. In the sub-menu select "Configuration"
3. Select the ‘Proxy’ tab
4. Check the ‘Enable’ checkbox
5. Select the proxy type
6. Enter the host information for the proxy
7. Enter the port used by the proxy
8. Enter a valid username
9. Enter a valid password
The TA can be configured with credentials for two different CrowdStrike APIs:
* Streaming API: This will provide event and audit data
* Query API: This will provide custom indicator visibility and push capability
In a distributed architecture and for Splunk Cloud, this configuration should only be done on the Heavy Forwarders.
DO NOT CONFIGURE INPUTS ON SEARCH HEADS OR SPLUNK CLOUD
This TA contains a data collection component and as such, per Splunk’s documentation, should be installed on a forwarder (only heavy forwarders are currently supported by CrowdStrike) for the data collection function:
“Apps and add-ons that contain a data collection component should be installed on forwarders for their data collection functions. See Install apps in your Splunk Cloud deployment.”
The TA creates a search macro that, by default, points to the ‘main’ index. If the data being collected is placed into a custom index this macro should be updated to reflect the index being used. The Endpoint and Intelligence TAs each leverage their own search macro. Search macros can be found under ‘settings’ -> ‘advanced search’.
To modify these settings, perform the following:
1. Select ‘Settings’
2. Select ‘Advanced Search’
3. Select ‘Search Macros’
4. Select the appropriate CrowdStrike Technical Add-on
5. Select the name of the macro
6. Under definition ensure that the index being referred to in quotations is the index the data resides in
NOTE: The CrowdStrike App for Splunk leverages search macros to populate dashboard information. Failure to properly configure these macros can result in no/incorrect information being displayed.
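As an added illustration of what step 6 changes on disk (this is example configuration, not a file shipped with the TA), the two macros.conf fragments below show the default macro beside a local override that points it at a custom index. The macro name cs_get_index is the one used in the validation search on this page; the exact text of the TA's shipped definition and the custom index name crowdstrike are assumptions.

```ini
# --- <TA directory>/default/macros.conf (assumed shape of the shipped default) ---
# The macro resolves to the 'main' index, so any search built on it returns
# nothing if the inputs write to a different index.
[cs_get_index]
definition = index="main"

# --- <TA directory>/local/macros.conf (override to add) ---
# Splunk merges local/ over default/, so the override survives TA upgrades.
# 'crowdstrike' is an assumed custom index name; use the index your inputs write to.
[cs_get_index]
definition = index="crowdstrike"
```

After saving the override (or editing the macro in the UI, which writes the same local stanza), confirm which definition is in effect with `splunk btool macros list cs_get_index --debug` on the search head, then re-run the validation search on this page to check that events are returned.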
The TA comes with sample data files, which can be used to generate sample data for testing. Generating sample data requires the SA-Eventgen app (https://splunkbase.splunk.com/app/1924/). The TA will generate sample data for API calls at a 2 hour interval. You can modify this configuration in the eventgen.conf file available under $SPLUNK_HOME/etc/apps/default/.
After several minutes use the following search to validate that data is being received:
`cs_get_index` | stats count by sourcetype
NOTE: the macro MUST be enclosed in backticks to run correctly (on most keyboards this key is located to the left of the number 1 key; these are not apostrophes).
Below are some sourcetypes that may be returned:
Use a tool such as ‘Postman’ or the ‘curl’ command to validate connectivity and that the credentials are correct. For examples of commands to run, refer to the appropriate API guide in the Falcon UI.
Updated to support deployment to Splunk's Input Data Manager (IDM)