Hey All,
I am trying to onboard crowdstrike fdr logs using splunk addon Splunk Add-on for CrowdStrike FDR - Splunk Add-on for CrowdStrike FDR | Splunkbase
I want to enrich the aidmaster logs. I want to show ComputerName using aid in splunk logs.
I have installed the add-on on the forwarder and configured the input as below:
With this input configuration, we can see FDR logs, but the event coverage for ComputerName is very low - 0.36.
In short, we are not able to get ComputerName information for aids properly.
I have a few queries:
1) Do I need some changes on SH as well?
2) Do I need to make any change in savedsearches.conf of the add-on for the ComputerName to be shown?
Thanks in advance!
We got this resolved. We installed the app on the SH and added the index containing data from the add-on to the macro shown in the screenshot below.
We started getting data in the index because the app has saved searches that run based on that macro and outputlookup the results to the KV store.
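The enrichment mechanism described in the answer, as an added SPL example (not the add-on's own saved searches or macro): one scheduled search builds an aid-to-ComputerName lookup from the aidmaster records and writes it to a KV-store-backed lookup, and a second search applies that lookup to the FDR events and measures how many events received a ComputerName, the same coverage figure the question reports as 0.36. The index name `crowdstrike_fdr`, the sourcetype `cs:fdr:aidmaster`, the macro name `cs_fdr_index`, and the lookup name `aidmaster_lookup` are placeholders, not the add-on's real names.

```spl
# Step 1 (scheduled saved search): build the lookup from aidmaster records.
# `cs_fdr_index` is a placeholder macro standing in for the index restriction
# the app's macro carries; latest(ComputerName) keeps one name per aid even
# when a host is renamed or re-registered.
`cs_fdr_index` sourcetype="cs:fdr:aidmaster" aid=* ComputerName=*
| stats latest(ComputerName) AS ComputerName, latest(_time) AS last_seen BY aid
| outputlookup aidmaster_lookup

# Step 2 (ad hoc check): enrich FDR events and measure ComputerName coverage.
# Run this on the search head, where the lookup definition lives; if the
# lookup is empty or undefined the coverage stays low regardless of the
# forwarder input.
`cs_fdr_index` aid=*
| lookup aidmaster_lookup aid OUTPUT ComputerName
| eval has_name=if(isnotnull(ComputerName), 1, 0)
| stats count AS events, sum(has_name) AS enriched
| eval coverage=round(enriched / events, 2)
```

For the `lookup` command in step 2 to work, the lookup must be defined on the search head (a `collections.conf` collection plus a `transforms.conf` stanza with `external_type = kvstore` and a `fields_list` of at least `aid, ComputerName`), which is why installing the app on the SH, not only on the forwarder, was the fix. Checking the `coverage` value after the scheduled search has run once confirms whether the KV store is actually being populated.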