Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does anyone here have any experience running the Crowdstrike Falcon Sensor in their Splunk environment?

Wiessiet
Path Finder
‎03-02-2022 11:40 AM

Does anyone here have any experience running the Crowdstrike Falcon Sensor in their Splunk environment? I've found the following: https://docs.splunk.com/Documentation/Splunk/8.2.5/ReleaseNotes/RunningSplunkalongsideWindowsantivir... but it references on-access AV, and Crowdstrike is a behavioral AV and that likely isn't totally applicable. I have a case open with Splunk with this same question but I wondered if the community had any experience; do's/don'ts; best practices; etc. My gut is that I won't see a substantive performance impact but I'd love to have a little more knowledge before I start deploying the agent.

Trying to search for this online has proven neigh impossible since CS-->Splunk integration is very common and almost all the search hits focus on ingesting CS logs, not actually running the agent on a Splunk environment.

For reference I have a modestly sized distributed architecture with three search-heads and three indexers (not clustered) in addition to a deployment and multiple forwarders.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

dschroeter
Explorer
‎03-17-2023 06:56 AM

Did you ever got any answer on this?

0 Karma
Reply

Wiessiet
Path Finder
‎03-17-2023 07:02 AM

I never did, no, but I went forward with configuring this myself. I run a test environment for Splunk, so I was able to confirm that there didn't seem to be any adverse affects from running the sensor on my hosts. Since deploying it in production I've had zero issues and zero detections of any kind. I created a dedicated host group with tags to manage my Splunk environment separately (if necessary) but I haven't had to. I have pretty default linux sensor settings and it has been working fine. I'm happy to share any specific configurations I have in place if you need any guidance.

0 Karma
Reply
Get Updates on the Splunk Community!

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...

Splunk AppDynamics Agents Webinar Series

Mark your calendars! On June 24th at 12PM PST, we’re going live with the second session of our Splunk ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...