Overview
SA-CrowdStrike Devices for Enterprise Security is a Splunk add-on that bridges CrowdStrike Falcon's device inventory with Splunk Enterprise Security's asset framework. Security teams using ES rely on a rich, accurate asset database to correlate alerts and investigate incidents — this integration automates the population of that database with endpoint data directly from CrowdStrike.
The add-on pulls device records from the CrowdStrike Falcon API, normalizes them to the asset schema ES expects, and writes them into the asset lookup that ES uses to enrich events and notable events with asset attributes and that correlation searches rely on. This eliminates manual CSV uploads and keeps the asset data current as endpoints are added, retired, or changed.
How It Works
A modular input authenticates to the CrowdStrike Falcon API with OAuth2 client credentials and pages through the device inventory. Each device record is transformed so that hostnames, IP addresses, MAC addresses, OS details, and sensor version land in the correct ES asset fields. The add-on handles pagination, rate limiting, and incremental updates, so only records changed since the previous run are re-processed. Two operational points matter for a secure deployment: the Falcon API client should carry only the read scope it needs to list hosts, and its client secret belongs in Splunk's encrypted credential store rather than in a plaintext configuration file. Documentation and configuration guidance are published at the project site.
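The following is an added example and not the add-on's own code: a compact Python sketch of the flow described above, run against a constructed in-memory stand-in for the Falcon API so that it executes offline. The token endpoint, the device query and detail endpoints, the resources/meta.pagination response shape and the FQL modified_timestamp filter follow CrowdStrike's public API documentation; the X-RateLimit-RetryAfter header name, the 100-id detail batch size, the FakeFalcon class, the sample device records and the choice to carry OS and sensor version as category tags are assumptions made for this example, not the add-on's mapping.

```python
# Added example, not the add-on's own code: a Falcon device sync that emits rows
# for the ES asset lookup. Endpoint paths, the resources/meta.pagination response
# shape and the FQL modified_timestamp filter follow CrowdStrike's public API; the
# X-RateLimit-RetryAfter header, the 100-id batch and FakeFalcon are assumptions.
TOKEN_PATH, QUERY_PATH = "/oauth2/token", "/devices/queries/devices/v1"
DETAIL_PATH = "/devices/entities/devices/v1"
ES_ASSET_FIELDS = ["ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long", "city", "country",
                   "bunit", "category", "pci_domain", "is_expected", "should_timesync", "should_update", "requires_av"]

class FakeFalcon:  # constructed in-memory API: one token, paged ids honouring the filter, one 429
    def __init__(self, devices):
        self.devices, self.throttled, self.log = devices, False, []

    def __call__(self, method, path, params, headers):
        self.log.append(f"{method} {path}")
        if path == TOKEN_PATH:
            ok = (params.get("client_id"), params.get("client_secret")) == ("id", "secret")
            return (201, {}, {"access_token": "tok"}) if ok else (403, {}, {})
        if headers.get("Authorization") != "Bearer tok":
            return 401, {}, {}
        if path == QUERY_PATH:
            since = params.get("filter", "modified_timestamp:>''").split("'")[1]
            ids = [d["device_id"] for d in self.devices if d["modified_timestamp"] > since]
            off, lim = params["offset"], params["limit"]
            page = {"offset": off, "limit": lim, "total": len(ids)}
            return 200, {}, {"resources": ids[off:off + lim], "meta": {"pagination": page}}
        if not self.throttled:  # the first detail call is rate-limited
            self.throttled = True
            return 429, {"X-RateLimit-RetryAfter": "2"}, {}
        return 200, {}, {"resources": [d for d in self.devices if d["device_id"] in params["ids"]]}

class FalconClient:
    """OAuth2 client-credentials auth plus paging, re-auth on 401 and backoff on 429."""
    def __init__(self, client_id, client_secret, transport, sleep):
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.transport, self.sleep, self.token = transport, sleep, None

    def _get(self, path, params, attempts=5):
        for _ in range(attempts):
            if self.token is None:  # first call, or a 401 invalidated the token
                status, _, body = self.transport("POST", TOKEN_PATH, self.creds, {})
                if status not in (200, 201):
                    raise PermissionError(f"token request failed: HTTP {status}")
                self.token = body["access_token"]
            status, hdrs, body = self.transport("GET", path, params, {"Authorization": f"Bearer {self.token}"})
            if status == 200:
                return body
            if status == 401:    # expired or revoked: fetch a new token and retry
                self.token = None
            elif status == 429:  # throttled: honour the server's retry interval
                self.sleep(float(hdrs.get("X-RateLimit-RetryAfter", "1")))
            else:
                raise RuntimeError(f"{path}: HTTP {status}")
        raise RuntimeError(f"{path}: gave up after {attempts} attempts")

    def device_ids(self, since="", page_size=2):  # page_size=2 keeps the demo paging; real runs use the API limit
        offset, params = 0, {"limit": page_size}
        if since:  # incremental run: only devices modified after the checkpoint
            params["filter"] = f"modified_timestamp:>'{since}'"
        while True:
            body = self._get(QUERY_PATH, {**params, "offset": offset})
            yield from body["resources"]
            offset += len(body["resources"])
            if not body["resources"] or offset >= body["meta"]["pagination"]["total"]:
                return

    def device_details(self, ids, batch=100):
        for i in range(0, len(ids), batch):
            yield from self._get(DETAIL_PATH, {"ids": ids[i:i + batch]})["resources"]

def to_es_asset(dev):
    """Map one Falcon device record onto the ES asset lookup columns."""
    row, host = dict.fromkeys(ES_ASSET_FIELDS, ""), dev.get("hostname", "")
    row["ip"] = dev.get("local_ip", "")  # not external_ip: a shared NAT egress would alias many hosts
    row["mac"] = dev.get("mac_address", "").replace("-", ":").lower()
    row["nt_host"], row["dns"], row["is_expected"] = host.upper(), host.lower(), "true"
    # ES has no OS or sensor columns; carry them as pipe-separated category tags
    tags = (("os", dev.get("platform_name")), ("osver", dev.get("os_version")), ("sensor", dev.get("agent_version")))
    row["category"] = "|".join(f"{k}:{v}" for k, v in tags if v)
    return row

def sync(client, assets, checkpoint):
    """Fetch devices modified after checkpoint, upsert by device_id, return the new checkpoint."""
    newest = checkpoint
    for dev in client.device_details(list(client.device_ids(since=checkpoint))):
        assets[dev["device_id"]] = to_es_asset(dev)
        newest = max(newest, dev["modified_timestamp"])
    return newest

KEYS = ("device_id", "hostname", "local_ip", "mac_address", "platform_name", "os_version", "agent_version", "modified_timestamp")
DEVICES = [dict(zip(KEYS, v)) for v in (  # constructed sample records
    ("d1", "web-01", "10.0.1.5", "00-11-22-33-44-55", "Linux", "Ubuntu 22.04", "7.10.0", "2024-05-01T10:00:00Z"),
    ("d2", "fin-laptop-7", "10.0.2.20", "AA-BB-CC-DD-EE-FF", "Windows", "Windows 11", "7.11.0", "2024-05-02T08:30:00Z"),
    ("d3", "db-01", "10.0.3.8", "12-34-56-78-9A-BC", "Linux", "RHEL 9", "7.10.0", "2024-05-03T12:00:00Z"))]

def demo():
    api, waited = FakeFalcon([dict(d) for d in DEVICES]), []
    client, assets = FalconClient("id", "secret", api, waited.append), {}
    cp1 = sync(client, assets, "")  # full load: three devices over two pages, one 429 absorbed
    api.devices[0].update(agent_version="7.12.0", modified_timestamp="2024-05-04T09:00:00Z")
    cp2 = sync(client, assets, cp1)  # incremental: only web-01 is re-fetched
    return assets, cp1, cp2, api.log, waited
```

Calling demo() performs a full load (three devices over two query pages, with the single 429 absorbed by the back-off) and then an incremental run in which only the device whose modified_timestamp advanced past the checkpoint is fetched again; the checkpoint returned by sync is what a real modular input would persist between runs. Every returned row carries all columns of the ES asset lookup, so the rows can be written straight to the lookup CSV.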