# CrowdStrike Event Stream Logs - Falcon API

This data pipeline pulls alert data from the CrowdStrike Falcon platform through the Falcon API. Note that the listener configuration below queries the Falcon Alerts endpoints (`/alerts/queries/alerts/v2` to enumerate alert IDs, then `/alerts/entities/alerts/v2` to fetch the full records) rather than the Event Streams API, so each run collects the alerts created in its time window.

<figure><img src="/files/Bn9SeXzQ065rDpzs58uO" alt=""><figcaption></figcaption></figure>

This pipeline ingests logs from the CrowdStrike platform using the [**HTTP Pull**](broken://pages/bZ07iBY7MKqfhB9A0NAf) listener and transforms them from JSON to CSV format.

## Listen

The listener is defined through the **Configure as YAML** option, using the following YAML:

```yaml
# Each run covers a sliding 5-minute window; ${temporalWindow.from} and
# ${temporalWindow.to} are rendered as RFC3339 timestamps in UTC.
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 0
  tz: UTC
  format: RFC3339
# OAuth2 client-credentials grant. The client ID and secret are read from the
# secrets store, and the returned access_token is sent as a Bearer header.
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/oauth2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
# Enumeration phase: page (offset/limit) through the composite IDs of alerts
# created inside the window. The FQL filter uses '+' as AND.
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 100
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/alerts/queries/alerts/v2
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
      - name: filter
        value: created_timestamp:>'${temporalWindow.from}'+created_timestamp:<'${temporalWindow.to}'
  output:
    select: ".resources"
    map: "."
    outputMode: collection
# Collection phase: POST the collected IDs back to fetch the full alert entities,
# emitting one event per alert.
collectionPhase:
  variables:
    - source: input
      name: resources
      expression: "."
      format: "json"
  paginationType: none
  request:
    method: POST
    url: ${parameters.domain}/alerts/entities/alerts/v2
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "composite_ids": ${inputs.resources}
      }
  output:
    select: ".resources"
    map: "."
    outputMode: element
```

{% hint style="info" %}
See the dedicated article on how to set up the Falcon API connection [here](broken://pages/UDDxFv2wkcg71qSKpTXr). The `domain` parameter must be the API base URL of the Falcon cloud your tenant lives in (for example `https://api.crowdstrike.com`), and the API client behind `client_id`/`client_secret` needs read access to Alerts. Keep both values in secrets, as the YAML does, rather than inlining them.
{% endhint %}
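To make the listener's two phases concrete, here is an added Python example (not Onum's or CrowdStrike's code) that performs the same pull: a client-credentials token request, the FQL `created_timestamp` window filter, offset/limit enumeration of composite IDs, and the POST to `/alerts/entities/alerts/v2` for the full records. The HTTP layer is a constructed in-memory stand-in for the API (`make_fake_transport`), and the domain, client ID and secret values are placeholders, so it runs offline. The batch size for the entities request and the stop-on-short-page rule are this example's own choices, not something the Falcon API or the listener documents.

```python
# Added example, not Onum's or CrowdStrike's code: the same two-phase Falcon Alerts
# pull the YAML listener describes, behind a transport(method, url, headers, params,
# body) callable so it runs offline against a constructed stand-in for the API.
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode

RFC3339 = "%Y-%m-%dT%H:%M:%SZ"
# Constructed 5-minute window (temporalWindow.duration: 5m, tz: UTC, offset: 0).
WINDOW_END = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
WINDOW_START = WINDOW_END - timedelta(minutes=5)

def fql_window(start, end):
    """The listener's FQL filter: '+' means AND, boundaries are strict, RFC3339 in UTC."""
    return (f"created_timestamp:>'{start.strftime(RFC3339)}'"
            f"+created_timestamp:<'{end.strftime(RFC3339)}'")

class FalconAlertsPuller:
    def __init__(self, domain, client_id, client_secret, transport, limit=100):
        self.domain, self.transport, self.limit = domain, transport, limit
        self.client_id, self.client_secret = client_id, client_secret

    def _token(self):
        """OAuth2 client-credentials grant, form-encoded, as in the `authentication` block."""
        status, body = self.transport(
            "POST", f"{self.domain}/oauth2/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, None,
            urlencode({"grant_type": "client_credentials", "client_id": self.client_id,
                       "client_secret": self.client_secret}))
        if status // 100 != 2:
            raise RuntimeError(f"token request failed: {status} {body}")
        return body["access_token"]  # tokenPath: .access_token

    def enumerate_ids(self, headers, start, end):
        """Enumeration phase: offset/limit pages of composite IDs created in the window."""
        ids, offset = [], 0
        while True:
            params = {"offset": offset, "limit": self.limit, "filter": fql_window(start, end)}
            status, body = self.transport("GET", f"{self.domain}/alerts/queries/alerts/v2",
                                          headers, params, None)
            if status != 200:
                raise RuntimeError(f"alert query failed: {status} {body}")
            page = body.get("resources", [])
            ids.extend(page)
            if len(page) < self.limit:  # a short page ends the enumeration (our rule)
                return ids
            offset += self.limit

    def fetch_alerts(self, headers, ids):
        """Collection phase: POST the IDs back to receive the full alert entities."""
        alerts = []
        for i in range(0, len(ids), self.limit):  # batch size is this example's choice
            status, body = self.transport(
                "POST", f"{self.domain}/alerts/entities/alerts/v2",
                {**headers, "Accept": "application/json", "Content-Type": "application/json"},
                None, json.dumps({"composite_ids": ids[i:i + self.limit]}))
            if status != 200:
                raise RuntimeError(f"alert fetch failed: {status} {body}")
            alerts.extend(body.get("resources", []))
        return alerts

    def pull(self, start, end):
        headers = {"Authorization": f"Bearer {self._token()}"}  # authInjection: header, 'Bearer '
        ids = self.enumerate_ids(headers, start, end)
        return self.fetch_alerts(headers, ids) if ids else []

def make_fake_transport(total_alerts, client_id="id-123", client_secret="secret-xyz"):
    """Constructed stand-in for the Falcon API holding `total_alerts` alerts in the window."""
    ids = [f"aid:ind:{i:04d}" for i in range(total_alerts)]  # placeholder composite IDs
    calls = []
    def transport(method, url, headers, params, body):
        calls.append((method, url.split("/", 3)[-1]))
        if url.endswith("/oauth2/token"):
            form = dict(parse_qsl(body))
            granted = (form.get("grant_type"), form.get("client_id"), form.get("client_secret"))
            if granted != ("client_credentials", client_id, client_secret):
                return 401, {"errors": [{"message": "invalid client"}]}
            return 201, {"access_token": "tok-abc", "expires_in": 1799}
        if headers.get("Authorization") != "Bearer tok-abc":
            return 403, {"errors": [{"message": "access denied"}]}
        if url.endswith("/alerts/queries/alerts/v2"):
            assert params["filter"].startswith("created_timestamp:>'")
            off, lim = int(params["offset"]), int(params["limit"])
            return 200, {"resources": ids[off:off + lim]}
        if url.endswith("/alerts/entities/alerts/v2"):
            wanted = json.loads(body)["composite_ids"]
            return 200, {"resources": [{"composite_id": c, "status": "new", "severity": 50}
                                       for c in wanted]}
        return 404, {}
    transport.calls = calls
    return transport

def demo(total_alerts=150):
    """One 5-minute pull against the stand-in; returns the alerts and the HTTP calls made."""
    transport = make_fake_transport(total_alerts)
    puller = FalconAlertsPuller("https://api.crowdstrike.com", "id-123", "secret-xyz", transport)
    return {"alerts": puller.pull(WINDOW_START, WINDOW_END), "calls": transport.calls}
```

With 150 alerts in the window, `demo()` makes five calls: one token request, two enumeration pages (100 then 50) and two entity fetches. Against the real API the transport would be an HTTPS client, and a fresh token is requested on every pull because the `expires_in` the token endpoint returns is short. Two things worth checking in production: the filter uses strict `>` and `<`, so an alert whose `created_timestamp` falls exactly on a window boundary matches neither the window ending there nor the one starting there; and alerts created in the last seconds of a window may not yet be queryable when the pull runs, which is what `temporalWindow.offset` exists to absorb.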

## Transform CrowdStrike data

### Parser

The Parser action breaks the JSON returned by the listener into individual fields, including status, data and index.

<figure><img src="/files/3x8UgOWn0V1weL6JclVo" alt=""><figcaption></figcaption></figure>

### Message Builder

We use the [**Message Builder**](/the-workspace/pipelines/actions/formatting/message-builder.md) action to transform the fields to CSV format, using a comma as the delimiter.

Select **CSV** as the **output format**. The resulting CSV records containing the CrowdStrike alerts can then be sent to your preferred destination using a sink.
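As an added example (not Onum's own code), the following Python performs the same JSON-to-CSV step the Parser and Message Builder actions do: nested alert objects are flattened to dotted column names, arrays are kept as one JSON-encoded cell, and the header is the union of fields seen across records so rows stay aligned even when alerts carry different fields. It also goes one step further than the page: hostnames, file names and command lines in alert data are attacker-influenced, so cells beginning with `=`, `+`, `-`, `@`, tab or CR are prefixed with a quote to stop a spreadsheet that opens the CSV from evaluating them as formulas. The sample records are constructed and only loosely shaped like Falcon alert entities.

```python
# Added example, not Onum's own code: the JSON-to-CSV step that the Parser and
# Message Builder actions perform, done in plain Python on constructed alert records.
import csv
import io
import json

# Constructed records, loosely shaped like Falcon alert entities; the second hostname
# is deliberately a spreadsheet formula to show why cells need neutralising.
SAMPLE_ALERTS = [
    {"composite_id": "aid:ind:0001", "status": "new", "severity": 70,
     "device": {"hostname": "WS-01", "platform_name": "Windows"},
     "tactic": "Execution", "technique": "PowerShell",
     "files_written": ["C:\\Temp\\a.exe"]},
    {"composite_id": "aid:ind:0002", "status": "in_progress", "severity": 30,
     "device": {"hostname": '=HYPERLINK("http://evil.example")', "platform_name": "Linux"},
     "tactic": "Persistence"},
]

def flatten(obj, prefix=""):
    """Flatten nested dicts to dotted keys; arrays stay as one JSON cell so nothing is dropped."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        elif isinstance(value, list):
            out[name] = json.dumps(value)
        else:
            out[name] = "" if value is None else value
    return out

def neutralise(cell):
    """Prefix formula-looking text with a quote so spreadsheets treat it as literal text."""
    if isinstance(cell, str) and cell[:1] in ("=", "+", "-", "@", "\t", "\r"):
        return "'" + cell
    return cell

def alerts_to_csv(alerts, delimiter=",", neutralise_formulas=True):
    """Header is the union of fields in first-seen order, so heterogeneous alerts stay aligned."""
    rows = [flatten(alert) for alert in alerts]
    header = []
    for row in rows:
        for key in row:
            if key not in header:
                header.append(key)
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=delimiter, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        cells = [row.get(key, "") for key in header]  # missing fields become empty cells
        writer.writerow([neutralise(c) for c in cells] if neutralise_formulas else cells)
    return buf.getvalue()
```

The `csv` module handles quoting, so a cell containing the delimiter, a quote or a newline is wrapped and its inner quotes doubled, and a downstream CSV reader recovers the original value. The formula prefix is only needed when the CSV may be opened in a spreadsheet; for a SIEM or data-lake sink, pass `neutralise_formulas=False` so the stored value matches the alert exactly.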


