CrowdStrike
Integrate API logs from the CrowdStrike platform using the HTTP Pull Listener and the data Integration API.
In the HTTP Pull listener, you need to specify how and where to collect the data and how to establish a connection with the CrowdStrike platform. You will need a CrowdStrike YAML.
Enter the basic information for the new Listener.
Name*
Enter a name for the new Listener.
Description
Optionally, enter a description for the Listener.
Tags
Add tags to easily identify your Listener. Hit the Enter key after you define each tag.
Name
Enter the name of the parameter to search for in the YAML below, used later as ${name}, e.g. domain.
Value
Enter the value or variable to fill in when the given parameter name has been found, e.g. domainname. With the name set as domain and the value set as the domain name, the expression to execute on the YAML would be ${parameters.domain}, which will be automatically replaced by the variable. Add as many name and value pairs as required.
Name
Enter the name of the parameter to search for in the YAML below, used later as ${name}.
Value
Config as YAML
Toggle this ON to enable a free text field where you can paste your CrowdStrike YAML.
An example configuration would be:
withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 0
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/oauth2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: offsetLimit
  limit: 100
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/alerts/queries/alerts/v2
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
      - name: filter
        value: created_timestamp:>'${temporalWindow.from}'+created_timestamp:<'${temporalWindow.to}'
  output:
    select: ".resources"
    map: "."
    outputMode: collection
collectionPhase:
  variables:
    - source: input
      name: resources
      expression: "."
      format: "json"
  paginationType: none
  request:
    method: POST
    url: ${parameters.domain}/alerts/entities/alerts/v2
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
    responseType: json
    bodyType: raw
    bodyRaw: |
      {
        "composite_ids": ${inputs.resources}
      }
  output:
    select: ".resources"
    map: "."
    outputMode: element
This HTTP Pull Listener now uses the data export API to extract events.
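The flow the YAML above configures (client-credentials token request, paged ID enumeration over the temporal window, then one detail POST with the collected composite_ids), as an added Python model that is not part of the Listener's or CrowdStrike's own code. The transport is a stub serving constructed sample alerts so it runs offline, and stopping enumeration on an empty page is an assumed pagination rule.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample backend: 7 alert IDs, served per page via offset/limit.
FAKE_ALERTS = {f"id{i}": {"composite_id": f"id{i}", "severity": i * 10} for i in range(7)}

def fake_request(method, path, params=None, body=None, headers=None):
    """Stub transport standing in for the CrowdStrike API endpoints used in the YAML."""
    if method == "POST" and path.endswith("/oauth2/token"):
        return {"access_token": "constructed-token"}
    if not (headers or {}).get("Authorization", "").startswith("Bearer "):
        raise PermissionError("missing bearer token")  # mirrors authInjection
    if method == "GET" and path.endswith("/alerts/queries/alerts/v2"):
        ids = sorted(FAKE_ALERTS)
        off, lim = int(params["offset"]), int(params["limit"])
        return {"resources": ids[off:off + lim]}
    if method == "POST" and path.endswith("/alerts/entities/alerts/v2"):
        return {"resources": [FAKE_ALERTS[i] for i in body["composite_ids"]]}
    raise ValueError(f"unexpected call: {method} {path}")

def temporal_filter(now_iso, duration=timedelta(minutes=5), offset=timedelta(0)):
    """Build the created_timestamp filter from the temporalWindow settings (RFC3339, UTC)."""
    to = datetime.fromisoformat(now_iso).astimezone(timezone.utc) - offset
    frm = to - duration
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return f"created_timestamp:>'{frm.strftime(fmt)}'+created_timestamp:<'{to.strftime(fmt)}'"

def pull_alerts(domain, now_iso, limit=100, request=fake_request):
    """Authenticate, enumerate alert IDs page by page, then collect the alert details."""
    token = request("POST", f"{domain}/oauth2/token",
                    body={"grant_type": "client_credentials"})["access_token"]
    auth = {"Authorization": f"Bearer {token}"}
    flt = temporal_filter(now_iso)
    ids, offset = [], 0
    while True:  # offsetLimit pagination; assumed stop rule: an empty page ends enumeration
        page = request("GET", f"{domain}/alerts/queries/alerts/v2", headers=auth,
                       params={"offset": offset, "limit": limit, "filter": flt})["resources"]
        if not page:
            break
        ids.extend(page)
        offset += limit
    if not ids:  # nothing in the window: skip the collection phase entirely
        return []
    return request("POST", f"{domain}/alerts/entities/alerts/v2", headers=auth,
                   body={"composite_ids": ids})["resources"]
```

Swap `fake_request` for a real HTTP call to exercise the same sequence against the API; the filter string and the empty-window short-circuit are the parts worth checking when a pull returns nothing.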
Click Create labels to move on to the next step and define the required Labels if needed.
Select the secret containing the connection credentials if you have added them previously, or select New Secret to add one. This will add this value as the variable when the field name is found in the YAML. Add as many as required.