# Event Stream

## Overview

Get a list of event streams from CrowdStrike Falcon.

## Configuration

### Parameters

* `parameters.domain` will store the value of the API URL, excluding the endpoint paths like `/v1/cp/oauth/token` or `/v1/cp/event_stream`

### Secrets

* `secrets.client_id` will reference the Client ID
* `secrets.client_secret` will reference the Client Secret.

Open the **Secret** fields and click **New secret** to create a new one:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the secret corresponding to the value.
* Click **Save**.


{% hint style="info" %}
Learn more about secrets in Onum in [this article](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management).
{% endhint %}

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can either configure the Falcon API fields manually or simply paste the YAML below:

{% tabs %}
{% tab title="Config as YAML" %}
Toggle this **ON** to enable a free text field where you can paste your **CrowdStrike Falcon API** YAML.

```yaml
withTemporalWindow: true
temporalWindow:
  duration: 30m
  offset: 0
  tz: UTC
  format: Epoch
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: ${parameters.domain}/oauth2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: client_credentials
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: true
enumerationPhase:
  paginationType: none
  request:
    responseType: json
    method: GET
    url: ${parameters.domain}/sensors/entities/datafeed/v2
    queryParams:
      - name: appId
        value: my-data
  output:
    select: ".resources[0]"
    map: "{dataFeedURL, sessionToken: .sessionToken.token}"
    outputMode: element
collectionPhase:
  variables:
    - source: input
      name: dataFeedURL
      expression: ".dataFeedURL"
      format: ''
    - source: input
      name: sessionToken
      expression: ".sessionToken"
      format: ''
  paginationType: none
  request:
    method: GET
    url: "${inputs.dataFeedURL}"
    headers:
      - name: Accept
        value: application/json
      - name: Authorization
        value: "Token ${inputs.sessionToken}"
    queryParams:
      - name: appId
        value: my-data
      - name: whence
        value: 2
    responseType: ndjson
  output:
    select: "."
    map: "."
    outputMode: element
```

{% endtab %}

{% tab title="Manually configure" %}
**Temporal Window**

Toggle **ON** to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

* **Duration** - `30m` (30 minutes) by default; adjust based on your needs.
* **Offset** - the initial offset should be `0` (the latest alert).
* **Format** - `Epoch`

**Authentication Phase**

Toggle **ON** to configure the authentication phase. This is required to get the token to pull data using **OAuth**.

* **Type**<mark style="color:red;">**\***</mark> - `token`
* **Request Method**<mark style="color:red;">**\***</mark> - `POST` (the token is generated from the secrets `client_id` and `client_secret`)
* **URL**<mark style="color:red;">**\***</mark> - `${parameters.domain}/oauth2/token`
* **Headers**
  * **Name** - `Content-Type`
  * **Value** - `application/x-www-form-urlencoded`
* **BodyType**<mark style="color:red;">**\***</mark> - `urlEncoded`
  * **Body params**
    * **Name** - `grant_type`
    * **Value** - `client_credentials`
    * **Name** - `client_id`
    * **Value** - `'${secrets.client_id}'`
    * **Name** - `client_secret`
    * **Value** - `'${secrets.client_secret}'`
* **Token Path**<mark style="color:red;">**\***</mark> - `.access_token`
* **Auth Injection**
  * **In**<mark style="color:red;">**\***</mark> - `header`
  * **Name**<mark style="color:red;">**\***</mark> - `Authorization`
  * **Prefix** - `'Bearer '` (note the trailing space; without it the header value runs into the token)
  * **Suffix** - `''`

**Enumeration Phase**

Toggle **ON** to configure the enumeration phase. This API requires an initial request to the datafeed endpoint, which returns the data feed URL and a session token; the collection phase then uses those two values to pull the events.

* **Pagination Type**<mark style="color:red;">**\***</mark> - `none`
* **Request**
  * **Response Type**<mark style="color:red;">**\***</mark> - `JSON`
  * **Method**<mark style="color:red;">**\***</mark> - `GET`
  * **URL**<mark style="color:red;">**\***</mark> - `${parameters.domain}/sensors/entities/datafeed/v2`
  * **Query Params**
    * **Name** - `appId`
    * **Value** - `my-data`
* **Output**
  * **Select** - `.resources[0]`
  * **Map** - `{dataFeedURL, sessionToken: .sessionToken.token}`
  * **Output Mode** - `element`

**Collection Phase**

* **Variables**
  * **Source** - `input`
  * **Name** - `dataFeedURL`
  * **Expression** - `.dataFeedURL`
  * **Format** - `''`
  * **Source** - `input`
  * **Name** - `sessionToken`
  * **Expression** - `.sessionToken`
  * **Format** - `''`
* **Pagination Type**<mark style="color:red;">**\***</mark> - `none`
* **Request**
  * **Method**<mark style="color:red;">**\***</mark> - `GET`
  * **URL**<mark style="color:red;">**\***</mark> - `${inputs.dataFeedURL}`
  * **Headers**
    * **Name** - `Accept`
    * **Value** - `application/json`
    * **Name** - `Authorization`
    * **Value** - `Token ${inputs.sessionToken}`
  * **Query Params**
    * **Name** - `appId`
    * **Value** - `my-data`
    * **Name** - `whence`
    * **Value** - `2`
  * **Response Type** - `ndjson`
* **Output**
  * **Select** - `.`
  * **Map** - `.`
  * **Output Mode** - `element`
{% endtab %}
{% endtabs %}
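The three phases above (token request, datafeed discovery, NDJSON collection) as a stand-alone Python script, added here for practitioners who want to verify their credentials and feed outside the listener. This is an added example, not Onum's or CrowdStrike's code; the `FALCON_*` environment variables and the `http` transport callable are assumptions, and the `whence=2` and `appId=my-data` values are taken from the page's configuration.

```python
import json
import urllib.parse
import urllib.request

APP_ID = "my-data"  # the appId used in this page's configuration

def urllib_http(method, url, headers, body=None):
    """Minimal transport returning (status, text); replaced by a fake in tests."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()

def fetch_token(http, domain, client_id, client_secret):
    """Authentication phase: client_credentials POST, token read from .access_token."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret}).encode()
    status, text = http("POST", f"{domain}/oauth2/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    return json.loads(text)["access_token"]

def discover_feed(http, domain, access_token):
    """Enumeration phase: GET datafeed/v2 and map .resources[0] as the YAML's map does."""
    url = f"{domain}/sensors/entities/datafeed/v2?" + urllib.parse.urlencode({"appId": APP_ID})
    # The prefix is 'Bearer ' including the trailing space; without it the header is invalid.
    status, text = http("GET", url, {"Authorization": "Bearer " + access_token})
    if status != 200:
        raise RuntimeError(f"datafeed request failed with HTTP {status}")
    first = json.loads(text)["resources"][0]
    return {"dataFeedURL": first["dataFeedURL"], "sessionToken": first["sessionToken"]["token"]}

def collect_events(http, feed, whence=2):
    """Collection phase: read the NDJSON stream from dataFeedURL using the session token."""
    # The feed URL may already carry a query string, so append to it rather than replace it.
    sep = "&" if "?" in feed["dataFeedURL"] else "?"
    url = feed["dataFeedURL"] + sep + urllib.parse.urlencode({"appId": APP_ID, "whence": whence})
    headers = {"Accept": "application/json", "Authorization": "Token " + feed["sessionToken"]}
    status, text = http("GET", url, headers)
    if status != 200:
        raise RuntimeError(f"feed request failed with HTTP {status}")
    return [json.loads(line) for line in text.splitlines() if line.strip()]

if __name__ == "__main__":
    import os  # credentials come from the environment, never from source
    domain = os.environ["FALCON_DOMAIN"]  # the same value as parameters.domain
    token = fetch_token(urllib_http, domain, os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    for event in collect_events(urllib_http, discover_feed(urllib_http, domain, token)):
        print(event)
```

Run it once with the same domain and secrets you entered above; if it streams events, the listener configuration will too.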

This HTTP Pull Listener now uses the data export API to extract events.

Click **Create labels** to move on to the next step and define the required [Labels](https://docs.onum.com/the-workspace/listeners/labels) if needed.
