# CrowdStrike Event Stream Logs - Falcon API

This data pipeline extracts the Event Stream logs from CrowdStrike technology using the Falcon API.

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2F6LE5BQ8rH02qgnh6ZJNA%2F2025-06-10_11-45-39.png?alt=media&#x26;token=0cc1c7fb-b5d7-4d27-8ebd-68c7f7c87809" alt=""><figcaption></figcaption></figure>

This Pipeline integrates with logs from the CrowdStrike Platform using the [**HTTP Pull**](https://docs.onum.com/marketplace/falcon-onum-marketplace/pulling-pipelines/broken-reference) Listener, transforming them from JSON to CSV format.

## Listen

The Listener pulls events using the **Configure as YAML** option, using the following YAML:

```yaml
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 0
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/oauth2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 100
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/alerts/queries/alerts/v2
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
      - name: filter
        value: created_timestamp:>'${temporalWindow.from}'+created_timestamp:<'${temporalWindow.to}'
  output:
    select: ".resources"
    map: "."
    outputMode: collection
collectionPhase:
  variables:
    - source: input
      name: resources
      expression: "."
      format: "json"
  paginationType: none
  request:
    method: POST
    url: ${parameters.domain}/alerts/entities/alerts/v2
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "composite_ids": ${inputs.resources}
      }
  output:
    select: ".resources"
    map: "."
    outputMode: element
```

{% hint style="info" %}
See the dedicated article on how to set up Falcon API connection [here](https://docs.onum.com/marketplace/falcon-onum-marketplace/pulling-pipelines/broken-reference).
{% endhint %}
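To make the three phases encoded in the YAML above concrete (token request, offset/limit enumeration of alert IDs inside the temporal window, then a batched POST for the full alert records), here is an added Python walkthrough of the same flow. It is example code written for this page, not Onum's listener implementation and not CrowdStrike's SDK. The HTTP layer is an injectable `transport` callable, and the included fake transport, sample alerts and `https://api.example.invalid` domain are constructed so the script runs offline; the rule that a page shorter than `limit` ends enumeration is an assumption of this example, not something the page states.

```python
"""Two-phase Falcon alert pull mirroring the listener YAML, runnable offline."""
import json
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, List, Optional

# transport(method, url, headers, query_params, body) -> parsed JSON dict.
# A real deployment would wrap requests/urllib here; the fake below stands in for it.
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, str]], Optional[Any]], Dict[str, Any]]


def temporal_window(now: datetime, duration: timedelta, offset: timedelta = timedelta(0)):
    """(from, to) as RFC 3339 UTC strings, like the temporalWindow block (now must be tz-aware)."""
    to = (now - offset).astimezone(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return (to - duration).strftime(fmt), to.strftime(fmt)


def fetch_token(transport: Transport, domain: str, client_id: str, client_secret: str) -> str:
    """OAuth2 client-credentials request; tokenPath ".access_token" selects the bearer token."""
    resp = transport("POST", f"{domain}/oauth2/token",
                     {"Content-Type": "application/x-www-form-urlencoded"}, None,
                     {"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    return resp["access_token"]


def enumerate_alert_ids(transport: Transport, domain: str, token: str,
                        window_from: str, window_to: str, limit: int = 100) -> List[str]:
    """Enumeration phase: page through /alerts/queries/alerts/v2 and collect .resources."""
    headers = {"Authorization": f"Bearer {token}"}
    fltr = f"created_timestamp:>'{window_from}'+created_timestamp:<'{window_to}'"
    ids: List[str] = []
    offset = 0
    while True:
        resp = transport("GET", f"{domain}/alerts/queries/alerts/v2", headers,
                         {"offset": str(offset), "limit": str(limit), "filter": fltr}, None)
        page = resp.get("resources", [])
        ids.extend(page)
        if len(page) < limit:   # assumption: a short (or empty) page is the last one
            return ids
        offset += limit


def collect_alerts(transport: Transport, domain: str, token: str,
                   ids: List[str], batch: int = 100) -> List[dict]:
    """Collection phase: POST composite_ids and emit each alert in .resources as one element."""
    headers = {"Authorization": f"Bearer {token}",
               "Accept": "application/json", "Content-Type": "application/json"}
    alerts: List[dict] = []
    for i in range(0, len(ids), batch):
        body = json.dumps({"composite_ids": ids[i:i + batch]})
        resp = transport("POST", f"{domain}/alerts/entities/alerts/v2", headers, None, body)
        alerts.extend(resp.get("resources", []))
    return alerts


def pull_alerts(transport: Transport, domain: str, client_id: str, client_secret: str,
                now: datetime, duration: timedelta = timedelta(minutes=5), limit: int = 100) -> List[dict]:
    """Run the whole listener cycle once and return the detailed alert records."""
    token = fetch_token(transport, domain, client_id, client_secret)
    window_from, window_to = temporal_window(now, duration)
    ids = enumerate_alert_ids(transport, domain, token, window_from, window_to, limit)
    return collect_alerts(transport, domain, token, ids, limit)


# ---- constructed fake API so the flow can be exercised without a Falcon tenant ----
def make_fake_transport(alerts_by_id: Dict[str, dict]) -> Transport:
    def transport(method, url, headers, params, body):
        if url.endswith("/oauth2/token"):
            assert body["grant_type"] == "client_credentials"
            return {"access_token": "fake-token"}
        if headers.get("Authorization") != "Bearer fake-token":
            return {"errors": [{"code": 401, "message": "unauthorized"}]}   # no resources key
        if url.endswith("/alerts/queries/alerts/v2"):   # the fake ignores the filter string
            all_ids = sorted(alerts_by_id)
            off, lim = int(params["offset"]), int(params["limit"])
            return {"resources": all_ids[off:off + lim]}
        if url.endswith("/alerts/entities/alerts/v2"):
            wanted = json.loads(body)["composite_ids"]
            return {"resources": [alerts_by_id[i] for i in wanted if i in alerts_by_id]}
        raise ValueError(f"unexpected URL in fake transport: {url}")
    return transport


# constructed sample alerts (not real Falcon output)
FAKE_ALERTS = {f"alert-{n:03d}": {"composite_id": f"alert-{n:03d}", "status": "new", "severity": 10 * n}
               for n in range(7)}

if __name__ == "__main__":
    run_at = datetime(2025, 6, 10, 11, 45, 39, tzinfo=timezone.utc)
    rows = pull_alerts(make_fake_transport(FAKE_ALERTS), "https://api.example.invalid",
                       "client-id-placeholder", "client-secret-placeholder", run_at, limit=3)
    print(len(rows), "alerts;", "pages of 3 exercised the offset/limit loop")
```

Running with `limit=3` against seven fake alerts forces three enumeration pages (3, 3, 1) and three collection batches, which is the behaviour the `paginationType: offsetLimit` and `outputMode: element` settings produce in the listener.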

## Transform CrowdStrike data

### Parser

The parser extracts the individual fields coming from the CrowdStrike JSON into more detailed fields, including status, data and index.

<figure><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FrME4KsGHSD8S9Fc5SZVE%2Fdark-large%20(25).png?alt=media&#x26;token=82a4506e-5c2a-496d-ad20-f1237ba17ec7" alt=""><figcaption></figcaption></figure>

### Message Builder

We use the [**Message Builder**](https://docs.onum.com/the-workspace/pipelines/actions/formatting/message-builder) action to transform the fields to CSV format, using a comma as the delimiter.

Select **CSV** as the **output format**, and you can now send your CSV containing CrowdStrike logs to your preferred destination using a sink.
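The JSON-to-CSV step above hides two details that matter when alert records feed a downstream tool: nested objects must be flattened into one cell per column, and values that themselves contain the comma delimiter must be quoted or the row breaks. The following added Python example (written for this page, not the Message Builder's own code) shows one way to do both with the standard `csv` module; the `SAMPLE_ALERTS` records and their field names are constructed for the demonstration and are not real Falcon output.

```python
"""Flatten nested alert JSON into comma-delimited CSV with correct quoting."""
import csv
import io
import json
from typing import Any, Dict, List


def flatten(obj: Any, prefix: str = "") -> Dict[str, str]:
    """Turn nested dicts into dotted column names; lists stay as JSON text in one cell."""
    out: Dict[str, str] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        out[prefix.rstrip(".")] = json.dumps(obj, separators=(",", ":"))
    else:
        out[prefix.rstrip(".")] = "" if obj is None else str(obj)
    return out


def records_to_csv(records: List[dict], delimiter: str = ",") -> str:
    """Build one CSV document whose header is the union of all flattened keys (first-seen order)."""
    flat_rows = [flatten(r) for r in records]
    columns: List[str] = []
    for row in flat_rows:
        for key in row:
            if key not in columns:
                columns.append(key)
    buf = io.StringIO()
    # QUOTE_MINIMAL quotes only cells containing the delimiter, quotes or newlines;
    # restval fills columns a given record lacks so every row has the same width.
    writer = csv.DictWriter(buf, fieldnames=columns, delimiter=delimiter,
                            restval="", quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(flat_rows)
    return buf.getvalue()


def csv_to_records(text: str, delimiter: str = ",") -> List[Dict[str, str]]:
    """Parse the CSV back, used here to prove the quoting round-trips cleanly."""
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))


# constructed sample records; field names are illustrative only
SAMPLE_ALERTS = [
    {"composite_id": "alert-001", "status": "new", "severity": 70,
     "description": "Process ran with args a, b, c",
     "device": {"hostname": "host-a", "platform_name": "Windows"},
     "tags": ["x", "y"]},
    {"composite_id": "alert-002", "status": "closed", "severity": 30,
     "device": {"hostname": "host-b"},
     "tags": []},
]

if __name__ == "__main__":
    print(records_to_csv(SAMPLE_ALERTS))
```

Note that the second record has no `description` and no `device.platform_name`; the union header keeps the columns aligned and those cells are simply empty, which is what a SIEM or spreadsheet expects rather than a shorter row.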
