Hello,
I have a question about the Splunk Add-on for CrowdStrike FDR developed by Splunk. I would like to filter out events in addition to what the add-on provides, that is, filtering by event_simpleName. My exact use case is that I want to drop events with IsOnRemovableDisk\"\:\"1 in the raw message. I tried to do it using props/transforms applied to the appropriate sourcetype, yet it does not seem to be applied at all, even with a config as simple as this:

props.conf:
[crowdstrike:events:sensor]
TRANSFORMS-usb = do_not_index

transforms.conf:
[do_not_index]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
Although I expected all the events to be dropped, the transform does not get applied, and all the events except those configured with the Event Filter in the add-on are ingested into Splunk.
Am I missing anything there? Is it even possible to filter events in more detail with the Splunk Add-on for CrowdStrike FDR based on the raw data of events?
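As an added illustration, not part of the original post or of the add-on itself, the following Python harness mimics the nullQueue routing decision of a transforms.conf stanza over a handful of constructed FDR-like sensor events, so a REGEX can be checked before it is deployed. The sample events and field values are constructed; the two regexes are the ones from the post, and a third, whitespace-tolerant variant is an assumption added here to show a spacing edge case the raw-string regex would miss.

```python
import json
import re

# Constructed sample events shaped like CrowdStrike FDR sensor JSON (not real data).
SAMPLE_EVENTS = [
    '{"event_simpleName":"ProcessRollup2","aid":"a1","IsOnRemovableDisk":"0"}',
    '{"event_simpleName":"PeFileWritten","aid":"a2","IsOnRemovableDisk":"1"}',
    '{"event_simpleName":"DnsRequest","aid":"a3"}',
    # Same meaning, but a space after the colon: a raw-string regex can miss it.
    '{"event_simpleName": "PeFileWritten", "aid": "a4", "IsOnRemovableDisk": "1"}',
]

# REGEX values as they would appear in transforms.conf. Python raw strings keep the
# backslashes so the regex engine sees \" and \: exactly as Splunk's PCRE would.
REGEX_DROP_ALL = r"."                                   # the catch-all test from the post
REGEX_REMOVABLE = r"IsOnRemovableDisk\"\:\"1"           # the intended filter from the post
REGEX_REMOVABLE_TOLERANT = r'"IsOnRemovableDisk"\s*:\s*"1"'  # assumed variant, tolerates spaces


def route(raw_event: str, regex: str) -> str:
    """Mimic a stanza with DEST_KEY = queue and FORMAT = nullQueue:
    a regex match sends the event to nullQueue, otherwise it stays in indexQueue."""
    return "nullQueue" if re.search(regex, raw_event) else "indexQueue"


def route_all(events, regex):
    """Routing decision for every event, in input order."""
    return [route(e, regex) for e in events]


def field_says_removable(raw_event: str) -> bool:
    """Ground truth from the parsed JSON, independent of raw-string spacing."""
    return json.loads(raw_event).get("IsOnRemovableDisk") == "1"


def regex_misses(events, regex):
    """Events the parsed field flags as removable-disk but the raw regex would still index."""
    return [e for e in events if field_says_removable(e) and route(e, regex) == "indexQueue"]


if __name__ == "__main__":
    for event, queue in zip(SAMPLE_EVENTS, route_all(SAMPLE_EVENTS, REGEX_REMOVABLE)):
        print(queue, event)
    print("missed by raw regex:", regex_misses(SAMPLE_EVENTS, REGEX_REMOVABLE))
    print("missed by tolerant regex:", regex_misses(SAMPLE_EVENTS, REGEX_REMOVABLE_TOLERANT))
```

Running the harness with REGEX = . sends every event to nullQueue, which is the behaviour the post expected from the catch-all test; the fact that the real pipeline indexed everything anyway points at the transform never being evaluated, not at the regex.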