Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

How to create and API alert via CrowdStrike Webhook

Alexander.Grimm
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
August 27, 2021

Hello together,

I´m quite new with OpsGenie and APIs, so sorry for a maybe stupid question.

At the moment I´m trying to utilize our Security Solution CrowdStrike Falcon to send notifications via a workflow ((1) New Messages! (crowdstrike.com)).

When a new alert is detected the dedicated notification group should be informed. This happens via configured WebHook at CrowdStrike Falcon. For this Webhook I need an API URL to create an alert on OpsGenie side. I´ve create in OpsGenie the API integration for this and have my API key.

Now I´m thinking that my URL is maybe not correct but I´m not able to determine where my fault is there now. Also I need to use EU cloud (https://api.eu.opsgenie.com) for the URL.

Who, I hope I wrote it as clear as possible and it would be great when someone maybe has a hint for me.

Thanks a lot, Alexander

3 answers

1 vote
Skyler Ataide
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 27, 2021

Hi Alexander,
 
Great question! Since Opsgenie does not have a pre-built integration with CrowdStrike, it sounds like you are on the right track leveraging the Opsgenie default API Integration to integrate with this external system. Using the API Integration, if you want to to send alerts from CrowdStrike to Opsgenie, you will have to make API requests to Opsgenie alert API from CrowdStrike, using the Opsgenie fields. Details on how to format the requests to our Alert API can be found here: https://docs.opsgenie.com/docs/alert-api
 
The HTTP POST request URL should be: https://api.eu.opsgenie.com/v2/alerts

Hope this helps! Please let me know if you still have questions regarding this API integration.

 

Best,

Skyler

Alexander.Grimm
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
September 23, 2021

Hello Skyler,

thank you very much for your assistance here. It´s still not running and I assume it´s something in the json https://api.eu.opsgenie.com/v2/alerts -H "Content-Type: application/json" -H ... but I´m not sure. It´s new for me and I did not so many in the past with API...

Best regards and sorry for the delay,

Alexander

Skyler Ataide
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 24, 2021

Hi Alexander, 

 

Happy to help, and thank you for providing this update. The endpoint is https://api.eu.opsgenie.com and the Headers required are the Authorization: GenieKey [API Key that you copied from the integration] & Content-Type: application/json.


Then, you would need to format the body of the request with the Opsgenie alert fields (message, alias, description, etc.). If CrowdStrike is not able to make requests in this format, then you could also instead try setting up the integration via email if Crowdstrike can send out emails for alerts. Please let me know if you have any questions on any of the items I've mentioned here, and hopefully this gets you pointed in the right direction!

 

Best regards,

Skyler

Artjoms Iljins
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
January 19, 2022

Hi Skyler,

It so happens to be that I'm actually picking up after Alexander here so I'd like to follow up on this.

Let's say that API key header can be provided (as ?apiKey=xxx-xxx-xx, as described by Matthew below) and content type is indeed application/json. Is there a way to transform the received whatever key/value json body structure before feeding it to Opsgenie on the Opsgenie side? That is to say Crowdstrike just spurts out whatever they have configured so can this be leveraged on the Opsgenie side or that's not on par with how REST API works (complete newbie here).

Btw, this is the error I'm getting when trying to send something to the Opsgenie API integration:

{
  "response_body": {
    "errors": {
      "message": "Message can not be empty."
    },
    "message": "Request body is not processable. Please check the errors.",
    "requestId": "a3c12231-4610-4718-864e-dc4693939c61",
    "took": 0.001
  }
}

 

Thanks,
Art

0 votes
M. Scott Vintinner October 5, 2021

I heard back from CrowdStrike that they could not support it....so I wrote an integration myself that uses AWS Lambda to reformat the API call.  (I'm trying to guilt them into supporting OpsGenie themselves).

You can find the code and directions for setting it up here:  https://github.com/flakshack/crowdstrike-opsgenie-relay

0 votes
M. Scott Vintinner September 28, 2021

I'm also working on this and have opened a case with CrowdStrike.  I'm able to create an alert in OpsGenie using the API via curl and Postman without any problems.

As you discovered, the only configurations on the CrowdStrike side are the URL of the web-hook, and later in the notifications workflow, the ability to choose which data fields it will POST to the web-hook.

As I see it, this presents 2 problems:

1.  Without the ability to authenticate via header, we'd need to be able to pass the "Authorization" API key on the URL. 

My coworker discovered that this can be solved by putting the Authorization header on the URL using the apiKey parameter (which works from curl).  For example:

https://api.opsgenie.com/v2/alerts?apiKey=000000-00000-00000-0000-0000000000

 

2.  We need to be able to map the fields from CrowdStrike (i.e.  "Hostname", "Action taken", "Command Line", "Severity", "IP Address", etc.) to the correct fields in OpsGenie.

From Skyler's reply above, I would assume that there is no mechanism in OpsGenie to perform this field-mapping or templating.  I'm waiting for a reply from CrowdStrike, but I assume the answer is that this is not possible.

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events