# CrowdStrike LogScale
The CrowdStrike LogScale connector enables automated interactions with the LogScale platform, such as querying, ingesting data, and managing alerts. CrowdStrike LogScale is a log management and analysis platform that enables security teams to collect, monitor, and analyze data across their digital infrastructure. This connector provides Swimlane Turbine users with the ability to automate the ingestion, querying, and management of alerts and data within LogScale. By integrating with CrowdStrike LogScale, users can streamline their security operations, enhance incident response, and leverage advanced search capabilities to gain actionable insights from their data.

## Prerequisites

Before you can utilize the CrowdStrike LogScale connector for Turbine, ensure you have the following:

- HTTP Bearer Token authentication with these parameters:
  - **URL**: endpoint URL for the CrowdStrike LogScale instance
  - **Token**: bearer token to authenticate API requests

## Asset Setup

The asset for this connector requires the following input:

- Token

## Capabilities

This connector provides the following capabilities:

- Create Alert
- Create Query Jobs
- Delete Alert By Id
- Delete File For Cloud Users
- Delete File For On Premises Users
- Delete Query Job By Id
- Execute Query
- Get Alert By Id
- Get Alerts
- Ingest Raw Data
- Ingest Raw JSON Data
- Ingest Structured Data
- Ingest Unstructured Data
- Initiate Search
- Poll Query Job By Id
- and so on

## Important Key Points

When using the Create Query Jobs and Execute Query tasks, the `start` and `end` fields of the JSON request body may be passed in either of the following two ways:

**Absolute time**: With absolute time, you specify a number that expresses the precise time in milliseconds since the Unix epoch (Unix time) in the UTC/Zulu time zone. This method is shown in the following example:

```json
{
  "queryString": "",
  "start": 1473449370018,
  "end": 1473535816755
}
```

**Relative time**: With relative time, you specify the start and end time as a relative time such as `1minute` or `24hours`. LogScale supports this using relative time modifiers: it treats the start and end times as relative times if you specify them as strings. When providing a timestamp, relative time modifiers are specified relative to "now". This method is shown in the following example:

```json
{
  "queryString": "error",
  "start": "24hours",
  "end": "now"
}
```

When using the Update Alert By Id task, details of the `throttleField` input parameter are available at the following link:

- Throttle field details: https://library.humio.com/data-analysis/automated-alerts-throttle-period.html#automated-alerts-throttle-period-field-based

## API Documentation Links

- API Authentication documentation: https://library.humio.com/integrations/api-authentication.html
- Search API documentation: https://library.humio.com/integrations/api-search.html
- GraphQL API documentation: https://library.humio.com/integrations/api-graphql.html
- Alert API documentation: https://library.humio.com/integrations/api-alert.html
- Ingest API documentation: https://library.humio.com/integrations/api-ingest.html
- Lookup API documentation: https://library.humio.com/integrations/api-lookup.html

## Configurations

### HTTP Bearer Authentication

Authenticates using a bearer token such as a JWT.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Token | The API key, token, etc. | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Create Alert

Generates a new alert within the specified dataspace in CrowdStrike LogScale, requiring path parameters and JSON body inputs.

**Endpoint URL:** `/api/v1/repositories/{{dataspace}}/alerts`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| dataspace | string | required | Response data |
| name | string | optional | Name of the resource |
| query | object | optional | Parameter for Create Alert |
| queryString | string | optional | Parameter for Create Alert |
| start | string | optional | Parameter for Create Alert |
| description | string | optional | Parameter for Create Alert |
| throttleTimeMillis | number | optional | Parameter for Create Alert |
| silenced | boolean | optional | Parameter for Create Alert |
| notifiers | array | optional | Parameter for Create Alert |
| labels | array | optional | Parameter for Create Alert |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Create Query Jobs

Runs a query in CrowdStrike LogScale using the specified repository name and query string, with the ability to check the job status later.

**Endpoint URL:** `/api/v1/repositories/{{repository_name}}/queryjobs`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| repository_name | string | required | Name of the resource |
| queryString | string | required | Parameter for Create Query Jobs |
| start | string | optional | Parameter for Create Query Jobs |
| end | string | optional | Parameter for Create Query Jobs |
| isLive | boolean | optional | Parameter for Create Query Jobs |
| timeZoneOffsetMinutes | number | optional | Parameter for Create Query Jobs |
| arguments | object | optional | Parameter for Create Query Jobs |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": "string"
    }
  }
]
```

### Delete Alert By Id

Removes a specified alert from CrowdStrike LogScale using the provided dataspace and id.

**Endpoint URL:** `/api/v1/repositories/{{dataspace}}/alerts/{{id}}`
**Method:** DELETE

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| dataspace | string | required | Response data |
| id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Delete File For Cloud Users

Deletes a specified file from all repositories in CrowdStrike LogScale for cloud users, requiring the repository name and filename.

**Endpoint URL:** `/api/v1/repositories/{{repository_name}}/files/{(unknown)}`
**Method:** DELETE

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| repository_name | string | required | Name of the resource |
| filename | string | required | Name of the resource |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Delete File On Premises Users

Deletes a specified shared file for on-premises users in CrowdStrike LogScale, requiring the filename as a path parameter.

**Endpoint URL:** `/api/v1/uploadedfiles/shared/{(unknown)}`
**Method:** DELETE

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| filename | string | required | Name of the resource |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Delete Query Job By Id

Cancels a specific running query job in CrowdStrike LogScale using the repository name and job id.

**Endpoint URL:** `/api/v1/repositories/{{repository_name}}/queryjobs/{{id}}`
**Method:** DELETE

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| repository_name | string | required | Name of the resource |
| id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Execute Query

Executes a query in CrowdStrike LogScale using the specified repository name and query string.

**Endpoint URL:** `/api/v1/repositories/{{repository_name}}/query`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| repository_name | string | required | Name of the resource |
| queryString | string | required | Parameter for Execute Query |
| start | string | optional | Parameter for Execute Query |
| end | string | optional | Parameter for Execute Query |
| isLive | boolean | optional | Parameter for Execute Query |
| timeZoneOffsetMinutes | number | optional | Parameter for Execute Query |
| arguments | object | optional | Parameter for Execute Query |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Alert By Id

Retrieves detailed information for a specific alert in CrowdStrike LogScale using the provided dataspace and id.

**Endpoint URL:** `/api/v1/repositories/{{dataspace}}/alerts/{{id}}`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| dataspace | string | required | Response data |
| id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Get Alerts

Retrieves a list of alerts from a specified dataspace in CrowdStrike LogScale.

**Endpoint URL:** `/api/v1/repositories/{{dataspace}}/alerts`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| dataspace | string | required | Response data |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Ingest Raw Data

Ingests raw data into CrowdStrike LogScale; typically used when callbacks from other systems control the request body.

**Endpoint URL:** `/api/v1/ingest/raw`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | string | required | Response data |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Ingest Raw JSON Data

Ingests raw JSON-formatted data into CrowdStrike LogScale for analysis. The `data_body` input is required.

**Endpoint URL:** `/api/v1/ingest/json`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | string | required | Response data |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Ingest Structured Data

Ingests pre-structured data into CrowdStrike LogScale for analysis and storage. Requires a JSON body input.

**Endpoint URL:** `/api/v1/ingest/humio-structured`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| tags | object | required | Parameter for Ingest Structured Data |
| host | string | optional | Parameter for Ingest Structured Data |
| events | array | required | Parameter for Ingest Structured Data |
| timestamp | string | required | Parameter for Ingest Structured Data |
| attributes | object | optional | Parameter for Ingest Structured Data |
| key1 | string | optional | Parameter for Ingest Structured Data |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Ingest Unstructured Data

Ingests unstructured log data into CrowdStrike LogScale to facilitate structured searching and analysis.

**Endpoint URL:** `/api/v1/ingest/humio-unstructured`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| fields | object | optional | Parameter for Ingest Unstructured Data |
| host | string | optional | Parameter for Ingest Unstructured Data |
| messages | array | required | Response message |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Initiate Search

Initiates a search in CrowdStrike LogScale using a specified query string against a target repository.

**Endpoint URL:** `/humio/api/v1/repositories/{{repository}}/queryjobs`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| repository | string | required | Name of the repository to be searched |
| allowEventSkipping | boolean | optional | If set to true, `allowEventSkipping` enables some LogScale functions, such as `head()` and `tail()`, to stop processing all data in the selected timeframe and exit the query early if more data would no longer change the result of the query. The recommended setting is true, as this can improve query performance in some cases. However, note that some metadata may no longer have the same semantics as before; for example, events visited will no longer represent all matching events, but only the events visited for the query to finish. |
| arguments | object | optional | Dictionary of arguments specified in queries with `?param` or `?{param=defaultValue}` syntax. Provided arguments must be a simple dictionary of string values. If an argument is given explicitly, as in `?query(param=value)`, that value overrides values provided here. |
| around | object | optional | Used to define the pagination of events in the result set within the given query when using pagination. Used for cursor-based paginating of filter query results. This cannot be used with aggregate results, as all rows are always returned. For more information, see API Search Request Around. |
| eventId | string | required | The id of the event to use as the reference point |
| timestamp | number | required | The timestamp to use as the reference for pagination |
| numberOfEventsBefore | number | required | Number of events to show before the event id |
| numberOfEventsAfter | number | required | Number of events to show after the event id |
| autobucketCount | number | optional | Determines the number of buckets the system should create during live query searches when no other explicit bucketing aggregate is specified (such as `bucket()` or `timeChart()`). Higher autobucket counts mean finer granularity, but at the cost of increased memory usage during search. Default value: 90 |
| start | string | optional | The start date and time. This parameter tells LogScale not to return results from before this date and time. See How to Specify a Time. |
| isLive | boolean | optional | Sets whether this query is live. Defaults to false. Live queries are continuously updated. |
| end | string | optional | The end date and time. This parameter tells LogScale not to return results from after this date and time. See How to Specify a Time. |
| queryString | string | required | The actual query. See Query Language Syntax for details. |
| ingestEnd | string | optional | Specifies the end time based on when the data was ingested |
| ingestStart | string | optional | Specifies the start time based on when the data was ingested |
| languageVersion | string | optional | The version of the query language to use |
| timeZoneOffsetMinutes | number | optional | Sets the time zone offset used for `bucket()` and `timeChart()` time slices, which is significant if the corresponding span is a multiple of days. Defaults to 0 (UTC); positive numbers are to the east of UTC, so for the UTC+01:00 timezone the value 60 should be passed. |
| isAlertQuery | boolean | optional | Indicates whether the query comes from an alert or not |
| isInteractive | boolean | optional | Whether the search is being run interactively, i.e., from within the LogScale UI or another UI |
| showQueryEventDistribution | boolean | optional | If true, LogScale will return an additional result set containing a histogram of the number of events over the time interval. This field is deprecated; use `results` instead. If both this field and `results` are specified, `results` takes precedence. |
| timezone | string | optional | The timezone to be used when returning dates |
| useIngestTime | boolean | optional | When set to true, uses the ingest time rather than the event timestamp as the basis for the time span |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| hashedQueryOnView | string | Output field hashedQueryOnView |
| id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-length": "140",
      "content-type": "application/json",
      "date": "Thu, 23 Jan 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {
      "hashedQueryOnView": "",
      "id": ""
    }
  }
]
```

### Poll Query Job By Id

Polls the status of a running query job in CrowdStrike LogScale using the repository name and job id.

**Endpoint URL:** `/api/v1/repositories/{{repository_name}}/queryjobs/{{id}}`
**Method:** GET

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| repository_name | string | required | Name of the resource |
| id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Submit GraphQL Query

Executes a specified GraphQL query within CrowdStrike LogScale to retrieve structured data.

**Method:** POST

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Update Alert By Id

Updates a specific alert in CrowdStrike LogScale using the provided dataspace and id as path parameters.

**Endpoint URL:** `/api/v1/repositories/{{dataspace}}/alerts/{{id}}`
**Method:** PUT

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| dataspace | string | required | Response data |
| id | string | required | Unique identifier |
| name | string | optional | Name of the resource |
| query | object | optional | Parameter for Update Alert By Id |
| queryString | string | optional | Parameter for Update Alert By Id |
| start | string | optional | Parameter for Update Alert By Id |
| description | string | optional | Parameter for Update Alert By Id |
| throttleTimeMillis | number | optional | Parameter for Update Alert By Id |
| throttleField | string | optional | Parameter for Update Alert By Id |
| silenced | boolean | optional | Parameter for Update Alert By Id |
| notifiers | array | optional | Parameter for Update Alert By Id |
| labels | array | optional | Parameter for Update Alert By Id |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Upload File To Repository

Uploads a file to the specified CrowdStrike LogScale repository using the repository name path parameter.

**Endpoint URL:** `/api/v1/repositories/{{repository_name}}/files`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| repository_name | string | required | Name of the resource |
| attachments | array | required | File to be uploaded |
| file | string | optional | Parameter for Upload File To Repository |
| file_name | string | optional | Name of the resource |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

### Upload Shared File In All Repos

Uploads a file to be shared across all repositories in CrowdStrike LogScale; applicable only to on-premises users.

**Endpoint URL:** `/api/v1/uploadedfiles/shared`
**Method:** POST

#### Input

| Name | Type | Required | Description |
|---|---|---|---|
| attachments | array | required | File to be uploaded |
| file | string | optional | Parameter for Upload Shared File In All Repos |
| file_name | string | optional | Name of the resource |

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {}
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 23 Jan 2024 20:37:23 GMT |

## Notes

For more information on Tanium, see the CrowdStrike LogScale main site: https://library.humio.com/
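The two `start`/`end` forms from the Important Key Points section, driven through the Create Query Jobs, Poll Query Job By Id and Delete Query Job By Id endpoints, as an added example; this is not the connector's code nor LogScale's, and it uses only the stdlib. Each time value is validated before a request body is built (rejecting booleans, negative epoch values and strings that are not relative modifiers), and the job is always deleted, even when polling hits its bound. The `done` and `events` keys in the poll response, the `job-N` identifiers of the in-memory stand-in, the `https://logscale.example.invalid` host and `TOKEN-PLACEHOLDER` are all assumptions or placeholders, not values from the page.

```python
# Added example, not part of the connector: validate start/end, then create,
# poll and delete a LogScale query job over an injectable transport.
import json
import re
import urllib.request
from typing import Any, Callable, Optional

# Relative modifiers ("24hours", "1minute", "now") or absolute epoch milliseconds are
# the only forms accepted here (assumption: mirrors the two forms the docs describe).
_RELATIVE = re.compile(r"^(now|\d+\s*[a-zA-Z]+)$")


def validate_time(value: Any, field: str) -> Any:
    """Return value if it is a non-negative int (ms since the Unix epoch) or a relative string."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError(f"{field}: expected epoch-millisecond int or relative-time string")
    if isinstance(value, int) and value < 0:
        raise ValueError(f"{field}: epoch milliseconds cannot be negative")
    if isinstance(value, str) and not _RELATIVE.match(value):
        raise ValueError(f"{field}: {value!r} is not a relative time such as '24hours'")
    return value


def build_query_body(query_string: str, start: Any = None, end: Any = None,
                     is_live: bool = False, tz_offset_minutes: int = 0) -> dict:
    """JSON body for Create Query Jobs / Execute Query, with start/end checked first."""
    body: dict = {"queryString": query_string, "isLive": is_live,
                  "timeZoneOffsetMinutes": tz_offset_minutes}
    if start is not None:
        body["start"] = validate_time(start, "start")
    if end is not None:
        body["end"] = validate_time(end, "end")
    return body


def urllib_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Real transport; urllib verifies the TLS certificate by default, so keep it that way."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class QueryJobs:
    def __init__(self, base_url: str, token: str,
                 transport: Callable[..., dict] = urllib_transport):
        self._base = base_url.rstrip("/")
        # The token lives only in this header; nothing below prints or logs it.
        self._headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        self._send = transport

    def _url(self, repo: str, job_id: str = "") -> str:
        return f"{self._base}/api/v1/repositories/{repo}/queryjobs" + (f"/{job_id}" if job_id else "")

    def create(self, repo: str, body: dict) -> str:
        return self._send("POST", self._url(repo), self._headers, body)["id"]

    def poll(self, repo: str, job_id: str) -> dict:
        return self._send("GET", self._url(repo, job_id), self._headers, None)

    def delete(self, repo: str, job_id: str) -> None:
        self._send("DELETE", self._url(repo, job_id), self._headers, None)

    def run(self, repo: str, body: dict, max_polls: int = 20) -> list:
        """Create, poll until done (bounded), return events; always delete the job."""
        job_id = self.create(repo, body)
        try:
            for _ in range(max_polls):
                status = self.poll(repo, job_id)
                if status.get("done"):  # assumption: poll response carries "done" and "events"
                    return status.get("events", [])
            raise TimeoutError(f"query job {job_id} not done after {max_polls} polls")
        finally:
            self.delete(repo, job_id)


class FakeLogScale:
    """Constructed in-memory stand-in for the three endpoints; reports done on the second poll."""

    def __init__(self, events: list):
        self.events, self.jobs, self.polls, self.deleted = events, {}, 0, []

    def __call__(self, method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
        if not headers.get("Authorization", "").startswith("Bearer "):
            raise PermissionError("missing bearer token")
        if method == "POST":
            job_id = f"job-{len(self.jobs) + 1}"
            self.jobs[job_id] = body
            return {"id": job_id}
        job_id = url.rsplit("/", 1)[1]
        if method == "GET":
            self.polls += 1
            done = self.polls >= 2
            return {"done": done, "events": self.events if done else []}
        self.deleted.append(job_id)  # DELETE
        return {}


def demo() -> dict:
    fake = FakeLogScale([{"@timestamp": 1473449370018, "message": "error: login failed"}])
    client = QueryJobs("https://logscale.example.invalid", "TOKEN-PLACEHOLDER", transport=fake)
    body = build_query_body("error", start="24hours", end="now")
    events = client.run("security-logs", body)
    return {"body": body, "events": events, "polls": fake.polls, "deleted": fake.deleted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pass `urllib_transport` (the default) with a real base URL and token to run the same lifecycle against an instance; the fake transport exists only so the flow can be exercised offline. Keeping `max_polls` finite matters in an automation platform, where an unbounded poll loop on a live query would otherwise hold a worker indefinitely.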
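Request-body builders for the Ingest Structured Data and Ingest Unstructured Data endpoints, added as an example; this is not the connector's own code. The `key=value` log lines are constructed for the demonstration. The structured body follows the input table above (`tags`, `events`, each event with `timestamp` and `attributes`) and the unstructured body uses `fields` and `messages`; folding `host` into `tags`, the array-of-batches layout and the batch size are assumptions. Lines that do not parse are dropped rather than sent with a guessed timestamp, which is the failure mode worth handling here.

```python
# Added example, not part of the connector: turn constructed key=value log lines
# into bodies for /api/v1/ingest/humio-structured and /api/v1/ingest/humio-unstructured.
import re
from datetime import datetime, timezone
from typing import Iterable, List, Optional

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

# Constructed sample lines: ISO 8601 timestamp followed by key=value pairs.
SAMPLE_LINES = [
    '2024-01-23T20:37:23Z user=alice action=login result=failure src=203.0.113.7',
    '2024-01-23T20:37:24Z user=alice action=login result=failure src=203.0.113.7',
    '2024-01-23T20:37:31Z user=bob action=login result=success src=198.51.100.4',
    '2024-01-23T20:37:40Z user=carol action="password reset" result=success src=192.0.2.9',
    'malformed line without a timestamp',
]


def parse_line(line: str) -> Optional[dict]:
    """Return {"timestamp": ISO-8601 UTC, "attributes": {...}} or None if the line is unusable."""
    ts, _, rest = line.partition(" ")
    try:
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    except ValueError:
        return None
    attrs = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
             for m in _KV.finditer(rest)}
    if not attrs:
        return None
    return {"timestamp": stamp.isoformat().replace("+00:00", "Z"), "attributes": attrs}


def build_structured(lines: Iterable[str], tags: dict, host: str,
                     batch_size: int = 500) -> List[list]:
    """One request body per batch; each body is a list of {tags, events} objects."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    batch_tags = dict(tags, host=host)  # assumption: host is carried as a tag
    return [[{"tags": batch_tags, "events": events[i:i + batch_size]}]
            for i in range(0, len(events), batch_size)]


def build_unstructured(lines: Iterable[str], fields: dict,
                       batch_size: int = 500) -> List[list]:
    """Raw lines go through untouched as messages; LogScale parses them on ingest."""
    messages = [l for l in lines if l.strip()]
    return [[{"fields": fields, "messages": messages[i:i + batch_size]}]
            for i in range(0, len(messages), batch_size)]


def failed_logins(bodies: List[list]) -> int:
    """Count structured events with result=failure, across all batches."""
    return sum(1 for body in bodies for batch in body
               for ev in batch["events"] if ev["attributes"].get("result") == "failure")


if __name__ == "__main__":
    import json
    structured = build_structured(SAMPLE_LINES, {"source": "auth-gateway"}, "web01", batch_size=2)
    print(json.dumps(structured, indent=2))
    print("failed logins:", failed_logins(structured))
    print(json.dumps(build_unstructured(SAMPLE_LINES, {"source": "auth-gateway"}), indent=2))
```

The structured path is the one to prefer when the producer already knows the field boundaries: the attributes arrive typed and searchable without relying on LogScale's parser, and a malformed line is visible as a dropped event at the sender rather than as a silently mis-timestamped event in the repository.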