


SHA256 checksum (ta-crowdstrike-falcon-spotlight_100.tgz) 8400bdf36711970883508b8d3b9c477112898e3fd021e79c4d24a3ba04401718


TA Crowdstrike Falcon Spotlight

Splunk AppInspect Passed
The Technology Add-on (TA) for CrowdStrike Spotlight enables current CrowdStrike customers to ingest vulnerability data into Splunk.
Once the data is indexed, you can perform further analysis and correlate it with data from other sources.

CrowdStrike Falcon Spotlight Add-on

This add-on works with Splunk 7.x and 8.x and authenticates to CrowdStrike with OAuth2. The Falcon Spotlight Technology Add-on for CrowdStrike retrieves data from the Falcon Spotlight API and indexes it in Splunk.

It is built with Splunk Add-on Builder:

  • App 3.0.1
  • App Build 2

OVERVIEW

The Technology Add-on (TA) for CrowdStrike Spotlight enables current CrowdStrike customers to ingest vulnerability data into Splunk.

  • Creates Index - False
  • OS: Platform independent
  • Heavy Forwarder Required

Compatible with: Splunk Enterprise version: 7.1.x, 7.2.x, 7.3.x, 8.0.x, 8.1.x

DEPLOYMENT

1. To ingest event data, a valid Client ID and Client Secret are required. Using the OAuth mechanism, an authentication token is generated from these credentials and sent with each API call.

INSTALLATION

Install the add-on on Heavy Forwarders or on a Splunk Enterprise standalone instance. Download the TA package and follow the instructions below:
1. In the UI navigate to: “Manage Apps”
2. In the top right corner select “Install app from file”
3. Select ‘Choose File’ and select the TA package (.spl or .tar)
4. Select ‘Upload’ and follow the prompts to restart Splunk.

CONFIGURATION

Configuring CrowdStrike Account(s)

  1. In Configuration\account, click the “Add” button on the right and fill in:
     • Account name - a name for the account
     • Username - a valid Client ID
     • Password - a valid Client Secret
  2. In Configuration\add-on-settings, change the default values if needed. Whether or not you change them, click Save.

props.conf config:

TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
TIME_PREFIX = "updated_timestamp": "
KV_MODE = json
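As an added check that is not part of the add-on, the three props.conf settings above can be exercised against sample events before any data reaches an indexer. The snippet below treats TIME_PREFIX as the regular expression Splunk applies before TIME_FORMAT, parses the timestamp the same way, and shows that an event whose JSON serializer omits the space after the colon, or that carries a timezone offset instead of a literal Z, does not match, so Splunk would fall back to its other timestamp rules for that event. The sample events are constructed; the function names are this example's own.

```python
import json
import re
from datetime import datetime, timezone

# The props.conf settings from the page, reproduced as Python values.
TIME_PREFIX = r'"updated_timestamp": "'   # Splunk treats TIME_PREFIX as a regex
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"        # strptime-style; the trailing Z is literal


def extract_event_time(raw_event):
    """Return the UTC datetime Splunk would assign from TIME_PREFIX/TIME_FORMAT,
    or None when the prefix or the format does not match (Splunk then falls back)."""
    m = re.search(TIME_PREFIX, raw_event)
    if not m:
        return None
    # The timestamp text starts right after the prefix and ends at the next quote.
    rest = raw_event[m.end():]
    end = rest.find('"')
    candidate = rest if end < 0 else rest[:end]
    try:
        return datetime.strptime(candidate, TIME_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def check_events(events):
    """Return (matched, unmatched) counts for a list of raw JSON event strings."""
    matched = sum(1 for e in events if extract_event_time(e) is not None)
    return matched, len(events) - matched


# Constructed sample events: the first is serialized the way props.conf expects,
# the second has no space after the colon, the third uses an offset instead of Z.
SAMPLE_EVENTS = [
    json.dumps({"id": "vuln-1", "aid": "host-1", "updated_timestamp": "2020-10-09T12:34:56Z"}),
    json.dumps({"id": "vuln-2", "aid": "host-1", "updated_timestamp": "2020-10-09T12:34:56Z"},
               separators=(",", ":")),
    json.dumps({"id": "vuln-3", "aid": "host-2", "updated_timestamp": "2020-10-09T12:34:56+00:00"}),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_event_time(ev), "<-", ev)
    print(check_events(SAMPLE_EVENTS))
```

In the two non-matching cases KV_MODE = json still extracts an `updated_timestamp` field; only the `_time` assignment is affected, which is why the check is worth running against real output from the API before trusting time-based searches.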

Configuring CrowdStrike Input(s)

The inputs should be configured only on heavy forwarders or a Splunk Enterprise standalone instance. Three REST API endpoints are used:
- /oauth2/token
- /spotlight/queries/vulnerabilities/v1
- /spotlight/entities/vulnerabilities/v2

INFO: To authenticate, the add-on sends an authentication header with each API call. The header carries a token, which is first obtained by calling the token service with the Client ID and Client Secret configured as the account's username and password.
A successfully issued API token is valid for 27 min. The add-on runs a timer that obtains a new token every 1300 seconds (about 21-22 minutes), well inside that lifetime.
  1. Navigate to Falcon Spotlight Add-on for CrowdStrike
  2. In the sub-menu select “Inputs”
  3. In the right corner select “Create New Input”
  4. Enter a unique name for the configuration
  5. From the drop down select the appropriate account for the input type
  6. (optional) Leave the offset field empty.
  7. (optional) Enter the start date from which to begin data collection, in the format YYYY-MM-DDTHH:MM:SS. This sets the initial starting point in time and is only needed for the first run; on every later cycle the add-on collects the delta from a checkpoint that it writes at the end of each ingestion cycle.
  8. Enter the time interval for input
  9. Select the index to store the data.
     NOTE: The main index is used by default unless specified otherwise. If data is to be sent to a specific indexer, make sure outputs.conf is configured with that indexer's IP address.
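The token rule in the INFO note and the checkpoint behaviour in step 7 are easier to reason about in code. The block below is an added example written for this page, not the add-on's own implementation: a small collector that caches the OAuth2 token and re-requests it once 1300 seconds have passed, pages through the queries endpoint, fetches full records from the entities endpoint, and derives the next checkpoint from the newest updated_timestamp it saw. The request and response shapes (form-encoded client_id/client_secret, a JSON access_token, resources plus meta.pagination.after, repeated ids parameters, the filter syntax) are assumptions, not taken from the page; FakeFalconAPI and its three records are constructed so the example runs offline, and it enforces the 27-minute lifetime the page states.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_REFRESH_S = 1300        # the add-on re-requests a token every 1300 s (from the page)
TOKEN_LIFETIME_S = 27 * 60    # the page states an issued token stays valid for 27 min


class SpotlightCollector:
    """Token-caching client for the three endpoints the add-on uses. Request/response
    shapes are assumptions for this example, not taken from the page."""

    def __init__(self, base_url, client_id, client_secret, transport=None, clock=time.time):
        self._base, self._clock = base_url.rstrip("/"), clock
        self._creds = {"client_id": client_id, "client_secret": client_secret}
        self._transport = transport or self._urllib_transport  # (method, url, body, headers) -> (status, bytes)
        self._token, self._issued_at, self.token_requests = None, 0.0, 0

    @staticmethod
    def _urllib_transport(method, url, body, headers):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()

    def _bearer(self):
        # Reuse the cached token until the 1300 s timer elapses, then request a new one.
        now = self._clock()
        if self._token is None or now - self._issued_at >= TOKEN_REFRESH_S:
            body = urllib.parse.urlencode(self._creds).encode()
            headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
            status, raw = self._transport("POST", self._base + "/oauth2/token", body, headers)
            if status // 100 != 2:
                raise RuntimeError(f"token request failed with HTTP {status}")
            self._token, self._issued_at = json.loads(raw)["access_token"], now
            self.token_requests += 1
        return self._token

    def _get(self, path, params):
        url = self._base + path + "?" + urllib.parse.urlencode(params, doseq=True)
        headers = {"Authorization": "Bearer " + self._bearer(), "Accept": "application/json"}
        status, raw = self._transport("GET", url, None, headers)
        if status // 100 != 2:  # 4xx: our request or credentials; 5xx: the server side
            raise RuntimeError(f"{path} failed with HTTP {status}")
        return json.loads(raw)

    def collect(self, since, page_size=100):
        # Page through ids from the queries endpoint, then fetch full records from entities.
        after = None
        while True:
            params = {"filter": f"updated_timestamp:>'{since}'", "limit": page_size}
            if after:
                params["after"] = after
            page = self._get("/spotlight/queries/vulnerabilities/v1", params)
            ids = page.get("resources") or []
            if not ids:
                return
            yield from self._get("/spotlight/entities/vulnerabilities/v2", {"ids": ids}).get("resources", [])
            after = page.get("meta", {}).get("pagination", {}).get("after")
            if not after:
                return


def next_checkpoint(records, previous):
    # Newest updated_timestamp seen; the page's YYYY-MM-DDTHH:MM:SS form compares correctly as text.
    return max([previous] + [r.get("updated_timestamp", "") for r in records])


class FakeFalconAPI:
    """Constructed offline stand-in: issues tokens, rejects missing/expired ones with 401,
    and honours the filter, limit, after and ids parameters on constructed sample data."""

    def __init__(self, clock):
        self._clock, self.tokens = clock, {}
        self.entities = {
            "vuln-a": {"id": "vuln-a", "aid": "host-1", "updated_timestamp": "2020-10-01T10:00:00Z"},
            "vuln-b": {"id": "vuln-b", "aid": "host-1", "updated_timestamp": "2020-10-02T08:30:00Z"},
            "vuln-c": {"id": "vuln-c", "aid": "host-2", "updated_timestamp": "2020-10-01T23:59:59Z"},
        }

    def __call__(self, method, url, body, headers):
        parts = urllib.parse.urlsplit(url)
        q = urllib.parse.parse_qs(parts.query)
        if parts.path == "/oauth2/token":
            tok = f"tok-{len(self.tokens) + 1}"
            self.tokens[tok] = self._clock()
            return 201, json.dumps({"access_token": tok}).encode()
        tok = headers.get("Authorization", "")[len("Bearer "):]
        if tok not in self.tokens or self._clock() - self.tokens[tok] >= TOKEN_LIFETIME_S:
            return 401, b'{"errors": [{"message": "access denied"}]}'
        if parts.path == "/spotlight/queries/vulnerabilities/v1":
            since, limit, start = q["filter"][0].split("'")[1], int(q["limit"][0]), int(q.get("after", ["0"])[0])
            ids = sorted(k for k, e in self.entities.items() if e["updated_timestamp"] > since)
            nxt = str(start + limit) if start + limit < len(ids) else None
            return 200, json.dumps({"resources": ids[start:start + limit], "meta": {"pagination": {"after": nxt}}}).encode()
        if parts.path == "/spotlight/entities/vulnerabilities/v2":
            return 200, json.dumps({"resources": [self.entities[i] for i in q.get("ids", [])]}).encode()
        return 404, b"{}"


def demo():
    # Two ingestion cycles 1300 s apart; returns (records in cycle 1, checkpoint, tokens requested, records in cycle 2).
    clock = {"now": 0.0}
    now = lambda: clock["now"]
    client = SpotlightCollector("https://api.example.invalid", "client-id", "client-secret",
                                transport=FakeFalconAPI(now), clock=now)
    checkpoint = "2020-10-01T00:00:00Z"
    first = list(client.collect(checkpoint, page_size=2))
    checkpoint = next_checkpoint(first, checkpoint)
    clock["now"] += TOKEN_REFRESH_S       # next cycle: the timer forces a fresh token
    second = list(client.collect(checkpoint, page_size=2))
    return len(first), checkpoint, client.token_requests, len(second)
```

Running `demo()` returns `(3, '2020-10-02T08:30:00Z', 2, 0)`: the first cycle pulls all three records across two pages with one token, the checkpoint moves to the newest timestamp, and the second cycle 1300 s later requests a second token and finds nothing newer. Refreshing on the timer rather than on a 401 is what keeps a long page walk from failing part-way through when the 27-minute lifetime runs out.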

TROUBLESHOOTING

The default LOG level is set to: INFO

Using Searches

The data should be indexed in the index you selected, or in "main" by default:
sourcetype=crowdstrike:falconhost:query:spotlight

If no data appears, check the add-on's internal log:
index=_internal sourcetype="ta:crowdstrike:falcon:spotlight:log"

Using Log Files

  • $SPLUNK_HOME/var/log/splunk/ta_crowdstrike_falcon_spotlight_falcon_spotlight.log

HTTP status code categories returned by the REST API:
- 1xx: Informational – transfer protocol-level information.
- 2xx: Success – the client's request was accepted successfully.
- 3xx: Redirection – the client must take additional action to complete the request.
- 4xx: Client Error – the fault lies with the client's request.
- 5xx: Server Error – the server failed to handle the request.


Release Notes

Version 1.0.0
Oct. 9, 2020

SUPPORT

  • Support Email: office@bright.consulting
  • Copyright (C) by BRIGHT Consulting JSC. All Rights Reserved.

Installs: 16
Downloads: 11

© 2005-2020 Splunk Inc. All rights reserved.