This technical add-on is designed to connect to a CrowdStrike provided Falcon Data Replicator environment. It leverages the SQS queue to determine if there are available data files to download. Once identified the TA will attempt to download the data file, decompress it and post the data into Splunk.
The data provided by FDR is not "real time" and is not recommended for alerting use cases. The CrowdStrike Event Streams API is designed for rapid transfer of audit and alert data; the Splunk add-on for the Event Streams API can be found here: CrowdStrike Falcon Event Streams Technical Add-On
For customers interested in collecting the AID Master data from FDR, it is also recommended to review the information available via the Falcon Devices API. The CrowdStrike Falcon Devices TA can ingest that data into Splunk and can be found here: CrowdStrike Falcon Devices Technical Add-On
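The pipeline described above (an SQS notification announces files, the TA downloads each object, decompresses it and ingests the events) is shown below as an added, offline example. This is not the TA's own code and not a CrowdStrike script: the notification field names (bucket, pathPrefix, fileCount, files[].path, files[].size, files[].checksum) are assumptions, the S3 bucket is replaced by an in-memory dictionary, and the event content is constructed. The point it adds is the checking a defender wants before trusting a downloaded file: count, size and checksum cross-checks, rejection of object keys that could escape a local download directory, and a result structure that lets the caller delete the SQS message only after a successful ingest.

```python
"""Added example (not the CrowdStrike FDR TA's code): parse an FDR-style SQS
notification, fetch and verify each gzipped event file, then decompress it
into JSON events. Field names and the MD5 checksum are assumptions; no
network calls are made, so this runs offline."""
import gzip
import hashlib
import io
import json

# Constructed sample event file: newline-delimited JSON, gzip-compressed.
_SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "aid-0001", "timestamp": "1700000000000"},
    {"event_simpleName": "DnsRequest", "aid": "aid-0001", "timestamp": "1700000001000"},
]
_SAMPLE_GZ = gzip.compress(
    ("\n".join(json.dumps(e) for e in _SAMPLE_EVENTS) + "\n").encode("utf-8")
)

# Stand-in for the S3 bucket: object key -> raw bytes (constructed).
FAKE_BUCKET = {"data/cid-example/part-00000.gz": _SAMPLE_GZ}


def _notification(checksum):
    """Build a constructed notification body in the assumed FDR shape."""
    return json.dumps({
        "bucket": "example-fdr-bucket",  # placeholder bucket name
        "pathPrefix": "data/cid-example",
        "fileCount": 1,
        "totalSize": len(_SAMPLE_GZ),
        "files": [{"path": "data/cid-example/part-00000.gz",
                   "size": len(_SAMPLE_GZ), "checksum": checksum}],
    })


SAMPLE_MESSAGE = _notification(hashlib.md5(_SAMPLE_GZ).hexdigest())
TAMPERED_MESSAGE = _notification("0" * 32)  # checksum that cannot match


def parse_notification(body):
    """Return (bucket, file entries); reject malformed or suspicious messages."""
    msg = json.loads(body)
    files = msg.get("files")
    if not msg.get("bucket") or not isinstance(files, list) or not files:
        raise ValueError("notification lacks bucket or files list")
    # A fileCount that disagrees with the list means a truncated or altered message.
    if msg.get("fileCount") is not None and msg["fileCount"] != len(files):
        raise ValueError("fileCount does not match files list")
    prefix = msg.get("pathPrefix", "")
    for entry in files:
        path = entry["path"]
        # Keys are later used as local file names by a downloader, so refuse
        # absolute paths, parent references and keys outside the stated prefix.
        if path.startswith("/") or ".." in path.split("/") or not path.startswith(prefix):
            raise ValueError("suspicious object key: %s" % path)
    return msg["bucket"], files


def fetch_object(bucket_store, key):
    """Stand-in for s3.get_object(Bucket=..., Key=...)['Body'].read()."""
    return bucket_store[key]


def verify_file(raw, entry):
    """Check the announced size and MD5 before decompressing anything."""
    if len(raw) != entry["size"]:
        raise ValueError("size mismatch for %s" % entry["path"])
    if hashlib.md5(raw).hexdigest() != entry["checksum"]:
        raise ValueError("checksum mismatch for %s" % entry["path"])


def decompress_events(raw):
    """Decompress a gzipped newline-delimited JSON file into a list of dicts."""
    events = []
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        for line in gz:
            line = line.strip()
            if line:
                events.append(json.loads(line))
    return events


def ingest(body, bucket_store=FAKE_BUCKET):
    """Process one SQS message. Returns {'ok', 'events', 'error'}; the caller
    should delete the SQS message only when 'ok' is True, so a failed download
    is retried after the visibility timeout instead of being lost."""
    try:
        _bucket, files = parse_notification(body)
        events = []
        for entry in files:
            raw = fetch_object(bucket_store, entry["path"])
            verify_file(raw, entry)
            events.extend(decompress_events(raw))
        return {"ok": True, "events": events, "error": None}
    except (ValueError, KeyError, OSError) as exc:
        return {"ok": False, "events": [], "error": str(exc)}


if __name__ == "__main__":
    result = ingest(SAMPLE_MESSAGE)
    print(result["ok"], len(result["events"]), "events")
    print(ingest(TAMPERED_MESSAGE)["error"])
```

In a real collector the `fetch_object` stand-in would be a boto3 `get_object` call and `ingest` would be called per received SQS message; the shape of the result is what matters: only an `ok` result should lead to deleting the message from the queue.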
Splunk v8+ with Python 3
CrowdStrike provided FDR S3 and SQS infrastructures
CrowdStrike US-based, EU and GovCloud environments
Multiple customer environments
CrowdStrike Falcon Event Streams Technical Add-On
CrowdStrike Falcon Devices Technical Add-On
CrowdStrike Intel Indicator Technical Add-On
CrowdStrike Falcon Data Replicator (FDR) S3 Technical Add-On
CrowdStrike Falcon Spotlight Data Technical Add-on