manifest.yml
title: Collect Alert logs from CrowdStrike.
type: logs
streams:
  - input: cel
    title: Falcon Alerts
    description: Collect Unified Alerts from CrowdStrike Falcon Intelligence.
    enabled: false
    template_path: cel.yml.hbs
    vars:
      - name: initial_interval
        type: text
        title: Initial Interval
        description: How far back to pull the Alert logs from CrowdStrike. Supported units for this parameter are h/m/s.
        multi: false
        required: true
        show_user: true
        default: 24h
      - name: interval
        type: text
        title: Interval
        description: Duration between requests to the CrowdStrike API. Supported units for this parameter are h/m/s.
        default: 5m
        multi: false
        required: true
        show_user: true
      - name: batch_size
        type: integer
        title: Batch Size
        description: Batch size for the response of the CrowdStrike API. It must be between 1 - 10000.
        default: 10000
        multi: false
        required: true
        show_user: false
      - name: http_client_timeout
        type: text
        title: HTTP Client Timeout
        description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
        multi: false
        required: true
        show_user: false
        default: 30s
      - name: query
        type: text
        title: FQL Query
        description: This is an additional FQL query that may be included in requests to the API. You should not include any reference to the `timestamp` property. See the [FalconPy documentation](https://www.falconpy.io/Usage/Falcon-Query-Language.html) for details.
        multi: false
        required: false
        show_user: false
      - name: enable_request_tracer
        type: bool
        title: Enable request tracing
        multi: false
        required: false
        show_user: false
        description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_filename) for details.
      - name: tags
        type: text
        title: Tags
        multi: true
        required: true
        show_user: false
        default:
          - forwarded
          - crowdstrike-alert
      - name: preserve_original_event
        required: true
        show_user: true
        title: Preserve original event
        description: Preserves a raw copy of the original event, added to the field `event.original`.
        type: bool
        multi: false
        default: false
      - name: preserve_duplicate_custom_fields
        required: true
        show_user: false
        title: Preserve duplicate custom fields
        description: Preserve crowdstrike.alert fields that were copied to Elastic Common Schema (ECS) fields.
        type: bool
        multi: false
        default: false
      - name: processors
        type: yaml
        title: Processors
        multi: false
        required: false
        show_user: false
        description: >-
          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.