Event Stream
Overview
Get a list of event streams from CrowdStrike Falcon.
Configuration
Parameters
Secrets
After entering the required parameters and secrets, you can choose to manually enter the Falcon API Alerts fields, or simply paste the given YAML:
Toggle this ON to enable a free text field where you can paste your CrowdStrike Falcon API YAML.
withTemporalWindow: true
temporalWindow:
duration: 30m
offset: 0
tz: UTC
format: Epoch
withAuthentication: true
authentication:
token:
request:
method: POST
url: ${parameters.domain}/oauth2/token
headers:
- name: Content-Type
value: application/x-www-form-urlencoded
bodyType: urlEncoded
bodyParams:
- name: grant_type
value: client_credentials
- name: client_id
value: '${secrets.client_id}'
- name: client_secret
value: '${secrets.client_secret}'
tokenPath: ".access_token"
authInjection:
in: header
name: Authorization
prefix: 'Bearer '
suffix: ''
withEnumerationPhase: true
enumerationPhase:
paginationType: none
request:
responseType: json
method: GET
url: ${parameters.domain}/sensors/entities/datafeed/v2
queryParams:
- name: appId
value: my-datafeed-argos-onum-001
output:
select: ".resources[0]"
map: "{dataFeedURL, sessionToken: .sessionToken.token}"
outputMode: element
collectionPhase:
variables:
- source: input
name: dataFeedURL
expression: ".dataFeedURL"
format: ''
- source: input
name: sessionToken
expression: ".sessionToken"
format: ''
paginationType: none
request:
method: GET
url: "${inputs.dataFeedURL}"
headers:
- name: Accept
value: application/json
- name: Authorization
value: "Token ${inputs.sessionToken}"
queryParams:
- name: appId
value: my-datafeed-argos-onum-001
- name: whence
value: 2
responseType: ndjson
output:
select: "."
map: "."
outputMode: elementTemporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Duration - 30 minutes (30
m) as default, adjust based on your needs.Offset - initial offset should be
0(the latest alert).Format -
Epoch
Authentication Phase
Toggle ON to configure the authentication phase. This is required to get the token to pull data using OAuth.
Type* -
tokenRequest Method* -
POST(we would need to generate the JWT using the secretsclient_idandclient_secretURL* -
${parameters.domain}/oauth2/tokenHeaders
Name -
Content-typeValue -
application/x-www-form-urlencoded
BodyType* -
UrlEncodedBody params
Name -
grant_typeValue -
client_credentialsName -
client_idValue -
'${secrets.clientID}'Name -
client_secretValue -
'${secrets.clientSecret}'
Token Path* -
.access_tokenAuth Injection
In* -
headerName* -
authorizationPrefix -
BearerSuffix -
''
Enumeration Phase
Toggle ON to configure the enumeration phase. This API endpoint requires an initial request that will provide a list of alert ids. In order to get the details about that information, it will require an additional request for those details.
Pagination Type* -
NoneRequest
Response Type* -
JSONMethod* -
GETURL* -
${parameters.domain}/sensors/entities/datafeed/v2Query Params
Name - appId
Value -
my-datafeed-argos-onum-001
Output
Select -
.resources[0]Map -
{dataFeedURL, sessionToken: .sessionToken.token}Output Mode -
element
Collection Phase
Variables
Source -
inputName -
dataFeedURLExpression -
.dataFeedURLFormat -
''Source -
inputName -
sessionTokenExpression -
.sessionTokenFormat -
''
Pagination Type* -
noneRequest
Method* -
GETURL* -
${inputs.dataFeedURL}Headers -
Name -
AcceptValue -
application/jsonName -
AuthorizationValue -
Token ${inputs.sessionToken}
Query Params
Name -
appIdValue -
my-datafeed-argos-onum-001Name -
whenceValue -
2
Output
Select -
.Map -
.Output Mode -
element
This HTTP Pull Listener now uses the data export API to extract events.
Click Create labels to move on to the next step and define the required Labels if needed.
Last updated
Was this helpful?