CrowdStrike Falcon Splunk App User and Configuration Guide

The document provides an overview and instructions for deploying and configuring the CrowdStrike App for Splunk. The app collects and visualizes data from CrowdStrike using two technical add-ons: the CrowdStrike Event Streams TA and CrowdStrike Intel Indicators TA. It contains four main dashboard sections covering detections and events, incidents, audit events, and intelligence indicators.

CrowdStrike Falcon

Splunk App
User and Configuration Guide

V2-7-20-TS
Overview

This document outlines the deployment and configuration of the CrowdStrike App, which is available for
Splunk Enterprise and Splunk Cloud.

This app can be downloaded from Splunkbase: https://splunkbase.splunk.com/app/5094/

This app is designed to work with the data that’s collected by the officially supported
CrowdStrike Technical Add-Ons (TAs):

CrowdStrike Event Streams Technical Add-on: https://splunkbase.splunk.com/app/5082/

CrowdStrike Intel Indicators Technical Add-on: https://splunkbase.splunk.com/app/5083/

Contents:
• Getting Started
o Deployment & Configuration
o General Overview
o Input Options
§ Time Frame and Customer ID
§ Intel Indicators Selections
• Dashboard Sections
o Dashboards and Drilldowns
o Detections and Events Section
o Incidents Section
o Audit Events Section
o Intel Indicators Section
• Troubleshooting and Support
o Potential Issues and Resolutions
o Getting Support

Getting Started

Prior to deploying the CrowdStrike App, ensure the following:

1. At least one of the supporting OAuth2-based technical add-ons (TAs) has been
successfully deployed, configured and is collecting data
2. The associated TAs have been successfully deployed to the system(s) that the App is
being deployed to
3. The index(es) that contain the CrowdStrike data have been identified
4. An account with proper access to the identified Splunk systems is available
5. It has been determined whether any access requirements or modifications will be necessary for the App or
the accounts accessing it

Deployment & Configuration

The CrowdStrike App should be deployed on Search Head systems or Splunk Cloud as it’s
designed to present the data that’s being collected by the CrowdStrike TAs.

The searches that populate the dashboards leverage search macros to properly point to
the indexes that contain the CrowdStrike information. These search macros can be found by
navigating to ‘Settings’ -> ‘Advanced Search’ -> ‘Search Macro’ and selecting the CrowdStrike
App from the dropdown selector (if necessary, select ‘Created in App’ as well):

There are two search macros currently associated with this App:

• cs_es_get_index: This search macro is used to point to Event Streams TA data


• cs_ii_get_index: This search macro is used to point to Intel Indicator TA data

By default, both search macros point to all indexes. This can increase search time and the resources a search
needs, so each macro should be changed to point to the specific index or indexes that contain
the corresponding TA's data.
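As an added check (not part of the app or of this guide), the following searches, run on the search head, list the current definition of both macros and flag any that still carry the all-indexes default, then show which index and sourcetype actually hold Event Streams data so the macro can be narrowed. They assume the default definition contains the literal `index=*`, which this guide does not state, and that `event.DetectId` is present on Event Streams events as described later in this guide.

```spl
`comment("Search 1: show both CrowdStrike macros and flag any still scoped to every index")`
| rest /servicesNS/-/-/admin/macros splunk_server=local
| search title IN ("cs_es_get_index", "cs_ii_get_index")
| eval status = if(like(definition, "%index=*%"), "DEFAULT: narrow to the CrowdStrike index", "scoped")
| table title eai:acl.app definition status

`comment("Search 2: identify the index holding Event Streams data over a short window before editing the macro")`
index=* earliest=-1h event.DetectId=*
| stats count BY index, sourcetype
```

Once the index is known, set the macro definition in the app's local macros.conf (or via the Search Macro settings page described above) to that index rather than to all indexes.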

General Overview

There are four dashboard sections within the CrowdStrike App. The information that is
displayed in these dashboards depends on the Technical Add-Ons (TAs) that provide the
data:

Event Stream Add-on
• Detections and Events
• Incidents
• Audit Events

Intelligence Add-on
• Intel Indicators

The ‘Detections and Events’ section is the default selection and is displayed when the App is
initially opened. Each of the dashboard sections is a pulldown menu that lists the
main dashboards that are directly accessible. It is important to note that not all dashboards are directly
accessible; some dashboards are only available as drilldowns.

Input Options

A majority of the dashboards have input options, which are located at the top of the
dashboard. These input options provide the ability to refine or expand the amount of data
represented in the dashboard. Input options vary depending on the type of
data being displayed, but the more common ones are described below.

Time Frame and Customer ID

The Customer ID list is populated by a search run within the selected time frame. If a new
time frame is selected, the Customer ID options update dynamically. To apply a new
time frame or select a specific Customer ID, the ‘Submit’ button must be clicked.

A majority of the dashboards have selections for the time frame and for the Customer IDs
available within that time frame. When clicking into a drilldown value, the selected time frame and
Customer ID are retained and applied to the new dashboard.

Some drilldowns are based on a specific value, such as severity, which is also carried
forward to the drilldown dashboard.

Intel Indicators Selections

The Intel Indicators dashboards have different input options depending on the
type of data that is available. For example:

Dashboard Sections
The app is divided into four main sections, each representing distinctly different
information:

1. Detections and Events:

The ‘Detections and Events’ section focuses on Falcon detections and events. For the
purpose of these dashboards these terms are defined as:
• Detections: Detections are identified by using the ‘event.DetectId’ field and
counted in a 1:1 ratio, i.e. as a distinct count of the field
value. E.g. 10 events with the same event.DetectId value are considered 1
detection.
• Events: Events are also identified by using the ‘event.DetectId’ field; however,
they are counted per occurrence as opposed to a distinct count. E.g. 10
events with the same event.DetectId value are considered 10 events.

2. Incidents:
The ‘Incidents’ section provides high level data on Falcon Incidents. The information
provided is also broken down to show the host count, incident count and the event(s)
count for the incident.

3. Audit Events:
The ‘Audit’ section provides detailed information about actions taken within the Falcon
UI and on/by the Falcon sensor. Authentication attempts to the UI and via the API, policy
events, group events, Spotlight reports, Real Time Response activity and File Quarantine
actions are detailed here.

4. Intel Indicators:
The ‘Intel Indicators’ section provides details on CrowdStrike’s Intelligence Indicators
(Intelligence subscription required). The intelligence can be sorted and filtered by
attributes such as confidence levels, indicator types, threat actors and malware families.
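As an added example (not taken from the app's own dashboards), this SPL reproduces the two counting rules defined under ‘Detections and Events’ above, using the app's `cs_es_get_index` macro and the ‘event.DetectId’ field: ten events that share one DetectId value contribute 1 to detections and 10 to events, and the final column shows how many events the average detection generated.

```spl
`comment("Events are counted per occurrence, detections as distinct event.DetectId values")`
`cs_es_get_index` event.DetectId=*
| stats count AS events_for_detection BY event.DetectId
| stats count AS detections, sum(events_for_detection) AS events
| eval events_per_detection = round(events / detections, 2)
```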

Dashboards and Drilldowns

Each section contains a set of main dashboards as well as drilldown dashboards. These
designations are defined as follows:
• Main Dashboard: A dashboard that is directly accessible via the section dropdown
• Drilldown Dashboard: A dashboard that is accessible by clicking within another
dashboard

In several sections ‘Main Dashboards’ are also considered ‘Drilldown Dashboards’, as
they can be accessed by clicking on a value in a main dashboard.

Detections and Events Section

Data Source: Event Streams TA
Search Macro: `cs_es_get_index`
Main Dashboards: 3
Drilldown Dashboards: 7
Total Dashboards: 8

Main Dashboards
Crowdstrike Detections and Events: Overview
Crowdstrike Detection Details
Crowdstrike Events Details
Drilldown Dashboards
Crowdstrike Detections Details
Crowdstrike Detections Allowed Breakdown
Crowdstrike Detections and Events
Crowdstrike Detections Blocked Breakdown
Crowdstrike Detections Partially Blocked Breakdown
Crowdstrike Events Allowed Breakdown
Crowdstrike Events Blocked Breakdown
Crowdstrike Events Details

Incidents Section

Data Source: Event Streams TA
Search Macro: `cs_es_get_index`
Main Dashboards: 2
Drilldown Dashboards: 1
Total Dashboards: 2

Main Dashboards
Crowdstrike Incidents
Crowdstrike Incidents Details
Drilldown Dashboards
Crowdstrike Incidents Details

Audit Events Section

Data Source: Event Streams TA
Search Macro: `cs_es_get_index`
Main Dashboards: 6
Drilldown Dashboards: 22
Total Dashboards: 28

Main Dashboards
CrowdStrike Audit Authentication Events
CrowdStrike Audit Policy Events
CrowdStrike Audit Group Events
CrowdStrike Audit Spotlight
CrowdStrike Audit Real Time Response
CrowdStrike Audit File Quarantine
Drilldown Dashboards
Crowdstrike Audit Authentication Failure
Crowdstrike Audit Authentication Successful
Crowdstrike Audit Policy Creations
Crowdstrike Audit Policy Deletions
Crowdstrike Audit Policy Disabled
Crowdstrike Audit Policy Enabled
Crowdstrike Audit Policy Updates
Crowdstrike Audit Groups Added
Crowdstrike Audit Groups Created
Crowdstrike Audit Groups Deleted
Crowdstrike Audit Groups Removed
Crowdstrike Audit Groups Rules Added
Crowdstrike Audit Groups Rules Removed
Crowdstrike Audit Groups Updated
Crowdstrike Audit Spotlight Report Created
Crowdstrike Audit Spotlight Report Deleted
Crowdstrike Audit File Release Requests
Crowdstrike Audit File Unrelease Requests

Crowdstrike Audit File Unreleased
Crowdstrike Audit Files Deleted
Crowdstrike Audit Files Quarantined
Crowdstrike Audit Files Released

Intel Indicators Section

Data Source: Intel Indicator TA
Search Macro: `cs_ii_get_index`
Main Dashboards: 4
Drilldown Dashboards: 3
Total Dashboards: 4

Main Dashboards
Crowdstrike Intel Actors
Crowdstrike Intel Indicators Malware Families
Crowdstrike Intel Indicators Overview
Crowdstrike Intel Indicators Type Severity Search
Drilldown Dashboards
Crowdstrike Intel Indicators Malware Families
Crowdstrike Intel Indicators Overview
Crowdstrike Intel Indicators Type Severity Search

Troubleshooting and Support
CrowdStrike provides support for the App’s code and functionality.

Potential Issues and Resolutions

1. No data is present in the dashboards:


• Ensure that the proper TA has been successfully deployed, configured and is providing
data
• Ensure that the Search Macro has been properly configured
• Ensure that the user account(s) have the proper permissions to view the data and the
dashboards

2. Not all dashboards are populated:


• Validate that your CrowdStrike subscription provides that data
• Ensure that the proper TA has been successfully deployed, configured and is providing
data
• Increase the time frame and ensure that there is data of that type within that time
frame
• Ensure that the proper TA has been deployed to the Search Head/Splunk Cloud and that
no inputs have been configured on it

3. The Intel Indicators dashboard is not populated:
• Ensure that you have a valid CrowdStrike Intelligence subscription
• Ensure that the Intel Indicator TA has been successfully deployed, configured and is
providing data

Getting Support

Prior to contacting CrowdStrike support please review the following:

1. Ensure that the proper TAs have been successfully deployed, configured and are
providing data
2. Ensure the account being used is able to access both the data and the dashboards
3. Validate that the App has the proper permissions to access the data
4. Verify that the search macros have been properly configured for the App
5. Record the following information about the Splunk system(s):
• Splunk environment type
• Splunk version
• App version
• TA version(s)
6. Navigate to https://supportportal.crowdstrike.com/

7. Provide the collected information, as well as any additional relevant information, in the
support request
