All Configurations
Below is a table that lists all configurations for this add-on.
Name | Type | Web Location | CLI Location* | Description |
---|---|---|---|---|
Crowdstrike Devices Lookup - Gen | Saved Search | Settings > Searches, reports, and alerts | savedsearches.conf | Populates the lookup file crowdstrike_devices. |
Crowdstrike Devices Lookup - Cleanup | Saved Search | Settings > Searches, reports, and alerts | savedsearches.conf | Removes old entries from the KVStore lookup crowdstrike_devices. |
crowdstrike_devices | Lookup | Settings > Lookups > Lookup definitions | transforms.conf | Lookup definition for the KVStore collection crowdstrike_devices_collection. |
crowdstrike_devices_collection | KVStore collection | n/a** | collections.conf | KVStore configuration. |
sa_crowdstrike_index | Search macro | Settings > Advanced Search > Search Macros | macros.conf | Index definition for the crowdstrike index that contains the sourcetype crowdstrike:device:json. |
sa_crowdstrike_retention | Search macro | Settings > Advanced Search > Search Macros | macros.conf | How long a device can go without being updated before it is removed from the lookup. Default: "-2d". |
identity_manager://crowdstrike_devices | Asset lookup configuration | Enterprise Security > Configure > Data Enrichment > Asset and Identity Management > Asset Lookups | inputs.conf | Asset configuration lookup to load Crowdstrike devices into the asset database. |
*CLI locations are relative to ../default. Any update to CLI configuration files should be made in the local directory.
**If you have the Splunk App for Lookup File Editing, the KVStore collection crowdstrike_devices_collection is viewable within the Web interface.
Last update: February 18, 2023