CrowdStrike Alerts

The Observo AI CrowdStrike Alerts Source enables seamless ingestion of security alert data from the CrowdStrike Falcon platform into Observo AI for real-time threat analysis and observability, supporting JSON-formatted alerts with OAuth2 authentication, checkpointing, pagination, and secure TLS communication.

Purpose

The Observo AI CrowdStrike Alerts Source enables users to pull alert data from the CrowdStrike Falcon platform into Observo AI for analysis and processing. This source supports ingesting security alerts, such as threat detections and incident notifications, typically in JSON format, and is designed for integration with SIEM, threat-hunting, and other security tools. This integration helps organizations streamline their security data pipelines, enhance threat detection, and optimize data processing for observability and analytics.

Prerequisites

Before configuring the CrowdStrike Alerts source in Observo AI, ensure the following requirements are met to facilitate seamless data ingestion:

  • Observo AI Platform Setup:

    • The Observo AI platform must be installed and operational, with support for CrowdStrike Alerts as a data source.

    • Verify that the platform supports JSON data formats, as CrowdStrike Alerts are typically delivered in JSON. Additional formats may require specific parser configurations.

  • CrowdStrike Falcon Account and API Access:

    • An active CrowdStrike Falcon account with access to the Falcon Alerts API is required. Contact your CrowdStrike team to obtain API credentials.

    • Obtain the API Client ID and API Client Secret for authentication with the Falcon API.

    • Ensure the account has permissions to access alert-related endpoints such as /alerts/queries/alerts/v1 or /alerts/entities/alerts/v1.

  • API Permissions:

    • Required API scopes for the CrowdStrike API credentials:

      • Alerts:read: To retrieve alert data.

      • Optionally, Alerts:write if actions on alerts such as updating status are needed.

    • Verify these permissions in the CrowdStrike Falcon console under API Clients and Keys.

  • Authentication:

    • Prepare the following authentication method:

      • OAuth2 Authentication: Use the CrowdStrike API Client ID and Client Secret to obtain an access token for API requests.

      • Store the Client Secret securely within Observo AI’s secure storage or as an environment variable.

  • Network and Connectivity:

    • Ensure Observo AI can communicate with the CrowdStrike Falcon API endpoint such as api.crowdstrike.com or region-specific endpoints like api.us-2.crowdstrike.com.

    • Check for firewall rules, proxy settings, or network policies that may block outbound HTTPS traffic to the CrowdStrike API on port 443.

Prerequisite
Description
Notes

Observo AI Platform

Must be installed and support CrowdStrike Alerts sources

Verify JSON support; additional parsers may be needed

CrowdStrike Falcon Account

Active account with API access

Obtain API Client ID and Secret from CrowdStrike

API Permissions

Required for accessing Alerts API

Include Alerts:read scope; Alerts:write optional

Authentication

OAuth2 with Client ID and Secret

Store credentials securely

Network

Connectivity to CrowdStrike API

Ensure HTTPS connectivity to API endpoint

Integration

The Integration section outlines the configurations for the CrowdStrike Alerts source. To configure CrowdStrike Alerts as a source in Observo AI, follow these steps to set up and test the data flow:

  1. Log in to Observo AI:

    • Navigate to the Sources tab.

    • Click the Add Source button and select Create New.

    • Choose CrowdStrike Alerts from the list of available sources to begin configuration.

  2. General Settings:

    • Name: A unique identifier for the source, such as crowdstrike-alerts-source-1.

    • Description (Optional): Provide a description for the source.

    • Endpoint: HTTP endpoint to collect data from. Supports templating with $LAST_VALUE$ when using checkpointing. Default: https://api.crowdstrike.com/alerts/combined/alerts/v1?

      Examples

      http://logs.example.com

      http://example.com/logs?since=$LAST_VALUE$

      Steps to access this Endpoint in the Falcon Console

      • Log in to the Falcon Console: Navigate to https://falcon.crowdstrike.com and sign in with your credentials.

      • Click on the Support menu (often represented by a question mark icon or found in the user profile dropdown).

      • Select API Clients and Keys.Within the API documentation section, navigate to the Alerts category.

      • Look for the POST /alerts/combined/alerts/v1 endpoint.

    • Collection Interval (Optional): Duration between consecutive data collection requests. Default: 1m

      Examples

      10s

      1m

    • Request Headers (Optional)): Headers to include in the HTTP request. Use the format {key: value}. Default: (Add additional key/value pairs as needed)

      Accept
      application/json

      Content-type

      application/json

    • Method: HTTP request method to use for requests. Supports GET and POST methods. Default: Post

    • Body: Request body for POST method. Supports templating with $LAST_VALUE$ when using checkpointing. Default: {"filter": "timestamp:>=$LAST_VALUE$"}

      Example

      {"query": "fetch_logs", "from": "$LAST_VALUE$"}

    • Response Log Path: JSON path to logs array in responses. Leave empty if the response is a direct array of logs. Default: resources

      Examples

      data

      resource.logs

  3. Authentication (Update Required):

    • Client ID: Enter the Client ID for OAuth2 authentication. Default: dummy-client-id

    • Client Secret: Client secret for OAuth2 authentication. Default: dummy-client

    • Token URL: URL to get the OAuth2 token. Default: https://api.crowdstrike.com/oauth2/token (adjust for region-specific endpoints).

    • Scopes (Optional): Scopes to request for OAuth2 authentication.

    • Authentication Headers: Headers to include in the HTTP request. Use the format {key: value} Default: (Add additional key/value pairs as needed)

  4. Checkpoint:

    • Enable Checkpoint (True): Enable incremental log collection using checkpointing.

    • Tracking Column: JSON path to the field used for tracking progress such as 'timestamp'. The value from the last log entry will be used. Default: created_timestamp

      Examples

      timestamp

      message.time

      Data.created_at

    • Initial Value: Starting value for the tracking column. Will be used for the first collection. Default: 2025-04-06T00:00:00Z

  5. Pagination:

    • Enable Pagination (False): Enable pagination support for handling paginated responses.

    • Pagination Type (Empty): Type of pagination to use. 'Page-Based' for traditional page numbers, 'Attribute-Based' for cursor or token-based pagination. Select either Page-Based or Attribute-Based.

      Options

      Page-Based

      Attribute-Based

    • Page Parameter Name: Query parameter name for the page number. Default: after

      Examples

      page (results in ?page=1)

      page_number

      pageNum

    • Size Parameter Name: Query parameter name for the page size. Default: limit

      Examples

      size (results in ?size=50)

      limit

      page_size

    • Page Size: Number of records to request per page. Default: 50

    • Start Page: Page number to start pagination from. Works in conjunction with zero-based setting. Default: 0

    • Maximum Pages: Maximum number of pages to retrieve in one collection cycle. Set to 0 for unlimited. Default: 50

    • Total Pages Path: JSON path to total pages count in response.

      Examples

      Meta.total_pages becomes {"meta": {"total_pages": 5}}

      pagination.pages

      Page_info.total

    • Total Count Path: JSON path to total pages count in response.

      Example

      meta.total_pages' for {"meta": {"total_pages": 5}}

    • Zero-Based Indexing (False): If true, page numbering starts at 0. If false, it starts at 1.

    • Response Attributes: JSON paths to attributes in the response body that contain next page information. Default: meta.pagination.after

      Examples: (Add additional as needed)

      meta.nextCursor (for cursor-based pagination)

      pagination.nextPage

      Links.next

    • Header Attributes: Names of HTTP headers that contain next page information.

      Examples: (Add additional as needed)

      X-Next-Page (for GitHub-style pagination)

      X-Next-Cursor

      Link

    • Request Interval: Time to wait between pagination requests. Use a duration string like '100ms' or '1s'. Default: 100ms

  6. TLS Configuration (Optional):

    • CA File: The CA certificate provided as an inline string in PEM format.

    • ​​Include System CA Certs Pool (True): Include the system CA certificates pool in the list of CAs used to verify the server certificate.

    • Cert File: Path to the TLS cert to use for TLS required connections.

    • Key File: Path to the TLS key to use for TLS required connections.

    • Insecure (True): Skip TLS verification when connecting to the endpoint. This is insecure and should not be used in production.

    • Insecure Skip Verify (True): Enable TLS but not verify the certificate.

    • Server Name Override: The server name to use to verify the hostname on the returned certificates.

  7. Advanced Settings (Optional):

    • Proxy URL: URL of the proxy server to use when connecting to the endpoint.

    • Read Buffer Size: Size of the read buffer in bytes.

    • Write Buffer Size: Size of the write buffer in bytes.

    • Timeout: Timeout for the HTTP request. Use a number followed by a unit, such as '30s' or '1m'. Default: 10s

    • Compression (Empty): Compression algorithm to use for the request body.

      Options (Select one)

      Gzip

      Zlib

      Deflat

      Snappy

      Zstd

      Lz4

    • Max Idle Connections: Maximum number of idle connections to keep open to the endpoint.

    • Idle Connection Timeout: Timeout for idle connections to the endpoint. Use a number followed by a unit, such as '30s' or '1m'.

    • HTTP 2 Read Idle Timeout: Timeout for HTTP/2 read idle connections to the endpoint. Use a number followed by a unit, such as '30s' or '1m'.

    • HTTP 2 Read Ping Timeout: Timeout for HTTP/2 read ping connections to the endpoint. Use a number followed by a unit, such as '30s' or '1m'.

  8. Parser Config:

    • Enable Source Log parser: (False)

    • Toggle Enable Source Log parser Switch to enable

      • Select appropriate Parser from the Source Log Parser dropdown

      • Add additional Parsers as needed

  9. Pattern Extractor:

    • Refer to Observo AI’s Pattern Extractor documentation for details on configuring pattern-based data extraction.

  10. Archival Destination:

    • Toggle Enable Archival on Source Switch to enable

    • Under Archival Destination, select from the list of Archival Destinations (Required)

  11. Save and Test Configuration:

    • Save the configuration settings in Observo AI.

    • Send sample alert data from the CrowdStrike Falcon API and verify that it is ingested into Observo AI, checking the Analytics tab for data flow.

Example Scenarios

GridNova, a fictitious utility company deploying millions of smart devices, uses CrowdStrike Falcon to monitor endpoint security across their IT infrastructure, including systems managing smart device communications. They want to ingest CrowdStrike alert data (e.g., threat detections in JSON format) from the Falcon API into Observo AI for real-time threat analysis and observability. The configuration uses the us-1 region API endpoint, OAuth2 authentication with CrowdStrike-provided credentials, checkpointing for incremental data collection, pagination to handle large alert volumes, and TLS for secure communication. This setup ensures GridNova can detect and respond to security threats impacting their smart device network, such as unauthorized access attempts or malware infections.

Standard CrowdStrike Alerts Source Setup

Here is a standard CrowdStrike Alerts Source configuration example. Only the required sections and their associated field updates are displayed in the table below:

General Settings

Field
Value
Notes

Name

crowdstrike-alerts-gridnova-1

Unique identifier for the CrowdStrike Alerts source, indicating GridNova’s security monitoring.

Description

Ingest CrowdStrike Falcon alerts for GridNova smart device threat detection

Optional, provides context for the source’s purpose.

Endpoint

https://api.crowdstrike.com/alerts/combined/alerts/v1?filter=timestamp:\>=$LAST_VALUE$

HTTP endpoint for collecting alerts, using $LAST_VALUE$ for checkpointing.

Collection Interval

1m

Default duration (1 minute) between data collection requests, suitable for real-time monitoring.

Request Headers

{ "Accept": "application/json", "Content-type": "application/json" }

Headers ensure JSON format for requests and responses.

Method

POST

Default HTTP method for sending requests with a body.

Body

{"filter": "timestamp:>=$LAST_VALUE$"}

POST request body using $LAST_VALUE$ for incremental alert fetching.

Response Log Path

resources

Default JSON path to the logs array in the API response.

Authentication

Field
Value
Notes

Client ID

gridnova-crowdstrike-2025-uuid123

CrowdStrike API Client ID for OAuth2 authentication, provided by CrowdStrike.

Client Secret

xyz789secret2025abcdefEXAMPLE

CrowdStrike API Client Secret, securely stored in Observo AI.

Token URL

https://api.crowdstrike.com/oauth2/token

OAuth2 token endpoint for the us-1 region, matching GridNova’s CrowdStrike setup.

Scopes

Alerts:read

Required scope to retrieve alert data; Alerts:write not needed for ingestion.

Authentication Headers

{ "grant_type": "client_credentials" }

Default headers for OAuth2 token requests, ensuring proper authentication.

Checkpoint

Field
Value
Notes

Enable Checkpoint

True

Enabled to support incremental log collection, preventing duplicate processing.

Tracking Column

created_timestamp

JSON path to the timestamp field for tracking alert progress.

Initial Value

2025-06-01T00:00:00Z

Starting timestamp for the first collection, ensuring all relevant alerts are captured.

Pagination

Field
Value
Notes

Enable Pagination

True

Enabled to handle paginated API responses for large alert volumes.

Pagination Type

Attribute-Based

Uses cursor-based pagination, common for CrowdStrike API.

Page Parameter Name

after

Default query parameter for cursor-based pagination (e.g., ?after=xyz).

Size Parameter Name

limit

Default query parameter for page size (e.g., ?limit=50).

Page Size

50

Default number of records per page, balancing throughput and API limits.

Start Page

0

Default starting page for pagination.

Maximum Pages

50

Default maximum pages per collection cycle, suitable for high-volume alerts.

Total Pages Path

meta.total_pages

JSON path to total pages in response (e.g., {"meta": {"total_pages": 5}}).

Total Count Path

meta.total_count

JSON path to total count of records in response.

Zero-Based Indexing

False

Page numbering starts at 1, per CrowdStrike API convention.

Response Attributes

meta.pagination.after

JSON path to the next page cursor (e.g., {"meta": {"pagination": {"after": "xyz"}}}).

Header Attributes

(Empty)

Not used, as CrowdStrike uses a response body for pagination.

Request Interval

100ms

Default interval between pagination requests, minimizing API rate limits.

TLS Configuration

Field
Value
Notes

CA File

-----BEGIN CERTIFICATE----- MIID... (PEM format)

Inline PEM string for the CA certificate, ensuring secure API communication.

Include System CA Certs Pool

True

Includes system CA certificates for verifying the CrowdStrike API server certificate.

Cert File

-----BEGIN CERTIFICATE----- MIIC... (PEM format)

Inline PEM string for the client certificate to identify Observo AI.

Key File

-----BEGIN PRIVATE KEY----- MIIE... (PEM format)

Inline PEM string for the private key, securely stored.

Insecure

True

Enables skipping TLS verification for testing; not recommended for production.

Insecure Skip Verify

True

Skips certificate verification for testing; set to False in production for security.

Server Name Override

api.crowdstrike.com

Server name to verify the hostname on returned certificates, matching the API endpoint.

Test Configuration:

  • Click “Save” to store the configuration settings in Observo AI.

  • Send sample alert data via the CrowdStrike Falcon API (e.g., simulated threat detections). Verify ingestion by monitoring the Analytics tab in the Observo AI pipeline for event counts and throughput.

Notes:

  • Authentication: The Client ID (gridnova-crowdstrike-2025-uuid123) and Client Secret (xyz789secret2025abcdefEXAMPLE) are fictional but follow CrowdStrike’s OAuth2 standards. GridNova must obtain these from the CrowdStrike Falcon console and store them securely in Observo AI.

  • TLS Configuration: PEM certificate/key strings are placeholders; actual values must be provided by CrowdStrike or GridNova’s security team. Insecure and Insecure Skip Verify are set to True for testing but should be False in production to ensure secure communication.

  • Checkpointing: Uses created_timestamp to track alerts incrementally, starting from 2025-06-01T00:00:00Z to capture relevant data. This prevents reprocessing and supports high-volume ingestion.

  • Pagination: Attribute-Based pagination with after and limit parameters handles large alert volumes efficiently, respecting CrowdStrike’s API rate limits.

  • Network: Ensure firewall rules allow HTTPS access to api.crowdstrike.com on port 443. Proxy settings should be verified if used.

  • Troubleshooting: If issues occur (e.g., “Invalid credentials” or “Rate limit exceeded”), verify the Client ID/Secret, API scopes, and adjust Collection Interval or Request Interval to avoid rate limits. Use the Analytics tab and CrowdStrike Falcon console for diagnostics, as per the Troubleshooting section.

  • Resources: Refer to CrowdStrike Resource Center and Falcon API documentation for additional guidance.

Troubleshooting

If issues arise with the CrowdStrike Alerts source in Observo AI, use the following steps to diagnose and resolve them:

  • Verify Configuration Settings:

    • Ensure all fields, such as API Region, Client ID, Client Secret, and Filter, are correctly entered and match the CrowdStrike Falcon account setup.

    • Confirm that the API Region matches your account’s region such as us-1, us-2, eu-1.

  • Check Authentication:

    • Verify that the API Client ID and Client Secret are valid and have not been revoked or expired.

    • Regenerate the API credentials in the CrowdStrike Falcon console if necessary and update the Observo AI configuration.

    • Ensure the API credentials have the required Alerts:read scope.

  • Validate Network Connectivity:

    • Check for firewall rules, proxy settings, or network policies that may block access to the CrowdStrike API endpoint such as api.crowdstrike.com.

    • Test connectivity using tools like curl or the CrowdStrike API client with similar proxy configurations to verify access to the Alerts API.

  • Common Error Messages:

    • "Inaccessible host": May indicate TLS version mismatches such as TLS 1.3 issues or DNS problems. Ensure the host supports the required TLS version and check DNS settings.

    • "Invalid credentials": Verify that the Client ID and Client Secret are correctly configured and have the necessary API scopes.

    • "Rate limit exceeded": Check the CrowdStrike API rate limits and adjust the Request Rate Limit Num or Poll Interval settings to avoid exceeding limits.

  • Monitor Logs and Data:

    • Verify that alert data is being ingested by monitoring Observo AI logs for errors or warnings related to API requests.

    • Use the Analytics tab in the targeted Observo AI pipeline to monitor data volume and ensure expected throughput.

    • Check the CrowdStrike Falcon console’s Alerts section to confirm the presence of alert data matching the configured filters.

Issue
Possible Cause
Resolution

Alerts not ingested

Incorrect API region or filter configuration

Verify API region and filter syntax

Authentication errors

Invalid or expired Client ID/Secret

Regenerate API credentials and update configuration

Connectivity issues

Firewall or proxy blocking access

Test network connectivity to API endpoint

"Inaccessible host"

TLS or DNS issues

Ensure TLS compatibility and check DNS

"Invalid credentials"

Authentication misconfiguration

Verify Client ID/Secret and API scopes

"Rate limit exceeded"

API request frequency too high

Adjust poll interval or rate limit settings

Resources

For additional guidance and detailed information, refer to the following resources:

PreviousCollectorNextCrowdStrike S3

Last updated

Was this helpful?