CrowdStrike Falcon CrowdStrike Subreddit

Using the Foundry Logscale service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation IDDescription
ListReposV1
PEP8list_repos
Lists available repositories and views
IngestDataAsyncV1
PEP8ingest_data_async
Ingest data into the application repository asynchronously
IngestDataV1
PEP8ingest_data
Ingest data into the application repository
CreateSavedSearchesDynamicExecuteV1
PEP8execute_dynamic
Execute a dynamic saved search
GetSavedSearchesExecuteV1
PEP8get_search_results
Get the results of a saved search
CreateSavedSearchesExecuteV1
PEP8execute
Execute a saved search
CreateSavedSearchesIngestV1
PEP8populate
Populate a saved search
GetSavedSearchesJobResultsDownloadV1
PEP8download_results
Get the results of a saved search as a file
ListViewV1
PEP8list_views
List views

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

ListReposV1

Lists available repositories and views

PEP8 method name

list_repos

Endpoint

MethodRoute
GET/loggingapi/combined/repos/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
check_test_dataService Class SupportUber Class SupportquerybooleanInclude whether test data is present in the application repository.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.list_repos(check_test_data=boolean)
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.ListReposV1(check_test_data=boolean)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ListReposV1", check_test_data=boolean)
print(response)

IngestDataAsyncV1

Ingest data into the application repository asynchronously

PEP8 method name

ingest_data_async

Endpoint

MethodRoute
POST/loggingapi/entities/data-ingestion/ingest-async/v1

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
data_fileService Class SupportUber Class SupportformDatafileData file to ingest.
parametersService Class SupportUber Class SupportquerydictionaryFull query string parameters payload in JSON format.
repoService Class SupportUber Class SupportformDatastringRepository name to ingest data into. (If not part of a Foundry application.)
tagService Class SupportUber Class SupportformDatastring or list of stringsCustom tag for ingested data in the form tag:value.
tag_sourceService Class SupportUber Class SupportformDatastringTag the data with the specified source.
test_dataService Class SupportUber Class SupportformDatabooleanTag the data with test-ingest.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.ingest_data_async(tag="string",
                                        tag_source="string",
                                        test_data=boolean,
                                        repo="string",
                                        data_file=upload_file.read()
                                        )
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.IngestDataAsyncV1(tag="string",
                                        tag_source="string",
                                        test_data=boolean,
                                        repo="string",
                                        data_file=upload_file.read()
                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.command("IngestDataAsyncV1",
                              tag="string",
                              tag_source="string",
                              test_data=boolean,
                              repo="string",
                              data_file=upload_file.read()
                              )
print(response)

IngestDataV1

Ingest data into the application repository

PEP8 method name

ingest_data

Endpoint

MethodRoute
POST/loggingapi/entities/data-ingestion/ingest/v1

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
data_fileService Class SupportUber Class SupportformDatafileData file to ingest.
parametersService Class SupportUber Class SupportquerydictionaryFull query string parameters payload in JSON format.
tagService Class SupportUber Class SupportformDatastring or list of stringsCustom tag for ingested data in the form tag:value.
tag_sourceService Class SupportUber Class SupportformDatastringTag the data with the specified source.
test_dataService Class SupportUber Class SupportformDatabooleanTag the data with test-ingest.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.ingest_data(tag="string",
                                  tag_source="string",
                                  test_data=boolean,
                                  data_file=upload_file.read()
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.IngestDataV1(tag="string",
                                   tag_source="string",
                                   test_data=boolean,
                                   data_file=upload_file.read()
                                   )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("file_name.ext", "rb") as upload_file:
    response = falcon.command("IngestDataV1",
                              tag="string",
                              tag_source="string",
                              test_data=boolean,
                              data_file=upload_file.read()
                              )
print(response)

CreateSavedSearchesDynamicExecuteV1

Execute a dynamic saved search

PEP8 method name

execute_dynamic

Endpoint

MethodRoute
POST/loggingapi/entities/saved-searches/execute-dynamic/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
app_idService Class SupportUber Class SupportquerystringApplication ID
endService Class SupportUber Class SupportbodybooleanDynamic search end
include_schema_generationService Class SupportUber Class SupportquerybooleanInclude generated schemas in the response
include_test_dataService Class SupportUber Class SupportquerybooleanInclude test data when executing searches
infer_json_typesService Class SupportUber Class SupportquerybooleanWhether to try to infer data types in json event response instead of returning map[string]string.
match_response_schemaService Class SupportUber Class SupportquerybooleanWhether to validate search results against their schema.
metadataService Class SupportUber Class SupportquerybooleanWhether to include metadata in the response
modeService Class SupportUber Class SupportquerystringMode to execute the query under.
bodyService Class SupportUber Class SupportbodystringFull body payload in JSON format, not required if using other keywords.
parametersService Class SupportUber Class SupportquerydictionaryFull query string parameters payload in JSON format.
repo_or_viewService Class SupportUber Class SupportbodystringRepository or view to search
search_queryService Class SupportUber Class SupportbodystringSearch query to perform
search_query_argsService Class SupportUber Class SupportbodydictionarySearch query arguments to leverage when processing the query
startService Class SupportUber Class SupportbodystringDynamic search start

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.execute_dynamic(app_id="string",
                                  end="string",
                                  include_schema_generation=boolean,
                                  include_test_data=boolean,
                                  infer_json_types=boolean,
                                  match_response_schema=boolean,
                                  metadata=boolean,
                                  mode="string",
                                  repo_or_view="string",
                                  search_query="string",
                                  seach_query_args = {},
                                  start="string"
                                  )
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.CreateSavedSearchesDynamicExecuteV1(app_id="string",
                                                      end="string",
                                                      include_schema_generation=boolean,
                                                      include_test_data=boolean,
                                                      infer_json_types=boolean,
                                                      match_response_schema=boolean,
                                                      metadata=boolean,
                                                      mode="string",
                                                      repo_or_view="string",
                                                      search_query="string",
                                                      seach_query_args = {},
                                                      start="string")
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "end": "string",
    "repo_or_view": "string",
    "search_query": "string",
    "search_query_args": {},
    "start": "string"
}

response = falcon.command("CreateSavedSearchesDynamicExecuteV1",
                          app_id="string",
                          include_schema_generation=boolean,
                          include_test_data=boolean,
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          mode="string",
                          body=body_payload
                          )
print(response)

GetSavedSearchesExecuteV1

Get the results of a saved search

PEP8 method name

get_search_results

Endpoint

MethodRoute
GET/loggingapi/entities/saved-searches/execute/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
app_idService Class SupportUber Class SupportquerystringApplication ID
job_idService Class SupportUber Class SupportquerystringJob ID for a previously executed async query
limitService Class SupportUber Class SupportquerystringMaximum number of records to return.
infer_json_typesService Class SupportUber Class SupportquerybooleanWhether to try to infer data types in json event response instead of returning map[string]string.
match_response_schemaService Class SupportUber Class SupportquerybooleanWhether to validate search results against their schema.
metadataService Class SupportUber Class SupportquerybooleanWhether to include metadata in the response
offsetService Class SupportUber Class SupportquerystringStarting pagination offset of records to return.
parametersService Class SupportUber Class SupportquerydictionaryFull query string parameters payload in JSON format.
versionService Class SupportUber Class SupportquerystringVersion of resource being created

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.get_search_results(app_id="string",
                                     job_id="string",
                                     limit="string",
                                     infer_json_types=boolean,
                                     match_response_schema=boolean,
                                     metadata=boolean,
                                     offset="string",
                                     version="string"
                                     )
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.GetSavedSearchesExecuteV1(app_id="string",
                                            job_id="string",
                                            limit="string",
                                            infer_json_types=boolean,
                                            match_response_schema=boolean,
                                            metadata=boolean,
                                            offset="string",
                                            version="string"
                                            )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetSavedSearchesExecuteV1",
                          app_id="string",
                          job_id="string",
                          limit="string",
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          offset="string",
                          version="string"
                          )
print(response)

CreateSavedSearchesExecuteV1

Execute a saved search

PEP8 method name

execute

Endpoint

MethodRoute
POST/loggingapi/entities/saved-searches/execute/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
app_idService Class SupportUber Class SupportquerystringApplication ID
bodyService Class SupportUber Class SupportbodystringFull body payload in JSON format. Not required if using other keywords.
detailedService Class SupportUber Class SupportquerybooleanWhether to include search field details
endService Class SupportUber Class SupportbodystringSaved search end.
idService Class SupportUber Class SupportbodystringSaved search ID.
include_test_dataService Class SupportUber Class SupportquerybooleanInclude test data when executing searches
infer_json_typesService Class SupportUber Class SupportquerybooleanWhether to try to infer data types in json event response instead of returning map[string]string.
match_response_schemaService Class SupportUber Class SupportquerybooleanWhether to validate search results against their schema.
metadataService Class SupportUber Class SupportquerybooleanWhether to include metadata in the response
modeService Class SupportUber Class SupportbodystringMode to execute the query under. If provided, takes precedence over the mode provided in the body.
nameService Class SupportUber Class SupportbodystringName of the saved search.
parametersService Class SupportUber Class SupportquerystringFull query string payload in JSON format. Not required if using other keywords.
search_parametersService Class SupportUber Class SupportbodydictionaryParameters to use for the saved search.
startService Class SupportUber Class SupportbodystringSaved search start.
versionService Class SupportUber Class SupportbodystringVersion of resource being created
with_inService Class SupportUber Class SupportbodydictionaryLimit search results to field names matching the provided list.
with_limitService Class SupportUber Class SupportbodydictionaryLimit search results by a maximum count.
with_renamesService Class SupportUber Class SupportbodylistRename fields for display.
with_sortService Class SupportUber Class SupportbodydictionaryApply sort criteria.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with_in_dictionary = {
    "field": "string",
    "values": [
       "string"
    ]
}
with_limit_dictionary = {
    "from": "string",
    "limit": 0
}
with_renames_list =  [
    {
        "as": "string",
        "field": "string"
    }
]
with_sort_dictionary = {
    "fields": [
        "string"
    ],
    "limit": 0,
    "order": [
        "string"
    ],
    "reverse": boolean,
    "type": [
       "string"
    ]
}

response = falcon.execute(app_id="string",
                          detailed=boolean,
                          end="string",
                          id="string",
                          include_test_data=boolean,
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          mode="string",
                          name="string",
                          search_parameters={},
                          start="string",
                          version="string",
                          with_in = with_in_dictionary,
                          with_limit = with_limit_dictionary,
                          with_renames = with_renames_list,
                          with_sort = with_sort_dictionary
                          )
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with_in_dictionary = {
    "field": "string",
    "values": [
       "string"
    ]
}
with_limit_dictionary = {
    "from": "string",
    "limit": 0
}
with_renames_list =  [
    {
        "as": "string",
        "field": "string"
    }
]
with_sort_dictionary = {
    "fields": [
        "string"
    ],
    "limit": 0,
    "order": [
        "string"
    ],
    "reverse": boolean,
    "type": [
       "string"
    ]
}

response = falcon.CreateSavedSearchesExecuteV1(app_id="string",
                                               detailed=boolean,
                                               end="string",
                                               id="string",
                                               include_test_data=boolean,
                                               infer_json_types=boolean,
                                               match_response_schema=boolean,
                                               metadata=boolean,
                                               mode="string",
                                               name="string",
                                               search_parameters={},
                                               start="string",
                                               version="string",
                                               with_in = with_in_dictionary,
                                               with_limit = with_limit_dictionary,
                                               with_renames = with_renames_list,
                                               with_sort = with_sort_dictionary
                                               )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with_in_dictionary = {
    "field": "string",
    "values": [
       "string"
    ]
}
with_limit_dictionary = {
    "from": "string",
    "limit": 0
}
with_renames_list =  [
    {
        "as": "string",
        "field": "string"
    }
]
with_sort_dictionary = {
    "fields": [
        "string"
    ],
    "limit": 0,
    "order": [
        "string"
    ],
    "reverse": boolean,
    "type": [
       "string"
    ]
}

body_payload = {
    "end": "string",
    "id": "string",
    "mode": "string",
    "name": "string",
    "parameters": {},
    "start": "string",
    "version": "string",
    "with_in": with_in_dictionary,
    "with_limit": with_limit_dictionary,
    "with_renames": with_renames_list,
    "with_sort": with_sort_dictionary
}

response = falcon.command("CreateSavedSearchesExecuteV1",
                          app_id="string",
                          detailed=boolean,
                          include_test_data=boolean,
                          infer_json_types=boolean,
                          match_response_schema=boolean,
                          metadata=boolean,
                          body=body_payload
                          )
print(response)

CreateSavedSearchesIngestV1

Populate a saved search

PEP8 method name

populate

Endpoint

MethodRoute
POST/loggingapi/entities/saved-searches/ingest/v1

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
app_idService Class SupportUber Class SupportquerystringInclude generated schemas in the response
parametersService Class SupportUber Class SupportquerydictionaryFull query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.populate(app_id="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.CreateSavedSearchesIngestV1(app_id="string")
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("CreateSavedSearchesIngestV1", app_id="string")
print(response)

GetSavedSearchesJobResultsDownloadV1

Get the results of a saved search as a file

PEP8 method name

download_results

Endpoint

MethodRoute
GET/loggingapi/entities/saved-searches/job-results-download/v1

Content-Type

  • Consumes: application/json
  • Produces: application/octet-stream

Keyword Arguments

NameServiceUberTypeData typeDescription
job_idService Class SupportUber Class SupportquerystringJob ID for a previously executed async query
infer_json_typesService Class SupportUber Class SupportquerybooleanWhether to try to infer data types in json event response instead of returning map[string]string.
parametersService Class SupportUber Class SupportquerydictionaryFull query string parameters payload in JSON format.
result_formatService Class SupportUber Class SupportquerystringResult Format

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("some_file.ext", "wb", encoding="utf-8") as save_file:
    save_file.write(falcon.download_results(job_id="string",
                                            result_format="string",
                                            infer_json_types=boolean
                                            ))
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

with open("some_file.ext", "wb", encoding="utf-8") as save_file:
    save_file.write(falcon.GetSavedSearchesJobResultsDownloadV1(job_id="string",
                                                                result_format="string",
                                                                infer_json_types=boolean
                                                                ))
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("some_file.ext", "wb", encoding="utf-8") as save_file:
    save_file.write(falcon.command("GetSavedSearchesJobResultsDownloadV1",
                                   job_id="string",
                                   result_format="string",
                                   infer_json_types=boolean
                                   ))

ListViewV1

List views

PEP8 method name

list_views

Endpoint

MethodRoute
GET/loggingapi/entities/views/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

NameServiceUberTypeData typeDescription
check_test_dataService Class SupportUber Class SupportquerybooleanInclude whether test data is present in the application repository.

Usage

Service class example (PEP8 syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.list_views(check_test_data=boolean)
print(response)
Service class example (Operation ID syntax)
from falconpy import FoundryLogScale

# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
                         client_secret=CLIENT_SECRET
                         )

response = falcon.ListViewV1(check_test_data=boolean)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("ListViewV1", check_test_data=boolean)
print(response)