| Operation ID | Description |
|---|
| Lists available repositories and views |
| Ingest data into the application repository asynchronously |
| Ingest data into the application repository |
| Execute a dynamic saved search |
| Get the results of a saved search |
| Execute a saved search |
| Populate a saved search |
| Get the results of a saved search as a file |
| List views |
WARNING
client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)
CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Lists available repositories and views
list_repos
| Method | Route |
|---|
 | /loggingapi/combined/repos/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| check_test_data |  | | query | boolean | Include whether test data is present in the application repository. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_repos(check_test_data=boolean)
print(response)
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ListReposV1(check_test_data=boolean)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ListReposV1", check_test_data=boolean)
print(response)
Ingest data into the application repository asynchronously
ingest_data_async
| Method | Route |
|---|
 | /loggingapi/entities/data-ingestion/ingest-async/v1 |
- Consumes: multipart/form-data
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| data_content | | | formData | string | JSON data to ingest. |
| data_file | | | formData | file | Data file to ingest. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| repo | | | formData | string | Repository name to ingest data into. (If not part of a Foundry application.) |
| tag | | | formData | string or list of strings | Custom tag for ingested data in the form tag:value. |
| tag_source | | | formData | string | Tag the data with the specified source. |
| test_data | | | formData | boolean | Tag the data with test-ingest. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("file_name.ext", "rb") as upload_file:
response = falcon.ingest_data_async(tag="string",
tag_source="string",
test_data=boolean,
repo="string",
data_file=upload_file.read(),
data_content="string"
)
print(response)
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("file_name.ext", "rb") as upload_file:
response = falcon.IngestDataAsyncV1(tag="string",
tag_source="string",
test_data=boolean,
repo="string",
data_file=upload_file.read(),
data_content="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
form_data = {
"tag": "string",
"tag_source": "string",
"data_content": "string",
"test_data": boolean,
"repo": "string"
}
with open("file_name.ext", "rb") as upload_file:
file_tuple = [("data_file", ("data_file", upload_file.read(), "application/json"))]
response = falcon.command("IngestDataV1",
data=form_data,
files=file_tuple
)
print(response)
Ingest data into the application repository
ingest_data
| Method | Route |
|---|
| /loggingapi/entities/data-ingestion/ingest/v1 |
- Consumes: multipart/form-data
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| data_content | | | formData | string | JSON data to ingest. |
| data_file | | | formData | file | Data file to ingest. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| tag | | | formData | string or list of strings | Custom tag for ingested data in the form tag:value. |
| tag_source | | | formData | string | Tag the data with the specified source. |
| test_data | | | formData | boolean | Tag the data with test-ingest. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("file_name.ext", "rb") as upload_file:
response = falcon.ingest_data(tag="string",
tag_source="string",
test_data=boolean,
data_file=upload_file.read(),
data_content="string"
)
print(response)
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("file_name.ext", "rb") as upload_file:
response = falcon.IngestDataV1(tag="string",
tag_source="string",
test_data=boolean,
data_file=upload_file.read(),
data_content="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
form_data = {
"tag": "string",
"tag_source": "string",
"data_content": "string",
"test_data": boolean
}
with open("file_name.ext", "rb") as upload_file:
file_tuple = [("data_file", ("data_file", upload_file.read(), "application/json"))]
response = falcon.command("IngestDataV1",
data=form_data,
files=file_tuple
)
print(response)
Execute a dynamic saved search
execute_dynamic
| Method | Route |
|---|
| /loggingapi/entities/saved-searches/execute-dynamic/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| app_id | | | query | string | Application ID |
| end | |  | body | string | Dynamic search end |
| include_schema_generation | | | query | boolean | Include generated schemas in the response |
| include_test_data | | | query | boolean | Include test data when executing searches |
| infer_json_types | | | query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
| match_response_schema | | | query | boolean | Whether to validate search results against their schema. |
| metadata | | | query | boolean | Whether to include metadata in the response |
| mode | | | query | string | Mode to execute the query under. |
| body | | | body | string | Full body payload in JSON format, not required if using other keywords. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| repo_or_view | | | body | string | Repository or view to search |
| search_query | | | body | string | Search query to perform |
| search_query_args | | | body | dictionary | Search query arguments to leverage when processing the query |
| start | | | body | string | Dynamic search start |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.execute_dynamic(app_id="string",
end="string",
include_schema_generation=boolean,
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
mode="string",
repo_or_view="string",
search_query="string",
seach_query_args = {},
start="string"
)
print(response)
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.CreateSavedSearchesDynamicExecuteV1(app_id="string",
end="string",
include_schema_generation=boolean,
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
mode="string",
repo_or_view="string",
search_query="string",
seach_query_args = {},
start="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"end": "string",
"repo_or_view": "string",
"search_query": "string",
"search_query_args": {},
"start": "string"
}
response = falcon.command("CreateSavedSearchesDynamicExecuteV1",
app_id="string",
include_schema_generation=boolean,
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
mode="string",
body=body_payload
)
print(response)
Get the results of a saved search
get_search_results
| Method | Route |
|---|
| /loggingapi/entities/saved-searches/execute/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| app_id | | | query | string | Application ID |
| job_id | | | query | string | Job ID for a previously executed async query |
| job_status_only | | | query | boolean | If set to true, result rows are dropped from the response and only the job status is returned |
| limit | | | query | string | Maximum number of records to return. |
| infer_json_types | | | query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
| match_response_schema | | | query | boolean | Whether to validate search results against their schema. |
| metadata | | | query | boolean | Whether to include metadata in the response |
| offset | | | query | string | Starting pagination offset of records to return. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| version | | | query | string | Version of resource being created |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_search_results(app_id="string",
job_id="string",
job_status_only=boolean,
limit="string",
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
offset="string",
version="string"
)
print(response)
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetSavedSearchesExecuteV1(app_id="string",
job_id="string",
job_status_only=boolean,
limit="string",
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
offset="string",
version="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("GetSavedSearchesExecuteV1",
app_id="string",
job_id="string",
job_status_only=boolean,
limit="string",
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
offset="string",
version="string"
)
print(response)
Execute a saved search
execute
| Method | Route |
|---|
| /loggingapi/entities/saved-searches/execute/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| app_id | | | query | string | Application ID |
| body | | | body | string | Full body payload in JSON format. Not required if using other keywords. |
| detailed | | | query | boolean | Whether to include search field details |
| end | | | body | string | Saved search end. |
| id | | | body | string | Saved search ID. |
| include_test_data | | | query | boolean | Include test data when executing searches |
| infer_json_types | | | query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
| match_response_schema | | | query | boolean | Whether to validate search results against their schema. |
| metadata | | | query | boolean | Whether to include metadata in the response |
| mode | | | body | string | Mode to execute the query under. If provided, takes precedence over the mode provided in the body. |
| name | | | body | string | Name of the saved search. |
| parameters | | | query | string | Full query string payload in JSON format. Not required if using other keywords. |
| search_parameters | | | body | dictionary | Parameters to use for the saved search. |
| start | | | body | string | Saved search start. |
| version | | | body | string | Version of resource being created |
| with_in | | | body | dictionary | Limit search results to field names matching the provided list. |
| with_limit | | | body | dictionary | Limit search results by a maximum count. |
| with_renames | | | body | list | Rename fields for display. |
| with_sort | | | body | dictionary | Apply sort criteria. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with_in_dictionary = {
"field": "string",
"values": [
"string"
]
}
with_limit_dictionary = {
"from": "string",
"limit": 0
}
with_renames_list = [
{
"as": "string",
"field": "string"
}
]
with_sort_dictionary = {
"fields": [
"string"
],
"limit": 0,
"order": [
"string"
],
"reverse": boolean,
"type": [
"string"
]
}
response = falcon.execute(app_id="string",
detailed=boolean,
end="string",
id="string",
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
mode="string",
name="string",
search_parameters={},
start="string",
version="string",
with_in = with_in_dictionary,
with_limit = with_limit_dictionary,
with_renames = with_renames_list,
with_sort = with_sort_dictionary
)
print(response)
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with_in_dictionary = {
"field": "string",
"values": [
"string"
]
}
with_limit_dictionary = {
"from": "string",
"limit": 0
}
with_renames_list = [
{
"as": "string",
"field": "string"
}
]
with_sort_dictionary = {
"fields": [
"string"
],
"limit": 0,
"order": [
"string"
],
"reverse": boolean,
"type": [
"string"
]
}
response = falcon.CreateSavedSearchesExecuteV1(app_id="string",
detailed=boolean,
end="string",
id="string",
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
mode="string",
name="string",
search_parameters={},
start="string",
version="string",
with_in = with_in_dictionary,
with_limit = with_limit_dictionary,
with_renames = with_renames_list,
with_sort = with_sort_dictionary
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with_in_dictionary = {
"field": "string",
"values": [
"string"
]
}
with_limit_dictionary = {
"from": "string",
"limit": 0
}
with_renames_list = [
{
"as": "string",
"field": "string"
}
]
with_sort_dictionary = {
"fields": [
"string"
],
"limit": 0,
"order": [
"string"
],
"reverse": boolean,
"type": [
"string"
]
}
body_payload = {
"end": "string",
"id": "string",
"mode": "string",
"name": "string",
"parameters": {},
"start": "string",
"version": "string",
"with_in": with_in_dictionary,
"with_limit": with_limit_dictionary,
"with_renames": with_renames_list,
"with_sort": with_sort_dictionary
}
response = falcon.command("CreateSavedSearchesExecuteV1",
app_id="string",
detailed=boolean,
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
body=body_payload
)
print(response)
Populate a saved search
populate
| Method | Route |
|---|
| /loggingapi/entities/saved-searches/ingest/v1 |
- Consumes: multipart/form-data
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| app_id | | | query | string | Include generated schemas in the response |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.populate(app_id="string")
print(response)
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.CreateSavedSearchesIngestV1(app_id="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("CreateSavedSearchesIngestV1", app_id="string")
print(response)
Get the results of a saved search as a file
download_results
| Method | Route |
|---|
| /loggingapi/entities/saved-searches/job-results-download/v1 |
- Consumes: application/json
- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
|---|
| job_id | | | query | string | Job ID for a previously executed async query |
| infer_json_types | | | query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
| result_format | | | query | string | Result Format |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("some_file.ext", "wb", encoding="utf-8") as save_file:
save_file.write(falcon.download_results(job_id="string",
result_format="string",
infer_json_types=boolean
))
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("some_file.ext", "wb", encoding="utf-8") as save_file:
save_file.write(falcon.GetSavedSearchesJobResultsDownloadV1(job_id="string",
result_format="string",
infer_json_types=boolean
))
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("some_file.ext", "wb", encoding="utf-8") as save_file:
save_file.write(falcon.command("GetSavedSearchesJobResultsDownloadV1",
job_id="string",
result_format="string",
infer_json_types=boolean
))
List views
list_views
| Method | Route |
|---|
| /loggingapi/entities/views/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| check_test_data | | | query | boolean | Include whether test data is present in the application repository. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_views(check_test_data=boolean)
print(response)
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ListViewV1(check_test_data=boolean)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ListViewV1", check_test_data=boolean)
print(response)