Event Stream
Enables real-time streaming of events from CrowdStrike Falcon Console, allowing continuous monitoring and analysis of security events for rapid incident response and threat detection.
Sync Type: Incremental
Requirements
- Before you connect Monad to CrowdStrike, you need a Client ID and Client Secret. Log in to your CrowdStrike portal and, under Support & Resources, click 'API Client and Keys' to create your credentials.
- Enter a Client Name, Description and API Scopes to define the API client. Ensure the read scope for Event Streams is enabled.
- Click Done.
- Copy the Client ID and Client Secret; you'll need them when you set up the Monad connector.
Details
Monad uses a StreamStates field on the CrowdStrike API to track the offset of each stream, so that it can resume from the last processed event the next time the input connector runs. If the input connector has never been run, it starts all streams based on the defined configuration.
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Member CID | string | No | In environments where an entity (like an MSSP) manages security for multiple clients, each client is typically assigned a unique CID. This identifier allows the managing entity to access and operate within the specific customer's environment. This is crucial for scenarios where operational isolation between different clients' data and configurations is necessary. |
| Cloud | string | No | Your cloud type for CrowdStrike. Ex: 'autodiscover', 'us-1', 'us-2', 'eu-1', 'us-gov-1'. |
| App Name | string | Yes | The application name Monad uses to connect to the CrowdStrike data stream. This name must be unique so it does not conflict with other applications connecting to the same stream. For example, if you have two stream input connections, they should not both be named 'monad'. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Client ID | string | Yes | Client ID for the CrowdStrike API. This is required to authenticate requests. |
| Client Secret | string | Yes | Client Secret for the CrowdStrike API. This is required to authenticate requests. |
Custom Schema Handling
If the source data doesn't align with any of the OpenSecurityControlFramework (OSCF) schemas, you can create a custom transformation using our JQ transform pipeline. For example:

```jq
{
  metadata: {
    schema_version: "1.0.0",
    custom_framework: "my_framework"
  },
  controls: .[]
}
```

Because `.[]` iterates over the input, this transform emits one object per element, each wrapped in the same metadata block. For more information on JQ and how to write your own JQ transformations, see the JQ documentation.
If you believe this data source should be included in the standard OSCF schema set, please reach out to our team at support@monad.com. We're always looking to expand our coverage of security control frameworks based on community needs.
Sample Record

```json
{
  "event": {
    "OperationName": "logged",
    "ServiceName": "api_request",
    "UTCTimestamp": 1720642757,
    "UserId": "",
    "UserIp": "48.123.130.94",
    "Success": true,
    "AuditKeyValues": [
      {
        "Key": "APIClientID",
        "ValueString": "675c9071-049f-b093-ccdc-98fa5c947d90"
      },
      {
        "Key": "request_content_type",
        "ValueString": "text/plain"
      },
      {
        "Key": "trace_id",
        "ValueString": "bd6c1953-ef70-46dc-a2f4-3424844eea4f"
      },
      {
        "Key": "cid",
        "ValueString": "7b96de6bd86847bd9dad470057cbbc6a"
      },
      {
        "Key": "consumes",
        "ValueString": "[text/plain]"
      },
      {
        "Key": "produces",
        "ValueString": "[text/plain]"
      },
      {
        "Key": "status_code",
        "ValueString": "201"
      }
    ]
  },
  "metadata": {
    "customerIDString": "7b96de6bd86847bd9dad470057cbbc6a",
    "offset": 1707,
    "version": "1.0",
    "eventType": "AuthActivityAuditEvent",
    "eventCreationTime": 1754955990492
  }
}
```
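The following is an added example, not Monad's or CrowdStrike's code, illustrating two things described on this page: the offset-based resume behaviour from the Details section (a consumer that records the last processed `metadata.offset` per stream and skips anything at or below it on the next run) and the shape of the Sample Record above (the `AuditKeyValues` list is flattened into a dict so fields such as `status_code` can be filtered on). The stream is assumed to arrive as newline-delimited JSON records in the sample's shape; the `StreamState` layout, the `stream-0` name and the extra constructed records are this example's own assumptions.

```python
"""Added example (not Monad's or CrowdStrike's code): resume an event-stream
consumer from stored per-stream offsets and flatten AuditKeyValues."""
import json
from typing import Dict, Iterator, List, Optional


def _record(offset: int, success: bool, status: str, client_id: str) -> dict:
    """Build a record in the page's Sample Record shape (values constructed)."""
    return {
        "event": {
            "OperationName": "logged",
            "ServiceName": "api_request",
            "UTCTimestamp": 1720642757,
            "UserId": "",
            "UserIp": "48.123.130.94",
            "Success": success,
            "AuditKeyValues": [
                {"Key": "APIClientID", "ValueString": client_id},
                {"Key": "request_content_type", "ValueString": "text/plain"},
                {"Key": "cid", "ValueString": "7b96de6bd86847bd9dad470057cbbc6a"},
                {"Key": "status_code", "ValueString": status},
            ],
        },
        "metadata": {
            "customerIDString": "7b96de6bd86847bd9dad470057cbbc6a",
            "offset": offset,
            "version": "1.0",
            "eventType": "AuthActivityAuditEvent",
            "eventCreationTime": 1754955990492,
        },
    }


# Constructed stream payload: the first record mirrors the page's sample
# (offset 1707, status 201); the other two are invented follow-on events.
SAMPLE_STREAM = "\n".join(json.dumps(r) for r in [
    _record(1707, True, "201", "675c9071-049f-b093-ccdc-98fa5c947d90"),
    _record(1708, True, "200", "675c9071-049f-b093-ccdc-98fa5c947d90"),
    _record(1709, False, "403", "675c9071-049f-b093-ccdc-98fa5c947d90"),
]) + "\n\n"  # trailing blank lines stand in for keep-alive newlines


def parse_stream(ndjson: str) -> Iterator[dict]:
    """Yield one record per non-blank line of newline-delimited JSON."""
    for line in ndjson.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def flatten_audit(event: dict) -> Dict[str, str]:
    """Turn the AuditKeyValues list into a plain key -> value dict."""
    return {kv["Key"]: kv.get("ValueString", "")
            for kv in event.get("AuditKeyValues", [])}


class StreamState:
    """Per-stream offsets, keyed by stream name (this example's own layout,
    standing in for the StreamStates field the page describes)."""

    def __init__(self, saved: Optional[Dict[str, int]] = None):
        self.offsets: Dict[str, int] = dict(saved or {})

    def consume(self, stream: str, ndjson: str) -> List[dict]:
        """Return only records past the stored offset and advance it."""
        last = self.offsets.get(stream, -1)
        fresh: List[dict] = []
        for rec in parse_stream(ndjson):
            off = rec["metadata"]["offset"]
            if off <= last:
                continue  # already processed on an earlier run
            last = off
            fresh.append(rec)
        if fresh:
            self.offsets[stream] = last
        return fresh


def failed_api_calls(records: List[dict]) -> List[Dict[str, str]]:
    """Flag audit events whose call failed or returned an HTTP error."""
    hits = []
    for rec in records:
        ev = rec["event"]
        fields = flatten_audit(ev)
        if not ev.get("Success", True) or fields.get("status_code", "0") >= "400":
            hits.append({"offset": str(rec["metadata"]["offset"]),
                         "client": fields.get("APIClientID", ""),
                         "status": fields.get("status_code", "")})
    return hits


def run_demo() -> dict:
    """First run processes everything; a second run with the persisted
    offsets sees nothing new from the same payload."""
    first = StreamState()
    batch1 = first.consume("stream-0", SAMPLE_STREAM)
    second = StreamState(first.offsets)  # as if reloaded from StreamStates
    batch2 = second.consume("stream-0", SAMPLE_STREAM)
    return {"first_run": len(batch1), "second_run": len(batch2),
            "offset": first.offsets["stream-0"],
            "failed": len(failed_api_calls(batch1))}


if __name__ == "__main__":
    print(run_demo())  # {'first_run': 3, 'second_run': 0, 'offset': 1709, 'failed': 1}
```

Persisting `StreamState.offsets` between runs is what makes the connector incremental: a restart replays the stream from the stored offset rather than from the beginning, and the flattened audit fields give a detection rule something simpler to match on than the raw key/value list.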