CrowdStrike Event Stream Logs - Falcon API

This data pipeline extracts Event Stream logs from CrowdStrike Falcon using the Falcon API. The YAML below pulls alerts through the Alerts API: alert IDs are queried from /alerts/queries/alerts/v2 and the full alert records are fetched from /alerts/entities/alerts/v2.

This pipeline integrates with logs from the CrowdStrike platform using the HTTP Pull Listener, transforming them from JSON to CSV format.

Listen

The Listener pulls events using the Configure as YAML option with the YAML below. It runs in three stages: the authentication block exchanges the API client ID and secret for an OAuth2 bearer token (client-credentials grant), the enumeration phase pages through the IDs of alerts whose created_timestamp falls inside the temporal window (the two filter conditions are joined with +, which is FQL AND), and the collection phase posts those composite_ids to the entities endpoint to retrieve the full alert records. ${parameters.domain} is the Falcon API base URL for your cloud. Keep client_id and client_secret in the secrets store as shown rather than writing them into the YAML, and grant the API client only the Alerts read scope it needs. Both timestamp comparisons in the filter are strict, so check that consecutive temporal windows do not leave a gap between runs.

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 0
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/oauth2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 100
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/alerts/queries/alerts/v2
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
      - name: filter
        value: created_timestamp:>'${temporalWindow.from}'+created_timestamp:<'${temporalWindow.to}'
  output:
    select: ".resources"
    map: "."
    outputMode: collection
collectionPhase:
  variables:
    - source: input
      name: resources
      expression: "."
      format: "json"
  paginationType: none
  request:
    method: POST
    url: ${parameters.domain}/alerts/entities/alerts/v2
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "composite_ids": ${inputs.resources}
      }
  output:
    select: ".resources"
    map: "."
    outputMode: element

See the dedicated article on how to set up the Falcon API connection here.
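The same three stages as the YAML, written out in Python so the flow can be traced and tested offline. This is an added example, not the listener's or CrowdStrike's own code: HTTP goes through a transport(method, url, headers, params, data) callable returning (status, json_body), the FakeFalcon class is a constructed stand-in whose response shapes follow the Alerts API (meta.pagination.total and resources) but whose alerts, token and secret are invented, and DOMAIN is a placeholder for the real base URL. It also handles two things the YAML leaves implicit: stopping pagination when the page is empty even if the reported total is wrong, and batching composite_ids for the entities POST.

```python
"""Two-phase Falcon alert pull: OAuth2 token -> paged alert IDs -> alert entities.

Added example, not the listener's or CrowdStrike's code.  HTTP sits behind a
transport(method, url, headers, params, data) -> (status, json_body) callable,
so the flow runs offline against the constructed FakeFalcon below; plug in a
real HTTP client for production.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse, parse_qs

RFC3339 = "%Y-%m-%dT%H:%M:%SZ"


def temporal_window(now, duration=timedelta(minutes=5), offset=timedelta(0)):
    """Same shape as withTemporalWindow: [now - offset - duration, now - offset) in UTC."""
    to = now.astimezone(timezone.utc) - offset
    frm = to - duration
    return frm.strftime(RFC3339), to.strftime(RFC3339)


def get_token(transport, domain, client_id, client_secret):
    """OAuth2 client-credentials grant; the secret travels only in the POST body."""
    status, body = transport(
        "POST", f"{domain}/oauth2/token",
        {"Content-Type": "application/x-www-form-urlencoded"}, None,
        urlencode({"grant_type": "client_credentials",
                   "client_id": client_id, "client_secret": client_secret}))
    if status not in (200, 201) or "access_token" not in body:
        raise RuntimeError(f"token request failed: HTTP {status} {body}")
    return body["access_token"]


def query_alert_ids(transport, domain, token, window, limit=100):
    """Enumeration phase: offset/limit paging until meta.pagination.total is reached."""
    frm, to = window
    fql = f"created_timestamp:>'{frm}'+created_timestamp:<'{to}'"  # '+' is FQL AND
    ids, offset = [], 0
    while True:
        status, body = transport(
            "GET", f"{domain}/alerts/queries/alerts/v2",
            {"Authorization": f"Bearer {token}"},
            {"offset": offset, "limit": limit, "filter": fql}, None)
        if status != 200:
            raise RuntimeError(f"alert query failed: HTTP {status} {body}")
        page = body.get("resources", [])
        ids.extend(page)
        total = body.get("meta", {}).get("pagination", {}).get("total", len(ids))
        offset += len(page)
        if not page or offset >= total:  # empty page guards against a bad total
            return ids


def fetch_alerts(transport, domain, token, ids, batch=100):
    """Collection phase: POST composite_ids in batches and return full alert entities."""
    alerts = []
    for i in range(0, len(ids), batch):
        status, body = transport(
            "POST", f"{domain}/alerts/entities/alerts/v2",
            {"Authorization": f"Bearer {token}", "Accept": "application/json",
             "Content-Type": "application/json"}, None,
            json.dumps({"composite_ids": ids[i:i + batch]}))
        if status != 200:
            raise RuntimeError(f"alert fetch failed: HTTP {status} {body}")
        alerts.extend(body.get("resources", []))
    return alerts


def pull_alerts(transport, domain, client_id, client_secret, now, limit=100):
    token = get_token(transport, domain, client_id, client_secret)
    ids = query_alert_ids(transport, domain, token, temporal_window(now), limit)
    return fetch_alerts(transport, domain, token, ids)


class FakeFalcon:
    """Constructed stand-in for the Falcon API; alerts, token and secret are sample data."""

    def __init__(self, alerts, client_secret):
        self.alerts, self.secret, self.token = alerts, client_secret, "constructed-token"

    def __call__(self, method, url, headers, params, data):
        path = urlparse(url).path
        if path == "/oauth2/token":
            if parse_qs(data).get("client_secret") != [self.secret]:
                return 403, {"errors": [{"message": "access denied"}]}
            return 201, {"access_token": self.token, "expires_in": 1799}
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, {"errors": [{"message": "unauthorized"}]}
        if path == "/alerts/queries/alerts/v2":
            frm, to = re.findall(r"'([^']+)'", params["filter"])
            hits = [a["composite_id"] for a in self.alerts
                    if frm < a["created_timestamp"] < to]  # RFC3339 sorts lexically
            off, lim = int(params["offset"]), int(params["limit"])
            return 200, {"meta": {"pagination": {"offset": off, "limit": lim,
                                                 "total": len(hits)}},
                         "resources": hits[off:off + lim]}
        if path == "/alerts/entities/alerts/v2":
            wanted = set(json.loads(data)["composite_ids"])
            return 200, {"resources": [a for a in self.alerts
                                       if a["composite_id"] in wanted]}
        return 404, {"errors": [{"message": "not found"}]}


# Constructed sample alerts: five fall inside the 11:55-12:00 window, two outside.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    {"composite_id": f"aid{i}:ind:{i:04x}", "status": "new",
     "created_timestamp": (NOW - timedelta(seconds=s)).strftime(RFC3339)}
    for i, s in enumerate([600, 240, 180, 120, 90, 60, -60])
]
DOMAIN = "https://api.example.invalid"  # placeholder for the Falcon API base URL

if __name__ == "__main__":
    pulled = pull_alerts(FakeFalcon(SAMPLE_ALERTS, "s3cret"), DOMAIN,
                         "cid", "s3cret", NOW, limit=2)
    print(len(pulled), "alerts:", [a["composite_id"] for a in pulled])
```

Running it with limit=2 forces three enumeration pages for the five in-window alerts, which is the same offset/limit loop the listener performs with limit 100; a wrong client secret surfaces as a RuntimeError from get_token rather than as a silent empty result.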

Transform CrowdStrike data

Parser

The Parser extracts the individual fields from the CrowdStrike JSON into more detailed fields, including status, data and index.

Message Builder

We use the Message Builder action to transform the fields to CSV format, using a comma as the delimiter.

Select CSV as the output format; the resulting CSV of CrowdStrike logs can then be sent to your preferred destination using a sink.
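What the Parser and Message Builder steps amount to, as an added Python example (not the product's own code): nested alert objects are flattened to dotted column names, lists are kept as JSON so each alert stays on one row, and the csv module quotes fields containing commas, quotes or newlines so a command line does not split into extra columns. It also adds a guard the page does not mention: string cells that start with =, +, - or @ are prefixed with a single quote so the CSV cannot trigger formula execution when someone opens it in a spreadsheet. The two alerts are constructed samples whose field names follow the Alerts API; their values are invented.

```python
"""Flatten Falcon alert JSON into CSV rows.  Added example, not the Parser's or
Message Builder's own logic; SAMPLE_ALERTS are constructed records."""
import csv
import io
import json

FORMULA_PREFIXES = ("=", "+", "-", "@")


def flatten(value, prefix=""):
    """Turn nested objects into dotted keys; lists become JSON so one alert is one row."""
    if isinstance(value, dict):
        flat = {}
        for key, inner in value.items():
            flat.update(flatten(inner, f"{prefix}.{key}" if prefix else key))
        return flat
    if isinstance(value, list):
        return {prefix: json.dumps(value, separators=(",", ":"))}
    return {prefix: value}


def neutralize(value):
    """Spreadsheet formula-injection guard: quote string cells that start like a formula.
    Only strings are touched, so negative numeric fields are left alone."""
    if isinstance(value, str) and value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def alerts_to_csv(alerts, columns=None, guard_formulas=True):
    """Render alerts as comma-delimited CSV.  csv.DictWriter quotes commas, quotes and
    newlines, so a multi-line command line survives as a single field."""
    rows = [flatten(alert) for alert in alerts]
    if columns is None:
        columns = sorted({k for row in rows for k in row})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {c: row.get(c, "") for c in columns}  # missing fields become empty cells
        if guard_formulas:
            cells = {c: neutralize(v) for c, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def csv_to_rows(text):
    """Round-trip helper so the output can be checked field by field."""
    return list(csv.DictReader(io.StringIO(text)))


# Constructed sample alerts (shape modelled on Alerts API entities, values invented).
SAMPLE_ALERTS = [
    {"composite_id": "aid1:ind:0001", "status": "new", "severity": 70,
     "created_timestamp": "2024-05-01T11:56:00Z",
     "device": {"hostname": "WS-01", "platform_name": "Windows"},
     "cmdline": 'powershell.exe -c "Get-Process a,b"\n& whoami',
     "tactic": "Execution", "technique_id": "T1059.001"},
    {"composite_id": "aid2:ind:0002", "status": "closed", "severity": 30,
     "created_timestamp": "2024-05-01T11:57:00Z",
     "device": {"hostname": '=HYPERLINK("http://evil.invalid","SRV-02")',
                "platform_name": "Linux"},
     "cmdline": "/bin/sh -c id", "tactic": "Discovery", "technique_id": "T1082",
     "ioc_values": ["1.2.3.4", "example.invalid"]},
]

if __name__ == "__main__":
    print(alerts_to_csv(SAMPLE_ALERTS))
```

Passing an explicit columns list pins the column order across runs, which matters when the sink is a table whose schema was created from the first file; with columns=None the header is derived from whatever fields the alerts in that batch happen to carry.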
