splunk
Splunk Add-on for CrowdStrike FDR
Splunk Cloud
Splunk Built
Overview
Details
The Splunk Add-on for CrowdStrike FDR lets you collect event data stored in CrowdStrike and bring it into your own Splunk instance for retention and further analysis.
The Add-on collects different logs and events from different sources monitored by the CrowdStrike platform and provides CIM-compatible knowledge to use with other Splunk apps.
Crowdstrike FDR events must be fetched from an AWS S3 bucket that is provisioned for you. The integration utilizes AWS SQS to support scaling horizontally if required.
Version 2.0.0 of the Splunk Add-on for Crowdstrike FDR contains the following new and changed features:
-New monitoring dashboard
-New events for CIM normalization
-Updated events CIM normalization
-FedRAMP certification
-IPv6 compatibility
Crowdstrike FDR events must be fetched from an AWS S3 bucket that is provisioned for you. The integration utilizes AWS SQS to support scaling horizontally if required.
Version 2.0.0 of the Splunk Add-on for Crowdstrike FDR contains the following new and changed features:
-New monitoring dashboard
-New events for CIM normalization
-Updated events CIM normalization
-FedRAMP certification
-IPv6 compatibility
IMPORTANT: If you are deploying this add-on to Splunk Cloud Victoria stacks please first validate that they are 8.2.2201+. Previous releases of Victoria do not include a key performance optimization that is important for high FDR event volumes.
Splunk does not support running CrowdStrike Falcon Data Replicator (FDR) S3 Technical Add-On or CrowdStrike Falcon Data Replicator (FDR) SQS Technical Add-On on the same deployment as Splunk Add-on for CrowdStrike FDR.
For details on the Splunk Add-on for CrowdStrike FDR, please refer to the Splunk Docs
Release Notes
Version 2.0.4
Feb. 13, 2025
Version 2.0.3
Dec. 23, 2024
Version 0.3.0
June 4, 2021