This add-on works with Splunk 7.x and 8.x and authenticates to CrowdStrike with OAuth2.
The add-on is built with Splunk Add-on Builder.
Release Notes - Version 1.0.0 (Initial Release)
CrowdStrike Devices Add-on
The Technology Add-on (TA) for CrowdStrike Devices lets current CrowdStrike customers ingest device data into Splunk.
Compatible with: Splunk Enterprise version: 7.0.x, 7.1.x, 7.3.x, 8.0.x
1. A valid Client ID and Client Secret are required to ingest data. The add-on uses these credentials to obtain an OAuth2 access token, and that token is sent with every API call.
Install the add-on on heavy forwarders or on a Splunk Enterprise standalone instance.
Installing the TA package
1. In the UI navigate to: “Manage Apps”
2. In the top right corner select “Install app from file”
3. Click ‘Choose File’ and select the TA package (.spl)
4. Click ‘Upload’ and follow the prompts, restarting Splunk when asked.
Configuring CrowdStrike Account(s)
1. In Configuration > Account, click the “Add” button on the right and fill in:
- Account name * - A name for the account
- Username * - The CrowdStrike API Client ID
- Password * - The CrowdStrike API Client Secret
Use an API client created for this add-on with only the read scopes the device endpoints need, rather than reusing a broadly scoped client; the secret is shown once in the CrowdStrike console when the client is created, so store it only here.
Configuring CrowdStrike Devices Input(s)
The inputs should be configured only on heavy forwarders or on a Splunk Enterprise standalone instance.
Three REST API endpoints are used:
INFO: To authenticate successfully, the client application must send an Authorization header with each API call. The header carries a bearer token, which is first obtained from CrowdStrike's OAuth2 token service using the Client ID and Client Secret configured above. Tokens expire, so the add-on must request a new one when the current token is rejected or about to expire.
The default log level is INFO.
Data should be indexed in the index you selected, or in main if none was selected.
If it is not, check the internal log:
Using Log Files
HTTP status code categories returned by the REST API:
- 1xx: Informational – Communicates transfer protocol-level information.
- 2xx: Success – The client's request was accepted successfully.
- 3xx: Redirection – The client must take some additional action to complete the request.
- 4xx: Client Error – The request itself is at fault: 401 means the token is missing, invalid or expired, 403 means the API client lacks the required scope, 429 means the client is being rate limited; other 4xx responses will not succeed on retry without changing the request.
- 5xx: Server Error – The server is at fault; these are the responses worth retrying with back-off.
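As an added example (not the add-on's own code, nor CrowdStrike's), here is how a collector built on the model above handles the token and the response classes: it obtains a bearer token from the OAuth2 token endpoint using the Client ID and Client Secret, caches it until shortly before expiry, sends it in the Authorization header of every call, re-authenticates on 401, backs off on 429 and 5xx, and fails fast on other 4xx. The token endpoint path (/oauth2/token), its form fields and JSON reply, and the device query endpoint (/devices/queries/devices/v1) are assumptions, not stated on this page; the HTTP transport is injected so the block runs offline against a constructed fake of the API (a real transport would wrap urllib.request).

```python
"""Added example (not the add-on's own code): OAuth2 client-credentials token handling for
CrowdStrike plus the HTTP status classes listed above. Assumed, not stated on this page:
token endpoint POST /oauth2/token (form fields client_id, client_secret; JSON reply with
access_token, expires_in) and the Hosts endpoint GET /devices/queries/devices/v1."""
import json
import time
import urllib.parse


def classify_status(status):
    """Map an HTTP status code class to what the ingest loop should do next."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "reauth"  # expired or revoked bearer token: fetch a new one, then retry
    if status == 429 or 500 <= status < 600:
        return "retry"   # rate limited or server-side fault: back off, resend unchanged
    return "fail"        # 3xx and other 4xx: the request itself has to change


class CrowdStrikeClient:
    # transport(method, url, headers, body) -> (status, body_text); clock and sleep are
    # injectable so token expiry can be exercised without waiting.
    def __init__(self, base_url, client_id, client_secret, transport, clock=time.time, sleep=time.sleep):
        self.base_url = base_url.rstrip("/")
        self._client_id, self._client_secret = client_id, client_secret  # secret is never logged
        self._transport, self._clock, self._sleep = transport, clock, sleep
        self._token, self._expires_at = None, 0.0
        self.token_requests = 0

    def _fetch_token(self):
        body = urllib.parse.urlencode(
            {"client_id": self._client_id, "client_secret": self._client_secret}).encode()
        headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
        status, text = self._transport("POST", self.base_url + "/oauth2/token", headers, body)
        self.token_requests += 1
        if status not in (200, 201):
            raise RuntimeError("token request failed: HTTP %d" % status)
        data = json.loads(text)
        self._token = data["access_token"]
        # renew 60 s before server-side expiry so a token never lapses mid-request
        self._expires_at = self._clock() + int(data.get("expires_in", 1799)) - 60

    def _bearer(self):
        if self._token is None or self._clock() >= self._expires_at:
            self._fetch_token()
        return self._token

    def get(self, path, params=None, retries=3):
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        for attempt in range(retries + 1):
            headers = {"Authorization": "Bearer " + self._bearer(), "Accept": "application/json"}
            status, text = self._transport("GET", url, headers, None)
            action = classify_status(status)
            if action == "ok":
                return json.loads(text)
            if action == "reauth":
                self._token = None                  # next _bearer() fetches a fresh token
            elif action == "retry":
                self._sleep(min(2 ** attempt, 30))  # capped exponential back-off
            else:
                raise RuntimeError("GET %s -> HTTP %d: %s" % (path, status, text[:200]))
        raise RuntimeError("GET %s still failing after %d retries" % (path, retries))


def make_fake_transport(expires_in=1800):
    """Constructed stand-in for api.crowdstrike.com (offline): numbered tokens, old one revoked on issue."""
    state = {"issued": 0, "valid": set()}

    def transport(method, url, headers, body):
        if method == "POST" and url.endswith("/oauth2/token"):
            if urllib.parse.parse_qs(body.decode()).get("client_secret") != ["s3cret"]:
                return 403, '{"errors":[{"code":403,"message":"access denied"}]}'
            state["issued"] += 1
            state["valid"] = {"tok%d" % state["issued"]}
            return 201, json.dumps({"access_token": "tok%d" % state["issued"], "expires_in": expires_in})
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[7:] not in state["valid"]:
            return 401, '{"errors":[{"code":401,"message":"access denied, invalid bearer token"}]}'
        return 200, json.dumps({"resources": ["aid-1", "aid-2"]})  # constructed device IDs
    return transport, state


def demo():
    """First call, cached reuse, clock-driven renewal, revocation (401 -> reauth), wrong secret."""
    transport, state = make_fake_transport()
    clock = {"now": 1_000_000.0}
    kw = dict(transport=transport, clock=lambda: clock["now"], sleep=lambda s: None)
    client = CrowdStrikeClient("https://api.crowdstrike.com", "abc123", "s3cret", **kw)
    query = ("/devices/queries/devices/v1", {"limit": 100})
    ids = client.get(*query)["resources"]  # token request 1
    client.get(*query)                     # cached token: no new token request
    clock["now"] += 3600                   # past expiry: renewed before the call (request 2)
    client.get(*query)
    state["valid"].clear()                 # revoked server-side: 401 -> reauth (request 3)
    client.get(*query)
    try:
        CrowdStrikeClient("https://api.crowdstrike.com", "abc123", "wrong", **kw).get(*query)
        rejected = False
    except RuntimeError as err:
        rejected = "HTTP 403" in str(err)  # failed at the token endpoint, no data call made
    return {"ids": ids, "token_requests": client.token_requests, "issued": state["issued"], "rejected": rejected}
```

Two design points worth carrying into a real input: the secret is only ever placed in the token request body, never in a URL or a log line, and a 401 is treated as "re-authenticate once, then retry" rather than as a fatal error, because CrowdStrike tokens expire on a fixed interval and the Splunk input will run across that boundary.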
- Support Offered: Yes
- Support Email: email@example.com
- Copyright (C) by BRIGHT Consulting JSC. All Rights Reserved.