Does anyone here have any experience running the Crowdstrike Falcon Sensor in their Splunk environment? I've found the following: https://docs.splunk.com/Documentation/Splunk/8.2.5/ReleaseNotes/RunningSplunkalongsideWindowsantivir... but it references on-access AV, and Crowdstrike is a behavioral AV and that likely isn't totally applicable. I have a case open with Splunk with this same question but I wondered if the community had any experience; do's/don'ts; best practices; etc. My gut is that I won't see a substantive performance impact but I'd love to have a little more knowledge before I start deploying the agent.
Trying to search for this online has proven nigh impossible since CS-->Splunk integration is very common and almost all the search hits focus on ingesting CS logs, not actually running the agent on a Splunk environment.
For reference I have a modestly sized distributed architecture with three search-heads and three indexers (not clustered) in addition to a deployment and multiple forwarders.
Did you ever get any answer on this?
I never did, no, but I went forward with configuring this myself. I run a test environment for Splunk, so I was able to confirm that there didn't seem to be any adverse effects from running the sensor on my hosts. Since deploying it in production I've had zero issues and zero detections of any kind. I created a dedicated host group with tags to manage my Splunk environment separately (if necessary) but I haven't had to. I have pretty default Linux sensor settings and it has been working fine. I'm happy to share any specific configurations I have in place if you need any guidance.