Collect data from Dropbox
Overview
Get a list of event streams from Dropbox.
Configuration
Parameters
Secrets
After entering the required parameters and secrets, you can choose to manually enter the Falcon API Alerts fields, or simply paste the given YAML:
Toggle this ON to enable a free text field where you can paste your CrowdStrike Falcon API YAML.
withTemporalWindow: true
temporalWindow:
duration: 5m
offset: 5m
tz: UTC
format: RFC3339
withAuthentication: true
authentication:
token:
request:
method: POST
url: https://${parameters.domain}/oauth2/token
headers:
- name: Content-Type
value: application/x-www-form-urlencoded
bodyType: urlEncoded
bodyParams:
- name: grant_type
value: refresh_token
- name: refresh_token
value: '${secrets.refresh_token}'
- name: client_id
value: '${secrets.client_id}'
- name: client_secret
value: '${secrets.client_secret}'
tokenPath: ".access_token"
authInjection:
in: header
name: Authorization
prefix: 'Bearer '
suffix: ''
withEnumerationPhase: false
collectionPhase:
paginationType: "cursor"
cursor: ".cursor"
initialRequest:
method: POST
url: "https://${parameters.domain}/2/team_log/get_events"
headers:
- name: Content-Type
value: application/json
bodyType: raw
bodyRaw: |
{
"time": {
"start_time": "${temporalWindow.from}",
"end_time": "${temporalWindow.to}"
}
}
nextRequest:
method: POST
url: "https://${parameters.domain}/2/team_log/get_events/continue"
headers:
- name: Content-Type
value: application/json
bodyRaw: |
{
"cursor": "${pagination.cursor}"
}
output:
select: ".events"
map: "."
outputMode: elementTemporal Window
Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.
Duration - 5 minutes (
5m) as default, adjust based on your needs.Offset -
5mFormat -
RFC3339
Authentication Phase
Toggle ON to configure the authentication phase. This is required to get the token to pull data using OAuth.
Type* -
tokenRequest Method* -
POSTURL* -
${parameters.domain}/oauth2/tokenHeaders
Name -
Content-typeValue -
application/x-www-form-urlencoded
BodyType* -
UrlEncodedBody params
Name -
grant_typeValue -
refresh_tokenName -
refresh_tokenValue -
${secrets.refresh_token}Name -
client_idValue -
${secrets.client_id}Name -
client_secretValue -
${secrets.clientSecret}
Token Path* -
.access_tokenAuth Injection
In* -
headerName* -
authorizationPrefix -
BearerSuffix -
''
Enumeration Phase
OFF
Collection Phase
Pagination Type* -
cursorCursor -
.cursorInitial Request
Method* -
POSTURL* -
https://${parameters.domain}/2/team_log/get_eventsHeaders -
Name -
Content-TypeValue -
application/json
Body Type -
rawBody Raw -
| { "time": { "start_time": "${temporalWindow.from}", "end_time": "${temporalWindow.to}" } }
Next Request
Method* -
POSTURL* -
https://${parameters.domain}/2/team_log/get_events/continueHeaders -
Name -
Content-TypeValue -
application/json
Body Type -
rawBody Raw -
| { "cursor": "${pagination.cursor}" }
Output
Select -
.eventsMap -
.Output Mode -
element
This HTTP Pull Listener now uses the business API to extract events.
Click Create labels to move on to the next step and define the required Labels if needed.
Last updated
Was this helpful?