CMSchelin,

The CrowdStrike TAs must be deployed locally as opposed to through a deployment server. This is in part because the credentials are stored locally - which is why the workaround you attempted did not work. The API Secret value is stored in the KV store and is encrypted. This is to prevent the exact scenario that you are attempting to do - simply copy the passwords.conf file over. If that was something that was possible, then anyone could pull that file, drop it into a Splunk system and collect your data - attacker, competitor, former employee, etc. The encryption keys from the original Splunk system are what's needed to decrypt that information.

Thanks,
Tim