CrowdStrike Falcon Endpoint Add-on
Overview
Details
CUSTOMERS USING SPLUNK V8.X or V7.3.X AND CROWDSTRIKE'S OAUTH2 APIS SHOULD DEPLOY THIS ADD-ON: https://splunkbase.splunk.com/app/5082/
Technology Add-on for CrowdStrike use to fetch data from Falcon Indicator and indexes it in Splunk for further analysis.
CrowdStrike Falcon Endpoint Add-on
OVERVIEW
Technology add-on (TA) for CrowdStrike enables current CrowdStrike customers to ingest alert data from the Streaming API as well as view and push custom indicators via the Query API.
This TA also supports (and is required for) the CrowdStrike Falcon App for Splunk: https://splunkbase.splunk.com/app/3943/
- Author - CrowdStrike
- Creates Index - False
- Compatible with:
- Splunk Enterprise version: 6.4.x, 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.3.x, 8.0.x
- OS: Platform independent
- Splunk Cloud (Heavy Forwarder Required)
For more information about the CrowdStrike APIs please refer to ‘Docs’ under the ‘Support’ section in the Falcon Interface.
DEPLOYMENT
Prior to deploying this Technology Add-on review the following:
- To receive event data a valid and enabled set of credentials for the Streaming API is required. This consists of an API UUID and an API Key. These can be generated through the Falcon UI and if being generated for the first time CrowdStrike support should be notified to enable the Streaming API. NOTE regenerating this credential set WILL INVALIDATE AN EXISTING SET.
- To view and/or push custom indicators to the Falcon platform a valid set of credentials for the Query API is required. This consists of a username and password. Currently these can only be acquired through CrowdStrike support. Please refer to the Query API documentation for details on this process.
- Ensure that any Proxies or Firewalls that the API communications will traverse have been properly configured (see the ‘Configuration Section’ – ‘Configuring Proxies’). The APIs currently leverage certificate-based authentication (TLS over port 443) and should be exempted from any SSL proxying.
-
Ensure that any Firewalls in the environment will allow the Streaming API connection to establish a long-life HTTPS connection. This connection is maintained to reduce latency of alert reporting.
Please refer to the API documentation in the Falcon UI for specific URLs and IP addresses that should be whitelisted.
INSTALLATION
There are currently two components within a Splunk environment where this TA should be installed: Heavy Forwarders and Search Heads. Install the TA bundle by:
- Downloading the TA package
- In the UI navigate to: “Manage Apps’
- In the top right corner select ‘Install app from file’
- Select ‘Choose File’ and select the TA package
- Select ‘Upload’ and follow the prompts – restarting Splunk as necessary
CONFIGURATION
Configuring Proxies
Only perform this configuration if needed for authentication - SSL proxies are NOT supported
1. Navigate to Technology Add-on for CrowdStrike
2. In the sub-menu select "Configuration"
3. Select the ‘Proxy’ tab
4. Check the ‘Enable’ checkbox
5. Select the proxy type
6. Enter the host information for the proxy
7. Enter the port used by the proxy
8. Enter a valid username
9. Enter a valid password
Configuring CrowdStrike Account(s)
The TA can be configured with two different CrowdStrike APIs credentials:
* Streaming API: This will provide event and audit data
* Query API: This will provide custom indicator visibility and push capability
- Navigate to Technology Add-on for CrowdStrike,
- In the sub-menu select "Configuration"
- In the right corner select “Add Account”
- Enter a unique name for the configuration (NOTE: Names cannot contain blank spaces)
- Select the API account type
- Streaming – The Streaming API requires an active API UUID and API Key and is used to receive alerts from the Falcon platform.
- Query – The Query API is used by the ‘CrowdStrike Falcon App For Splunk’ to show and upload custom indicators to the Falcon platform.
- Enter either an API UUID or Username (depending on the API type selected)
- Enter either an API Key or Password (depending on the API type selected)
- Verify that the information that has been entered is correct and select ‘Add’
Note at this point the TA will attempt to validate the entered credentials. If the credentials are not correct, not active or a connection cannot be established the account will not be added.
Configuring CrowdStrike Input(s)
In a distributed architecture and for Splunk Cloud this configuration should only be done on the Heavy Forwarders
DO NOT CONFIGURE INPUTS ON SEARCH HEADS OR SPLUNK CLOUD
- Navigate to Technology Add-on for CrowdStrike,
- In the sub-menu select "Inputs”
- In the right corner select “Create New Input”
- Enter a unique name for the configuration
- From the drop down select the appropriate account for the input type
- (optional) Enter the offset number after which to collect data
- (optional) Enter the start date from which to start the data collection
- Enter the time interval for input
- Select the index to store the data. NOTE The main index is used by default unless otherwise indicated. If a custom index in selected ensure that the “cs_get_index” macro is updated accordingly. If data is to be sent to a specific indexer ensure the outputs.conf file is adjusted with the Indexer’s IP address.
SPLUNK CLOUD CONSIDERTATIONS
This TA contains a data collection component and as such, per Splunk’s documentation, should be installed on a forwarder (only heavy forwarders are currently supported by CrowdStrike) for the data collection function:
“Apps and add-ons that contain a data collection component should be installed on forwarders for their data collection functions. See Install apps in your Splunk Cloud deployment.”
Using Custom Indexes
The TA creates a search macro that, by default, points to the ‘main’ index. If the data being collected is placed into a custom index this macro should be updated to reflect the index being used. The Endpoint and Intelligence TAs each leverage their own search macro. Search macros can be found under ‘settings’ -> ‘advanced search’.
To modify this settings, perform the following:
1. Select ‘Settings’
2. Select ‘Advanced Search’
3. Select ‘Search Macros’
4. Select the appropriate CrowdStrike Technical Add-on
5. Select the name of the macro
6. Under definition ensure that the index being referred to in quotations is the index the data resides in
NOTE: The CrowdStrike App for Splunk leverages search macros to populate dashboard information. Failure to properly configure these macros can result in no/incorrect information being displayed.
SAMPLE EVENT GENERATOR
The TA comes with sample data files, which can be used to generate sample data for testing. In order to generate sample data it requires the SA-Eventgen app(https://splunkbase.splunk.com/app/1924/). The TA will generate sample data for API calls at a 2 hour interval. You can modify this configuration from eventgen.conf file available under $SPLUNK_HOME/etc/apps/default/.
TROUBLESHOOTING
Using Search
After several minutes use the following search to validate that data is being received:
`cs_get_index` | stats count by sourcetype
NOTE the macro MUST be enclosed with backticks to run correctly (on most keyboards this key is located to the left to the number 1 key – these are not apostrophes.
Below are some sourcetypes types that maybe returned:
- crowdstrike:falconhost:json
- crowdstrike:falconhost:query:json
Using Log Files
- $SPLUNK_HOME/var/log/splunk/ta-crowdstrike_falcon_host_api.log
- $SPLUNK_HOME/var/log/splunk/ta-crowdstrike_ucc_lib.log files.
- $SPLUNK_HOME/var/log/crowdstrike/
Connectivity Issues
- Unable to save account input(s)
- Ensure that the credentials matches the API type
- Ensure that the API has been enabled by CrowdStrike Support
- Ensure that Proxy settings have been properly configured in the TA
- Ensure that Proxy and Firewall settings have been properly configured to allow unmodified communication
- Receiving ‘401’ connection errors
- Ensure that the credentials being leveraged have been entered correctly
- Ensure that the correct credential sets are being used for the input
- Ensure that the credentials have been activated by CrowdStrike support
- Ensure that Proxy and Firewall settings are properly configured to allow unmodified communication
- Not receiving data
- Ensure that the API credentials have been activated by CrowdStrike support
- Ensure that an input has been created
- Ensure the proper credentials are assigned to the input
- Ensure that Proxy settings have been properly configured in the TA
- Ensure that Proxy and Firewall settings have been properly configured to allow unmodified communication
- (Splunk Cloud) Ensure that the collection activity is being performed by a heavy forwarder
External Credential Validation
Leverage a platform such as ‘Postman’ or the ‘curl’ command to validate connectivity and that the credentials are correct. For example of commands to run refer to the appropriate API guide in the Falcon UI.
SUPPORT
- Support Offered: Yes
- Support Email: integrations@crowdstrike.com
Copyright (C) by CrowdStrike. All Rights Reserved.
Release Notes
Version 1.0.7
Updated to support deployment to Splunk's Input Data Manager (IDM)