CrowdStrike Splunk API/TA Detections and Events Al...

cwar24 · ‎02-05-2024

Hello,
Where does Splunk get the data from CrowdStrike to form the Splunk drilldown dashboards under Detections and Events called "CrowdStrike Detections Allowed/Blocked Breakdown" and "CrowdStrike Events Allowed/Blocked Breakdown"? My confusion is that in CrowdStrike Falcon console I don't see the terms "Blocked/Allowed" being used for detections or events and I need to know how Splunk is correlating those drilldown dashboard sections to CrowdStrike? What data does Splunk use from CrowdStrike to create those Blocked/Allowed sections in Splunk?

cwar24 · ‎02-06-2024

Splunk CrowdStrike Dashboard

Also, I think Splunk is using event.DetectID along with search action = allowed and event.DetectID along with search action = blocked but I don't know where these fields connect to on the CrowdStrike side. Here's an example of what I saw on the Splunk side:

index=security "metadata.eventType"=DetectionSummaryEvent metadata.customerIDString=* | search action=allowed | stats dc(event.DetectId) as Detections | lookup index=security sourcetype=CrowdStrike:Event:Streams:JSON "metadata.eventType"=DetectionSummaryEvent metadata.customerIDString=* | search action=blocked | stats dc(event.DetectId) as Detections

CrowdStrike Splunk API/TA Detections and Events Allowed/Blocked

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

CrowdStrike Splunk API/TA Detections and Events Allowed/Blocked

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...