All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to do log filtering on Splunk Add-on for Crowdstrike FDR?

fredd
Explorer
‎02-11-2022 04:31 AM

Hello,

I have a question about the Splunk Add-on for Crowdstrike FDR developed by Splunk - I would like to filter out events in addition to what the add-on provides - that is filtering by event_simpleName. My exact use case is I want to drop events with IsOnRemovableDisk\"\:\"1 in the raw message. I tried to do it using props/transforms applying to the appropriate sourcetype, yet it does not seem to be applied at all. Even with such a simple config like this:

props.conf:

 

[crowdstrike:events:sensor]
TRANSFORMS-usb = do_not_index

 

transforms.conf:

 

[do_not_index]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

 


Where I expected all the events to be dropped, it does not get applied and all the events except what is configured with the Event Filter in the add-on are ingested into Splunk.

Am I missing anything there? Is it even possible to filter events more in detail with Splunk Add-on for Crowdstrike FDR based on the raw data of events?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

m_pham
Splunk Employee
Splunk Employee
‎02-19-2022 05:32 PM

I might be wrong but can you try putting your configs under this stanza?

props.conf

[forward_to_crowdstrike_fdr_ta]
TRANSFORMS-usb = do_not_index

View solution in original post

Reply
Solved! Jump to solution
Solution

m_pham
Splunk Employee
Splunk Employee
‎02-19-2022 05:32 PM

I might be wrong but can you try putting your configs under this stanza?

props.conf

[forward_to_crowdstrike_fdr_ta]
TRANSFORMS-usb = do_not_index
Reply
Solved! Jump to solution

fredd
Explorer
‎02-21-2022 01:55 AM

That is the right answer, thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...