Foundry LogScale
jshcodes edited this page Jul 15, 2024
Operation ID | Description |
---|---|
ListReposV1 | Lists available repositories and views |
IngestDataAsyncV1 | Ingest data into the application repository asynchronously |
IngestDataV1 | Ingest data into the application repository |
CreateSavedSearchesDynamicExecuteV1 | Execute a dynamic saved search |
GetSavedSearchesExecuteV1 | Get the results of a saved search |
CreateSavedSearchesExecuteV1 | Execute a saved search |
CreateSavedSearchesIngestV1 | Populate a saved search |
GetSavedSearchesJobResultsDownloadV1 | Get the results of a saved search as a file |
ListViewV1 | List views |
WARNING

`client_id` and `client_secret` are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.) CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
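One way to keep the credentials out of source, as an added example (not FalconPy code): read them from the environment, fail closed when they are absent, and never echo the secret. The variable names `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET` are this example's own convention.

```python
import os
from typing import Mapping, Optional

# Added example, not FalconPy code. The variable names FALCON_CLIENT_ID and
# FALCON_CLIENT_SECRET are this example's own convention (constructed here).
REQUIRED_VARS = ("FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET")


def load_falcon_credentials(env: Optional[Mapping[str, str]] = None) -> dict:
    """Return {"client_id": ..., "client_secret": ...} read from the environment.

    Fails closed when either variable is missing or empty, and names only the
    variable, never its value, in the error message.
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError("missing credential environment variables: " + ", ".join(missing))
    return {"client_id": env["FALCON_CLIENT_ID"],
            "client_secret": env["FALCON_CLIENT_SECRET"]}


def redact(creds: dict) -> dict:
    """Copy of the credential mapping that is safe to log: the secret is masked
    entirely and only the first four characters of the client id are kept."""
    return {"client_id": creds["client_id"][:4] + "...",
            "client_secret": "***"}


if __name__ == "__main__":
    # Real use: the loaded mapping is unpacked straight into the service class.
    from falconpy import FoundryLogScale  # assumes the falconpy package is installed
    creds = load_falcon_credentials()
    print("using credentials", redact(creds))
    falcon = FoundryLogScale(**creds)
    print(falcon.list_repos())
```

The same mapping works for `APIHarnessV2`, since both classes take `client_id` and `client_secret` as keyword arguments.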
Lists available repositories and views

PEP8 method name: `list_repos`

Method | Route |
---|---|
 | /loggingapi/combined/repos/v1 |

- Consumes: application/json
- Produces: application/json

Name | Type | Data type | Description |
---|---|---|---|
check_test_data | query | boolean | Include whether test data is present in the application repository. |

Service class example (PEP8 syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.list_repos(check_test_data=boolean)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.ListReposV1(check_test_data=boolean)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ListReposV1", check_test_data=boolean)
print(response)
```
Ingest data into the application repository asynchronously

PEP8 method name: `ingest_data_async`

Method | Route |
---|---|
 | /loggingapi/entities/data-ingestion/ingest-async/v1 |

- Consumes: multipart/form-data
- Produces: application/json

Name | Type | Data type | Description |
---|---|---|---|
data_file | formData | file | Data file to ingest. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
repo | formData | string | Repository name to ingest data into. (If not part of a Foundry application.) |
tag | formData | string or list of strings | Custom tag for ingested data in the form tag:value. |
tag_source | formData | string | Tag the data with the specified source. |
test_data | formData | boolean | Tag the data with test-ingest. |

Service class example (PEP8 syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.ingest_data_async(tag="string",
                                        tag_source="string",
                                        test_data=boolean,
                                        repo="string",
                                        data_file=upload_file.read()
                                        )

print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.IngestDataAsyncV1(tag="string",
                                        tag_source="string",
                                        test_data=boolean,
                                        repo="string",
                                        data_file=upload_file.read()
                                        )

print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.command("IngestDataAsyncV1",
                              tag="string",
                              tag_source="string",
                              test_data=boolean,
                              repo="string",
                              data_file=upload_file.read()
                              )

print(response)
```
Ingest data into the application repository

PEP8 method name: `ingest_data`

Method | Route |
---|---|
 | /loggingapi/entities/data-ingestion/ingest/v1 |

- Consumes: multipart/form-data
- Produces: application/json

Name | Type | Data type | Description |
---|---|---|---|
data_file | formData | file | Data file to ingest. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
tag | formData | string or list of strings | Custom tag for ingested data in the form tag:value. |
tag_source | formData | string | Tag the data with the specified source. |
test_data | formData | boolean | Tag the data with test-ingest. |

Service class example (PEP8 syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.ingest_data(tag="string",
                                  tag_source="string",
                                  test_data=boolean,
                                  data_file=upload_file.read()
                                  )

print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.IngestDataV1(tag="string",
                                   tag_source="string",
                                   test_data=boolean,
                                   data_file=upload_file.read()
                                   )

print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.command("IngestDataV1",
                              tag="string",
                              tag_source="string",
                              test_data=boolean,
                              data_file=upload_file.read()
                              )

print(response)
```
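A helper wrapping both ingest operations above (`ingest_data` and `ingest_data_async`), as an added example that is not part of FalconPy: it validates the `tag:value` form before anything is sent, keeps `repo` to the asynchronous endpoint that accepts it, reads the file in binary mode, and refuses to treat a non-success status code as an ingest. The tag regex and the `FakeFoundryLogScale` stand-in are constructed for this example.

```python
import re
from typing import Any, Dict, Iterable, List, Optional, Union

# Added example, not FalconPy code. TAG_PATTERN is this example's own rule for
# the "tag:value" form named in the parameter tables: a key without whitespace
# or colons, one colon, then a non-empty value without whitespace.
TAG_PATTERN = re.compile(r"^[^\s:]+:\S+$")
OK_STATUS = (200, 201, 202)


def normalize_tags(tags: Union[str, Iterable[str]]) -> List[str]:
    """Accept one 'tag:value' string or an iterable of them; reject anything else."""
    items = [tags] if isinstance(tags, str) else list(tags)
    bad = [t for t in items if not isinstance(t, str) or not TAG_PATTERN.match(t)]
    if bad:
        raise ValueError(f"tags must be in the form tag:value, got {bad!r}")
    return items


def build_ingest_kwargs(tags, tag_source: str, test_data: bool,
                        repo: Optional[str] = None) -> Dict[str, Any]:
    """Keyword arguments shared by ingest_data and ingest_data_async (file excluded).

    repo is only listed for the asynchronous endpoint, so it is added only when given.
    """
    kwargs = {"tag": normalize_tags(tags), "tag_source": tag_source,
              "test_data": bool(test_data)}
    if repo:
        kwargs["repo"] = repo
    return kwargs


def ingest_file(client, path: str, tags, tag_source: str, test_data: bool = True,
                asynchronous: bool = False, repo: Optional[str] = None) -> Dict[str, Any]:
    """Read the file in binary mode (the endpoint consumes multipart/form-data),
    call the chosen ingest method and raise on a non-success status code."""
    if repo and not asynchronous:
        raise ValueError("repo is only supported by the asynchronous ingest endpoint")
    method = client.ingest_data_async if asynchronous else client.ingest_data
    with open(path, "rb") as fh:
        response = method(data_file=fh.read(),
                          **build_ingest_kwargs(tags, tag_source, test_data, repo))
    if response.get("status_code") not in OK_STATUS:
        errors = response.get("body", {}).get("errors")
        raise RuntimeError(f"ingest failed: HTTP {response.get('status_code')} {errors}")
    return response


class FakeFoundryLogScale:
    """Constructed offline stand-in for FoundryLogScale; records the calls it receives."""

    def __init__(self, status_code: int = 200):
        self.status_code = status_code
        self.calls: List[Dict[str, Any]] = []

    def _record(self, name: str, kwargs: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append({"method": name, **kwargs})
        errors = [] if self.status_code in OK_STATUS else [{"message": "constructed error"}]
        return {"status_code": self.status_code, "headers": {}, "body": {"errors": errors}}

    def ingest_data(self, **kwargs):
        return self._record("ingest_data", kwargs)

    def ingest_data_async(self, **kwargs):
        return self._record("ingest_data_async", kwargs)
```

With a real `FoundryLogScale` instance in place of the fake, `ingest_file(falcon, "events.json", ["env:test"], "ci", test_data=True)` sends the file tagged as test data, which is the safe default while a Foundry app's parsers are still being developed.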
Execute a dynamic saved search

PEP8 method name: `execute_dynamic`

Method | Route |
---|---|
 | /loggingapi/entities/saved-searches/execute-dynamic/v1 |

- Consumes: application/json
- Produces: application/json

Name | Type | Data type | Description |
---|---|---|---|
app_id | query | string | Application ID |
end | body | boolean | Dynamic search end |
include_schema_generation | query | boolean | Include generated schemas in the response |
include_test_data | query | boolean | Include test data when executing searches |
infer_json_types | query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
match_response_schema | query | boolean | Whether to validate search results against their schema. |
metadata | query | boolean | Whether to include metadata in the response |
mode | query | string | Mode to execute the query under. |
body | body | string | Full body payload in JSON format, not required if using other keywords. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
repo_or_view | body | string | Repository or view to search |
search_query | body | string | Search query to perform |
search_query_args | body | dictionary | Search query arguments to leverage when processing the query |
start | body | string | Dynamic search start |

Service class example (PEP8 syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.execute_dynamic(app_id="string",
                                  end="string",
                                  include_schema_generation=boolean,
                                  include_test_data=boolean,
                                  infer_json_types=boolean,
                                  match_response_schema=boolean,
                                  metadata=boolean,
                                  mode="string",
                                  repo_or_view="string",
                                  search_query="string",
                                  search_query_args={},
                                  start="string"
                                  )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.CreateSavedSearchesDynamicExecuteV1(app_id="string",
                                                      end="string",
                                                      include_schema_generation=boolean,
                                                      include_test_data=boolean,
                                                      infer_json_types=boolean,
                                                      match_response_schema=boolean,
                                                      metadata=boolean,
                                                      mode="string",
                                                      repo_or_view="string",
                                                      search_query="string",
                                                      search_query_args={},
                                                      start="string"
                                                      )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "end": "string",
    "repo_or_view": "string",
    "search_query": "string",
    "search_query_args": {},
    "start": "string"
}

response = falcon.command("CreateSavedSearchesDynamicExecuteV1",
                          app_id="string",
                          include_schema_generation=boolean,
                          include_test_data=boolean,
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          mode="string",
                          body=body_payload
                          )
print(response)
```
Get the results of a saved search

PEP8 method name: `get_search_results`

Method | Route |
---|---|
 | /loggingapi/entities/saved-searches/execute/v1 |

- Consumes: application/json
- Produces: application/json

Name | Type | Data type | Description |
---|---|---|---|
app_id | query | string | Application ID |
job_id | query | string | Job ID for a previously executed async query |
limit | query | string | Maximum number of records to return. |
infer_json_types | query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
match_response_schema | query | boolean | Whether to validate search results against their schema. |
metadata | query | boolean | Whether to include metadata in the response |
offset | query | string | Starting pagination offset of records to return. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
version | query | string | Version of resource being created |

Service class example (PEP8 syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.get_search_results(app_id="string",
                                     job_id="string",
                                     limit="string",
                                     infer_json_types=boolean,
                                     match_response_schema=boolean,
                                     metadata=boolean,
                                     offset="string",
                                     version="string"
                                     )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.GetSavedSearchesExecuteV1(app_id="string",
                                            job_id="string",
                                            limit="string",
                                            infer_json_types=boolean,
                                            match_response_schema=boolean,
                                            metadata=boolean,
                                            offset="string",
                                            version="string"
                                            )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetSavedSearchesExecuteV1",
                          app_id="string",
                          job_id="string",
                          limit="string",
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          offset="string",
                          version="string"
                          )
print(response)
```
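The two operations above (`execute_dynamic` submits a query, `get_search_results` reads the job's records with `limit` and `offset`) combine into one flow, shown here as an added example that is not FalconPy code. Labelled assumptions: responses follow FalconPy's `{"status_code", "headers", "body"}` shape with rows under `body["resources"]`; the submitted query's identifier is at `body["job_id"]` (field name assumed); `?name` placeholders in `search_query` are resolved from `search_query_args`; and `"1d"`/`"now"` are accepted as relative times. The `FakeFoundryLogScale` stand-in and its rows are constructed so the block runs offline. Passing untrusted values through `search_query_args` rather than concatenating them into the query text is the point being demonstrated.

```python
from typing import Any, Dict, List, Optional

# Added example, not FalconPy code. Assumptions (labelled): response shape
# {"status_code", "headers", "body"} with rows in body["resources"]; job id at
# body["job_id"]; "?name" placeholders resolved from search_query_args; "1d"/"now"
# as relative times.
OK_STATUS = (200, 201, 202)


def _body(response: Dict[str, Any], what: str) -> Dict[str, Any]:
    """Return the response body or raise with the API's error list."""
    if response.get("status_code") not in OK_STATUS:
        errors = response.get("body", {}).get("errors")
        raise RuntimeError(f"{what} failed: HTTP {response.get('status_code')} {errors}")
    return response.get("body") or {}


def run_dynamic_search(client, app_id: str, repo_or_view: str, search_query: str,
                       search_query_args: Optional[Dict[str, str]] = None,
                       start: str = "1d", end: str = "now",
                       include_test_data: bool = False) -> str:
    """Submit the query and return its job id.

    Values that originate from users or other systems go into search_query_args and
    are referenced as ?name placeholders; they are never concatenated into the
    query text, so they cannot change the query's structure.
    """
    body = _body(client.execute_dynamic(app_id=app_id,
                                        repo_or_view=repo_or_view,
                                        search_query=search_query,
                                        search_query_args=search_query_args or {},
                                        start=start, end=end,
                                        include_test_data=include_test_data),
                 "execute_dynamic")
    job_id = body.get("job_id")
    if not job_id:
        raise RuntimeError("execute_dynamic returned no job_id")
    return job_id


def fetch_all_results(client, app_id: str, job_id: str, page_size: int = 500,
                      max_pages: int = 100) -> List[Dict[str, Any]]:
    """Page through get_search_results with limit/offset (strings, as the table
    types them) until a short page arrives; max_pages caps the total work."""
    rows: List[Dict[str, Any]] = []
    offset = 0
    for _ in range(max_pages):
        body = _body(client.get_search_results(app_id=app_id, job_id=job_id,
                                               limit=str(page_size), offset=str(offset)),
                     "get_search_results")
        page = body.get("resources") or []
        rows.extend(page)
        if len(page) < page_size:
            return rows
        offset += page_size
    raise RuntimeError(f"more than {max_pages} pages; raise max_pages or narrow the query")


class FakeFoundryLogScale:
    """Constructed offline stand-in that serves canned rows with real paging."""

    def __init__(self, rows: List[Dict[str, Any]]):
        self._rows = rows
        self.calls: List[Dict[str, Any]] = []

    def execute_dynamic(self, **kwargs):
        self.calls.append({"method": "execute_dynamic", **kwargs})
        return {"status_code": 200, "headers": {}, "body": {"job_id": "job-constructed-1"}}

    def get_search_results(self, **kwargs):
        self.calls.append({"method": "get_search_results", **kwargs})
        offset, limit = int(kwargs["offset"]), int(kwargs["limit"])
        return {"status_code": 200, "headers": {},
                "body": {"resources": self._rows[offset:offset + limit]}}


def demo(row_count: int = 1203) -> int:
    """Run the whole flow against the fake client; returns the number of rows collected."""
    rows = [{"@id": str(i), "src_ip": "10.0.0.5"} for i in range(row_count)]
    client = FakeFoundryLogScale(rows)
    job_id = run_dynamic_search(client, "my-app-id", "my_repo",
                                "#event_simpleName=* | src_ip = ?ip", {"ip": "10.0.0.5"})
    return len(fetch_all_results(client, "my-app-id", job_id))
```

With 1203 constructed rows and the default page size of 500, `demo()` issues one `execute_dynamic` call and three `get_search_results` calls, stopping on the short third page.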
Execute a saved search

PEP8 method name: `execute`

Method | Route |
---|---|
 | /loggingapi/entities/saved-searches/execute/v1 |

- Consumes: application/json
- Produces: application/json

Name | Type | Data type | Description |
---|---|---|---|
app_id | query | string | Application ID |
body | body | string | Full body payload in JSON format. Not required if using other keywords. |
detailed | query | boolean | Whether to include search field details |
end | body | string | Saved search end. |
id | body | string | Saved search ID. |
include_test_data | query | boolean | Include test data when executing searches |
infer_json_types | query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
match_response_schema | query | boolean | Whether to validate search results against their schema. |
metadata | query | boolean | Whether to include metadata in the response |
mode | body | string | Mode to execute the query under. If provided, takes precedence over the mode provided in the body. |
name | body | string | Name of the saved search. |
parameters | query | string | Full query string payload in JSON format. Not required if using other keywords. |
search_parameters | body | dictionary | Parameters to use for the saved search. |
start | body | string | Saved search start. |
version | body | string | Version of resource being created |
with_in | body | dictionary | Limit search results to field names matching the provided list. |
with_limit | body | dictionary | Limit search results by a maximum count. |
with_renames | body | list | Rename fields for display. |
with_sort | body | dictionary | Apply sort criteria. |

Service class example (PEP8 syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with_in_dictionary = {
    "field": "string",
    "values": [
        "string"
    ]
}
with_limit_dictionary = {
    "from": "string",
    "limit": 0
}
with_renames_list = [
    {
        "as": "string",
        "field": "string"
    }
]
with_sort_dictionary = {
    "fields": [
        "string"
    ],
    "limit": 0,
    "order": [
        "string"
    ],
    "reverse": boolean,
    "type": [
        "string"
    ]
}

response = falcon.execute(app_id="string",
                          detailed=boolean,
                          end="string",
                          id="string",
                          include_test_data=boolean,
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          mode="string",
                          name="string",
                          search_parameters={},
                          start="string",
                          version="string",
                          with_in=with_in_dictionary,
                          with_limit=with_limit_dictionary,
                          with_renames=with_renames_list,
                          with_sort=with_sort_dictionary
                          )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with_in_dictionary = {
    "field": "string",
    "values": [
        "string"
    ]
}
with_limit_dictionary = {
    "from": "string",
    "limit": 0
}
with_renames_list = [
    {
        "as": "string",
        "field": "string"
    }
]
with_sort_dictionary = {
    "fields": [
        "string"
    ],
    "limit": 0,
    "order": [
        "string"
    ],
    "reverse": boolean,
    "type": [
        "string"
    ]
}

response = falcon.CreateSavedSearchesExecuteV1(app_id="string",
                                               detailed=boolean,
                                               end="string",
                                               id="string",
                                               include_test_data=boolean,
                                               infer_json_types=boolean,
                                               match_response_schema=boolean,
                                               metadata=boolean,
                                               mode="string",
                                               name="string",
                                               search_parameters={},
                                               start="string",
                                               version="string",
                                               with_in=with_in_dictionary,
                                               with_limit=with_limit_dictionary,
                                               with_renames=with_renames_list,
                                               with_sort=with_sort_dictionary
                                               )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with_in_dictionary = {
    "field": "string",
    "values": [
        "string"
    ]
}
with_limit_dictionary = {
    "from": "string",
    "limit": 0
}
with_renames_list = [
    {
        "as": "string",
        "field": "string"
    }
]
with_sort_dictionary = {
    "fields": [
        "string"
    ],
    "limit": 0,
    "order": [
        "string"
    ],
    "reverse": boolean,
    "type": [
        "string"
    ]
}

body_payload = {
    "end": "string",
    "id": "string",
    "mode": "string",
    "name": "string",
    "parameters": {},
    "start": "string",
    "version": "string",
    "with_in": with_in_dictionary,
    "with_limit": with_limit_dictionary,
    "with_renames": with_renames_list,
    "with_sort": with_sort_dictionary
}

response = falcon.command("CreateSavedSearchesExecuteV1",
                          app_id="string",
                          detailed=boolean,
                          include_test_data=boolean,
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          body=body_payload
                          )
print(response)
```
Populate a saved search

PEP8 method name: `populate`

Method | Route |
---|---|
 | /loggingapi/entities/saved-searches/ingest/v1 |

- Consumes: multipart/form-data
- Produces: application/json

Name | Type | Data type | Description |
---|---|---|---|
app_id | query | string | Application ID |
parameters | query | dictionary | Full query string parameters payload in JSON format. |

Service class example (PEP8 syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.populate(app_id="string")
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.CreateSavedSearchesIngestV1(app_id="string")
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("CreateSavedSearchesIngestV1", app_id="string")
print(response)
```
Get the results of a saved search as a file

PEP8 method name: `download_results`

Method | Route |
---|---|
 | /loggingapi/entities/saved-searches/job-results-download/v1 |

- Consumes: application/json
- Produces: application/octet-stream

Name | Type | Data type | Description |
---|---|---|---|
job_id | query | string | Job ID for a previously executed async query |
infer_json_types | query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
parameters | query | dictionary | Full query string parameters payload in JSON format. |
result_format | query | string | Result Format |

Service class example (PEP8 syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

# Binary mode: the route produces application/octet-stream, so no encoding argument is used
with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.download_results(job_id="string",
                                            result_format="string",
                                            infer_json_types=boolean
                                            ))
```

Service class example (Operation ID syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

# Binary mode: the route produces application/octet-stream, so no encoding argument is used
with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.GetSavedSearchesJobResultsDownloadV1(job_id="string",
                                                                result_format="string",
                                                                infer_json_types=boolean
                                                                ))
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

# Binary mode: the route produces application/octet-stream, so no encoding argument is used
with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.command("GetSavedSearchesJobResultsDownloadV1",
                                   job_id="string",
                                   result_format="string",
                                   infer_json_types=boolean
                                   ))
```
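Writing the download straight to disk, as the examples above do, silently persists an error response as if it were results. The following added example (not FalconPy code) separates the two cases. Assumption, labelled: on success `download_results` returns the raw response bytes (the route produces `application/octet-stream`), while on failure it returns FalconPy's usual `{"status_code", "headers", "body"}` dictionary. The `FakeDownloader` stand-in is constructed for offline use.

```python
import os
from typing import Any, Dict, Union

# Added example, not FalconPy code. Assumption: download_results returns bytes on
# success and the usual {"status_code", "headers", "body"} dictionary on failure.


def save_search_results(result: Union[bytes, bytearray, Dict[str, Any]], path: str,
                        overwrite: bool = False) -> int:
    """Write downloaded results to path and return the number of bytes written.

    An error envelope is raised, not written, so a failed download never leaves a
    file that looks like valid results. The file is opened in binary mode with no
    encoding argument, because the payload is bytes rather than text.
    """
    if isinstance(result, dict):
        errors = result.get("body", {}).get("errors")
        raise RuntimeError(f"download failed: HTTP {result.get('status_code')} {errors}")
    if not isinstance(result, (bytes, bytearray)):
        raise TypeError(f"unexpected result type {type(result).__name__}")
    if os.path.exists(path) and not overwrite:
        raise FileExistsError(f"refusing to overwrite {path}")
    with open(path, "wb") as save_file:
        return save_file.write(result)


def download_job(client, job_id: str, path: str, result_format: str,
                 overwrite: bool = False) -> int:
    """Fetch a finished job's results through the service class and persist them."""
    result = client.download_results(job_id=job_id,
                                     result_format=result_format,
                                     infer_json_types=True)
    return save_search_results(result, path, overwrite=overwrite)


class FakeDownloader:
    """Constructed stand-in that returns a fixed payload (bytes or an error envelope)."""

    def __init__(self, payload):
        self.payload = payload

    def download_results(self, **kwargs):
        return self.payload
```

In real use, `download_job(falcon, job_id, "results.json", result_format)` replaces the bare `save_file.write(...)` line; the `result_format` value is whatever the API accepts for that parameter, which this page does not enumerate.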
List views

PEP8 method name: `list_views`

Method | Route |
---|---|
 | /loggingapi/entities/views/v1 |

- Consumes: application/json
- Produces: application/json

Name | Type | Data type | Description |
---|---|---|---|
check_test_data | query | boolean | Include whether test data is present in the application repository. |

Service class example (PEP8 syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.list_views(check_test_data=boolean)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.ListViewV1(check_test_data=boolean)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ListViewV1", check_test_data=boolean)
print(response)
```