Incidents
Overview
Get a list of event streams from CrowdStrike Falcon.
Configuration
Parameters
parameters.domainwill store the value of the API URL, excluding the endpoint paths like/v1/cp/oauth/tokenor/v1/cp/incidents
Secrets
secrets.client_idwill reference the Client IDsecrets.client_secretwill reference the Client Secret.
Open the Secret fields and click New secret to create a new one:
Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.
Learn more about secrets in Onum in this article.
You can now select the secret you just created in the corresponding fields.
After entering the required parameters and secrets, you can choose to manually enter the Falcon API Alerts fields, or simply paste the given YAML:
Toggle this ON to enable a free text field where you can paste your CrowdStrike Falcon API YAML.
Temporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Duration - 5 minutes (
5m) as default, adjust based on your needs.Offset -
5mFormat -
RFC3339
Authentication Phase
Toggle ON to configure the authentication phase. This is required to get the token to pull data using OAuth.
Type* -
tokenRequest Method* -
POST(we would need to generate the JWT using the secretsclient_idandclient_secret)URL* -
${parameters.domain}/oauth2/tokenHeaders
Name -
Content-typeValue -
application/x-www-form-urlencoded
BodyType* -
UrlEncodedBody params
Name -
grant_typeValue -
client_credentialsName -
client_idValue -
'${secrets.client_id}'Name -
client_secretValue -
'${secrets.client_secret}'
Token Path* -
.access_tokenAuth Injection
In* -
headerName* -
authorizationPrefix -
BearerSuffix -
''
Enumeration Phase
Toggle ON to configure the enumeration phase. This API endpoint requires an initial request that will provide a list of alert ids. In order to get the details about that information, it will require an additional request for those details.
Pagination Type* -
offset/limitLimit -
100Request
Response Type* -
JSONMethod* -
GETURL* -
${parameters.domain}/incidents/queries/incidents/v1Query Params
Name - offset
Value -
${pagination.offset}Name - limit
Value -
${pagination.limit}Name - filter
Value -
start:>='${temporalWindow.from}'+end:<'${temporalWindow.to}
Output
Select -
.resourcesMap -
.Output Mode -
collection
Collection Phase
Variables
Source -
inputName -
resourcesExpression -
.Format -
json
Pagination Type* -
noneRequest
Method* -
POSTURL* -
${parameters.domain}/incidents/entities/incidents/GET/v1Headers -
Name -
AcceptValue -
application/jsonName -
Content-TypeValue -
application/json
Response Type -
jsonBody Type -
rawBody raw -
| { "ids": ${inputs.resources} }Output
Select -
.resourcesMap -
.Output Mode -
element
This HTTP Pull Listener now uses the data export API to extract incidents.
Click Create labels to move on to the next step and define the required Labels if needed.
Last updated
Was this helpful?