
Quick Start

Important

This supporting add-on must be installed alongside Splunk Enterprise Security. Ensure the prerequisites have been completed before proceeding.

This add-on has a savedsearch and identity configuration input enabled by default.

Overview

  1. Update default macro.
  2. Force Initial Build.
  3. Enable identity correlation.
  4. (optional) Disable existing identity sources.
  5. (optional) Update default savedsearch schedule.

Update default macro

Danger, Will Robinson

Failure to update the macro to the correct setting will cause no identities to be available in Splunk Enterprise Security.

Macro: sa_crowdstrike_identities_index
Default: index=crowdstrike
Description: Index definition for the CrowdStrike identity index.

Update Macro Procedure

Update the index definition to the correct index that contains the crowdstrike:identities sourcetype.

Perform one of the following:

  1. (recommended) Update via Splunk ES General Settings.
  2. Update via Macro Definition.

ES General Settings

Option 1 (recommended)

  1. (In Splunk Enterprise Security) Navigate to Configure > General > General Settings.
  2. From the "App" dropdown select SA-CrowdStrikeIdentities.
  3. Update the SA-CrowdStrikeIdentities Index definition and click "Save."

Macro Definition

Option 2

  1. Navigate to Settings > Advanced Search > Search Macros.
  2. From the "App" dropdown choose SA-CrowdStrikeIdentities.
  3. Set the "Owner" dropdown to any.
  4. Click the macro named sa_crowdstrike_identities_index to update the index definition.
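Because a wrong index definition silently leaves Enterprise Security with no identities, it is worth verifying the setting from the search bar. The two searches below are an added check written for this page, not part of the add-on itself; they assume the default sourcetype crowdstrike:identities named above and are run on the search head where SA-CrowdStrikeIdentities is installed.

```spl
| tstats count where earliest=-24h sourcetype="crowdstrike:identities" by index

`sa_crowdstrike_identities_index` sourcetype="crowdstrike:identities" earliest=-24h
| stats count AS identity_events, max(_time) AS most_recent
```

The first search lists every index that has received crowdstrike:identities events in the last 24 hours, which is the value the macro should point at. The second search expands the macro as the saved search does; if it returns zero events while the first search shows data, the macro still points at the wrong index and the lookup build will produce nothing.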

Force Initial Build

The initial build of the CrowdStrike identities will not occur until the first scheduled runtime (see Update default savedsearch schedule). To force the initial build perform the following:

  1. Navigate to Settings > Searches, reports, and alerts.
  2. Set the "App" dropdown to SA-CrowdStrikeIdentities.
  3. Set the "Owner" dropdown to All.
  4. Click "Run" under actions for the search CrowdStrike Identities Lookup - Gen.

Note

The search will run in a new tab over the default time period of 60 minutes. Expand the time frame to a larger window if the number of identities in the last 60 minutes does not seem accurate. The default search is configured to run hourly to continually append new identities reported from CrowdStrike.


Enable asset correlation

Confirm asset correlation has been set up in Enterprise Security.

  1. Navigate to Enterprise Security > Configure > Data Enrichment > Asset and Identity Management.
  2. Switch to the "Correlation Setup" tab.
  3. Either enable for all sourcetypes (Recommended) or selectively by sourcetype.
    • If you choose to enable select sourcetypes, ensure the stash sourcetype is also selected so Notable events will be enriched with asset information.
  4. Save.

Disable existing identity sources

optional

You may already have existing identity lookups defined. If CrowdStrike is the main "source of truth" in your environment, those existing lookups may no longer be needed.


Update default savedsearch schedule

optional

The default saved search runs on the 29th minute of every hour to update and continually build the CrowdStrike identities. To update the default schedule perform the following steps:

  1. Navigate to Settings > Searches, reports, and alerts.
  2. Set the "App" dropdown to SA-CrowdStrikeIdentities.
  3. Set the "Owner" dropdown to All.
  4. Click "Edit" under actions for the search CrowdStrike Identities Lookup - Gen.
  5. Click "Edit Schedule" and update the schedule as necessary.
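After changing the schedule, the scheduler's own log confirms that the saved search is actually running at the new time. This search is an added example, not part of the add-on's documentation; it assumes the default search name "CrowdStrike Identities Lookup - Gen" from the steps above and that _internal is searchable from this search head.

```spl
index=_internal sourcetype=scheduler savedsearch_name="CrowdStrike Identities Lookup - Gen" earliest=-24h
| stats count AS runs, latest(_time) AS last_run, latest(status) AS last_status, avg(run_time) AS avg_run_seconds
| eval last_run=strftime(last_run, "%Y-%m-%d %H:%M:%S")
```

With the default schedule you should see roughly one run per hour at minute 29 with a status of success; a status of skipped or an absent last_run indicates the schedule is not taking effect, and a growing avg_run_seconds suggests the time window or index scope should be revisited.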

Last update: June 9, 2023