SA-CrowdStrike Identities for ES

Splunk Enterprise Security add-on that populates the identity framework with CrowdStrike user and identity data.

Tags: Splunk, Enterprise Security, CrowdStrike, Identity

Overview

SA-CrowdStrike Identities for Enterprise Security extends CrowdStrike Falcon Identity Protection into Splunk's identity framework. Where the device add-on focuses on endpoints, this integration surfaces user and account data — giving SOC analysts the ability to correlate authentication events, lateral movement alerts, and behavioral anomalies against a known-good identity baseline sourced from CrowdStrike.

Splunk ES's identity framework enriches events with user metadata at search time. By keeping that framework populated with CrowdStrike's identity intelligence, analysts get richer context on every alert: which user, what roles they hold, whether they're flagged as high-risk, and what devices they're associated with.

How It Works

The add-on authenticates to the CrowdStrike Falcon Identity Protection API and retrieves user and account records. Each record is normalized to the ES identity schema: display names, email addresses, account types, and associated device relationships are mapped to the corresponding identity lookup fields. The integration runs on a configurable schedule and performs incremental updates, so the identity lookup stays fresh without overloading the API. Full configuration and usage documentation is published at the project site.
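As an added illustration of the normalize-and-update steps described above (example code written for this page, not the add-on's own), the following Python maps an identity record onto the Splunk ES identity lookup fields, applies an incremental batch with upserts and deletions, and serializes the result as lookup CSV. The input record keys (samAccountName, upn, riskSeverity, isHumanUser, deleted) are a constructed assumption and not the Falcon Identity Protection API schema; the column names are Splunk's documented identity lookup fields.

```python
import csv
import io

ES_IDENTITY_FIELDS = [  # Splunk ES identity lookup columns, in the documented order
    "identity", "prefix", "nick", "first", "last", "suffix", "email", "phone", "phone2",
    "managedBy", "priority", "bunit", "category", "watchlist", "startDate", "endDate",
    "work_city", "work_country", "work_lat", "work_long",
]
SAMPLE_BATCH = [  # constructed records; NOT the real Falcon Identity Protection API schema
    {"samAccountName": "jdoe", "upn": "jdoe@corp.example", "email": "jdoe@corp.example",
     "firstName": "Jane", "lastName": "Doe", "riskSeverity": "HIGH", "roles": ["Domain Admins"]},
    {"samAccountName": "svc-backup", "upn": "svc-backup@corp.example", "isHumanUser": False},
    {"samAccountName": "olduser", "deleted": True},
]

def normalize_identity(record: dict) -> dict:
    """Map one record onto ES identity lookup fields; ES matches events on any `|`-separated alias."""
    aliases = [record.get("samAccountName"), record.get("upn"), record.get("email")]
    identity = "|".join(dict.fromkeys(a for a in aliases if a))  # de-duplicated, order kept
    risk = (record.get("riskSeverity") or "").lower()
    categories = list(record.get("roles", []))
    if record.get("isHumanUser") is False:
        categories.append("service_account")
    return {
        "identity": identity, "email": record.get("email", ""),
        "first": record.get("firstName", ""), "last": record.get("lastName", ""),
        "priority": risk if risk in ("low", "medium", "high", "critical") else "unknown",
        "category": "|".join(categories),
        "watchlist": "true" if risk in ("high", "critical") else "false",  # flag high-risk accounts
    }

def merge_incremental(existing: dict, batch: list) -> dict:
    """Apply one incremental batch: upsert by primary alias, drop deleted accounts."""
    for rec in batch:
        row = normalize_identity(rec)
        key = row["identity"].split("|")[0]
        if not key: continue  # unkeyed record: nothing ES could ever match on
        if rec.get("deleted"):
            existing.pop(key, None)
        else:
            existing[key] = row
    return existing

def to_lookup_csv(rows: dict) -> str:
    """Serialize merged rows in the CSV layout the ES identity lookup expects."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=ES_IDENTITY_FIELDS, restval="", lineterminator="\n")
    w.writeheader()
    w.writerows(sorted(rows.values(), key=lambda r: r["identity"]))
    return buf.getvalue()
```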