NGSIEM - CrowdStrike/falconpy GitHub Wiki
| Operation ID | Description |
|---|---|
| | Upload a lookup file to NGSIEM. |
| | Download lookup file from NGSIEM. |
| | Download lookup file in namespaced package from NGSIEM. |
| | Download lookup file in package from NGSIEM. |
| | Initiate a NGSIEM search. |
| | Get status of a NGSIEM search. |
| | Stop a NGSIEM search. |
| | Get dashboard template by ID. |
| | Create dashboard from template. |
| | Update dashboard from template. |
| | Delete dashboard. |
| | Get lookup file by ID. |
| | Create lookup file. |
| | Update lookup file. |
| | Delete lookup file. |
| | Get parser template by ID. |
| | Create Parser in NGSIEM from template. |
| | Get parser by ID. |
| | Create Parser in NGSIEM. |
| | Update parser. |
| | Delete Parser in NGSIEM. |
| | Update a parser auto update policy. |
| | Install a CrowdStrike-managed out-of-the-box (OOTB) parser. |
| | Install multiple CrowdStrike-managed out-of-the-box (OOTB) parsers. |
| | Retrieve Saved Query in NGSIEM as LogScale YAML Template by ID. |
| | Create Saved Query from LogScale YAML Template in NGSIEM. |
| | Update Saved Query from LogScale YAML Template in NGSIEM. |
| | Delete Saved Query in NGSIEM. |
| | List dashboards. |
| | List lookup files. |
| | List parsers. |
| | List saved queries. |
| | Update entries in an existing Lookup File in NGSIEM. |
| | List and search data connections. |
| | List available data connectors. |
| | Get data connection provisioning status. |
| | Update data connection status. |
| | Get Ingest token for data connection. |
| | Regenerate Ingest token for data connection. |
| | Get data connection by ID. |
| | Create a new data connection. |
| | Update a data connection. |
| | Delete a data connection. |
| | List configurations for a data connector. |
| | Create a new configuration for a data connector. |
| | Patch configurations for a data connector. |
| | Delete data connection config. |

WARNING
`client_id` and `client_secret` are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.) CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

Upload a lookup file to NGSIEM.
upload_file
| Method | Route |
|---|---|
| | /humio/api/v1/repositories/{repository}/files |

- Consumes: multipart/form-data

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| lookup_file | | | formData | string | Location of the file object to be uploaded. Service class will also accept `file` for this argument. |
| repository | | | path | string | Name of the repository. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.upload_file(lookup_file="string", repository="string")
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.UploadLookupV1(lookup_file="string", repository="string")
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

lookup_file = "string"
# Keep the file handle open for the duration of the upload.
with open(lookup_file, "rb") as upload_file:
    file_extended = {"file": upload_file}
    response = falcon.command("UploadLookupV1", repository="string", files=file_extended)
print(response)
```

Download lookup file from NGSIEM.
get_file
| Method | Route |
|---|---|
| | /humio/api/v1/repositories/{repository}/files/{filename} |

- Produces: application/octet-stream

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filename | | | path | string | Name of the lookup file. |
| repository | | | path | string | Name of the repository. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.get_file(repository="string", filename="string"))
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.GetLookupV1(repository="string", filename="string"))
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("some_file.ext", "wb") as save_file:
    save_file.write(falcon.command("GetLookupV1", repository="string", filename="string"))
```

Download lookup file in namespaced package from NGSIEM.
get_file_from_package_with_namespace
| Method | Route |
|---|---|
| | /humio/api/v1/repositories/{repository}/files/{namespace}/{package}/{filename} |

- Produces: application/octet-stream

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filename | | | path | string | Name of the lookup file. |
| namespace | | | path | string | Name of the namespace. |
| package | | | path | string | Name of the package. |
| repository | | | path | string | Name of the repository. |
| stream | | | query | boolean | Enable streaming download of the returned file. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    response = falcon.get_file_from_package_with_namespace(repository="string",
                                                           namespace="string",
                                                           package="string",
                                                           filename="string",
                                                           stream=boolean
                                                           )
    save_file.write(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    response = falcon.GetLookupFromPackageWithNamespaceV1(repository="string",
                                                          namespace="string",
                                                          package="string",
                                                          filename="string",
                                                          stream=boolean
                                                          )
    save_file.write(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("some_file.ext", "wb") as save_file:
    response = falcon.command("GetLookupFromPackageWithNamespaceV1",
                              repository="string",
                              namespace="string",
                              package="string",
                              filename="string",
                              stream=boolean
                              )
    save_file.write(response)
```

Download lookup file in package from NGSIEM.
get_file_from_package
| Method | Route |
|---|---|
| | /humio/api/v1/repositories/{repository}/files/{package}/{filename} |

- Produces: application/octet-stream

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filename | | | path | string | Name of the lookup file. |
| package | | | path | string | Name of the package. |
| repository | | | path | string | Name of the repository. |
| stream | | | query | boolean | Enable streaming download of the returned file. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    response = falcon.get_file_from_package(repository="string",
                                            package="string",
                                            filename="string",
                                            stream=boolean
                                            )
    save_file.write(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("some_file.ext", "wb") as save_file:
    response = falcon.GetLookupFromPackageV1(repository="string",
                                             package="string",
                                             filename="string",
                                             stream=boolean
                                             )
    save_file.write(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("some_file.ext", "wb") as save_file:
    response = falcon.command("GetLookupFromPackageV1",
                              repository="string",
                              package="string",
                              filename="string",
                              stream=boolean
                              )
    save_file.write(response)
```

Initiate a NGSIEM search.
start_search
| Method | Route |
|---|---|
| | /humio/api/v1/repositories/{repository}/queryjobs |

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| allow_event_skipping | | | body | boolean | Flag indicating if event skipping is allowed. |
| arguments | | | body | dictionary | Search arguments in JSON format. |
| around | | | body | dictionary | Search proximity arguments. |
| autobucket_count | | | body | integer | Number of events per bucket. |
| body | | | body | dictionary | Full body payload provided as a dictionary. |
| end | | | body | string | Last event limit. |
| ingest_end | | | body | integer | Ingest maximum. |
| ingest_start | | | body | integer | Ingest start. |
| is_live | | | body | boolean | Flag indicating if this is a live search. |
| query_string | | | body | string | Search query string. |
| repository | | | path | string | Name of the repository. |
| search | | | body | dictionary | Search query to perform. Can be used in place of other keywords. |
| start | | | body | string | Search starting time range. |
| timezone | | | body | string | Timezone applied to the search. |
| timezone_offset_minutes | | | body | integer | Timezone offset. |
| use_ingest_time | | | body | boolean | Flag indicating if ingest time should be used. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.start_search(repository="string",
                               is_live=boolean,
                               start="1d",
                               query_string="#event_simpleName=*"
                               )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.StartSearchV1(repository="string",
                                is_live=boolean,
                                start="1d",
                                query_string="#event_simpleName=*"
                                )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

search_query = {
    "isLive": False,
    "start": "1d",
    "queryString": "#event_simpleName=*"
}

response = falcon.command("StartSearchV1", repository="string", body=search_query)
print(response)
```

Get status of a NGSIEM search.
get_search_status
| Method | Route |
|---|---|
| | /humio/api/v1/repositories/{repository}/queryjobs/{id} |

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| repository | | | path | string | Name of the repository. |
| search_id | | | path | string | ID of the query. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.get_search_status(repository="string", search_id="string")
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.GetSearchStatusV1(repository="string", search_id="string")
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetSearchStatusV1", repository="string", search_id="string")
print(response)
```

Stop a NGSIEM search.
stop_search
| Method | Route |
|---|---|
| | /humio/api/v1/repositories/{repository}/queryjobs/{id} |

- Consumes: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| repository | | | path | string | Name of the repository. |
| id | | | path | string | ID of the query. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.stop_search(repository="string", id="string")
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.StopSearchV1(repository="string", id="string")
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("StopSearchV1", repository="string", id="string")
print(response)
```

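The three search operations above form one lifecycle: start a job, poll its status, stop it. The following is an added example, not code from the FalconPy project; `run_search`, `SearchError` and `FakeNGSIEM` are hypothetical names, and the response keys (`body`/`resources`, `id`, `done`, `events`) are assumptions about the returned document. It works with any client exposing the three methods with the keywords shown on this page, and stops the job on timeout or error so no query job is left running.

```python
import time


class SearchError(RuntimeError):
    """The search could not be started or did not finish in time."""


def _payload(response):
    """Return the job document carried by a client response.

    Assumption: the document sits under "body" or "resources"; a bare
    document is accepted too.
    """
    if not isinstance(response, dict):
        return {}
    for key in ("body", "resources"):
        inner = response.get(key)
        if isinstance(inner, dict) and inner:
            return inner
    return response


def run_search(client, repository, query_string, start="1d", timeout=60.0,
               poll_interval=1.0, sleep=time.sleep, clock=time.monotonic):
    """Start a non-live search, poll until it is done, return its events.

    The job is stopped if polling fails or times out.
    """
    started = client.start_search(repository=repository, is_live=False,
                                  start=start, query_string=query_string)
    search_id = _payload(started).get("id")      # assumed field name
    if not search_id:
        raise SearchError(f"search was not started: {started!r}")
    deadline = clock() + timeout
    finished = False
    try:
        while True:
            status = _payload(client.get_search_status(repository=repository,
                                                       search_id=search_id))
            if status.get("done"):               # assumed field name
                finished = True
                return status.get("events", [])  # assumed field name
            if clock() >= deadline:
                raise SearchError(f"search {search_id} timed out")
            sleep(poll_interval)
    finally:
        if not finished:
            # stop_search takes the job ID as `id`, not `search_id`.
            client.stop_search(repository=repository, id=search_id)


class FakeNGSIEM:
    """Constructed stand-in for offline runs; not FalconPy code."""

    def __init__(self, polls_until_done):
        self.polls_left = polls_until_done
        self.stopped = []

    def start_search(self, **kwargs):
        return {"status_code": 200, "body": {"id": "constructed-job-1"}}

    def get_search_status(self, repository, search_id):
        self.polls_left -= 1
        done = self.polls_left <= 0
        events = [{"#event_simpleName": "ProcessRollup2"}] if done else []
        return {"status_code": 200, "body": {"done": done, "events": events}}

    def stop_search(self, repository, id):
        self.stopped.append(id)
        return {"status_code": 200}


if __name__ == "__main__":
    demo = FakeNGSIEM(polls_until_done=3)
    print(run_search(demo, "example-repo", "#event_simpleName=*",
                     sleep=lambda _seconds: None))
```
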
Get dashboard template by ID.
get_dashboard_template
| Method | Route |
|---|---|
| | /ngsiem-content/entities/dashboards-template/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string | Dashboard ID value. |
| search_domain | | | query | string | Name of search domain (view or repo), options: all, falcon, third-party, dashboards. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.get_dashboard_template(ids="string", search_domain="string")
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.GetDashboardTemplate(ids="string", search_domain="string")
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetDashboardTemplate", ids="string", search_domain="string")
print(response)
```

Create Dashboard from LogScale YAML Template in NGSIEM.
create_dashboard_from_template
| Method | Route |
|---|---|
| | /ngsiem-content/entities/dashboards-template/v1 |

- Consumes: multipart/form-data
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| search_domain | | | formData | string | Name of search domain (view or repo), options: all, falcon, third-party. |
| name | | | formData | string | Name of the dashboard. |
| yaml_template | | | formData | string | LogScale dashboard YAML template content, see schema at https://schemas.humio.com/. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

yaml_content = """
name: Sample Dashboard
description: A sample dashboard for testing
widgets:
  - query: "source=falcon | stats count"
    type: chart
"""

response = falcon.create_dashboard_from_template(search_domain="falcon",
                                                 name="My Dashboard",
                                                 yaml_template=yaml_content
                                                 )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

yaml_content = """
name: Sample Dashboard
description: A sample dashboard for testing
widgets:
  - query: "source=falcon | stats count"
    type: chart
"""

response = falcon.CreateDashboardFromTemplate(search_domain="falcon",
                                              name="My Dashboard",
                                              yaml_template=yaml_content
                                              )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

yaml_content = """
name: Sample Dashboard
description: A sample dashboard for testing
widgets:
  - query: "source=falcon | stats count"
    type: chart
"""

response = falcon.command("CreateDashboardFromTemplate",
                          search_domain="falcon",
                          name="My Dashboard",
                          yaml_template=yaml_content
                          )
print(response)
```

Update Dashboard from LogScale YAML Template in NGSIEM. Please note a successful update will result in a new ID value being returned.
update_dashboard_from_template
| Method | Route |
|---|---|
| | /ngsiem-content/entities/dashboards-template/v1 |

- Consumes: multipart/form-data
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| search_domain | | | formData | string | Name of search domain (view or repo), options: all, falcon, third-party. |
| ids | | | formData | string | ID of the dashboard. |
| yaml_template | | | formData | string | LogScale dashboard YAML template content, see schema at https://schemas.humio.com/. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.update_dashboard_from_template(search_domain="string",
                                                 name="string",
                                                 yaml_template="string"
                                                 )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.UpdateDashboardFromTemplate(search_domain="string",
                                              name="string",
                                              yaml_template="string"
                                              )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("UpdateDashboardFromTemplate",
                          search_domain="string",
                          name="string",
                          yaml_template="string"
                          )
print(response)
```

Delete Dashboard in NGSIEM.
delete_dashboard
| Method | Route |
|---|---|
| | /ngsiem-content/entities/dashboards/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string | Dashboard ID value. |
| search_domain | | | query | string | Name of search domain (view or repo), options: all, falcon, third-party. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.delete_dashboard(ids="string",
                                   search_domain="string"
                                   )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.DeleteDashboard(ids="string",
                                  search_domain="string"
                                  )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DeleteDashboard",
                          ids="string",
                          search_domain="string"
                          )
print(response)
```

Retrieve Lookup File in NGSIEM.
get_lookup_file
| Method | Route |
|---|---|
| | /ngsiem-content/entities/lookupfiles/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filename | | | query | string | Lookup file filename. |
| search_domain | | | query | string | Name of search domain (view or repo), options: all, falcon, third-party, dashboards, parsers-repository. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.get_lookup_file(filename="string",
                                  search_domain="string"
                                  )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.GetLookupFile(filename="string",
                                search_domain="string"
                                )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetLookupFile",
                          filename="string",
                          search_domain="string"
                          )
print(response)
```

Create Lookup File in NGSIEM.
create_lookup_file
| Method | Route |
|---|---|
| | /ngsiem-content/entities/lookupfiles/v1 |

- Consumes: multipart/form-data
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| search_domain | | | formData | string | Name of search domain (view or repo), options: all, falcon, third-party, parsers-repository. |
| filename | | | formData | string | Filename of the lookup file to create. |
| file | | | formData | string | File content to upload. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("file", "rb") as file:
    binary_data = file.read()

response = falcon.create_lookup_file(search_domain="string",
                                     filename="file",
                                     file=binary_data
                                     )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

with open("file", "rb") as file:
    binary_data = file.read()

response = falcon.CreateLookupFile(search_domain="string",
                                   filename="file",
                                   file=binary_data
                                   )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

with open("file", "rb") as file:
    binary_data = file.read()

response = falcon.command("CreateLookupFile",
                          search_domain="string",
                          filename="file",
                          file=binary_data
                          )
print(response)
```

Update Lookup File in NGSIEM.
update_lookup_file
| Method | Route |
|---|---|
| | /ngsiem-content/entities/lookupfiles/v1 |

- Consumes: multipart/form-data
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| search_domain | | | formData | string | Name of search domain (view or repo), options: all, falcon, third-party, parsers-repository. |
| filename | | | formData | string | Filename of the lookup file to update. |
| file | | | formData | string | File content to upload. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.update_lookup_file(search_domain="string",
                                     filename="string",
                                     file="string"
                                     )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.UpdateLookupFile(search_domain="string",
                                   filename="string",
                                   file="string"
                                   )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "search_domain": "string",
    "filename": "string",
    "file": "string"
}

response = falcon.command("UpdateLookupFile", data=body_payload)
print(response)
```

Delete Lookup File in NGSIEM.
delete_lookup_file
| Method | Route |
|---|---|
| | /ngsiem-content/entities/lookupfiles/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filename | | | query | string | Lookup file filename. |
| search_domain | | | query | string | Name of search domain (view or repo), options: all, falcon, third-party, parsers-repository. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.delete_lookup_file(filename="string",
                                     search_domain="string"
                                     )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.DeleteLookupFile(filename="string",
                                   search_domain="string"
                                   )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("DeleteLookupFile",
                          filename="string",
                          search_domain="string"
                          )
print(response)
```

Retrieve Parser in NGSIEM as LogScale YAML Template.
get_parser_template
| Method | Route |
|---|---|
| | /ngsiem-content/entities/parsers-template/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string | Parser ID value. |
| repository | | | query | string | Name of repository, options: parsers-repository. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.get_parser_template(ids="string",
                                      repository="string"
                                      )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.GetParserTemplate(ids="string",
                                    repository="string"
                                    )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetParserTemplate",
                          ids="string",
                          repository="string"
                          )
print(response)
```

Create Parser from LogScale YAML Template in NGSIEM.
create_parser_from_template
| Method | Route |
|---|---|
| | /ngsiem-content/entities/parsers-template/v1 |

- Consumes: multipart/form-data
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| repository | | | formData | string | Name of repository, options: parsers-repository. |
| name | | | formData | string | Name of the parser. |
| yaml_template | | | formData | string | LogScale Parser YAML template content, see schema at https://schemas.humio.com/. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.create_parser_from_template(repository="string",
                                              name="string",
                                              yaml_template="string"
                                              )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.CreateParserFromTemplate(repository="string",
                                           name="string",
                                           yaml_template="string"
                                           )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "repository": "string",
    "name": "string",
    "yaml_template": "string"
}

response = falcon.command("CreateParserFromTemplate", data=body_payload)
print(response)
```

Retrieve Parser in NGSIEM.
get_parser
| Method | Route |
|---|---|
| | /ngsiem-content/entities/parsers/v1 |

- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string | Parser ID value. |
| repository | | | query | string | Name of repository, options: parsers-repository. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.get_parser(ids="string",
                             repository="string"
                             )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.GetParser(ids="string",
                            repository="string"
                            )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("GetParser",
                          ids="string",
                          repository="string"
                          )
print(response)
```

Create Parser in NGSIEM.
create_parser
| Method | Route |
|---|---|
| | /ngsiem-content/entities/parsers/v1 |

- Consumes: application/json
- Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| fields_to_be_removed_before_parsing | | | body | string or list | List of fields to remove before parsing. String or list of strings. |
| fields_to_tag | | | body | string or list | List of fields to tag. String or list of strings. |
| name | | | body | string | Parser name. |
| repository | | | body | string | Parser repository. |
| script | | | body | string | Parser script. |
| test_cases | | | body | list | List of test cases to apply to the parser. List of dictionaries. |

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.create_parser(name="MyParser",
                                repository="parsers-repository",
                                script="parseJson()",
                                fields_to_tag=["field1", "field2"]
                                )
print(response)
```

```python
from falconpy import NGSIEM

# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET
                )

response = falcon.CreateParser(name="MyParser",
                               repository="parsers-repository",
                               script="parseJson()",
                               fields_to_tag=["field1", "field2"]
                               )
print(response)
```

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "name": "MyParser",
    "repository": "parsers-repository",
    "script": "parseJson()",
    "fields_to_tag": ["field1", "field2"]
}

response = falcon.command("CreateParser", body=body_payload)
print(response)
```

Update Parser in NGSIEM. Please note that name changes are not supported, but rather should be created as a new parser.
update_parser
| Method | Route |
|---|---|
/ngsiem-content/entities/parsers/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format | ||
| fields_to_be_removed_before_parsing | body | string or list | List of fields to remove before parsing. String or list of strings. | ||
| fields_to_tag | body | string or list | List of fields to tag. String or list of strings. | ||
| id | body | string | ID of the parser to be updated. | ||
| name | body | string | Parser name. | ||
| repository | body | string | Parser repository. | ||
| script | body | string | Parser script. | ||
| test_cases | body | list | List of test cases to apply to the parser. List of dictionaries. | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_parser(id="parser_id_string",
script="parseJson() | updated script",
fields_to_tag=["field1", "field2", "field3"]
)
print(response)from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.UpdateParser(id="parser_id_string",
script="parseJson() | updated script",
fields_to_tag=["field1", "field2", "field3"]
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"id": "parser_id_string",
"script": "parseJson() | updated script",
"fields_to_tag": ["field1", "field2", "field3"]
}
response = falcon.command("UpdateParser", body=body_payload)
print(response)
Delete Parser in NGSIEM.
delete_parser
| Method | Route |
|---|---|
/ngsiem-content/entities/parsers/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | query | string | Parser ID value | ||
| repository | query | string | Name of repository, options; parsers-repository | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.delete_parser(ids="string",
repository="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.DeleteParser(ids="string",
repository="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("DeleteParser",
ids="string",
repository="string"
)
print(response)
Update a parser auto update policy.
Enables or disables auto-updates for parsers.
update_parser_auto_update_policy
| Method | Route |
|---|---|
/ngsiem-content/entities/parsers/autoupdate/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. | ||
| autoupdate_policy | body | string | The auto update policy setting ('on' or 'off'). | ||
| reason | body | string | Reason for changing the auto update policy. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_parser_auto_update_policy(autoupdate_policy="on",
reason="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.UpdateParserAutoUpdatePolicy(autoupdate_policy="on",
reason="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"autoupdate_policy": "on",
"reason": "string"
}
response = falcon.command("UpdateParserAutoUpdatePolicy", body=body_payload)
print(response)
Install a CrowdStrike-managed out-of-the-box (OOTB) parser.
Provisions a pre-built parser with a specific version for the requesting customer ID (CID). The parser is installed as-is and cannot be modified by the customer.
install_parser
| Method | Route |
|---|---|
/ngsiem-content/entities/parsers/install/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. | ||
| parser_id | body | string | The unique identifier of the parser to install. | ||
| version | body | string | The version of the parser to install. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.install_parser(parser_id="string",
version="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.InstallParser(parser_id="string",
version="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"parser_id": "string",
"version": "string"
}
response = falcon.command("InstallParser", body=body_payload)
print(response)
Install multiple CrowdStrike-managed out-of-the-box (OOTB) parsers.
Provisions multiple pre-built parsers with their specific versions for the requesting customer ID (CID). The parsers are installed as-is and cannot be modified by the customer. Maximum 100 parsers per request.
bulk_install_parsers
| Method | Route |
|---|---|
/ngsiem-content/entities/parsers/bulk-install/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. | ||
| parsers | body | list | List of parser objects containing parser_id and version. List of dictionaries. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.bulk_install_parsers(parsers=[
{
"parser_id": "string",
"version": "string"
}
])
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.BulkInstallParsers(parsers=[
{
"parser_id": "string",
"version": "string"
}
])
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"parsers": [
{
"parser_id": "string",
"version": "string"
}
]
}
response = falcon.command("BulkInstallParsers", body=body_payload)
print(response)
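An added example (not FalconPy's own code) of staying inside the 100-parser limit stated above: it validates and de-duplicates the requested `parser_id`/`version` pairs, then calls `bulk_install_parsers` once per batch. The `status_code`/`body` result layout is assumed from FalconPy's usual response dictionary, and `StubNGSIEM` and the parser IDs are constructed stand-ins so the block runs offline.

```python
MAX_PARSERS_PER_REQUEST = 100  # limit stated in the bulk_install_parsers description


def build_batches(parsers, batch_size=MAX_PARSERS_PER_REQUEST):
    """Validate, de-duplicate and split parser entries into request-sized lists."""
    if not 1 <= batch_size <= MAX_PARSERS_PER_REQUEST:
        raise ValueError(f"batch_size must be between 1 and {MAX_PARSERS_PER_REQUEST}")
    wanted = {}  # parser_id -> version, insertion order preserved
    for entry in parsers:
        parser_id = str(entry.get("parser_id") or "").strip()
        version = str(entry.get("version") or "").strip()
        if not parser_id or not version:
            raise ValueError(f"parser_id and version are both required: {entry!r}")
        # The same parser requested at two versions is a mistake in the inventory.
        if wanted.get(parser_id, version) != version:
            raise ValueError(f"conflicting versions requested for {parser_id!r}")
        wanted[parser_id] = version
    unique = [{"parser_id": pid, "version": ver} for pid, ver in wanted.items()]
    return [unique[i:i + batch_size] for i in range(0, len(unique), batch_size)]


def install_in_batches(client, parsers, batch_size=MAX_PARSERS_PER_REQUEST):
    """Send one bulk_install_parsers call per batch and summarise the outcome.

    "accepted" counts entries in batches that returned an HTTP 2xx status.
    """
    summary = {"requested": 0, "accepted": 0, "failed_batches": []}
    for index, batch in enumerate(build_batches(parsers, batch_size)):
        summary["requested"] += len(batch)
        response = client.bulk_install_parsers(parsers=batch)
        status = response.get("status_code", 0)  # assumed FalconPy result layout
        if 200 <= status < 300:
            summary["accepted"] += len(batch)
            continue
        # Keep going so one rejected batch does not hide the state of the rest.
        errors = (response.get("body") or {}).get("errors") or []
        summary["failed_batches"].append({
            "batch": index,
            "status_code": status,
            "errors": errors,
            "parser_ids": [p["parser_id"] for p in batch],
        })
    return summary


class StubNGSIEM:
    """Constructed stand-in for falconpy.NGSIEM so the example runs offline."""

    def __init__(self, reject_versions=()):
        self.calls = []
        self.reject_versions = set(reject_versions)

    def bulk_install_parsers(self, parsers):
        self.calls.append(list(parsers))
        if any(p["version"] in self.reject_versions for p in parsers):
            return {"status_code": 400,
                    "body": {"errors": [{"message": "constructed error"}]}}
        return {"status_code": 200, "body": {"resources": [], "errors": []}}


if __name__ == "__main__":
    # Constructed inventory: 250 placeholder parser IDs, not real parser names.
    inventory = [{"parser_id": f"example-parser-{n:03d}", "version": "1.0.0"}
                 for n in range(250)]
    stub = StubNGSIEM()
    print(install_in_batches(stub, inventory))
    print([len(call) for call in stub.calls])
```

With real credentials, pass an authenticated `NGSIEM` instance in place of `StubNGSIEM()`.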
Retrieve Saved Query in NGSIEM as LogScale YAML Template by ID.
get_saved_query_template
| Method | Route |
|---|---|
/ngsiem-content/entities/savedqueries-template/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | query | string | Saved query ID value | ||
| search_domain | query | string | Name of search domain (view or repo), options; all, falcon, third-party, dashboards | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_saved_query_template(ids="string",
search_domain="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetSavedQueryTemplate(ids="string",
search_domain="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("GetSavedQueryTemplate",
ids="string",
search_domain="string"
)
print(response)
Create Saved Query from LogScale YAML Template in NGSIEM.
create_saved_query
| Method | Route |
|---|---|
/ngsiem-content/entities/savedqueries-template/v1 |
- Consumes: multipart/form-data
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| search_domain | formData | string | Name of search domain (view or repo), options; all, falcon, third-party | ||
| yaml_template | formData | string | LogScale Saved Query YAML template content, see schema at https://schemas.humio.com/ | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.create_saved_query(search_domain="string",
yaml_template="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.CreateSavedQuery(search_domain="string",
yaml_template="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("CreateSavedQuery",
search_domain="string",
yaml_template="string"
)
print(response)
Update Saved Query from LogScale YAML Template in NGSIEM.
update_saved_query_from_template
| Method | Route |
|---|---|
/ngsiem-content/entities/savedqueries-template/v1 |
- Consumes: multipart/form-data
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| search_domain | formData | string | Name of search domain (view or repo), options; all, falcon, third-party | ||
| ids | formData | string | ID of the saved query | ||
| yaml_template | formData | string | LogScale Saved Query YAML template content, see schema at https://schemas.humio.com/ | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_saved_query_from_template(search_domain="string",
ids="string",
yaml_template="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.UpdateSavedQueryFromTemplate(search_domain="string",
ids="string",
yaml_template="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("UpdateSavedQueryFromTemplate",
search_domain="string",
ids="string",
yaml_template="string"
)
print(response)
Delete Saved Query in NGSIEM.
delete_saved_query
| Method | Route |
|---|---|
/ngsiem-content/entities/savedqueries/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | query | string | Saved query ID value | ||
| search_domain | query | string | Name of search domain (view or repo), options; all, falcon, third-party | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.delete_saved_query(ids="string",
search_domain="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.DeleteSavedQuery(ids="string",
search_domain="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("DeleteSavedQuery",
ids="string",
search_domain="string"
)
print(response)
List dashboards.
list_dashboards
| Method | Route |
|---|---|
/ngsiem-content/queries/dashboards/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | query | string | Maximum number of results to return (default: 50, max: 9999) | ||
| offset | query | string | Number of results to offset the returned results by (default: 0, max: 9999) | ||
| filter | query | string | FQL filter to apply to the name of the content, only currently support text match on name field: name:~'value' | ||
| search_domain | query | string | Name of search domain (view or repo), options; all, falcon, third-party, dashboards | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_dashboards(limit="string",
offset="string",
filter="string",
search_domain="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ListDashboards(limit="string",
offset="string",
filter="string",
search_domain="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ListDashboards",
limit="string",
offset="string",
filter="string",
search_domain="string"
)
print(response)
List lookup files.
list_lookup_files
| Method | Route |
|---|---|
/ngsiem-content/queries/lookupfiles/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | query | string | Maximum number of results to return (default: 50, max: 9999) | ||
| offset | query | string | Number of results to offset the returned results by (default: 0, max: 9999) | ||
| filter | query | string | FQL filter to apply to the name of the content, only currently support text match on name field: name:~'value' | ||
| search_domain | query | string | Name of search domain (view or repo), options; all, falcon, third-party, dashboards, parsers-repository | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_lookup_files(limit="string",
offset="string",
filter="string",
search_domain="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ListLookupFiles(limit="string",
offset="string",
filter="string",
search_domain="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ListLookupFiles",
limit="string",
offset="string",
filter="string",
search_domain="string"
)
print(response)
List parsers.
list_parsers
| Method | Route |
|---|---|
/ngsiem-content/queries/parsers/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | query | string | Maximum number of results to return (default: 50, max: 9999) | ||
| offset | query | string | Number of results to offset the returned results by (default: 0, max: 9999) | ||
| filter | query | string | FQL filter to apply to the name of the content, only currently support text match on name field: name:~'value' | ||
| repository | query | string | Name of repository, options; parsers-repository | ||
| update_available | query | string | Filter parsers by update availability. Allowed values: true, false | ||
| parser_type | query | string | Filter parsers by type. Allowed values: ootb, custom | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_parsers(limit="string",
offset="string",
filter="string",
repository="string",
update_available="string",
parser_type="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ListParsers(limit="string",
offset="string",
filter="string",
repository="string",
update_available="string",
parser_type="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ListParsers",
limit="string",
offset="string",
filter="string",
repository="string",
update_available="string",
parser_type="string"
)
print(response)
List saved queries.
list_saved_queries
| Method | Route |
|---|---|
/ngsiem-content/queries/savedqueries/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| limit | query | string | Maximum number of results to return (default: 50, max: 9999) | ||
| offset | query | string | Number of results to offset the returned results by (default: 0, max: 9999) | ||
| filter | query | string | FQL filter to apply to the name of the content, only currently support text match on name field: name:~'value' | ||
| search_domain | query | string | Name of search domain (view or repo), options; all, falcon, third-party, dashboards | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_saved_queries(limit="string",
offset="string",
filter="string",
search_domain="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ListSavedQueries(limit="string",
offset="string",
filter="string",
search_domain="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ListSavedQueries",
limit="string",
offset="string",
filter="string",
search_domain="string"
)
print(response)
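An added example (not part of the FalconPy wiki) that pages through any of the four content listings above (`list_dashboards`, `list_lookup_files`, `list_parsers`, `list_saved_queries`) while respecting the documented `limit` and `offset` maximum of 9999. It assumes results arrive under `body["resources"]` in FalconPy's usual response dictionary; `make_stub_list_method` and its items are constructed so the block runs offline.

```python
MAX_LIMIT = 9999   # "max: 9999" from the limit parameter description
MAX_OFFSET = 9999  # "max: 9999" from the offset parameter description


def list_all(list_method, page_size=50, **filters):
    """Collect every result from one list_* operation.

    list_method is a bound method such as falcon.list_parsers; filters are
    passed through unchanged (filter=, search_domain=, parser_type=, ...).
    """
    if not 1 <= page_size <= MAX_LIMIT:
        raise ValueError(f"page_size must be between 1 and {MAX_LIMIT}")
    results = []
    offset = 0
    while True:
        if offset > MAX_OFFSET:
            # The API cannot address anything further, so the inventory may be
            # incomplete. Fail loudly instead of returning a truncated list.
            raise RuntimeError(
                f"results may continue past offset {MAX_OFFSET}; narrow the filter")
        # The parameter tables give both values a string data type.
        response = list_method(limit=str(page_size), offset=str(offset), **filters)
        status = response.get("status_code", 0)
        body = response.get("body") or {}
        if not 200 <= status < 300:
            raise RuntimeError(f"list call failed ({status}): {body.get('errors')}")
        page = body.get("resources") or []  # assumed response layout
        if not page:
            return results
        results.extend(page)
        offset += len(page)


def make_stub_list_method(items):
    """Constructed stand-in for a FalconPy list_* method; serves slices of items."""
    calls = []

    def stub(limit, offset, **filters):
        calls.append({"limit": limit, "offset": offset, **filters})
        start = int(offset)
        return {"status_code": 200,
                "body": {"resources": items[start:start + int(limit)]}}

    stub.calls = calls
    return stub


if __name__ == "__main__":
    # Constructed IDs standing in for real parser identifiers.
    stub = make_stub_list_method([f"example-id-{n}" for n in range(120)])
    found = list_all(stub, page_size=50, parser_type="ootb", update_available="true")
    print(len(found), [call["offset"] for call in stub.calls])
```

Stopping on the first empty page costs one extra request but does not depend on the service returning a total count.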
Update entries in an existing Lookup File in NGSIEM.
update_lookup_file_entries
| Method | Route |
|---|---|
/ngsiem-content/entities/lookupfiles-entries/v1 |
- Consumes: multipart/form-data
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| search_domain | formData | string | Name of search domain (view or repo), options; all, falcon, third-party, parsers-repository. | ||
| filename | formData | string | Filename of the lookup file to update. | ||
| file | formData | string | The file content for updating or appending the entries. | ||
| update_mode | formData | string | How to update the file entries, options; append, update. | ||
| key_columns | formData | string | For update mode, the comma separated list of key columns to use when matching entries (REQUIRED when update_mode=update). | ||
| ignore_case | formData | string | For update mode, whether to ignore case when matching keys (REQUIRED when update_mode=update), options; true, false. | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_lookup_file_entries(search_domain="string",
filename="string",
file="string",
update_mode="string",
key_columns="string",
ignore_case="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.UpdateLookupFileEntries(search_domain="string",
filename="string",
file="string",
update_mode="string",
key_columns="string",
ignore_case="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"search_domain": "string",
"filename": "string",
"file": "string",
"update_mode": "string",
"key_columns": "string",
"ignore_case": "string"
}
response = falcon.command("UpdateLookupFileEntries", data=body_payload)
print(response)
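An added example (not FalconPy's own code) that checks the arguments for `update_lookup_file_entries` before any request is sent, enforcing the rule above that `key_columns` and `ignore_case` are required when `update_mode=update`. It assumes the lookup content is CSV with a header row; the duplicate-key check and the sample rows are additions constructed for this illustration.

```python
import csv
import io

# Option lists copied from the parameter table for update_lookup_file_entries.
SEARCH_DOMAINS = {"all", "falcon", "third-party", "parsers-repository"}
UPDATE_MODES = {"append", "update"}


def build_lookup_update_args(search_domain, filename, csv_text, update_mode,
                             key_columns=None, ignore_case=None):
    """Return keyword arguments for update_lookup_file_entries or raise ValueError."""
    if search_domain not in SEARCH_DOMAINS:
        raise ValueError(f"search_domain must be one of {sorted(SEARCH_DOMAINS)}")
    if update_mode not in UPDATE_MODES:
        raise ValueError(f"update_mode must be one of {sorted(UPDATE_MODES)}")

    # Parse the upload once so malformed rows are caught locally.
    reader = csv.reader(io.StringIO(csv_text))
    rows = [(reader.line_num, row) for row in reader if row]
    if len(rows) < 2:
        raise ValueError("file content needs a header row and at least one entry")
    header = [name.strip() for name in rows[0][1]]
    for line_no, row in rows[1:]:
        if len(row) != len(header):
            raise ValueError(
                f"line {line_no}: expected {len(header)} columns, got {len(row)}")

    args = {"search_domain": search_domain, "filename": filename,
            "file": csv_text, "update_mode": update_mode}
    if update_mode == "append":
        # key_columns and ignore_case apply to update mode only; leave them out.
        return args

    names = key_columns.split(",") if isinstance(key_columns, str) else list(key_columns or [])
    keys = [name.strip() for name in names if name.strip()]
    if not keys or not isinstance(ignore_case, bool):
        raise ValueError("update mode requires key_columns and a boolean ignore_case")
    missing = [name for name in keys if name not in header]
    if missing:
        raise ValueError(f"key_columns not present in the header: {missing}")

    # Added check: two uploaded rows with the same key would make the match
    # ambiguous, and ignore_case=True widens what counts as "the same".
    positions = [header.index(name) for name in keys]
    seen = {}
    for line_no, row in rows[1:]:
        key = tuple(row[i].strip() for i in positions)
        if ignore_case:
            key = tuple(value.casefold() for value in key)
        if key in seen:
            raise ValueError(f"lines {seen[key]} and {line_no} share key {key}")
        seen[key] = line_no

    args["key_columns"] = ",".join(keys)
    args["ignore_case"] = "true" if ignore_case else "false"
    return args


if __name__ == "__main__":
    # Constructed lookup content: an asset-owner table, not real data.
    sample = "host,owner,tier\nweb-01,alice,prod\nWEB-01,bob,dev\n"
    print(build_lookup_update_args("falcon", "assets.csv", sample, "update",
                                   key_columns="host", ignore_case=False))
    # With an authenticated client: falcon.update_lookup_file_entries(**args)
```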
List and search data connections.
list_data_connections
| Method | Route |
|---|---|
/ngsiem/combined/connections/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | query | string | Optional filter criteria in FQL format. | ||
| offset | query | integer | Starting position for pagination. | ||
| limit | query | integer | Maximum number of items to return. | ||
| sort | query | string | Sort field and direction. | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_data_connections(filter="string",
offset=integer,
limit=integer,
sort="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ExternalListDataConnections(filter="string",
offset=integer,
limit=integer,
sort="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ExternalListDataConnections",
filter="string",
offset=integer,
limit=integer,
sort="string"
)
print(response)
List available data connectors.
list_data_connectors
| Method | Route |
|---|---|
/ngsiem/combined/connectors/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| filter | query | string | Optional filter criteria in FQL format. | ||
| offset | query | integer | Starting position for pagination. | ||
| limit | query | integer | Maximum number of items to return. | ||
| sort | query | string | Sort field and direction. | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_data_connectors(filter="string",
offset=integer,
limit=integer,
sort="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ExternalListDataConnectors(filter="string",
offset=integer,
limit=integer,
sort="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ExternalListDataConnectors",
filter="string",
offset=integer,
limit=integer,
sort="string"
)
print(response)
Get data connection provisioning status.
get_provisioning_status
| Method | Route |
|---|---|
/ngsiem/entities/connections/status/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | query | string or list | Unique identifier of the data connection. | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_provisioning_status(ids="string")
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ExternalGetDataConnectionStatus(ids="string")
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ExternalGetDataConnectionStatus", ids="string")
print(response)
Update data connection status.
update_connection_status
| Method | Route |
|---|---|
/ngsiem/entities/connections/status/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | query | string | Unique identifier of the data connection. | ||
| body | body | dictionary | Full body payload in JSON format. | ||
| status | body | string | Status value. | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.update_connection_status(ids="string",
status="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ExternalUpdateDataConnectionStatus(ids="string",
status="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"status": "string"
}
response = falcon.command("ExternalUpdateDataConnectionStatus",
ids="string",
body=body_payload
)
print(response)
Get Ingest token for data connection.
get_ingest_token
| Method | Route |
|---|---|
/ngsiem/entities/connections/token/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | query | string | Unique identifier of the data connection. | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_ingest_token(ids="string")
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ExternalGetDataConnectionToken(ids="string")
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ExternalGetDataConnectionToken", ids="string")
print(response)
Regenerate Ingest token for data connection.
regenerate_ingest_token
| Method | Route |
|---|---|
/ngsiem/entities/connections/token/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | query | string | Unique identifier of the data connection. | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.regenerate_ingest_token(ids="string")
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ExternalRegenerateDataConnectionToken(ids="string")
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ExternalRegenerateDataConnectionToken", ids="string")
print(response)
Get data connection by ID.
get_connection_by_id
| Method | Route |
|---|---|
/ngsiem/entities/connections/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | query | string or list | Unique identifier of the data connection. | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_connection_by_id(ids="string")
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ExternalGetDataConnectionByID(ids="string")
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ExternalGetDataConnectionByID", ids="string")
print(response)
Create a new data connection.
create_data_connection
| Method | Route |
|---|---|
/ngsiem/entities/connections/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. | ||
| config | body | dictionary | Configuration dictionary. | ||
| config_id | body | string | Configuration ID. | ||
| connector_id | body | string | Connector ID. | ||
| connector_type | body | string | Connector type. | ||
| description | body | string | Connection description. | ||
| enable_host_enrichment | body | boolean | Enable host enrichment. | ||
| enable_user_enrichment | body | boolean | Enable user enrichment. | ||
| name | body | string | Connection name. | ||
| parser | body | string | Parser. | ||
| vendor_name | body | string | Vendor name. | ||
| vendor_product_name | body | string | Vendor product name. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
config = {
"auth": {},
"name": "string",
"params": {}
}
response = falcon.create_data_connection(config=config,
config_id="string",
connector_id="string",
connector_type="string",
description="string",
enable_host_enrichment=boolean,
enable_user_enrichment=boolean,
name="string",
parser="string",
vendor_name="string",
vendor_product_name="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
config = {
"auth": {},
"name": "string",
"params": {}
}
response = falcon.ExternalCreateDataConnection(config=config,
config_id="string",
connector_id="string",
connector_type="string",
description="string",
enable_host_enrichment=boolean,
enable_user_enrichment=boolean,
name="string",
parser="string",
vendor_name="string",
vendor_product_name="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"config": {
"auth": {},
"name": "string",
"params": {}
},
"config_id": "string",
"connector_id": "string",
"connector_type": "string",
"description": "string",
"enable_host_enrichment": boolean,
"enable_user_enrichment": boolean,
"name": "string",
"parser": "string",
"vendor_name": "string",
"vendor_product_name": "string"
}
response = falcon.command("ExternalCreateDataConnection", body=body_payload)
print(response)
Update a data connection.
update_data_connection
| Method | Route |
|---|---|
/ngsiem/entities/connections/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | query | string | Unique identifier of the data connection. | ||
| body | body | dictionary | Full body payload in JSON format. | ||
| config | body | dictionary | Configuration dictionary. | ||
| config_id | body | string | Configuration ID. | ||
| description | body | string | Connection description. | ||
| enable_host_enrichment | body | boolean | Enable host enrichment. | ||
| enable_user_enrichment | body | boolean | Enable user enrichment. | ||
| name | body | string | Connection name. | ||
| parser | body | string | Parser. | ||
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
config = {
"auth": {},
"name": "string",
"params": {}
}
response = falcon.update_data_connection(ids="string",
config=config,
config_id="string",
description="string",
enable_host_enrichment=boolean,
enable_user_enrichment=boolean,
name="string",
parser="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
config = {
"auth": {},
"name": "string",
"params": {}
}
response = falcon.ExternalUpdateDataConnection(ids="string",
config=config,
config_id="string",
description="string",
enable_host_enrichment=boolean,
enable_user_enrichment=boolean,
name="string",
parser="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"config": {
"auth": {},
"name": "string",
"params": {}
},
"config_id": "string",
"description": "string",
"enable_host_enrichment": boolean,
"enable_user_enrichment": boolean,
"name": "string",
"parser": "string"
}
response = falcon.command("ExternalUpdateDataConnection",
ids="string",
body=body_payload
)
print(response)
Delete a data connection.
delete_data_connection
| Method | Route |
|---|---|
| | /ngsiem/entities/connections/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string | Unique identifier of the data connection. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.delete_data_connection(ids="string")
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ExternalDeleteDataConnection(ids="string")
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ExternalDeleteDataConnection", ids="string")
print(response)
List configurations for a data connector.
list_connector_configs
| Method | Route |
|---|---|
| | /ngsiem/entities/connectors/configs/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string | Unique identifier of the data connector. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_connector_configs(ids="string")
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ExternalListConnectorConfigs(ids="string")
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ExternalListConnectorConfigs", ids="string")
print(response)
Create a new configuration for a data connector.
create_connector_config
| Method | Route |
|---|---|
| | /ngsiem/entities/connectors/configs/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| body | | | body | dictionary | Full body payload in JSON format. |
| config | | | body | dictionary | Configuration details for the connector including authentication and parameters. |
| connector_id | | | body | string | Unique identifier of the data connector. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
config = {
"auth": {},
"name": "string",
"params": {}
}
response = falcon.create_connector_config(config=config,
connector_id="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
config = {
"auth": {},
"name": "string",
"params": {}
}
response = falcon.ExternalCreateConnectorConfig(config=config,
connector_id="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"config": {
"auth": {},
"name": "string",
"params": {}
},
"connector_id": "string"
}
response = falcon.command("ExternalCreateConnectorConfig", body=body_payload)
print(response)
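
The `config` dictionary carries the connector's authentication details, and the samples on this page print what they get back. The following is an added example, not part of the FalconPy wiki or project code: it reads the API credentials from the environment and masks everything under `auth` before a payload is logged. The variable names `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET`, the helper names, and the sample `auth` keys are assumptions.

```python
import os

REDACTED = "***REDACTED***"


def load_api_credentials(env=None):
    """Build client_id/client_secret kwargs from the environment (assumed names)."""
    env = os.environ if env is None else env
    names = ("FALCON_CLIENT_ID", "FALCON_CLIENT_SECRET")
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {"client_id": env[names[0]], "client_secret": env[names[1]]}


def _mask(value):
    """Replace every leaf value with a marker, keeping the key structure visible."""
    if isinstance(value, dict):
        return {k: _mask(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_mask(v) for v in value]
    return REDACTED


def redact_auth(node):
    """Return a copy of a payload with everything under any "auth" key masked."""
    if isinstance(node, dict):
        return {k: _mask(v) if k == "auth" else redact_auth(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact_auth(v) for v in node]
    return node


# Constructed sample body in the shape shown on this page; the auth keys are invented.
SAMPLE_BODY = {
    "config": {
        "auth": {"api_key": "constructed-secret", "scopes": ["read"]},
        "name": "example-config",
        "params": {"region": "example"},
    },
    "connector_id": "example-connector-id",
}

if __name__ == "__main__":
    # With FalconPy installed: falcon = NGSIEM(**load_api_credentials())
    print(redact_auth(SAMPLE_BODY))  # safe to log; pass SAMPLE_BODY itself to the API
```
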
Patch configurations for a data connector.
patch_connector_config
| Method | Route |
|---|---|
| | /ngsiem/entities/connectors/configs/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| ids | | | query | string | Unique id of the config to update. |
| body | | | body | dictionary | Full body payload in JSON format. |
| config | | | body | dictionary | Configuration details for the connector including authentication and parameters. |
| connector_id | | | body | string | Unique identifier of the data connector. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
config = {
"auth": {},
"name": "string",
"params": {}
}
response = falcon.patch_connector_config(ids="string",
config=config,
connector_id="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
config = {
"auth": {},
"name": "string",
"params": {}
}
response = falcon.ExternalPatchConnectorConfig(ids="string",
config=config,
connector_id="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"config": {
"auth": {},
"name": "string",
"params": {}
},
"connector_id": "string"
}
response = falcon.command("ExternalPatchConnectorConfig",
ids="string",
body=body_payload
)
print(response)
Delete data connection config.
delete_connector_configs
| Method | Route |
|---|---|
| | /ngsiem/entities/connectors/configs/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| connector_id | | | query | string | Unique identifier of the connector. |
| ids | | | query | string or list of strings | Unique identifiers of the config(s) to delete. |
| parameters | | | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.delete_connector_configs(connector_id="string",
ids="string"
)
print(response)

from falconpy import NGSIEM
# Do not hardcode API credentials!
falcon = NGSIEM(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ExternalDeleteConnectorConfigs(connector_id="string",
ids="string"
)
print(response)

from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ExternalDeleteConnectorConfigs",
connector_id="string",
ids="string"
)
print(response)
