Foundry LogScale
| Operation ID | Description | ||||
|---|---|---|---|---|---|
|
Lists available repositories and views | ||||
|
Ingest data into the application repository asynchronously | ||||
|
Ingest data into the application repository | ||||
|
Execute a dynamic saved search | ||||
|
Get the results of a saved search | ||||
|
Execute a saved search | ||||
|
Populate a saved search | ||||
|
Get the results of a saved search as a file | ||||
|
List views | ||||
Lists available repositories and views
list_repos
| Method | Route |
|---|---|
 |
/loggingapi/combined/repos/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| check_test_data |  |
|
query | boolean | Include whether test data is present in the application repository. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_repos(check_test_data=boolean)
print(response)from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ListReposV1(check_test_data=boolean)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ListReposV1", check_test_data=boolean)
print(response)Ingest data into the application repository asynchronously
ingest_data_async
| Method | Route |
|---|---|
 |
/loggingapi/entities/data-ingestion/ingest-async/v1 |
- Consumes: multipart/form-data
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| data_file | |
|
formData | file | Data file to ingest. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. |
| repo | |
|
formData | string | Repository name to ingest data into. (If not part of a Foundry application.) |
| tag | |
|
formData | string or list of strings | Custom tag for ingested data in the form tag:value. |
| tag_source | |
|
formData | string | Tag the data with the specified source. |
| test_data | |
|
formData | boolean | Tag the data with test-ingest. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("file_name.ext", "rb") as upload_file:
response = falcon.ingest_data_async(tag="string",
tag_source="string",
test_data=boolean,
repo="string",
data_file=upload_file.read()
)
print(response)from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("file_name.ext", "rb") as upload_file:
response = falcon.IngestDataAsyncV1(tag="string",
tag_source="string",
test_data=boolean,
repo="string",
data_file=upload_file.read()
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("file_name.ext", "rb") as upload_file:
response = falcon.command("IngestDataAsyncV1",
tag="string",
tag_source="string",
test_data=boolean,
repo="string",
data_file=upload_file.read()
)
print(response)Ingest data into the application repository
ingest_data
| Method | Route |
|---|---|
|
/loggingapi/entities/data-ingestion/ingest/v1 |
- Consumes: multipart/form-data
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| data_file | |
|
formData | file | Data file to ingest. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. |
| tag | |
|
formData | string or list of strings | Custom tag for ingested data in the form tag:value. |
| tag_source | |
|
formData | string | Tag the data with the specified source. |
| test_data | |
|
formData | boolean | Tag the data with test-ingest. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("file_name.ext", "rb") as upload_file:
response = falcon.ingest_data(tag="string",
tag_source="string",
test_data=boolean,
data_file=upload_file.read()
)
print(response)from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("file_name.ext", "rb") as upload_file:
response = falcon.IngestDataV1(tag="string",
tag_source="string",
test_data=boolean,
data_file=upload_file.read()
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("file_name.ext", "rb") as upload_file:
response = falcon.command("IngestDataV1",
tag="string",
tag_source="string",
test_data=boolean,
data_file=upload_file.read()
)
print(response)Execute a dynamic saved search
execute_dynamic
| Method | Route |
|---|---|
|
/loggingapi/entities/saved-searches/execute-dynamic/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| app_id | |
|
query | string | Application ID |
| end | |
 |
body | boolean | Dynamic search end |
| include_schema_generation | |
|
query | boolean | Include generated schemas in the response |
| include_test_data | |
|
query | boolean | Include test data when executing searches |
| infer_json_types | |
|
query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
| match_response_schema | |
|
query | boolean | Whether to validate search results against their schema. |
| metadata | |
|
query | boolean | Whether to include metadata in the response |
| mode | |
|
query | string | Mode to execute the query under. |
| body | |
|
body | string | Full body payload in JSON format, not required if using other keywords. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. |
| repo_or_view | |
|
body | string | Repository or view to search |
| search_query | |
|
body | string | Search query to perform |
| search_query_args | |
|
body | dictionary | Search query arguments to leverage when processing the query |
| start | |
|
body | string | Dynamic search start |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.execute_dynamic(app_id="string",
end="string",
include_schema_generation=boolean,
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
mode="string",
repo_or_view="string",
search_query="string",
seach_query_args = {},
start="string"
)
print(response)from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.CreateSavedSearchesDynamicExecuteV1(app_id="string",
end="string",
include_schema_generation=boolean,
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
mode="string",
repo_or_view="string",
search_query="string",
seach_query_args = {},
start="string")
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
body_payload = {
"end": "string",
"repo_or_view": "string",
"search_query": "string",
"search_query_args": {},
"start": "string"
}
response = falcon.command("CreateSavedSearchesDynamicExecuteV1",
app_id="string",
include_schema_generation=boolean,
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
mode="string",
body=body_payload
)
print(response)Get the results of a saved search
get_search_results
| Method | Route |
|---|---|
|
/loggingapi/entities/saved-searches/execute/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| app_id | |
|
query | string | Application ID |
| job_id | |
|
query | string | Job ID for a previously executed async query |
| limit | |
|
query | string | Maximum number of records to return. |
| infer_json_types | |
|
query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
| match_response_schema | |
|
query | boolean | Whether to validate search results against their schema. |
| metadata | |
|
query | boolean | Whether to include metadata in the response |
| offset | |
|
query | string | Starting pagination offset of records to return. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. |
| version | |
|
query | string | Version of resource being created |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_search_results(app_id="string",
job_id="string",
limit="string",
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
offset="string",
version="string"
)
print(response)from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetSavedSearchesExecuteV1(app_id="string",
job_id="string",
limit="string",
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
offset="string",
version="string"
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("GetSavedSearchesExecuteV1",
app_id="string",
job_id="string",
limit="string",
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
offset="string",
version="string"
)
print(response)Execute a saved search
execute
| Method | Route |
|---|---|
|
/loggingapi/entities/saved-searches/execute/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| app_id | |
|
query | string | Application ID |
| body | |
|
body | string | Full body payload in JSON format. Not required if using other keywords. |
| detailed | |
|
query | boolean | Whether to include search field details |
| end | |
|
body | string | Saved search end. |
| id | |
|
body | string | Saved search ID. |
| include_test_data | |
|
query | boolean | Include test data when executing searches |
| infer_json_types | |
|
query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
| match_response_schema | |
|
query | boolean | Whether to validate search results against their schema. |
| metadata | |
|
query | boolean | Whether to include metadata in the response |
| mode | |
|
body | string | Mode to execute the query under. If provided, takes precedence over the mode provided in the body. |
| name | |
|
body | string | Name of the saved search. |
| parameters | |
|
query | string | Full query string payload in JSON format. Not required if using other keywords. |
| search_parameters | |
|
body | dictionary | Parameters to use for the saved search. |
| start | |
|
body | string | Saved search start. |
| version | |
|
body | string | Version of resource being created |
| with_in | |
|
body | dictionary | Limit search results to field names matching the provided list. |
| with_limit | |
|
body | dictionary | Limit search results by a maximum count. |
| with_renames | |
|
body | list | Rename fields for display. |
| with_sort | |
|
body | dictionary | Apply sort criteria. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with_in_dictionary = {
"field": "string",
"values": [
"string"
]
}
with_limit_dictionary = {
"from": "string",
"limit": 0
}
with_renames_list = [
{
"as": "string",
"field": "string"
}
]
with_sort_dictionary = {
"fields": [
"string"
],
"limit": 0,
"order": [
"string"
],
"reverse": boolean,
"type": [
"string"
]
}
response = falcon.execute(app_id="string",
detailed=boolean,
end="string",
id="string",
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
mode="string",
name="string",
search_parameters={},
start="string",
version="string",
with_in = with_in_dictionary,
with_limit = with_limit_dictionary,
with_renames = with_renames_list,
with_sort = with_sort_dictionary
)
print(response)from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with_in_dictionary = {
"field": "string",
"values": [
"string"
]
}
with_limit_dictionary = {
"from": "string",
"limit": 0
}
with_renames_list = [
{
"as": "string",
"field": "string"
}
]
with_sort_dictionary = {
"fields": [
"string"
],
"limit": 0,
"order": [
"string"
],
"reverse": boolean,
"type": [
"string"
]
}
response = falcon.CreateSavedSearchesExecuteV1(app_id="string",
detailed=boolean,
end="string",
id="string",
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
mode="string",
name="string",
search_parameters={},
start="string",
version="string",
with_in = with_in_dictionary,
with_limit = with_limit_dictionary,
with_renames = with_renames_list,
with_sort = with_sort_dictionary
)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with_in_dictionary = {
"field": "string",
"values": [
"string"
]
}
with_limit_dictionary = {
"from": "string",
"limit": 0
}
with_renames_list = [
{
"as": "string",
"field": "string"
}
]
with_sort_dictionary = {
"fields": [
"string"
],
"limit": 0,
"order": [
"string"
],
"reverse": boolean,
"type": [
"string"
]
}
body_payload = {
"end": "string",
"id": "string",
"mode": "string",
"name": "string",
"parameters": {},
"start": "string",
"version": "string",
"with_in": with_in_dictionary,
"with_limit": with_limit_dictionary,
"with_renames": with_renames_list,
"with_sort": with_sort_dictionary
}
response = falcon.command("CreateSavedSearchesExecuteV1",
app_id="string",
detailed=boolean,
include_test_data=boolean,
infer_json_types=boolean,
match_response_schema=boolean,
metadata=boolean,
body=body_payload
)
print(response)Populate a saved search
populate
| Method | Route |
|---|---|
|
/loggingapi/entities/saved-searches/ingest/v1 |
- Consumes: multipart/form-data
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| app_id | |
|
query | string | Include generated schemas in the response |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.populate(app_id="string")
print(response)from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.CreateSavedSearchesIngestV1(app_id="string")
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("CreateSavedSearchesIngestV1", app_id="string")
print(response)Get the results of a saved search as a file
download_results
| Method | Route |
|---|---|
|
/loggingapi/entities/saved-searches/job-results-download/v1 |
- Consumes: application/json
- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| job_id | |
|
query | string | Job ID for a previously executed async query |
| infer_json_types | |
|
query | boolean | Whether to try to infer data types in json event response instead of returning map[string]string. |
| parameters | |
|
query | dictionary | Full query string parameters payload in JSON format. |
| result_format | |
|
query | string | Result Format |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("some_file.ext", "wb", encoding="utf-8") as save_file:
save_file.write(falcon.download_results(job_id="string",
result_format="string",
infer_json_types=boolean
))from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("some_file.ext", "wb", encoding="utf-8") as save_file:
save_file.write(falcon.GetSavedSearchesJobResultsDownloadV1(job_id="string",
result_format="string",
infer_json_types=boolean
))from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
with open("some_file.ext", "wb", encoding="utf-8") as save_file:
save_file.write(falcon.command("GetSavedSearchesJobResultsDownloadV1",
job_id="string",
result_format="string",
infer_json_types=boolean
))List views
list_views
| Method | Route |
|---|---|
|
/loggingapi/entities/views/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|---|---|---|---|---|
| check_test_data | |
|
query | boolean | Include whether test data is present in the application repository. |
from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.list_views(check_test_data=boolean)
print(response)from falconpy import FoundryLogScale
# Do not hardcode API credentials!
falcon = FoundryLogScale(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.ListViewV1(check_test_data=boolean)
print(response)from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("ListViewV1", check_test_data=boolean)
print(response)
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- ASPM
- CAO Hunting
- Certificate Based Exclusions
- Cloud AWS Registration
- Cloud Azure Registration
- Cloud OCI Registration
- Cloud Connect AWS (deprecated)
- Cloud Security Assets
- Cloud Snapshots
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Image Compliance
- Container Images
- Container Packages
- Container Vulnerabilities
- Content Update Policies
- Correlation Rules
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- DataScanner (deprecated)
- Delivery Settings
- Deployments
- Detects
- Device Content
- Device Control Policies
- Discover
- Downloads
- Drift Indicators
- Event Streams
- Exposure Management
- FaaS Execution
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Host Migration
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- Intelligence Feeds
- Intelligence Indicator Graph
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- NGSIEM
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Quick Scan Pro
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Usage
- Sensor Visibility Exclusions
- Serverless Vulnerabilities
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust
