
Quick Start

This add-on has a saved search and Asset configuration input enabled by default.

Overview

  1. Update default macro.
  2. Force Initial Build.
  3. Enable asset correlation.
  4. (optional) Update default saved search schedule.
  5. (optional) Disable existing asset sources.

Update default macro

Danger, Will Robinson

Failure to update the macro to the correct setting will cause no devices to be available in Splunk Enterprise Security.

Macro                  Default              Description
sa_crowdstrike_index   index=crowdstrike    Index definition for the Crowdstrike devices index.

Update Macro Procedure

Update the index definition to the correct index that contains the crowdstrike:device:json sourcetype.

Perform one of the following:

  1. (recommended) Update via Splunk ES General Settings.
  2. Update via Macro Definition.

ES General Settings

Option 1 (recommended)

  1. (In Splunk Enterprise Security) Navigate to Configure > General > General Settings.
  2. From the "App" dropdown select SA-CrowdstrikeDevices.
  3. Update the SA-CrowdstrikeDevices Index definition and click "Save."

Macro Definition

Option 2

  1. Navigate to Settings > Advanced Search > Search Macros.
  2. From the "App" dropdown choose SA-CrowdstrikeDevices.
  3. Set the "Owner" dropdown to any.
  4. Click the macro named sa_crowdstrike_index to update the index definition.

Force Initial Build

The initial build of the Crowdstrike assets will not occur until the first scheduled runtime (see Update default saved search schedule). To force the initial build perform the following:

  1. Navigate to Settings > Searches, reports, and alerts.
  2. Set the "App" dropdown to SA-CrowdstrikeDevices.
  3. Set the "Owner" dropdown to All.
  4. Click "Run" under actions for the search Crowdstrike Devices Lookup - Gen.

Note

The search opens in a new tab and runs over the default time range of the last 60 minutes. Because the lookup is built by appending the devices seen in each run, widen the time range for this first run if the host count for the last 60 minutes looks low; a device that did not report to Crowdstrike in that window is otherwise missing from the asset list until it next reports. The saved search is scheduled hourly so that new devices reported from Crowdstrike are continually appended.
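The Update Macro Procedure and Force Initial Build steps above can also be driven over the Splunk REST API, which is useful when the add-on is rolled out to several search heads. The script below is an added example and is not code shipped with SA-CrowdstrikeDevices; it assumes a management port reachable at SPLUNK_URL (for example https://splunk.example:8089), a bearer token in SPLUNK_TOKEN, and uses only standard Splunk REST endpoints (configs/conf-macros, search/jobs and saved/searches/{name}/dispatch). It adds the check a practitioner wants between the two steps: it refuses to write anything but a bare index name into the macro (the macro body is spliced verbatim into every search that calls it, so any other content would run as SPL), and it confirms the chosen index actually holds the crowdstrike:device:json sourcetype before dispatching the lookup build over a 30-day window instead of the UI's 60-minute default.

```python
"""Set sa_crowdstrike_index and force the first lookup build over the Splunk
REST API. Added example, not part of SA-CrowdstrikeDevices. Assumes
SPLUNK_URL (management port, e.g. https://splunk.example:8089) and a
bearer token in SPLUNK_TOKEN."""
import json
import os
import re
import sys
import urllib.parse
import urllib.request

APP = "SA-CrowdstrikeDevices"
MACRO = "sa_crowdstrike_index"
SOURCETYPE = "crowdstrike:device:json"
SAVED_SEARCH = "Crowdstrike Devices Lookup - Gen"

# A bare index name only. The macro body is expanded verbatim into every
# search that calls `sa_crowdstrike_index`, so anything else in it runs as SPL.
INDEX_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


def macro_definition(index: str) -> str:
    """Build the macro body, rejecting values that are not a plain index name."""
    if not INDEX_NAME.match(index):
        raise ValueError(f"refusing to put {index!r} in the macro; expected an index name")
    return f"index={index}"


def macro_update_request(base_url: str, index: str) -> tuple[str, bytes]:
    """URL and form body that set the macro in the add-on's own namespace,
    the same change as Settings > Advanced Search > Search Macros."""
    url = f"{base_url}/servicesNS/nobody/{APP}/configs/conf-macros/{MACRO}"
    body = urllib.parse.urlencode({"definition": macro_definition(index)}).encode()
    return url, body


def verify_spl(index: str) -> str:
    """SPL that checks the index really holds the device sourcetype; a count of
    0 is exactly the 'no devices in ES' failure the macro warning describes."""
    macro_definition(index)  # same validation before interpolating into SPL
    return (f"| tstats count where index={index} sourcetype={SOURCETYPE} "
            "earliest=-24h latest=now")


def count_from_oneshot(payload: str) -> int:
    """Extract the count from a oneshot search's output_mode=json payload."""
    results = json.loads(payload).get("results", [])
    return int(results[0]["count"]) if results else 0


def dispatch_request(base_url: str, earliest: str = "-30d@d") -> tuple[str, bytes]:
    """URL and body that run the lookup-gen search over a wide window rather
    than the 60-minute default of the UI Run action, so devices that did not
    check in during the last hour still land in the first build."""
    name = urllib.parse.quote(SAVED_SEARCH, safe="")
    url = f"{base_url}/servicesNS/nobody/{APP}/saved/searches/{name}/dispatch"
    body = urllib.parse.urlencode(
        {"dispatch.earliest_time": earliest, "dispatch.latest_time": "now"}
    ).encode()
    return url, body


def post(url: str, body: bytes, token: str) -> str:
    """POST a form body with Splunk token auth. TLS is verified by default, so
    the management port needs a certificate your trust store accepts."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read().decode()


def main(index: str, earliest: str = "-30d@d") -> int:
    base_url = os.environ["SPLUNK_URL"].rstrip("/")
    token = os.environ["SPLUNK_TOKEN"]

    post(*macro_update_request(base_url, index), token)

    search_body = urllib.parse.urlencode(
        {"search": verify_spl(index), "exec_mode": "oneshot", "output_mode": "json"}
    ).encode()
    count = count_from_oneshot(post(f"{base_url}/services/search/jobs", search_body, token))
    if count == 0:
        print(f"no {SOURCETYPE} events in index={index} in the last 24h; not forcing the build")
        return 1

    post(*dispatch_request(base_url, earliest), token)
    print(f"macro set to index={index}; {count} device events seen; lookup build dispatched")
    return 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:]))
```

Run it as `python3 sa_crowdstrike_setup.py crowdstrike_prod` (optionally with a second argument such as `-90d@d` for the build window). The token needs rights to edit the macro in the SA-CrowdstrikeDevices app and to dispatch its saved search; the script stops before dispatching if the sourcetype check returns zero events, which usually means the wrong index name.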


Enable asset correlation

Confirm that asset correlation has been set up in Enterprise Security.

  1. Navigate to Enterprise Security > Configure > Data Enrichment > Asset and Identity Management.
  2. Switch to the "Correlation Setup" tab.
  3. Either enable for all sourcetypes (Recommended) or selectively by sourcetype.
    • If you choose to enable select sourcetypes, ensure the stash sourcetype is also selected so Notable events will be enriched with asset information.
  4. Save.

Disable existing asset sources

optional

You may already have other asset lookups defined in Enterprise Security. If the Crowdstrike sensor is deployed on effectively every host, those lookups may no longer be needed. Before disabling one, check whether it covers hosts or fields (owner, business unit, priority) that the Crowdstrike data does not; assets that exist only in a disabled lookup drop out of asset correlation.


Update default saved search schedule

optional

The default saved search runs on the 19th minute of every hour to update and continually build the Crowdstrike assets. To update the default schedule perform the following steps:

  1. Navigate to Settings > Searches, reports, and alerts.
  2. Set the "App" dropdown to SA-CrowdstrikeDevices.
  3. Set the "Owner" dropdown to All.
  4. Click "Edit" under actions for the search Crowdstrike Devices Lookup - Gen.
  5. Click "Edit Schedule" and update the schedule as necessary.

Last update: February 18, 2023