CrowdStrike Splunk API/TA Detections and Events Al...

cwar24 · ‎02-05-2024

Hello,
Where does Splunk get the data from CrowdStrike to form the Splunk drilldown dashboards under Detections and Events called "CrowdStrike Detections Allowed/Blocked Breakdown" and "CrowdStrike Events Allowed/Blocked Breakdown"? My confusion is that in CrowdStrike Falcon console I don't see the terms "Blocked/Allowed" being used for detections or events and I need to know how Splunk is correlating those drilldown dashboard sections to CrowdStrike? What data does Splunk use from CrowdStrike to create those Blocked/Allowed sections in Splunk?

cwar24 · ‎02-06-2024

Splunk CrowdStrike Dashboard

Also, I think Splunk is using event.DetectID along with search action = allowed and event.DetectID along with search action = blocked but I don't know where these fields connect to on the CrowdStrike side. Here's an example of what I saw on the Splunk side:

index=security "metadata.eventType"=DetectionSummaryEvent metadata.customerIDString=* | search action=allowed | stats dc(event.DetectId) as Detections | lookup index=security sourcetype=CrowdStrike:Event:Streams:JSON "metadata.eventType"=DetectionSummaryEvent metadata.customerIDString=* | search action=blocked | stats dc(event.DetectId) as Detections

CrowdStrike Splunk API/TA Detections and Events Allowed/Blocked

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation