Collect data from Dropbox

Overview

Get a list of event streams from Dropbox.

Configuration

Parameters

parameters.domain will store the value of the API URL, excluding the endpoint paths like /oauth2/token or /2/team_log/get_events

Secrets

refresh_tokenwill reference the Dropbox refresh token.
secrets.client_id will reference the Client ID
secrets.client_secret will reference the Client Secret.

To add a Secret, open the Secret fields and click New secret:

Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.

Learn more about secrets in Onum in this article.

You can now select the secret you just created in the corresponding fields.

After entering the required parameters and secrets, you can choose to manually enter the Falcon API Alerts fields, or simply paste the given YAML:

Toggle this ON to enable a free text field where you can paste your CrowdStrike Falcon API YAML.

withTemporalWindow: true
temporalWindow:
  duration: 5m
  offset: 5m
  tz: UTC
  format: RFC3339
withAuthentication: true
authentication:
  type: token
  token:
    request:
      method: POST
      url: https://${parameters.domain}/oauth2/token
      headers:
        - name: Content-Type
          value: application/x-www-form-urlencoded
      bodyType: urlEncoded
      bodyParams:
        - name: grant_type
          value: refresh_token
        - name: refresh_token
          value: '${secrets.refresh_token}'
        - name: client_id
          value: '${secrets.client_id}'
        - name: client_secret
          value: '${secrets.client_secret}'
    tokenPath: ".access_token"
    authInjection:
      in: header
      name: Authorization
      prefix: 'Bearer '
      suffix: ''
withEnumerationPhase: false
collectionPhase:
  paginationType: "cursor"
  cursor: ".cursor"
  initialRequest:
    method: POST
    url: "https://${parameters.domain}/2/team_log/get_events"
    headers:
      - name: Content-Type
        value: application/json
    bodyType: raw
    bodyRaw: |
      {
        "time": {
            "start_time": "${temporalWindow.from}",
            "end_time": "${temporalWindow.to}"
        }
      }
  nextRequest:
    method: POST
    url: "https://${parameters.domain}/2/team_log/get_events/continue"
    headers:
      - name: Content-Type
        value: application/json
    bodyRaw: |
      {
        "cursor": "${pagination.cursor}" 
      }
  output:
    select: ".events"
    map: "."
    outputMode: element

This HTTP Pull Listener now uses the business API to extract events.

Click Create labels to move on to the next step and define the required Labels if needed.

PreviousIncidents NextCollect data from FortiRecon

Last updated 24 days ago

Was this helpful?

Good morning

Overview

Configuration

Parameters

Secrets