How to create an API alert via CrowdStrike Webhook

Hello together,

I'm quite new with OpsGenie and APIs, so sorry for a maybe stupid question.

At the moment I'm trying to utilize our Security Solution CrowdStrike Falcon to send notifications via a workflow ((1) New Messages! (crowdstrike.com)).

When a new alert is detected the dedicated notification group should be informed. This happens via a configured WebHook at CrowdStrike Falcon. For this Webhook I need an API URL to create an alert on the OpsGenie side. I've created the API integration for this in OpsGenie and have my API key.

Now I'm thinking that my URL is maybe not correct, but I'm not able to determine where my fault is there now. Also I need to use the EU cloud (https://api.eu.opsgenie.com) for the URL.

Who, I hope I wrote it as clear as possible and it would be great when someone maybe has a hint for me.

Thanks a lot, Alexander

3 answers

1 vote

Hi Alexander,
 
Great question! Since Opsgenie does not have a pre-built integration with CrowdStrike, it sounds like you are on the right track leveraging the Opsgenie default API Integration to integrate with this external system. Using the API Integration, if you want to send alerts from CrowdStrike to Opsgenie, you will have to make API requests to the Opsgenie alert API from CrowdStrike, using the Opsgenie fields. Details on how to format the requests to our Alert API can be found here: https://docs.opsgenie.com/docs/alert-api
 
The HTTP POST request URL should be: https://api.eu.opsgenie.com/v2/alerts

Hope this helps! Please let me know if you still have questions regarding this API integration.

 

Best,

Skyler

Hello Skyler,

thank you very much for your assistance here. It's still not running and I assume it's something in the json https://api.eu.opsgenie.com/v2/alerts -H "Content-Type: application/json" -H ... but I'm not sure. It's new for me and I have not done much with APIs in the past...

Best regards and sorry for the delay,

Alexander

Hi Alexander, 

 

Happy to help, and thank you for providing this update. The endpoint is https://api.eu.opsgenie.com and the Headers required are the Authorization: GenieKey [API Key that you copied from the integration] & Content-Type: application/json.


Then, you would need to format the body of the request with the Opsgenie alert fields (message, alias, description, etc.). If CrowdStrike is not able to make requests in this format, then you could also instead try setting up the integration via email if Crowdstrike can send out emails for alerts. Please let me know if you have any questions on any of the items I've mentioned here, and hopefully this gets you pointed in the right direction!

 

Best regards,

Skyler

Hi Skyler,

It so happens to be that I'm actually picking up after Alexander here so I'd like to follow up on this.

Let's say that API key header can be provided (as ?apiKey=xxx-xxx-xx, as described by Matthew below) and content type is indeed application/json. Is there a way to transform the received whatever key/value json body structure before feeding it to Opsgenie on the Opsgenie side? That is to say Crowdstrike just spurts out whatever they have configured so can this be leveraged on the Opsgenie side or that's not on par with how REST API works (complete newbie here).

Btw, this is the error I'm getting when trying to send something to the Opsgenie API integration:

{
  "response_body": {
    "errors": {
      "message": "Message can not be empty."
    },
    "message": "Request body is not processable. Please check the errors.",
    "requestId": "a3c12231-4610-4718-864e-dc4693939c61",
    "took": 0.001
  }
}

 

Thanks,
Art

I heard back from CrowdStrike that they could not support it....so I wrote an integration myself that uses AWS Lambda to reformat the API call.  (I'm trying to guilt them into supporting OpsGenie themselves).

You can find the code and directions for setting it up here:  https://github.com/flakshack/crowdstrike-opsgenie-relay

I'm also working on this and have opened a case with CrowdStrike.  I'm able to create an alert in OpsGenie using the API via curl and Postman without any problems.

As you discovered, the only configurations on the CrowdStrike side are the URL of the web-hook, and later in the notifications workflow, the ability to choose which data fields it will POST to the web-hook.

As I see it, this presents 2 problems:

1.  Without the ability to authenticate via header, we'd need to be able to pass the "Authorization" API key on the URL. 

My coworker discovered that this can be solved by putting the Authorization header on the URL using the apiKey parameter (which works from curl).  For example:

https://api.opsgenie.com/v2/alerts?apiKey=000000-00000-00000-0000-0000000000

 

2.  We need to be able to map the fields from CrowdStrike (i.e.  "Hostname", "Action taken", "Command Line", "Severity", "IP Address", etc.) to the correct fields in OpsGenie.

From Skyler's reply above, I would assume that there is no mechanism in OpsGenie to perform this field-mapping or templating.  I'm waiting for a reply from CrowdStrike, but I assume the answer is that this is not possible.
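The field mapping discussed in this thread, as an added example (not code from any poster and not the linked relay project): a relay step that turns a CrowdStrike-style webhook body into an Opsgenie alert body, so that "message" is never empty, and sends the key in the Authorization: GenieKey header. The sample event, the severity-to-priority table and the function names are assumptions; the source field names are the ones listed above.

```python
import hashlib
import json
import urllib.request

OPSGENIE_ALERTS_URL = "https://api.eu.opsgenie.com/v2/alerts"  # EU endpoint from the thread

# Assumed mapping of CrowdStrike severity names to Opsgenie priorities (P1..P5).
SEVERITY_TO_PRIORITY = {"Critical": "P1", "High": "P2", "Medium": "P3",
                        "Low": "P4", "Informational": "P5"}

# Constructed sample of what the webhook might POST; not real CrowdStrike output.
SAMPLE_EVENT = {"Hostname": "WS-0042", "Severity": "High",
                "Action taken": "Process blocked",
                "Command Line": "powershell.exe -enc <redacted>",
                "IP Address": "10.0.0.15"}


def to_opsgenie_alert(cs_event: dict) -> dict:
    """Map an arbitrary key/value webhook body onto Opsgenie alert fields."""
    host = str(cs_event.get("Hostname") or "unknown host")
    severity = str(cs_event.get("Severity") or "")
    action = str(cs_event.get("Action taken") or "n/a")
    # "message" is mandatory (an empty one is rejected); Opsgenie caps it at 130 chars.
    message = f"CrowdStrike {severity or 'alert'} on {host}: {action}"[:130]
    # A stable alias lets Opsgenie de-duplicate repeats of the same detection.
    fingerprint = json.dumps([host, severity, cs_event.get("Command Line")])
    alias = "crowdstrike-" + hashlib.sha256(fingerprint.encode()).hexdigest()[:32]
    # Keep every non-empty source field as a string-valued detail.
    details = {str(k): str(v) for k, v in cs_event.items() if v not in (None, "")}
    return {"message": message, "alias": alias,
            "description": "\n".join(f"{k}: {v}" for k, v in details.items()),
            "priority": SEVERITY_TO_PRIORITY.get(severity, "P3"),
            "source": "CrowdStrike Falcon", "details": details}


def build_request(cs_event: dict, api_key: str) -> urllib.request.Request:
    """Build (but do not send) the POST; the key travels in a header, not the URL."""
    body = json.dumps(to_opsgenie_alert(cs_event)).encode("utf-8")
    return urllib.request.Request(
        OPSGENIE_ALERTS_URL, data=body, method="POST",
        headers={"Authorization": f"GenieKey {api_key}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    req = build_request(SAMPLE_EVENT, "REPLACE-WITH-INTEGRATION-KEY")
    print(req.full_url)
    print(json.dumps(json.loads(req.data), indent=2))
```

Pass the returned request to urllib.request.urlopen() from the relay to actually create the alert.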
