WebsiteBlogLogin

Users

Overview

List of users visible to the currently-scoped User.

Configuration

Parameters

  • parameters.domain will store the value of the API URL, excluding the endpoint paths like /v1/cp/oauth/token or /v1/cp/domains

Secrets

  • secrets.client_id will reference to Agari's Client ID

  • secrets.client_secret will reference to Agari's Client Secret.

After entering the required parameters and secrets, you can choose to manually enter the fields, or simply paste the given YAML:

Configure as YAML

Toggle this ON to enable a free text field where you can paste your YAML. 

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/v1/cp/oauth/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
        - name: Accept
          value: application/json
      bodyType: urlEncoded
      bodyParams:
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: false
collectionPhase:
  paginationType: offsetLimit
  limit: 200
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/v1/cp/users
    queryParams:
      - name: offset
        value: ${pagination.offset}
      - name: limit
        value: ${pagination.limit}
  output:
    select: "."
    map: "."
    outputMode: element

Manually configure

If you would rather configure each field, follow the steps below.

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

  • Duration - 5 minutes (5m) as default, adjust based on your needs.

  • Offset - initial offset should be 5m used to specify the index, or starting point, for the collection of items in the response.

  • Format - RFC3339

Authentication Phase

Toggle ON to configure the authentication phase. This is required to get the token to pull data using OAuth.

  • Type* - token

  • Request Method* - POST (we would need to generate the JWT using the secrets client_id and client_secret)

  • URL* - ${parameters.domain}/v1/cp/oauth/token

  • Headers

    • Name - Content-type

    • Value - application/x-www-form-urlencoded

    • Name - Accept

    • Value - application/json

  • BodyType* - UrlEncoded

    • Body params

      • Name - client_id

      • Value -'${secrets.client_ID}'

      • Name - client_secret

      • Value - '${secrets.client_Secret

  • Token Path* - .access_token

  • Auth Injection

    • In* - header

    • Name* - authorization

    • Prefix - Bearer

    • Suffix - ''

Enumeration Phase

OFF

Collection Phase

  • Pagination Type* - offsetLimitTo page through a collection of items, set the offset parameter to the first item of the next page. The offset calculation for the next page is: current_offset + current_count. The end of the collection is reached when the count of returned items is less than the limit.

  • Limit - 200 (Maximum number of collection items to include in a response)

  • Request

    • Response Type - JSON

    • Method* - GET

    • URL* - ${parameters.domain}/v1/cp/users

    • Query Params -

      • Name - offset

      • Value - ${pagination.offset}

      • Name - limit

      • Value - ${pagination.limit}

  • Output

    • Select - .

    • Map - .

    • Output Mode - element

This HTTP Pull Listener now uses the data export API to extract alert events.

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousOrganizationsNextCollect data from CrowdStrike Falcon NG-SIEM

Last updated

Was this helpful?