Splunk with ES in a Distributed Deployment with In...

Monitoring Splunk

This question gets pretty complicated, and I'm not sure if anyone has needed to ask about this before. I couldn't find anything, so here goes.

We have a larger Splunk distributed deployment with Enterprise Security and clustered indexers. The Crowdstrike EDR agent has been running on all the systems in "Monitor" (no actions allowed) mode and seems to be doing fine, but now (due to reasons that are too complex to go into here) we need to configure the Crowdstrike policy to allow autonomous responses on those systems. Actions could include terminating connections, terminating running programs, quarantining files, and blocking ports.

I am worried that the indexer cluster (or other critical Splunk features, like the deployment server) could be permanently impacted if one or more of those autonomous actions are taken. We can't *not* configure the agent to allow those actions so at the very least I'd like to be aware of what could break, how, and how I can test for those things. Anyone have any ideas or suggestions?

Get Updates on the Splunk Community!

Splunk with ES in a Distributed Deployment with Index Cluster and EDR (Crowdstrike)

indexer clustering

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation