This data pipeline extracts Event Stream logs from CrowdStrike using the Falcon API.
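# Each run covers a bounded time window; its bounds are exposed to the
# requests below as ${temporalWindow.from} / ${temporalWindow.to}.
withTemporalWindow: true
temporalWindow:
  duration: 5m
  # NOTE(review): offset of 0 presumably means no lag before a window is
  # queried — confirm against the runtime's semantics for this key.
  offset: 0
  # Window bounds are rendered as UTC RFC3339 timestamps, which is the
  # form expected by the created_timestamp filter in the enumeration phase.
  tz: UTC
  format: RFC3339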
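# OAuth2 client-credentials grant against the Falcon token endpoint.
# Credentials are referenced from the secret store (${secrets.*}) rather
# than inlined, so this file can be committed without exposing them.
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/oauth2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    # Path into the token response from which the bearer token is read.
    tokenPath: ".access_token"
    # The token is sent on every subsequent request as
    # "Authorization: Bearer <token>".
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''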
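# Enumeration: page through the Alerts query endpoint with offset/limit
# and collect every ".resources" entry (presumably alert IDs — confirm)
# for the current time window.
# NOTE(review): these are the /alerts/... endpoints; the description at
# the top of this file refers to Event Stream logs — confirm which source
# is intended.
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 100
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/alerts/queries/alerts/v2
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
      # Restrict results to the current window. Quoted because the value
      # contains ':', '>', '<' and single quotes, which are YAML indicators
      # and would otherwise depend on plain-scalar parsing rules.
      # NOTE(review): no sort parameter is set; with offset pagination and no
      # explicit ordering, pages may overlap or skip results if the API's
      # default order is not stable — confirm.
      - name: filter
        value: "created_timestamp:>'${temporalWindow.from}'+created_timestamp:<'${temporalWindow.to}'"
  output:
    select: ".resources"
    map: "."
    # The whole set of IDs is handed to the collection phase as one value.
    outputMode: collection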
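# Collection: resolve the IDs gathered in the enumeration phase into full
# alert records with a single POST to the entities endpoint, then emit
# each returned record individually.
collectionPhase:
  variables:
    # The enumeration output, serialised as JSON, becomes ${inputs.resources}.
    - source: input
      name: resources
      expression: "."
      format: "json"
  paginationType: none
  request:
    method: POST
    url: ${parameters.domain}/alerts/entities/alerts/v2
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    # NOTE(review): ${inputs.resources} is interpolated verbatim into the raw
    # JSON body; this relies on the enumeration output rendering as a JSON
    # array of IDs — confirm the runtime's json formatting for the variable.
    bodyRaw: |
      {
        "composite_ids": ${inputs.resources}
      }
  output:
    select: ".resources"
    map: "."
    # One output event per alert record.
    outputMode: element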
The parser extracts individual fields from the CrowdStrike JSON into more detailed fields, including status, data and index.