CrowdStrike Event Stream Logs - Falcon API
This data pipeline extracts the Event Stream logs from CrowdStrike using the Falcon API.

This pipeline ingests logs from the CrowdStrike platform with the HTTP Pull Listener and transforms them from JSON to CSV.
Listen
The Listener pulls events through the Configure as YAML option. The YAML below defines a 5-minute temporal window, an OAuth2 client-credentials token request whose access token is injected as a Bearer header, an enumeration phase that pages through alert IDs with offset/limit pagination, and a collection phase that posts the collected IDs to fetch each alert:
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 0
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/oauth2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 100
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/alerts/queries/alerts/v2
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
      - name: filter
        value: created_timestamp:>'${temporalWindow.from}'+created_timestamp:<'${temporalWindow.to}'
  output:
    select: ".resources"
    map: "."
    outputMode: collection
collectionPhase:
  variables:
    - source: input
      name: resources
      expression: "."
      format: "json"
  paginationType: none
  request:
    method: POST
    url: ${parameters.domain}/alerts/entities/alerts/v2
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "composite_ids": ${inputs.resources}
      }
  output:
    select: ".resources"
    map: "."
    outputMode: element
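The following is an added example, not part of this page or of the listener's own code: a small Python model of the three steps the YAML above configures (client-credentials token, offset/limit enumeration of alert IDs inside the temporal window, then one POST of the collected composite IDs). The `transport` callable and `fake_falcon` are constructed stand-ins for HTTP and for the Falcon API so that it runs offline; the alert records are made up.

```python
import re
from datetime import datetime, timedelta
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"

def temporal_window(now_rfc3339, duration=timedelta(minutes=5), offset=timedelta(0)):
    # Mirrors the temporalWindow block: [from, to) in UTC, 5 minutes long, offset 0.
    end = datetime.strptime(now_rfc3339, RFC3339) - offset
    return (end - duration).strftime(RFC3339), end.strftime(RFC3339)

def pull_alerts(transport, domain, client_id, client_secret, window_from, window_to, limit=100):
    # Authentication: form-encoded client credentials; the token is read from ".access_token".
    tok = transport("POST", f"{domain}/oauth2/token", data={"grant_type": "client_credentials",
                    "client_id": client_id, "client_secret": client_secret},
                    headers={"Content-Type": "application/x-www-form-urlencoded"})
    auth = {"Authorization": "Bearer " + tok["access_token"]}
    # Enumeration phase: page through alert IDs inside the window until a short page arrives.
    fql = f"created_timestamp:>'{window_from}'+created_timestamp:<'{window_to}'"
    ids, offset = [], 0
    while True:
        page = transport("GET", f"{domain}/alerts/queries/alerts/v2", headers=auth,
                         params={"offset": offset, "limit": limit, "filter": fql})
        ids.extend(page["resources"])
        if len(page["resources"]) < limit:
            break
        offset += limit
    if not ids:  # empty window: nothing to collect, so skip the POST
        return []
    # Collection phase: one POST carrying every composite_id; each resource becomes one event.
    body = transport("POST", f"{domain}/alerts/entities/alerts/v2", json={"composite_ids": ids},
                     headers={**auth, "Accept": "application/json", "Content-Type": "application/json"})
    return body["resources"]

FAKE_ALERTS = {  # constructed stand-in data, not real CrowdStrike alerts
    "a1": {"composite_id": "a1", "status": "new", "created_timestamp": "2024-05-01T10:01:00Z"},
    "a2": {"composite_id": "a2", "status": "in_progress", "created_timestamp": "2024-05-01T10:03:00Z"},
    "a3": {"composite_id": "a3", "status": "closed", "created_timestamp": "2024-05-01T09:30:00Z"},
}

def fake_falcon(method, url, headers=None, params=None, data=None, json=None):
    if url.endswith("/oauth2/token"):
        assert data["grant_type"] == "client_credentials" and data["client_secret"]
        return {"access_token": "constructed-token"}
    assert headers["Authorization"] == "Bearer constructed-token"  # Bearer injection as configured
    if url.endswith("/alerts/queries/alerts/v2"):
        lo, hi = re.findall(r"'([^']+)'", params["filter"])  # window bounds out of the FQL filter
        ids = sorted(i for i, a in FAKE_ALERTS.items() if lo < a["created_timestamp"] < hi)
        return {"resources": ids[params["offset"]:params["offset"] + params["limit"]]}
    if url.endswith("/alerts/entities/alerts/v2"):
        return {"resources": [FAKE_ALERTS[i] for i in json["composite_ids"]]}
    raise ValueError(f"unexpected call {method} {url}")
```

Calling `pull_alerts(fake_falcon, ..., limit=1)` forces several enumeration pages, which is the easiest way to see the offset/limit loop and the empty last page at work.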
Transform CrowdStrike data
Parser
The Parser splits the CrowdStrike JSON into individual, more detailed fields, including status, data and index.

Message Builder
We use the Message Builder action to transform the fields into CSV, using a comma as the delimiter.
Select CSV as the output format, and the CSV containing your CrowdStrike logs can then be sent to your preferred destination through a sink.