NGSIEM - CrowdStrike/falconpy GitHub Wiki

CrowdStrike Falcon CrowdStrike Subreddit

Using the NGSIEM service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
UploadLookupV1
PEP8 upload_file
Upload a lookup file to NGSIEM.
GetLookupV1
PEP8 get_file
Download lookup file from NGSIEM.
GetLookupFromPackageWithNamespaceV1
PEP8 get_file_from_package_with_namespace
Download lookup file in namespaced package from NGSIEM.
GetLookupFromPackageV1
PEP8 get_file_from_package
Download lookup file in package from NGSIEM.
StartSearchV1
PEP8 start_search
Initiate a NGSIEM search.
GetSearchStatusV1
PEP8 get_search_status
Get status of a NGSIEM search.
StopSearchV1
PEP8 stop_search
Stop a NGSIEM search.

UploadLookupV1

Upload a lookup file to NGSIEM.

PEP8 method name

upload_file

Endpoint

Method Route
POST /humio/api/v1/repositories/{repository}/files

Required Scope

ngsiem:write

Content-Type

  • Consumes: multipart/form-data

Keyword Arguments

Name Service Uber Type Data type Description
lookup_file Service Class Support Uber Class Support formData string Location of the file object to be uploaded.
repository Service Class Support Uber Class Support path string Name of the repository.

Usage

Service class example (PEP8 syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.upload_file(lookup_file="string", repository="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.UploadLookupV1(lookup_file="string", repository="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

lookup_file = "string"

with open(lookup_file, "rb") as upload_file:
    file_extended = {"file": upload_file}
    response = falcon.command("UploadLookupV1", repository="string", files=file_extended)

print(response)

GetLookupV1

Download lookup file from NGSIEM.

PEP8 method name

get_file

Endpoint

Method Route
GET /humio/api/v1/repositories/{repository}/files/{filename}

Required Scope

ngsiem:read

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

Name Service Uber Type Data type Description
repository Service Class Support Uber Class Support path string Name of the repository.
filename Service Class Support Uber Class Support path string Name of the lookup file.

Usage

Service class example (PEP8 syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.get_file(repository="string", name="string"))
Service class example (Operation ID syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.GetLookupV1(repository="string", name="string"))
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.command("GetLookupV1", repository="string", name="string"))

GetLookupFromPackageWithNamespaceV1

Download lookup file in namespaced package from NGSIEM.

PEP8 method name

get_file_from_package_with_namespace

Endpoint

Method Route
GET /humio/api/v1/repositories/{repository}/files/{namespace}/{package}/{filename}

Required Scope

ngsiem:read

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

Name Service Uber Type Data type Description
repository Service Class Support Uber Class Support path string Name of the repository.
namespace Service Class Support Uber Class Support path string Name of the namespace.
package Service Class Support Uber Class Support path string Name of the package.
filename Service Class Support Uber Class Support path string Name of the lookup file.

Usage

Service class example (PEP8 syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    response = falcon.get_file_from_package_with_namespace(repository="string",
                                                           namespace="string",
                                                           package="string",
                                                           filename="string"
                                                           )
    save_file.write(response)
Service class example (Operation ID syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    response = falcon.GetLookupFromPackageWithNamespaceV1()
    save_file.write(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("some_file.ext", "wb") as save_file:
    response = falcon.command("GetLookupFromPackageWithNamespaceV1",
                              repository="string",
                              namespace="string",
                              package="string",
                              filename="string"
                              )
    save_file.write(response)

GetLookupFromPackageV1

Download lookup file in package from NGSIEM.

PEP8 method name

get_file_from_package

Endpoint

Method Route
GET /humio/api/v1/repositories/{repository}/files/{package}/{filename}

Required Scope

ngsiem:read

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

Name Service Uber Type Data type Description
repository Service Class Support Uber Class Support path string Name of the repository.
package Service Class Support Uber Class Support path string Name of the package.
filename Service Class Support Uber Class Support path string Name of the lookup file.

Usage

Service class example (PEP8 syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    response = falcon.get_file_from_package(repository="string",
                                            package="string",
                                            filename="string"
                                            )
    save_file.write(response)
Service class example (Operation ID syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    response = falcon.GetLookupFromPackageV1(repository="string",
                                             package="string",
                                             filename="string"
                                             )
    save_file.write(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("some_file.ext", "wb") as save_file:
    response = falcon.command("GetLookupFromPackageV1",
                              repository="string",
                              package="string",
                              filename="string"
                              )
    save_file.write(response)

StartSearchV1

Initiate a NGSIEM search.

PEP8 method name

start_search

Endpoint

Method Route
POST /humio/api/v1/repositories/{repository}/queryjobs

Required Scope

ngsiem:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
allow_event_skipping Service Class Support Uber Class Support body boolean Flag indicating if event skipping is allowed.
arguments Service Class Support Uber Class Support body dictionary Search arguments in JSON format.
around Service Class Support Uber Class Support body dictionary Search proximity arguments.
autobucket_count Service Class Support Uber Class Support body integer Number of events per bucket.
body Service Class Support Uber Class Support body dictionary Full body payload provided as a dictionary.
end Service Class Support Uber Class Support body string Last event limit.
ingest_end Service Class Support Uber Class Support body integer Ingest maximum.
ingest_start Service Class Support Uber Class Support body integer Ingest start.
is_live Service Class Support Uber Class Support body boolean Flag indicating if this is a live search.
query_string Service Class Support Uber Class Support body string Search query string.
repository Service Class Support Uber Class Support path string Name of the repository.
search Service Class Support Uber Class Support body dictionary Search query to perform. Can be used in replace of other keywords.
start Service Class Support Uber Class Support body string Search starting time range.
timezone Service Class Support Uber Class Support body string Timezone applied to the search.
timezone_offset_minutes Service Class Support Uber Class Support body integer Timezone offset.

Usage

Service class example (PEP8 syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.start_search(repository="string",
                               is_live=False,
                               start="1d",
                               query_string="#event_simpleName=*"
                               )
print(response)
Service class example (Operation ID syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.StartSearchV1(repository="string",
                                is_live=False,
                                start="1d",
                                query_string="#event_simpleName=*"
                                )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

search_query = {
    "isLive" : False,
    "start" : "1d",
    "queryString" : "#event_simpleName=*"
}

response = falcon.command("StartSearchV1", repository="string", body=search_query)

print(response)

GetSearchStatusV1

Get status of a NGSIEM search.

PEP8 method name

get_search_status

Endpoint

Method Route
GET /humio/api/v1/repositories/{repository}/queryjobs/{id}

Required Scope

ngsiem:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
repository Service Class Support Uber Class Support path string Name of the repository.
search_id Service Class Support Uber Class Support path string ID of the query.

Usage

Service class example (PEP8 syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.get_search_status(repository="string", search_id="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.GetSearchStatusV1(repository="string", search_id="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetSearchStatusV1", repository="string", search_id="string")

print(response)

StopSearchV1

Stop a NGSIEM search.

PEP8 method name

stop_search

Endpoint

Method Route
DELETE /humio/api/v1/repositories/{repository}/queryjobs/{id}

Required Scope

ngsiem:write

Content-Type

  • Consumes: application/json

Keyword Arguments

Name Service Uber Type Data type Description
repository Service Class Support Uber Class Support path string Name of the repository.
id Service Class Support Uber Class Support path string ID of the query.

Usage

Service class example (PEP8 syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.stop_search(repository="string", id="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.StopSearchV1(repository="string", id="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("StopSearchV1", repository="string", id="string")

print(response)

⚠️ **GitHub.com Fallback** ⚠️