Parameters for CrowdStrike Intelligence collector

Example:

{
  "global_overrides": {
    "debug": false
  },
  "inputs": {
    "crowdstrike": {
      "id": "<short_unique_id>",
      "enabled": true,
      "override_base_url": "<override_base_url_value>",
      "credentials": {
        "client_id": "<client_id_value>",
        "secret_key": "<secret_key_value>"
      },
      "services": {
        "incidents": {
          "request_period_in_seconds": "<request_period_in_seconds_value>",
          "start_timestamp_in_epoch_seconds": "<start_timestamp_in_epoch_seconds_value>"
        },
        "hosts": {
          "request_period_in_seconds": "<request_period_in_seconds_value>",
          "start_timestamp_in_epoch_seconds": "<start_timestamp_in_epoch_seconds_value>"
        },
        "vulnerabilities": {
          "request_period_in_seconds": "<request_period_in_seconds_value>",
          "start_timestamp_in_epoch_seconds": "<start_timestamp_in_epoch_seconds_value>"
        },
        "behaviors": {
          "request_period_in_seconds": "<request_period_in_seconds_value>",
          "start_timestamp_in_epoch_seconds": "<start_timestamp_in_epoch_seconds_value>"
        },
        "filevantage": {
          "request_period_in_seconds": "<request_period_in_seconds_value>",
          "start_timestamp_in_epoch_seconds": "<start_timestamp_in_epoch_seconds_value>"
        },
        "alerts": {
          "request_period_in_seconds": "<request_period_in_seconds_value>",
          "start_timestamp_in_epoch_seconds": "<start_timestamp_in_epoch_seconds_value>"
        },
        "indicators": {
          "start_timestamp_in_epoch_seconds": "<start_timestamp_in_epoch_seconds_value>"
        },
        "estream": {
          "request_period_in_seconds": "<request_period_in_seconds_value>",
          "reset_persistence_auth": "<reset_persistence_auth_value>",
          "override_offset_save_batch_size_in_events": "<override_offset_save_batch_size_in_events_value>",
          "override_max_seconds_after_last_ingestion": "<override_max_seconds_after_last_ingestion_value>",
          "initial_partition_offsets": {
            "<partition_id_value>": "<partition_offset_value>"
          },
          "tagging_version": "<tagging_version_value>",
          "additional_tag_mappings": {
            "<lowercased_event_type_value>": "<fourth_tag_level_value>"
          }
        }
      }
    }
  }
}

Replace the placeholders with the required values:

Each parameter is listed with its data type, requirement, value range / format and description.

short_unique_id
  Data type: int
  Requirement: Mandatory
  Value range / format: Min length: 1
  Description: Use this parameter to give a unique id to this input service.

override_base_url_value
  Data type: str
  Requirement: Optional
  Value range / format: Min length: 1
  Description: By default, the base URL is https://api.crowdstrike.com. This parameter allows you to customize the base URL.
  This parameter should be removed if it is not used.

client_id_value
  Data type: str
  Requirement: Mandatory
  Value range / format: Min length: 1
  Description: User Client ID used to authenticate to the service.

secret_key_value
  Data type: str
  Requirement: Mandatory
  Value range / format: Min length: 1
  Description: User Secret Key used to authenticate to the service.

request_period_in_seconds_value
  Data type: int
  Requirement: Optional
  Value range / format: Must be > 0
  Description: By default, this service runs every 600 seconds. This parameter allows you to customize that interval.
  This parameter should be removed if it is not used.

start_timestamp_in_epoch_seconds_value
  Data type: int
  Requirement: Mandatory
  Value range / format: Unix timestamp in seconds. Minimum value: 1609455600. Maximum value: Now()
  Description: Initial point in time from which data is fetched from the endpoint.
  Updating this value will cause the loss of all persisted data and current pipelines. Missing or duplicate data is a possibility.

reset_persistence_auth_value
  Data type: str
  Requirement: Optional
  Value range / format: YYYY-MM-DDTHH:mm:ss.SSSZ. Maximum value: current date
  Description: This parameter allows you to clear the persistence of the collector and restart the download pipeline. Updating this value will cause the loss of all persisted data and current pipelines. Missing or duplicate data is a possibility.
  This parameter should be removed if it is not used.

override_offset_save_batch_size_in_events_value
  Data type: int
  Requirement: Optional
  Value range / format: Minimum value: 1. Maximum value: 1000
  Description: Although the stream service uses a streaming API (events are fetched continuously, one by one), the collected events are sent in batches for better performance. This parameter controls the number of items sent per batch. The default value is 10.
  This parameter should be removed if it is not used.

override_max_seconds_after_last_ingestion_value
  Data type: int
  Requirement: Optional
  Value range / format: Minimum value: 1. Maximum value: 1000
  Description: If the collector has not ingested a batch of events in the last n seconds, the connection is closed and all the streams are restarted. This parameter configures that time span.
  This parameter should be removed if it is not used.

partition_offset_value
  Data type: object
  Requirement: Optional
  Value range / format: It has the following structure:
    "initial_partition_offsets": {"<partition_id_value>": "<partition_offset_value>"}
  Where:
    • <partition_id_value>: The partition ID (0, 1, 2…) that will use this initial offset.
    • <partition_offset_value>: The initial offset. This offset itself is not ingested; ingestion starts from the next offset.
  Description: The CrowdStrike Event Stream is partitioned, and each partition streams its own events and therefore manages its own event offset. You can specify an initial offset from which to start receiving events when querying for events. This parameter allows you to define initial offsets for the initial run of this service or when the state is being reset.
  This parameter should be removed if it is not used.

tagging_version_value
  Data type: str
  Requirement: Optional
  Value range / format: A version string (like "1.3.0") or "latest".
  Description: This parameter selects the tagging mechanism, which each release may change.
    1. If you want to keep the original tagging mechanism, remove this parameter.
    2. If you want to use the specific mechanism introduced in a certain release, set that version.
    3. If you want to always use the latest tagging mechanism, without backwards compatibility, use latest.
  This parameter should be removed if it is not used.

additional_tag_mappings_value
  Data type: object
  Requirement: Optional
  Value range / format: It has the following structure:
    "additional_tag_mappings": {"<lowercased_event_type_value>": "<fourth_tag_level_value>"}
  Where:
    • <lowercased_event_type_value>: The event's metadata.eventType JSON property, lowercased.
    • <fourth_tag_level_value>: The fourth level of the edr.crowdstrike.falconstreaming.{value} tag.
  Description: If you want certain events that are not covered by the default mappings to go to a custom destination tag, you can set it up using this parameter.
  This parameter should be removed if it is not used.
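A small checker that applies the constraints from the parameter table above to a filled-in configuration, so that a bad value is caught before the collector is deployed and its persistence is (re)built. This is an added example, not code from the collector or its vendor: the function name validate_crowdstrike_config, the constructed SAMPLE_CONFIG (placeholder credentials) and the rule that override_base_url must use https (credentials are sent to that host; the table itself only requires a non-empty string) are this example's own assumptions.

```python
"""Check a filled-in CrowdStrike collector configuration against the constraints
in the parameter table (added example, not collector code)."""
import re
import time
from datetime import datetime, timezone

EPOCH_MIN = 1609455600                 # table: minimum start_timestamp_in_epoch_seconds
RESET_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"    # table: YYYY-MM-DDTHH:mm:ss.SSSZ
VERSION_RE = re.compile(r"^(\d+(\.\d+)*|latest)$")   # "1.3.0" or "latest"


def _is_int(v):
    # bool is a subclass of int in Python; reject it explicitly
    return isinstance(v, int) and not isinstance(v, bool)


def _non_empty_str(v):
    return isinstance(v, str) and len(v) >= 1


def _check_period(svc, name, problems):
    if "request_period_in_seconds" in svc:
        p = svc["request_period_in_seconds"]
        if not _is_int(p) or p <= 0:
            problems.append(f"services.{name}.request_period_in_seconds must be an int > 0")


def _check_estream(svc, now, problems):
    _check_period(svc, "estream", problems)
    if "reset_persistence_auth" in svc:
        try:
            ts = datetime.strptime(svc["reset_persistence_auth"], RESET_FMT)
            if ts.replace(tzinfo=timezone.utc).timestamp() > now:
                problems.append("estream.reset_persistence_auth must not be in the future")
        except (TypeError, ValueError):
            problems.append("estream.reset_persistence_auth must match YYYY-MM-DDTHH:mm:ss.SSSZ")
    for key in ("override_offset_save_batch_size_in_events",
                "override_max_seconds_after_last_ingestion"):
        if key in svc and not (_is_int(svc[key]) and 1 <= svc[key] <= 1000):
            problems.append(f"estream.{key} must be an int between 1 and 1000")
    for pid, off in svc.get("initial_partition_offsets", {}).items():
        # partition ids are "0", "1", ...; the example quotes the offset as a string
        if not (isinstance(pid, str) and pid.isdigit() and str(off).isdigit()):
            problems.append(f"estream.initial_partition_offsets[{pid!r}] must map a numeric "
                            "partition id to a numeric offset")
    if "tagging_version" in svc and not (isinstance(svc["tagging_version"], str)
                                         and VERSION_RE.match(svc["tagging_version"])):
        problems.append('estream.tagging_version must be a version like "1.3.0" or "latest"')
    for etype, level in svc.get("additional_tag_mappings", {}).items():
        if etype != etype.lower() or not _non_empty_str(level):
            problems.append(f"estream.additional_tag_mappings[{etype!r}]: the event type must be "
                            "lowercased and map to a non-empty tag level")


def validate_crowdstrike_config(config, now=None):
    """Return the list of problems found; an empty list means the config is valid."""
    now = int(time.time()) if now is None else now
    problems = []
    cs = config.get("inputs", {}).get("crowdstrike")
    if not isinstance(cs, dict):
        return ["inputs.crowdstrike section is missing"]
    if not _is_int(cs.get("id")):
        problems.append("id must be an int")
    if not isinstance(cs.get("enabled"), bool):
        problems.append("enabled must be true or false")
    url = cs.get("override_base_url", "https://api.crowdstrike.com")
    # Assumption beyond the table: credentials travel to this host, so refuse plain http.
    if not _non_empty_str(url) or not url.startswith("https://"):
        problems.append("override_base_url must be a non-empty https:// URL")
    creds = cs.get("credentials", {})
    for key in ("client_id", "secret_key"):
        if not _non_empty_str(creds.get(key)):
            problems.append(f"credentials.{key} is mandatory and must be a non-empty string")
    for name, svc in cs.get("services", {}).items():
        if name == "estream":
            _check_estream(svc, now, problems)
            continue
        ts = svc.get("start_timestamp_in_epoch_seconds")
        if not _is_int(ts) or not EPOCH_MIN <= ts <= now:
            problems.append(f"services.{name}.start_timestamp_in_epoch_seconds must be an int "
                            f"between {EPOCH_MIN} and now")
        _check_period(svc, name, problems)
    return problems


# Constructed sample configuration; the credentials are placeholders, not real ones.
SAMPLE_CONFIG = {
    "global_overrides": {"debug": False},
    "inputs": {"crowdstrike": {
        "id": 1, "enabled": True,
        "credentials": {"client_id": "EXAMPLE_CLIENT_ID", "secret_key": "EXAMPLE_SECRET"},
        "services": {
            "incidents": {"request_period_in_seconds": 300,
                          "start_timestamp_in_epoch_seconds": 1672531200},
            "indicators": {"start_timestamp_in_epoch_seconds": 1672531200},
            "estream": {"override_offset_save_batch_size_in_events": 50,
                        "initial_partition_offsets": {"0": "12345"},
                        "tagging_version": "latest",
                        "additional_tag_mappings": {"customevent": "custom"}},
        },
    }},
}

if __name__ == "__main__":
    for line in validate_crowdstrike_config(SAMPLE_CONFIG) or ["config is valid"]:
        print(line)
```

Run it against the configuration you are about to deploy; every reported problem corresponds to a row of the table, so the fix is the value range listed there. Passing `now` explicitly makes the "Maximum value: Now()" checks reproducible in tests.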
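The three estream rows (initial_partition_offsets, override_offset_save_batch_size_in_events and override_max_seconds_after_last_ingestion) describe one checkpointing loop: resume after the configured offset, send events in batches, persist the offset once a batch is sent, and restart the streams after an idle period. The following simplified model, written as an added example and not the collector's own implementation, makes that interaction visible, in particular why events received after the last saved offset are read again after a restart. The class name EstreamCheckpointer, the events and the assumption that a partition with no configured offset starts at offset 0 are this example's own.

```python
"""Simplified model of the estream checkpoint behaviour described in the table
(added example, not the collector's code)."""


class EstreamCheckpointer:
    def __init__(self, initial_partition_offsets, batch_size=10, max_idle_seconds=60, now=0):
        # The config stores partition ids and offsets as strings; keep ints internally.
        self.saved = {int(p): int(o) for p, o in initial_partition_offsets.items()}
        self.batch_size = batch_size              # default of 10 per the table
        self.max_idle_seconds = max_idle_seconds  # override_max_seconds_after_last_ingestion
        self.pending = []                         # received but not yet sent
        self.sent_batches = []                    # batches handed to the destination
        self.last_ingestion = now
        self.restarts = 0

    def start_offset(self, partition):
        """First offset to request: the configured offset itself is excluded.
        Assumption: a partition with no configured offset starts at 0."""
        return self.saved.get(partition, -1) + 1

    def accept(self, partition, offset, event, now):
        """Queue one streamed event; return False if it is at or before the saved offset."""
        if offset < self.start_offset(partition):
            return False
        self.pending.append((partition, offset, event))
        if len(self.pending) >= self.batch_size:
            self._flush(now)
        return True

    def _flush(self, now):
        batch, self.pending = self.pending, []
        self.sent_batches.append(batch)
        # Offsets are persisted only for events that were actually sent.
        for partition, offset, _ in batch:
            self.saved[partition] = max(self.saved.get(partition, -1), offset)
        self.last_ingestion = now

    def tick(self, now):
        """Idle watchdog: close and restart the streams when no batch was ingested in
        max_idle_seconds. Unsent events are dropped and re-read from the saved offsets."""
        if now - self.last_ingestion > self.max_idle_seconds:
            self.pending = []
            self.last_ingestion = now
            self.restarts += 1
            return True
        return False


if __name__ == "__main__":
    # Constructed run: partition 0 resumes after offset 100, batches of 3, 30 s watchdog.
    cp = EstreamCheckpointer({"0": "100"}, batch_size=3, max_idle_seconds=30, now=0)
    for offset in range(100, 105):
        accepted = cp.accept(0, offset, f"event-{offset}", now=1)
        print(f"offset {offset}: accepted={accepted} saved={cp.saved[0]}")
    restarted = cp.tick(now=40)
    print(f"restarted={restarted}; stream resumes at offset {cp.start_offset(0)}")
```

A large batch size means fewer sends but a longer window of events that are re-read after a restart; a small one persists offsets more often at the cost of more, smaller batches. That trade-off is what the 1 to 1000 range of override_offset_save_batch_size_in_events lets you tune.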