Monitoring Splunk

Splunk with ES in a Distributed Deployment with Index Cluster and EDR (Crowdstrike)

New Member

This question gets pretty complicated, and I'm not sure if anyone has needed to ask about this before. I couldn't find anything, so here goes.

We have a larger Splunk distributed deployment with Enterprise Security and clustered indexers. The Crowdstrike EDR agent has been running on all the systems in "Monitor" (no actions allowed) mode and seems to be doing fine, but now (due to reasons that are too complex to go into here) we need to configure the Crowdstrike policy to allow autonomous responses on those systems. Actions could include terminating connections, terminating running programs, quarantining files, and blocking ports. 

I am worried that the indexer cluster (or other critical Splunk features, like the deployment server) could be permanently impacted if one or more of those autonomous actions are taken. We can't *not* configure the agent to allow those actions so at the very least I'd like to be aware of what could break, how, and how I can test for those things. Anyone have any ideas or suggestions?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...