

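| Operation ID | Description |
| :--- | :--- |
| `UploadLookupV1` (PEP 8: `upload_file`) | Upload a lookup file to NGSIEM. |
| `GetLookupV1` (PEP 8: `get_file`) | Download lookup file from NGSIEM. |
| `GetLookupFromPackageWithNamespaceV1` (PEP 8: `get_file_from_package_with_namespace`) | Download lookup file in namespaced package from NGSIEM. |
| `GetLookupFromPackageV1` (PEP 8: `get_file_from_package`) | Download lookup file in package from NGSIEM. |
| `StartSearchV1` (PEP 8: `start_search`) | Initiate a NGSIEM search. |
| `GetSearchStatusV1` (PEP 8: `get_search_status`) | Get status of a NGSIEM search. |
| `StopSearchV1` (PEP 8: `stop_search`) | Stop a NGSIEM search. |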
WARNING
client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. None of the examples below hard code these values. (These values are ingested as strings.)
CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Upload a lookup file to NGSIEM.
upload_file
| Method | Route |
 | /humio/api/v1/repositories/{repository}/files |

- Consumes: multipart/form-data
| Name | Service | Uber | Type | Data type | Description |
| lookup_file |  |  | formData | string | Location of the file object to be uploaded. |
| repository |  |  | path | string | Name of the repository. |
from falconpy import NGSIEM

# CLIENT_ID / CLIENT_SECRET must be supplied from outside the source file
# (never written inline as literals).
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# lookup_file is the location of the file to upload; repository names the
# destination repository.
upload_result = falcon.upload_file(repository="string", lookup_file="string")
print(upload_result)
from falconpy import NGSIEM

# Keep the API credentials out of source control; pass them in at runtime.
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Same upload as the PEP 8 method, called by its operation ID.
upload_result = falcon.UploadLookupV1(repository="string", lookup_file="string")
print(upload_result)
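from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Location of the lookup file to upload.
lookup_file = "string"

# The request is issued inside the `with` block so the file handle is still
# open while its contents are sent, and is closed afterwards even on error.
with open(lookup_file, "rb") as upload_file:
    file_extended = {"file": upload_file}
    response = falcon.command("UploadLookupV1", repository="string", files=file_extended)

print(response)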
Download lookup file from NGSIEM.
get_file
| Method | Route |
 | /humio/api/v1/repositories/{repository}/files/{filename} |

- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
| filename |  |  | path | string | Name of the lookup file. |
| repository |  |  | path | string | Name of the repository. |
| stream |  |  | query | boolean | Enable streaming download of the returned file. |
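from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# `boolean` is a documentation placeholder: pass True or False for stream.
response = falcon.get_file(repository="string", filename="string", stream=boolean)

# NOTE(review): a successful download is expected to be raw bytes and a failure
# a result dictionary -- confirm for your FalconPy version and stream setting.
if isinstance(response, bytes):
    # Open the destination only after the download succeeded, so a failed
    # request neither truncates an existing file nor fails inside write().
    with open("some_file.ext", "wb") as save_file:
        save_file.write(response)
else:
    print(response)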
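from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# `boolean` is a documentation placeholder: pass True or False for stream.
response = falcon.GetLookupV1(repository="string", filename="string", stream=boolean)

# NOTE(review): a successful download is expected to be raw bytes and a failure
# a result dictionary -- confirm for your FalconPy version and stream setting.
if isinstance(response, bytes):
    # Write only verified file content; the destination is not touched when
    # the API call failed.
    with open("some_file.ext", "wb") as save_file:
        save_file.write(response)
else:
    print(response)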
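from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# `boolean` is a documentation placeholder: pass True or False for stream.
response = falcon.command("GetLookupV1",
                          repository="string",
                          filename="string",
                          stream=boolean
                          )

# NOTE(review): a successful download is expected to be raw bytes and a failure
# a result dictionary -- confirm for your FalconPy version and stream setting.
if isinstance(response, bytes):
    # Write only verified file content; the destination is not touched when
    # the API call failed.
    with open("some_file.ext", "wb") as save_file:
        save_file.write(response)
else:
    print(response)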
Download lookup file in namespaced package from NGSIEM.
get_file_from_package_with_namespace
| Method | Route |
 | /humio/api/v1/repositories/{repository}/files/{namespace}/{package}/{filename} |

- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
| filename |  |  | path | string | Name of the lookup file. |
| namespace |  |  | path | string | Name of the namespace. |
| package |  |  | path | string | Name of the package. |
| repository |  |  | path | string | Name of the repository. |
| stream |  |  | query | boolean | Enable streaming download of the returned file. |
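from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# `boolean` is a documentation placeholder: pass True or False for stream.
response = falcon.get_file_from_package_with_namespace(repository="string",
                                                       namespace="string",
                                                       package="string",
                                                       filename="string",
                                                       stream=boolean
                                                       )

# NOTE(review): a successful download is expected to be raw bytes and a failure
# a result dictionary -- confirm for your FalconPy version and stream setting.
if isinstance(response, bytes):
    # The request runs before the file is opened, so an API error cannot leave
    # behind an empty or truncated some_file.ext.
    with open("some_file.ext", "wb") as save_file:
        save_file.write(response)
else:
    print(response)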
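from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# `boolean` is a documentation placeholder: pass True or False for stream.
response = falcon.GetLookupFromPackageWithNamespaceV1(repository="string",
                                                      namespace="string",
                                                      package="string",
                                                      filename="string",
                                                      stream=boolean
                                                      )

# NOTE(review): a successful download is expected to be raw bytes and a failure
# a result dictionary -- confirm for your FalconPy version and stream setting.
if isinstance(response, bytes):
    # The request runs before the file is opened, so an API error cannot leave
    # behind an empty or truncated some_file.ext.
    with open("some_file.ext", "wb") as save_file:
        save_file.write(response)
else:
    print(response)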
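from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# `boolean` is a documentation placeholder: pass True or False for stream.
response = falcon.command("GetLookupFromPackageWithNamespaceV1",
                          repository="string",
                          namespace="string",
                          package="string",
                          filename="string",
                          stream=boolean
                          )

# NOTE(review): a successful download is expected to be raw bytes and a failure
# a result dictionary -- confirm for your FalconPy version and stream setting.
if isinstance(response, bytes):
    # The request runs before the file is opened, so an API error cannot leave
    # behind an empty or truncated some_file.ext.
    with open("some_file.ext", "wb") as save_file:
        save_file.write(response)
else:
    print(response)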
Download lookup file in package from NGSIEM.
get_file_from_package
| Method | Route |
 | /humio/api/v1/repositories/{repository}/files/{package}/{filename} |

- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
| filename |  |  | path | string | Name of the lookup file. |
| package |  |  | path | string | Name of the package. |
| repository |  |  | path | string | Name of the repository. |
| stream |  |  | query | boolean | Enable streaming download of the returned file. |
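from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# `boolean` is a documentation placeholder: pass True or False for stream.
response = falcon.get_file_from_package(repository="string",
                                        package="string",
                                        filename="string",
                                        stream=boolean
                                        )

# NOTE(review): a successful download is expected to be raw bytes and a failure
# a result dictionary -- confirm for your FalconPy version and stream setting.
if isinstance(response, bytes):
    # Only confirmed file content reaches disk; on failure the result is
    # printed and the destination file is left alone.
    with open("some_file.ext", "wb") as save_file:
        save_file.write(response)
else:
    print(response)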
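from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# `boolean` is a documentation placeholder: pass True or False for stream.
response = falcon.GetLookupFromPackageV1(repository="string",
                                         package="string",
                                         filename="string",
                                         stream=boolean
                                         )

# NOTE(review): a successful download is expected to be raw bytes and a failure
# a result dictionary -- confirm for your FalconPy version and stream setting.
if isinstance(response, bytes):
    # Only confirmed file content reaches disk; on failure the result is
    # printed and the destination file is left alone.
    with open("some_file.ext", "wb") as save_file:
        save_file.write(response)
else:
    print(response)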
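from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# `boolean` is a documentation placeholder: pass True or False for stream.
response = falcon.command("GetLookupFromPackageV1",
                          repository="string",
                          package="string",
                          filename="string",
                          stream=boolean
                          )

# NOTE(review): a successful download is expected to be raw bytes and a failure
# a result dictionary -- confirm for your FalconPy version and stream setting.
if isinstance(response, bytes):
    # Only confirmed file content reaches disk; on failure the result is
    # printed and the destination file is left alone.
    with open("some_file.ext", "wb") as save_file:
        save_file.write(response)
else:
    print(response)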
Initiate a NGSIEM search.
start_search
| Method | Route |
 | /humio/api/v1/repositories/{repository}/queryjobs |

- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
| allow_event_skipping |  |  | body | boolean | Flag indicating if event skipping is allowed. |
| arguments |  |  | body | dictionary | Search arguments in JSON format. |
| around |  |  | body | dictionary | Search proximity arguments. |
| autobucket_count |  |  | body | integer | Number of events per bucket. |
| body |  |  | body | dictionary | Full body payload provided as a dictionary. |
| end |  |  | body | string | Last event limit. |
| ingest_end |  |  | body | integer | Ingest maximum. |
| ingest_start |  |  | body | integer | Ingest start. |
| is_live |  |  | body | boolean | Flag indicating if this is a live search. |
| query_string |  |  | body | string | Search query string. |
| repository |  |  | path | string | Name of the repository. |
| search |  |  | body | dictionary | Search query to perform. Can be used in place of the other keywords. |
| start |  |  | body | string | Search starting time range. |
| timezone |  |  | body | string | Timezone applied to the search. |
| timezone_offset_minutes |  |  | body | integer | Timezone offset. |
from falconpy import NGSIEM

# CLIENT_ID / CLIENT_SECRET must be supplied from outside the source file.
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Non-live search starting at "1d". The wildcard on #event_simpleName is a
# deliberately broad example filter; use a narrower query for real searches.
search_job = falcon.start_search(
    repository="string",
    query_string="#event_simpleName=*",
    start="1d",
    is_live=False,
)
print(search_job)
from falconpy import NGSIEM

# Keep the API credentials out of source control; pass them in at runtime.
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Same search as the PEP 8 method, called by its operation ID. The wildcard
# filter is a broad example; narrow it for real searches.
search_job = falcon.StartSearchV1(
    repository="string",
    query_string="#event_simpleName=*",
    start="1d",
    is_live=False,
)
print(search_job)
from falconpy import APIHarnessV2

# Keep the API credentials out of source control; pass them in at runtime.
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# With the Uber class the full body payload is passed as a dictionary, so the
# keys use the API's own camelCase names rather than the PEP 8 keywords.
job_request = dict(isLive=False, start="1d", queryString="#event_simpleName=*")

search_job = falcon.command("StartSearchV1", body=job_request, repository="string")
print(search_job)
Get status of a NGSIEM search.
get_search_status
| Method | Route |
 | /humio/api/v1/repositories/{repository}/queryjobs/{id} |

- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
| repository |  |  | path | string | Name of the repository. |
| search_id |  |  | path | string | ID of the query. |
from falconpy import NGSIEM

# CLIENT_ID / CLIENT_SECRET must be supplied from outside the source file.
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# search_id is the ID of the query whose status is requested.
# NOTE(review): the result may carry event data from the search -- consider
# where stdout ends up before printing it wholesale.
job_status = falcon.get_search_status(search_id="string", repository="string")
print(job_status)
from falconpy import NGSIEM

# Keep the API credentials out of source control; pass them in at runtime.
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Same status lookup as the PEP 8 method, called by its operation ID.
# NOTE(review): the result may carry event data from the search -- consider
# where stdout ends up before printing it wholesale.
job_status = falcon.GetSearchStatusV1(search_id="string", repository="string")
print(job_status)
from falconpy import APIHarnessV2

# Keep the API credentials out of source control; pass them in at runtime.
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# The operation ID is the first positional argument; the path parameters are
# passed as keywords.
job_status = falcon.command("GetSearchStatusV1", search_id="string", repository="string")
print(job_status)
Stop a NGSIEM search.
stop_search
| Method | Route |
 | /humio/api/v1/repositories/{repository}/queryjobs/{id} |

- Consumes: application/json
| Name | Service | Uber | Type | Data type | Description |
| repository |  |  | path | string | Name of the repository. |
| id |  |  | path | string | ID of the query. |
from falconpy import NGSIEM

# CLIENT_ID / CLIENT_SECRET must be supplied from outside the source file.
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# id is the ID of the query to stop (this operation uses `id`, not `search_id`).
stop_result = falcon.stop_search(id="string", repository="string")
print(stop_result)
from falconpy import NGSIEM

# Keep the API credentials out of source control; pass them in at runtime.
falcon = NGSIEM(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# Same stop request as the PEP 8 method, called by its operation ID.
stop_result = falcon.StopSearchV1(id="string", repository="string")
print(stop_result)
from falconpy import APIHarnessV2

# Keep the API credentials out of source control; pass them in at runtime.
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

# The operation ID is the first positional argument; the path parameters are
# passed as keywords.
stop_result = falcon.command("StopSearchV1", id="string", repository="string")
print(stop_result)