CrowdStrike integration

Overview

Integrate with API Logs from the CrowdStrike Platform using the Listener using the data Integration API.

Configuration

In the HTTP Pull listener, you need to specify how and where to collect the data and how to establish a connection with the CrowdStrike platform. You will need a CrowdStrike YAML.

Metadata

Enter the basic information for the new Listener.

Parameter

Description

Name*

Enter a name for the new Listener.

Description

Optionally, enter a description for the Listener.

Tags

Add tags to easily identify your Listener. Hit the Enter key after you define each tag.

Configuration

Parameters

Parameter

Description

Name

Enter the name of the parameter to search for in the YAML below, used later as ${name} e.g. domain.

Value

Enter the value or variable to fill in when the given parameter name has been found, e.g. domainname. With the name set as domain and the value set as the domain name, the expression to execute on the YAML would be: ${parameters.domain}., which will be automatically replaced by the variable. Add as many name and value pairs as required.

Secrets

Parameter

Description

Name

Enter the name of the parameter to search for in the YAML below, used later as ${name}.

Value

Config as YAML

Toggle this ON to enable a free text field where you can paste your CrowdStrike YAML.

An example log would be:

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 0
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/oauth2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 100
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/alerts/queries/alerts/v2
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
      - name: filter
        value: created_timestamp:>'${temporalWindow.from}'+created_timestamp:<'${temporalWindow.to}'
  output:
    select: ".resources"
    map: "."
    outputMode: collection
collectionPhase:
  variables:
    - source: input
      name: resources
      expression: "."
      format: "json"
  paginationType: none
  request:
    method: POST
    url: ${parameters.domain}/alerts/entities/alerts/v2
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "composite_ids": ${inputs.resources}
      }
  output:
    select: ".resources"
    map: "."
    outputMode: element

This HTTP Pull Listener now uses the data export API to extract events.

PreviousSophos integration NextCortex integration

Last updated 2 days ago

Was this helpful?