Universal Cloud REST API connector workflow for CrowdStrike Falcon Insight

You can customize your workflow and workflow parameters based on the default workflow.

A workflow is an XML document that describes the alert retrieval process. The workflow defines one or more parameters, which can be explicitly assigned values in the workflow XML or can derive values from the workflow parameter values XML document. The workflow consists of multiple actions that run sequentially.

CrowdStrike Falcon Insight default workflow

Use the following XML to populate the Workflow field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.

<?xml version="1.0" encoding="UTF-8" ?>
<!--
  Universal Cloud REST API workflow for CrowdStrike Falcon Insight detections.

  Each run: obtains an OAuth2 access token with the client credentials, pages through
  detection IDs whose date_updated or behaviors.timestamp falls in (/starttime, /endtime],
  fetches the detection summaries for each page, posts them as events, and, once the loop
  has completed, advances the /starttimeMilli bookmark to this run's end time and removes
  the token and raw responses from workflow state.
-->
<Workflow name="CrowdStrikeFalconInsight" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
    <Parameters>
        <!-- OAuth2 client ID; also used as the event source identifier in PostEvents below. -->
        <Parameter name="clientID" label="API client ID" required="true" />
        <!-- OAuth2 client secret, marked secret="true"; it appears only in the token request body. -->
        <Parameter name="clientSecret" label="API client secret" required="true" secret="true" />
        <!-- Host name without a scheme: every URL in this workflow is built as https://${/cloudHost}/... -->
        <Parameter name="cloudHost" label="The CrowdStrike cloud host" required="true" />
    </Parameters>

    <Actions>
        <!-- Presumably resets any status message left by SetStatus on a previous run. -->
        <ClearStatus />

        <!-- Page size for the detection ID query. Initialize rather than Set: unlike /offset below this
             value is not reset on every run (assumes Initialize leaves an existing stored value untouched). -->
        <Initialize path="/limit" value="100" />
        <!-- 0 is the latest detection in this API. Reset to 0 on every run.-->
        <Set path="/offset" value="0" />

        <!-- Bookmark: initialize the window start to 1 week back in milliseconds. On later runs the value
             stored by the Set at the end of the Actions is expected to be kept (assumes Initialize does
             not overwrite an existing value). -->
        <Initialize path="/starttimeMilli" value="${time() - (60000 * 60 * 24 * 7)}"/>
        <!-- Window end is always "now", recomputed on every run. -->
        <Set path="/endtimeMilli" value="${time()}"/>

        <!-- Format both bounds as UTC timestamps at whole-second precision for the filter below.
             The pattern carries no fractional seconds, so the millisecond bookmark is truncated; whether a
             detection updated inside the boundary second could be missed or repeated depends on how the
             API compares timestamps, which is not visible here. -->
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/starttimeMilli}" savePath="/starttime" />
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss'Z'" timeZone="UTC" time="${/endtimeMilli}" savePath="/endtime" />

        <!-- Request OAuth2 token: the client credentials are posted as form fields over HTTPS. The whole
             response, including body/access_token, is held in workflow state at /crowdstrikeDetections/auth
             until the Delete at the end of the run. -->
        <CallEndpoint url="https://${/cloudHost}/oauth2/token" method="POST" savePath="/crowdstrikeDetections/auth">
            <RequestHeader name="Content-Type" value="application/x-www-form-urlencoded" />
            <RequestHeader name="Accept" value="application/json" />
            <UrlEncodedFormRequestBody>
                <Parameter name="client_id" value="${/clientID}" />
                <Parameter name="client_secret" value="${/clientSecret}" />
            </UrlEncodedFormRequestBody>
        </CallEndpoint>

        <!-- Catch any status code other than 201 (successfully issued token).
             The Abort reason echoes the remote status code and message. -->
        <If condition="/crowdstrikeDetections/auth/status_code != 201">
            <Abort reason="${/crowdstrikeDetections/auth/status_code}: ${/crowdstrikeDetections/auth/status_message}" />
        </If>

        <!-- Filter ranges (date_updated > start and date_updated <= end) || (behaviors.timestamp > start and behaviors.timestamp <= end)
             Inside an attribute value "<" must be written as &lt; while ">" may stay literal, hence the mixed escaping. -->
        <Set path="/filter" value="date_updated:>'${/starttime}'+date_updated:&lt;='${/endtime}',behaviors.timestamp:>'${/starttime}'+behaviors.timestamp:&lt;='${/endtime}'"/>

        <!-- Page through detection IDs. The pagination paths in the condition are first populated by the
             CallEndpoint inside the loop, so this relies on DoWhile evaluating its body before the
             condition (assumed from the name; not verifiable from this document). -->
        <DoWhile condition="(/crowdstrikeDetections/detectionListResponse/body/meta/pagination/offset + /crowdstrikeDetections/detectionListResponse/body/meta/pagination/limit) &lt; /crowdstrikeDetections/detectionListResponse/body/meta/pagination/total"> <!-- offset + limit < total -->
            <!-- Query one page of detection IDs in the window, oldest update first, using the bearer token
                 obtained above. -->
            <CallEndpoint url="https://${/cloudHost}/detects/queries/detects/v1" method="GET" savePath="/crowdstrikeDetections/detectionListResponse">
                <BearerAuthentication token="${/crowdstrikeDetections/auth/body/access_token}" />

                <QueryParameter name="filter" value="${/filter}"/>
                <QueryParameter name="sort" value="date_updated.asc"/>
                <QueryParameter name="limit" value="${/limit}"/>
                <QueryParameter name="offset" value="${/offset}"/>

                <RequestHeader name="Accept" value="application/json" />
            </CallEndpoint>
            <!-- NOTE(review): both logs below read the response body before the status check that follows;
                 whether count() is safe on a missing body after a failed call is not shown here. The second
                 log writes the entire list response (detection IDs) at DEBUG. The auth response, which holds
                 the access token, is not logged anywhere in this workflow. -->
            <Log type="DEBUG" message="We received a total of ${count(/crowdstrikeDetections/detectionListResponse/body/resources)} Detection(s)." />
            <Log type="DEBUG" message="RESPONSE:&#xA;${/crowdstrikeDetections/detectionListResponse}" />

            <!-- Catch any status code other than 200 -->
            <If condition="/crowdstrikeDetections/detectionListResponse/status_code != 200">
                <Abort reason="${/crowdstrikeDetections/detectionListResponse/status_code}: ${/crowdstrikeDetections/detectionListResponse/status_message}" />
            </If>

            <!-- Get detection details for this page: the ID array from the list response is interpolated
                 directly into the JSON request body (assumes it renders as a JSON array). -->
            <If condition="count(/crowdstrikeDetections/detectionListResponse/body/resources) != 0">
                <CallEndpoint url="https://${/cloudHost}/detects/entities/summaries/GET/v1" method="POST" savePath="/crowdstrikeDetections/entityListResponse">
                    <BearerAuthentication token="${/crowdstrikeDetections/auth/body/access_token}" />

                    <RequestHeader name="Content-Type" value="application/json" />
                    <RequestHeader name="Accept" value="application/json" />
                    <RequestBody type="application/json" encoding="UTF-8">
                        {
                            "ids": ${/crowdstrikeDetections/detectionListResponse/body/resources}
                        }
                    </RequestBody>
                </CallEndpoint>

                <!-- Catch any status code other than 200. In this dialect Else is a sibling element that
                     follows its If (same shape as the outer If/Else below). -->
                <If condition="/crowdstrikeDetections/entityListResponse/status_code != 200">
                    <Abort reason="${/crowdstrikeDetections/entityListResponse/status_code}: ${/crowdstrikeDetections/entityListResponse/status_message}" />
                </If>
                <Else>
                    <SetStatus type="INFO" message="Successfully queried for events." />
                </Else>

                <!-- Post the events. The event source is the client ID (not the secret).
                     NOTE(review): this condition wraps count() in ${...} while the If above uses the bare
                     expression; presumably both forms evaluate the same, but one style should be used. -->
                <If condition="${count(/crowdstrikeDetections/entityListResponse/body/resources)} > 0">
                    <PostEvents path="/crowdstrikeDetections/entityListResponse/body/resources" source="${/clientID}" />
                </If>
            </If>
            <Else>
                <Log type="DEBUG" message="There were no detections to post in the selected time period. Continuing..."/>
            </Else>

            <!-- Update our new offset to be offset + count of returned resources, so the next page starts
                 after the IDs just processed. -->
            <Log type="DEBUG" message="Setting the new offset to be old offset [${/offset}] plus resources returned on this iteration [${count(/crowdstrikeDetections/detectionListResponse/body/resources)}], for a value of ${/offset + count(/crowdstrikeDetections/detectionListResponse/body/resources)}."/>

            <Set path="/offset" value="${/offset + count(/crowdstrikeDetections/detectionListResponse/body/resources)}"/>
        </DoWhile>
        <!-- Update the bookmark for next start time to current time. This runs only after the loop has
             completed, so an earlier Abort (assuming Abort stops the run) leaves the bookmark untouched and
             the same window is retried next run. -->
        <Set path="/starttimeMilli" value="${/endtimeMilli}" />
        <!-- Remove the token and the raw responses from workflow state once the run is done.
             NOTE(review): an Abort above skips these Deletes; whether the auth response (with the access
             token) is then retained in stored state depends on Abort semantics not shown here. -->
        <Delete path="/crowdstrikeDetections/auth" />
        <Delete path="/crowdstrikeDetections/detectionListResponse" />
        <Delete path="/crowdstrikeDetections/entityListResponse" />
    </Actions>

    <!-- Connectivity tests against the configured host: DNS resolution, TCP connect, TLS handshake and an
         HTTPS request through the configured proxy. -->
    <Tests>
        <DNSResolutionTest host="${/cloudHost}"/>
        <TCPConnectionTest host="${/cloudHost}"/>
        <SSLHandshakeTest host="${/cloudHost}" />
        <HTTPConnectionThroughProxyTest url="https://${/cloudHost}"/>
    </Tests>
</Workflow>

CrowdStrike Falcon Insight default workflow parameters

Use the following XML to populate the Workflow Parameter Values field in the Universal Cloud REST API connector parameters section.

Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into a text file. Replace the placeholders <your-client-id>, <your-client-secret>, and <your-cloud-base-url> with your own values. Then copy the updated content into the Workflow Parameter Values field.

<?xml version="1.0" encoding="UTF-8" ?>
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
        <!-- Replace each <your-...> placeholder before use: a literal "<" is not well-formed inside an
             attribute value, so this document only parses once the placeholders are substituted.
             clientSecret is the API credential; the filled-in copy of this file is sensitive. -->
        <Value name="clientID" value="<your-client-id>"/>
        <Value name="clientSecret" value="<your-client-secret>"/>
        <!-- Host name without a scheme: the workflow builds its URLs as https://${/cloudHost}/... -->
        <Value name="cloudHost" value="<your-cloud-base-url>"/>
</WorkflowParameterValues>