Splunk Enterprise Security

Endpoint Correlation Searches.


We are in the process of deploying our endpoint logging strategy. Right now, we are using CrowdStrike as our EDR. As far as I can tell if we wanted to use the logs collected by the CrowdStrike agent and forward that into Splunk we have to pay for the FDR license, which at the moment due to budget constraints we cannot.

When I look at the correlation searches that utilize the Endpoint Data model most of those detections are based on data that originates from Endpoint Detection and Response (EDR) agents. Since in our case we cannot utilize that data coming from CrowdStrike, could we use Sysmon instead to collect the data that we need to implement those corrections searches?

This is one of the use cases that I was interested in implementing


Labels (1)
0 Karma

New Member

Please check this addon:


Documentation says is CIM compatible:

"The Splunk Add-on for Sysmon allows a Splunk software administrator to create a Splunk software data input and CIM-compliant field extractions for Microsoft Sysmon."

If the addon feeds the Endpoint.Processes datamodel, then the use case you are interested in might work.


0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...