Splunk Enterprise

Does anyone here have any experience running the CrowdStrike Falcon Sensor in their Splunk environment?

Wiessiet
Path Finder

Does anyone here have any experience running the CrowdStrike Falcon Sensor in their Splunk environment? I've found the following: https://docs.splunk.com/Documentation/Splunk/8.2.5/ReleaseNotes/RunningSplunkalongsideWindowsantivir... but it references on-access AV, and CrowdStrike is a behavioral AV, so that likely isn't totally applicable. I have a case open with Splunk with this same question, but I wondered if the community had any experience: do's/don'ts, best practices, etc. My gut is that I won't see a substantive performance impact, but I'd love to have a little more knowledge before I start deploying the agent.

Trying to search for this online has proven nigh impossible, since CS-->Splunk integration is very common and almost all the search hits focus on ingesting CS logs, not actually running the agent on a Splunk environment.

For reference, I have a modestly sized distributed architecture with three search heads and three indexers (not clustered), in addition to a deployment server and multiple forwarders.

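The question above is essentially "how do I know whether the sensor costs me anything on the Splunk hosts?". Splunk already records hostwide resource usage for every instance in its `_introspection` index, so the before/after comparison can be done with a search. The following is an added example, not something posted in the thread: it buckets hostwide CPU, memory and normalized load per host into a "before_sensor" and "after_sensor" period and summarizes each. The host patterns (`idx*`, `sh*`) and the cutover date `2024-01-15` are assumptions; substitute your own hostnames and the day the sensor was deployed.

```spl
index=_introspection sourcetype=splunk_resource_usage component=Hostwide
    (host=idx* OR host=sh*)
    earliest=-30d@d latest=now
| eval period=if(_time < strptime("2024-01-15", "%Y-%m-%d"), "before_sensor", "after_sensor")
| eval cpu_pct='data.cpu_system_pct' + 'data.cpu_user_pct'
| eval mem_used_pct=round(100 * 'data.mem_used' / 'data.mem', 1)
| stats avg(cpu_pct) AS avg_cpu_pct,
        p95(cpu_pct) AS p95_cpu_pct,
        avg(mem_used_pct) AS avg_mem_used_pct,
        avg('data.normalized_load_avg_1min') AS avg_norm_load
  BY host, period
| sort host, period
```

Hostwide figures are the right lens here: the sensor is a separate process, so it will not appear in Splunk's per-process introspection data, and any kernel-side cost it adds shows up in the system CPU component. Run the search with the same time window on a test instance first (as the original poster did) so you know what normal variance between two weeks looks like before reading anything into the production numbers.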

dschroeter
Explorer

Did you ever get an answer on this?


Wiessiet
Path Finder

I never did, no, but I went forward with configuring this myself. I run a test environment for Splunk, so I was able to confirm that there didn't seem to be any adverse effects from running the sensor on my hosts. Since deploying it in production I've had zero issues and zero detections of any kind. I created a dedicated host group with tags to manage my Splunk environment separately (if necessary), but I haven't had to. I have pretty default Linux sensor settings and it has been working fine. I'm happy to share any specific configurations I have in place if you need any guidance.
