Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Does anyone here have any experience running the Crowdstrike Falcon Sensor in their Splunk environment?

Wiessiet
Path Finder
‎03-02-2022 11:40 AM

Does anyone here have any experience running the Crowdstrike Falcon Sensor in their Splunk environment? I've found the following: https://docs.splunk.com/Documentation/Splunk/8.2.5/ReleaseNotes/RunningSplunkalongsideWindowsantivir... but it references on-access AV, and Crowdstrike is a behavioral AV and that likely isn't totally applicable. I have a case open with Splunk with this same question but I wondered if the community had any experience; do's/don'ts; best practices; etc. My gut is that I won't see a substantive performance impact but I'd love to have a little more knowledge before I start deploying the agent.

Trying to search for this online has proven neigh impossible since CS-->Splunk integration is very common and almost all the search hits focus on ingesting CS logs, not actually running the agent on a Splunk environment.

For reference I have a modestly sized distributed architecture with three search-heads and three indexers (not clustered) in addition to a deployment and multiple forwarders.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

dschroeter
Explorer
‎03-17-2023 06:56 AM

Did you ever got any answer on this?

0 Karma
Reply

Wiessiet
Path Finder
‎03-17-2023 07:02 AM

I never did, no, but I went forward with configuring this myself. I run a test environment for Splunk, so I was able to confirm that there didn't seem to be any adverse affects from running the sensor on my hosts. Since deploying it in production I've had zero issues and zero detections of any kind. I created a dedicated host group with tags to manage my Splunk environment separately (if necessary) but I haven't had to. I have pretty default linux sensor settings and it has been working fine. I'm happy to share any specific configurations I have in place if you need any guidance.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...