Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

CrowdStrike Splunk API/TA Detections and Events Allowed/Blocked

cwar24
New Member
‎02-05-2024 12:23 PM

Hello,
Where does Splunk get the data from CrowdStrike to form the Splunk drilldown dashboards under Detections and Events called "CrowdStrike Detections Allowed/Blocked Breakdown" and "CrowdStrike Events Allowed/Blocked Breakdown"? My confusion is that in CrowdStrike Falcon console I don't see the terms "Blocked/Allowed" being used for detections or events and I need to know how Splunk is correlating those drilldown dashboard sections to CrowdStrike? What data does Splunk use from CrowdStrike to create those Blocked/Allowed sections in Splunk?

0 Karma
Reply

cwar24
New Member
‎02-06-2024 05:33 AM

Splunk CrowdStrike DashboardSplunk CrowdStrike Dashboard

Also, I think Splunk is using event.DetectID along with search action = allowed and event.DetectID along with search action = blocked but I don't know where these fields connect to on the CrowdStrike side. Here's an example of what I saw on the Splunk side: 

index=security "metadata.eventType"=DetectionSummaryEvent metadata.customerIDString=* | search action=allowed | stats dc(event.DetectId) as Detections | lookup index=security sourcetype=CrowdStrike:Event:Streams:JSON "metadata.eventType"=DetectionSummaryEvent metadata.customerIDString=* | search action=blocked | stats dc(event.DetectId) as Detections
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...