Skip to content

Foundry LogScale

Joshua Hiller edited this page Jul 15, 2024 · 5 revisions

CrowdStrike Falcon CrowdStrike Subreddit

Using the Foundry Logscale service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
ListReposV1
PEP8 list_repos
Lists available repositories and views
IngestDataAsyncV1
PEP8 ingest_data_async
Ingest data into the application repository asynchronously
IngestDataV1
PEP8 ingest_data
Ingest data into the application repository
CreateSavedSearchesDynamicExecuteV1
PEP8 execute_dynamic
Execute a dynamic saved search
GetSavedSearchesExecuteV1
PEP8 get_search_results
Get the results of a saved search
CreateSavedSearchesExecuteV1
PEP8 execute
Execute a saved search
CreateSavedSearchesIngestV1
PEP8 populate
Populate a saved search
GetSavedSearchesJobResultsDownloadV1
PEP8 download_results
Get the results of a saved search as a file
ListViewV1
PEP8 list_views
List views

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

ListReposV1

Lists available repositories and views

PEP8 method name

list_repos

Endpoint

Method Route
GET /loggingapi/combined/repos/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
check_test_data Service Class Support Uber Class Support query boolean Include whether test data is present in the application repository.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.list_repos(check_test_data=boolean)
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.ListReposV1(check_test_data=boolean)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ListReposV1", check_test_data=boolean)
print(response)

IngestDataAsyncV1

Ingest data into the application repository asynchronously

PEP8 method name

ingest_data_async

Endpoint

Method Route
POST /loggingapi/entities/data-ingestion/ingest-async/v1

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
data_file Service Class Support Uber Class Support formData file Data file to ingest.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.
repo Service Class Support Uber Class Support formData string Repository name to ingest data into. (If not part of a Foundry application.)
tag Service Class Support Uber Class Support formData string or list of strings Custom tag for ingested data in the form tag:value.
tag_source Service Class Support Uber Class Support formData string Tag the data with the specified source.
test_data Service Class Support Uber Class Support formData boolean Tag the data with test-ingest.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.ingest_data_async(tag="string",
                                        tag_source="string",
                                        test_data=boolean,
                                        repo="string",
                                        data_file=upload_file.read()
                                        )
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.IngestDataAsyncV1(tag="string",
                                        tag_source="string",
                                        test_data=boolean,
                                        repo="string",
                                        data_file=upload_file.read()
                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.command("IngestDataAsyncV1",
                              tag="string",
                              tag_source="string",
                              test_data=boolean,
                              repo="string",
                              data_file=upload_file.read()
                              )
print(response)

IngestDataV1

Ingest data into the application repository

PEP8 method name

ingest_data

Endpoint

Method Route
POST /loggingapi/entities/data-ingestion/ingest/v1

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
data_file Service Class Support Uber Class Support formData file Data file to ingest.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.
tag Service Class Support Uber Class Support formData string or list of strings Custom tag for ingested data in the form tag:value.
tag_source Service Class Support Uber Class Support formData string Tag the data with the specified source.
test_data Service Class Support Uber Class Support formData boolean Tag the data with test-ingest.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.ingest_data(tag="string",
                                  tag_source="string",
                                  test_data=boolean,
                                  data_file=upload_file.read()
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.IngestDataV1(tag="string",
                                   tag_source="string",
                                   test_data=boolean,
                                   data_file=upload_file.read()
                                   )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.command("IngestDataV1",
                              tag="string",
                              tag_source="string",
                              test_data=boolean,
                              data_file=upload_file.read()
                              )
print(response)

CreateSavedSearchesDynamicExecuteV1

Execute a dynamic saved search

PEP8 method name

execute_dynamic

Endpoint

Method Route
POST /loggingapi/entities/saved-searches/execute-dynamic/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
app_id Service Class Support Uber Class Support query string Application ID
end Service Class Support Uber Class Support body boolean Dynamic search end
include_schema_generation Service Class Support Uber Class Support query boolean Include generated schemas in the response
include_test_data Service Class Support Uber Class Support query boolean Include test data when executing searches
infer_json_types Service Class Support Uber Class Support query boolean Whether to try to infer data types in json event response instead of returning map[string]string.
match_response_schema Service Class Support Uber Class Support query boolean Whether to validate search results against their schema.
metadata Service Class Support Uber Class Support query boolean Whether to include metadata in the response
mode Service Class Support Uber Class Support query string Mode to execute the query under.
body Service Class Support Uber Class Support body string Full body payload in JSON format, not required if using other keywords.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.
repo_or_view Service Class Support Uber Class Support body string Repository or view to search
search_query Service Class Support Uber Class Support body string Search query to perform
search_query_args Service Class Support Uber Class Support body dictionary Search query arguments to leverage when processing the query
start Service Class Support Uber Class Support body string Dynamic search start

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.execute_dynamic(app_id="string",
                                  end="string",
                                  include_schema_generation=boolean,
                                  include_test_data=boolean,
                                  infer_json_types=boolean,
                                  match_response_schema=boolean,
                                  metadata=boolean,
                                  mode="string",
                                  repo_or_view="string",
                                  search_query="string",
                                  seach_query_args = {},
                                  start="string"
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.CreateSavedSearchesDynamicExecuteV1(app_id="string",
                                                      end="string",
                                                      include_schema_generation=boolean,
                                                      include_test_data=boolean,
                                                      infer_json_types=boolean,
                                                      match_response_schema=boolean,
                                                      metadata=boolean,
                                                      mode="string",
                                                      repo_or_view="string",
                                                      search_query="string",
                                                      seach_query_args = {},
                                                      start="string")
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "end": "string",
    "repo_or_view": "string",
    "search_query": "string",
    "search_query_args": {},
    "start": "string"
}

response = falcon.command("CreateSavedSearchesDynamicExecuteV1",
                          app_id="string",
                          include_schema_generation=boolean,
                          include_test_data=boolean,
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          mode="string",
                          body=body_payload
                          )
print(response)

GetSavedSearchesExecuteV1

Get the results of a saved search

PEP8 method name

get_search_results

Endpoint

Method Route
GET /loggingapi/entities/saved-searches/execute/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
app_id Service Class Support Uber Class Support query string Application ID
job_id Service Class Support Uber Class Support query string Job ID for a previously executed async query
limit Service Class Support Uber Class Support query string Maximum number of records to return.
infer_json_types Service Class Support Uber Class Support query boolean Whether to try to infer data types in json event response instead of returning map[string]string.
match_response_schema Service Class Support Uber Class Support query boolean Whether to validate search results against their schema.
metadata Service Class Support Uber Class Support query boolean Whether to include metadata in the response
offset Service Class Support Uber Class Support query string Starting pagination offset of records to return.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.
version Service Class Support Uber Class Support query string Version of resource being created

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.get_search_results(app_id="string",
                                     job_id="string",
                                     limit="string",
                                     infer_json_types=boolean,
                                     match_response_schema=boolean,
                                     metadata=boolean,
                                     offset="string",
                                     version="string"
                                     )
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.GetSavedSearchesExecuteV1(app_id="string",
                                            job_id="string",
                                            limit="string",
                                            infer_json_types=boolean,
                                            match_response_schema=boolean,
                                            metadata=boolean,
                                            offset="string",
                                            version="string"
                                            )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetSavedSearchesExecuteV1",
                          app_id="string",
                          job_id="string",
                          limit="string",
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          offset="string",
                          version="string"
                          )
print(response)

CreateSavedSearchesExecuteV1

Execute a saved search

PEP8 method name

execute

Endpoint

Method Route
POST /loggingapi/entities/saved-searches/execute/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
app_id Service Class Support Uber Class Support query string Application ID
body Service Class Support Uber Class Support body string Full body payload in JSON format. Not required if using other keywords.
detailed Service Class Support Uber Class Support query boolean Whether to include search field details
end Service Class Support Uber Class Support body string Saved search end.
id Service Class Support Uber Class Support body string Saved search ID.
include_test_data Service Class Support Uber Class Support query boolean Include test data when executing searches
infer_json_types Service Class Support Uber Class Support query boolean Whether to try to infer data types in json event response instead of returning map[string]string.
match_response_schema Service Class Support Uber Class Support query boolean Whether to validate search results against their schema.
metadata Service Class Support Uber Class Support query boolean Whether to include metadata in the response
mode Service Class Support Uber Class Support body string Mode to execute the query under. If provided, takes precedence over the mode provided in the body.
name Service Class Support Uber Class Support body string Name of the saved search.
parameters Service Class Support Uber Class Support query string Full query string payload in JSON format. Not required if using other keywords.
search_parameters Service Class Support Uber Class Support body dictionary Parameters to use for the saved search.
start Service Class Support Uber Class Support body string Saved search start.
version Service Class Support Uber Class Support body string Version of resource being created
with_in Service Class Support Uber Class Support body dictionary Limit search results to field names matching the provided list.
with_limit Service Class Support Uber Class Support body dictionary Limit search results by a maximum count.
with_renames Service Class Support Uber Class Support body list Rename fields for display.
with_sort Service Class Support Uber Class Support body dictionary Apply sort criteria.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with_in_dictionary = {
    "field": "string",
    "values": [
       "string"
    ]
}
with_limit_dictionary = {
    "from": "string",
    "limit": 0
}
with_renames_list =  [
    {
        "as": "string",
        "field": "string"
    }
]
with_sort_dictionary = {
    "fields": [
        "string"
    ],
    "limit": 0,
    "order": [
        "string"
    ],
    "reverse": boolean,
    "type": [
       "string"
    ]
}

response = falcon.execute(app_id="string",
                          detailed=boolean,
                          end="string",
                          id="string",
                          include_test_data=boolean,
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          mode="string",
                          name="string",
                          search_parameters={},
                          start="string",
                          version="string",
                          with_in = with_in_dictionary,
                          with_limit = with_limit_dictionary,
                          with_renames = with_renames_list,
                          with_sort = with_sort_dictionary
                          )
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with_in_dictionary = {
    "field": "string",
    "values": [
       "string"
    ]
}
with_limit_dictionary = {
    "from": "string",
    "limit": 0
}
with_renames_list =  [
    {
        "as": "string",
        "field": "string"
    }
]
with_sort_dictionary = {
    "fields": [
        "string"
    ],
    "limit": 0,
    "order": [
        "string"
    ],
    "reverse": boolean,
    "type": [
       "string"
    ]
}

response = falcon.CreateSavedSearchesExecuteV1(app_id="string",
                                               detailed=boolean,
                                               end="string",
                                               id="string",
                                               include_test_data=boolean,
                                               infer_json_types=boolean,
                                               match_response_schema=boolean,
                                               metadata=boolean,
                                               mode="string",
                                               name="string",
                                               search_parameters={},
                                               start="string",
                                               version="string",
                                               with_in = with_in_dictionary,
                                               with_limit = with_limit_dictionary,
                                               with_renames = with_renames_list,
                                               with_sort = with_sort_dictionary
                                               )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with_in_dictionary = {
    "field": "string",
    "values": [
       "string"
    ]
}
with_limit_dictionary = {
    "from": "string",
    "limit": 0
}
with_renames_list =  [
    {
        "as": "string",
        "field": "string"
    }
]
with_sort_dictionary = {
    "fields": [
        "string"
    ],
    "limit": 0,
    "order": [
        "string"
    ],
    "reverse": boolean,
    "type": [
       "string"
    ]
}

body_payload = {
    "end": "string",
    "id": "string",
    "mode": "string",
    "name": "string",
    "parameters": {},
    "start": "string",
    "version": "string",
    "with_in": with_in_dictionary,
    "with_limit": with_limit_dictionary,
    "with_renames": with_renames_list,
    "with_sort": with_sort_dictionary
}

response = falcon.command("CreateSavedSearchesExecuteV1",
                          app_id="string",
                          detailed=boolean,
                          include_test_data=boolean,
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          body=body_payload
                          )
print(response)

CreateSavedSearchesIngestV1

Populate a saved search

PEP8 method name

populate

Endpoint

Method Route
POST /loggingapi/entities/saved-searches/ingest/v1

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
app_id Service Class Support Uber Class Support query string Include generated schemas in the response
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.populate(app_id="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.CreateSavedSearchesIngestV1(app_id="string")
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("CreateSavedSearchesIngestV1", app_id="string")
print(response)

GetSavedSearchesJobResultsDownloadV1

Get the results of a saved search as a file

PEP8 method name

download_results

Endpoint

Method Route
GET /loggingapi/entities/saved-searches/job-results-download/v1

Content-Type

  • Consumes: application/json
  • Produces: application/octet-stream

Keyword Arguments

Name Service Uber Type Data type Description
job_id Service Class Support Uber Class Support query string Job ID for a previously executed async query
infer_json_types Service Class Support Uber Class Support query boolean Whether to try to infer data types in json event response instead of returning map[string]string.
parameters Service Class Support Uber Class Support query dictionary Full query string parameters payload in JSON format.
result_format Service Class Support Uber Class Support query string Result Format

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("some_file.ext", "wb", encoding="utf-8") as save_file:
    save_file.write(falcon.download_results(job_id="string",
                                            result_format="string",
                                            infer_json_types=boolean
                                            ))
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("some_file.ext", "wb", encoding="utf-8") as save_file:
    save_file.write(falcon.GetSavedSearchesJobResultsDownloadV1(job_id="string",
                                                                result_format="string",
                                                                infer_json_types=boolean
                                                                ))
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("some_file.ext", "wb", encoding="utf-8") as save_file:
    save_file.write(falcon.command("GetSavedSearchesJobResultsDownloadV1",
                                   job_id="string",
                                   result_format="string",
                                   infer_json_types=boolean
                                   ))

ListViewV1

List views

PEP8 method name

list_views

Endpoint

Method Route
GET /loggingapi/entities/views/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
check_test_data Service Class Support Uber Class Support query boolean Include whether test data is present in the application repository.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.list_views(check_test_data=boolean)
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.ListViewV1(check_test_data=boolean)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ListViewV1", check_test_data=boolean)
print(response)

CrowdStrike Falcon

Clone this wiki locally