CrowdStrike Logscale
## Description

The CrowdStrike LogScale connector enables automated interactions with the LogScale platform, such as querying, ingesting data, and managing alerts.

CrowdStrike LogScale is a log management and analysis platform that enables security teams to collect, monitor, and analyze data across their digital infrastructure. This connector provides Swimlane Turbine users with the ability to automate the ingestion, querying, and management of alerts and data within LogScale. By integrating with CrowdStrike LogScale, users can streamline their security operations, enhance incident response, and leverage advanced search capabilities to gain actionable insights from their data.

## Prerequisites

Before you can utilize the CrowdStrike LogScale connector for Turbine, ensure you have the following:

HTTP Bearer Token authentication with these parameters:

- URL: endpoint URL for the CrowdStrike LogScale instance
- Token: bearer token to authenticate API requests

## Asset Setup

The asset for this connector requires the following input:

- Token

## Capabilities

This connector provides the following capabilities:

- Create Alert
- Create Query Jobs
- Delete Alert By Id
- Delete File For Cloud Users
- Delete File For On Premises Users
- Delete Query Job By Id
- Execute Query
- Get Alert By Id
- Get Alerts
- Ingest Raw Data
- Ingest Raw JSON Data
- Ingest Structured Data
- Ingest Unstructured Data
- Initiate Search
- Poll Query Job By Id
- and so on

## Important Key Points

When using the Create Query Jobs and Execute Query tasks, the `start` and `end` fields in the JSON body request can be passed in the following two ways.

**Absolute time.** With absolute time, you specify a number that expresses the precise time in milliseconds since the Unix epoch (Unix time) in the UTC/Zulu time zone. This method is shown in the following example:

```json
{
  "queryString": "",
  "start": 1473449370018,
  "end": 1473535816755
}
```

**Relative time.** With relative time, you specify the start and end time as a relative time such as `1minute` or `24hours`. LogScale supports this using relative time modifiers. LogScale treats the start and end times as relative times if you specify them as strings. When providing a timestamp, relative time modifiers are specified relative to "now". This method is shown in the following example:

```json
{
  "queryString": "error",
  "start": "24hours",
  "end": "now"
}
```

When using the Update Alert By Id task, details of the `throttleField` input parameter are available at the following link: https://library.humio.com/data-analysis/automated-alerts-throttle-period.html#automated-alerts-throttle-period-field-based

## Notes

For more information on CrowdStrike LogScale, see https://library.humio.com/

API documentation links:

- https://library.humio.com/integrations/api-authentication.html
- https://library.humio.com/integrations/api-search.html
- https://library.humio.com/integrations/api-graphql.html
- https://library.humio.com/integrations/api-alert.html
- https://library.humio.com/integrations/api-ingest.html
- https://library.humio.com/integrations/api-lookup.html

## Configurations

### HTTP Bearer Authentication

Authenticates using a bearer token, such as a JWT.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| token | The API key, token, etc. | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Create Alert

Generates a new alert within the specified dataspace in CrowdStrike LogScale, requiring path parameters and JSON body inputs.

Endpoint URL: `/api/v1/repositories/{{dataspace}}/alerts`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.dataspace | string | required | Parameters for the Create Alert action |
| name | string | optional | Name of the resource |
| query | object | optional | Parameter for Create Alert |
| query.queryString | string | optional | Parameter for Create Alert |
| query.start | string | optional | Parameter for Create Alert |
| description | string | optional | Parameter for Create Alert |
| throttleTimeMillis | number | optional | Parameter for Create Alert |
| silenced | boolean | optional | Parameter for Create Alert |
| notifiers | array | optional | Parameter for Create Alert |
| labels | array | optional | Parameter for Create Alert |

Input example:

```json
{"json_body": {"name": "test", "query": {"queryString": "foobar", "start": "1h"}, "description": "this is a test", "throttleTimeMillis": 600000, "silenced": false, "notifiers": ["grpmxur2me8045sz39qcsowjxt3fj7rt"], "labels": ["test"]}, "path_parameters": {"dataspace": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Create Query Jobs

Runs a query in CrowdStrike LogScale using the specified repository name and query string, with the ability to check the status later.

Endpoint URL: `/api/v1/repositories/{{repository_name}}/queryjobs`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.repository_name | string | required | Parameters for the Create Query Jobs action |
| queryString | string | optional | Parameter for Create Query Jobs |
| start | string | optional | Parameter for Create Query Jobs |
| end | string | optional | Parameter for Create Query Jobs |
| isLive | boolean | optional | Parameter for Create Query Jobs |
| timeZoneOffsetMinutes | number | optional | Parameter for Create Query Jobs |
| arguments | object | optional | Parameter for Create Query Jobs |

Input example:

```json
{"json_body": {"queryString": "loglevel=error", "start": "1473449370018", "end": "1473535816755", "isLive": false, "timeZoneOffsetMinutes": 60, "arguments": {}}, "path_parameters": {"repository_name": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"id": "string"}}
```

### Delete Alert By Id

Removes a specified alert from CrowdStrike LogScale using the provided dataspace and id.

Endpoint URL: `/api/v1/repositories/{{dataspace}}/alerts/{{id}}`

Method: DELETE

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.dataspace | string | required | Parameters for the Delete Alert By Id action |
| path_parameters.id | string | required | Parameters for the Delete Alert By Id action |

Input example:

```json
{"path_parameters": {"dataspace": "", "id": "hzuxvyeitdisea06eqzeo52gcd8po0or"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Delete File For Cloud Users

Deletes a specified file from all repositories in CrowdStrike LogScale for cloud users, requiring the repository name and filename.

Endpoint URL: `/api/v1/repositories/{{repository_name}}/files/{(unknown)}`

Method: DELETE

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.repository_name | string | required | Parameters for the Delete File For Cloud Users action |
| path_parameters.filename | string | required | Parameters for the Delete File For Cloud Users action |

Input example:

```json
{"path_parameters": {"repository_name": "", "filename": "myfile.csv"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Delete File On Premises Users

Deletes a specified shared file for on-premises users in CrowdStrike LogScale, requiring the filename as a path parameter.

Endpoint URL: `/api/v1/uploadedfiles/shared/{(unknown)}`

Method: DELETE

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.filename | string | required | Parameters for the Delete File On Premises Users action |

Input example:

```json
{"path_parameters": {"filename": "myfile.csv"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Delete Query Job By Id

Cancels a specific running query job in CrowdStrike LogScale using the repository name and job id.

Endpoint URL: `/api/v1/repositories/{{repository_name}}/queryjobs/{{id}}`

Method: DELETE

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.repository_name | string | required | Parameters for the Delete Query Job By Id action |
| path_parameters.id | string | required | Parameters for the Delete Query Job By Id action |

Input example:

```json
{"path_parameters": {"repository_name": "", "id": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Execute Query

Executes a query in CrowdStrike LogScale using the specified repository name and query string.

Endpoint URL: `/api/v1/repositories/{{repository_name}}/query`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.repository_name | string | required | Parameters for the Execute Query action |
| queryString | string | optional | Parameter for Execute Query |
| start | string | optional | Parameter for Execute Query |
| end | string | optional | Parameter for Execute Query |
| isLive | boolean | optional | Parameter for Execute Query |
| timeZoneOffsetMinutes | number | optional | Parameter for Execute Query |
| arguments | object | optional | Parameter for Execute Query |

Input example:

```json
{"json_body": {"queryString": "loglevel=error", "start": "1473449370018", "end": "1473535816755", "isLive": false, "timeZoneOffsetMinutes": 60, "arguments": {}}, "path_parameters": {"repository_name": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Alert By Id

Retrieves detailed information for a specific alert in CrowdStrike LogScale using the provided dataspace and id.

Endpoint URL: `/api/v1/repositories/{{dataspace}}/alerts/{{id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.dataspace | string | required | Parameters for the Get Alert By Id action |
| path_parameters.id | string | required | Parameters for the Get Alert By Id action |

Input example:

```json
{"path_parameters": {"dataspace": "", "id": "hzuxvyeitdisea06eqzeo52gcd8po0or"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Get Alerts

Retrieves a list of alerts from a specified dataspace in CrowdStrike LogScale.

Endpoint URL: `/api/v1/repositories/{{dataspace}}/alerts`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.dataspace | string | required | Parameters for the Get Alerts action |

Input example:

```json
{"path_parameters": {"dataspace": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Ingest Raw Data

Ingests raw data into CrowdStrike LogScale; typically used when callbacks from other systems control the request body.

Endpoint URL: `/api/v1/ingest/raw`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | string | required | Response data |

Input example:

```json
{"data_body": "my raw message generated at \"2016-06-06T12:00:00+02:00\""}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Ingest Raw JSON Data

Ingests raw JSON-formatted data into CrowdStrike LogScale for analysis. The `data_body` input is required.

Endpoint URL: `/api/v1/ingest/json`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| data_body | string | required | Response data |

Input example:

```json
{"data_body": "[\"first event\", \"second event\"]"}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Ingest Structured Data

Ingests pre-structured data into CrowdStrike LogScale for analysis and storage. Requires a JSON body input.

Endpoint URL: `/api/v1/ingest/humio-structured`

Method: POST

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Ingest Unstructured Data

Ingests unstructured log data into CrowdStrike LogScale to facilitate structured searching and analysis.

Endpoint URL: `/api/v1/ingest/humio-unstructured`

Method: POST

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Initiate Search

Initiates a search in CrowdStrike LogScale using a specified query string and targets a repository.

Endpoint URL: `/humio/api/v1/repositories/{{repository}}/queryjobs`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.repository | string | required | Name of the repository to be searched |
| allowEventSkipping | boolean | optional | If set to true, `allowEventSkipping` enables some LogScale functions, such as `head()` and `tail()`, to stop processing all data in the selected timeframe and exit the query early if more data would no longer change the result of the query. The recommended setting is true, as this can improve query performance in some cases. However, note that some metadata may no longer have the same semantics as before; for example, "events visited" will no longer represent all matching events, but only the events visited for the query to finish. |
| arguments | object | optional | Dictionary of arguments specified in queries with `?param` or `?{param=defaultValue}` syntax. Provided arguments must be a simple dictionary of string values. If an argument is given explicitly, as in `?query(param=value)`, that value overrides values provided here. |
| around | object | optional | Used to define the pagination of events in the result set within the given query when using pagination. Used for cursor-based paginating of filter query results; this cannot be used with aggregate results, as all rows are always returned. For more information see API Search Request Around. |
| around.eventId | string | required | The id of the event to use as the reference point |
| around.timestamp | number | required | The timestamp to use as the reference for pagination |
| around.numberOfEventsBefore | number | required | Number of events to show before the event id |
| around.numberOfEventsAfter | number | required | Number of events to show after the event id |
| autobucketCount | number | optional | Determines the number of buckets the system should create during live query searches when no other explicit bucketing aggregate is specified (such as `bucket()` or `timeChart()`). Higher autobucket counts mean finer granularity, but at the cost of increased memory usage during search. Default value: 90 |
| start | string | optional | The start date and time. This parameter tells LogScale not to return results from before this date and time. See "how to specify a time". |
| isLive | boolean | optional | Sets whether this query is live. Defaults to false. Live queries are continuously updated. |
| end | string | optional | The end date and time. This parameter tells LogScale not to return results from after this date and time. See "how to specify a time". |
| queryString | string | optional | The actual query. See the query language syntax for details. |
| ingestEnd | string | optional | Specifies the end time based on when the data was ingested |
| ingestStart | string | optional | Specifies the start time based on when the data was ingested |
| languageVersion | string | optional | The version of the query language to use |
| timeZoneOffsetMinutes | number | optional | Sets the time zone offset used for `bucket()` and `timeChart()` time slices, which is significant if the corresponding span is a multiple of days. Defaults to 0 (UTC); positive numbers are to the east of UTC, so for the UTC+01:00 timezone the value 60 should be passed. |
| isAlertQuery | boolean | optional | Indicates whether the query comes from an alert or not |
| isInteractive | boolean | optional | Whether the search is being run interactively, i.e., from within the LogScale UI or another UI |
| showQueryEventDistribution | boolean | optional | If true, LogScale will return an additional result set containing a histogram of the number of events over the time interval. This field is deprecated; use `results` instead. If both this field and `results` are specified, `results` takes precedence. |
| timezone | string | optional | The timezone to be used when returning dates |
| useIngestTime | boolean | optional | When set to true, uses the ingest time rather than the event timestamp as the basis for the time span |

Input example:

```json
{"json_body": {"allowEventSkipping": false, "arguments": {}, "around": {"eventId": "", "timestamp": 0, "numberOfEventsBefore": 100, "numberOfEventsAfter": 100}, "autobucketCount": 0, "start": "1h", "isLive": false, "end": "now", "queryString": "count()", "ingestEnd": "", "ingestStart": "", "languageVersion": "", "timeZoneOffsetMinutes": 0, "isAlertQuery": false, "isInteractive": false, "showQueryEventDistribution": false, "timezone": "", "useIngestTime": false}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| hashedQueryOnView | string | Output field hashedQueryOnView |
| id | string | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Thu, 23 Jan 2024 20:37:23 GMT"}, "reason": "OK", "json_body": {"hashedQueryOnView": "", "id": ""}}
```

### Poll Query Job By Id

Polls the status of a running query job in CrowdStrike LogScale using the repository name and job id.

Endpoint URL: `/api/v1/repositories/{{repository_name}}/queryjobs/{{id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.repository_name | string | required | Parameters for the Poll Query Job By Id action |
| path_parameters.id | string | required | Parameters for the Poll Query Job By Id action |

Input example:

```json
{"path_parameters": {"repository_name": "", "id": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Submit GraphQL Query

Executes a specified GraphQL query within CrowdStrike LogScale to retrieve structured data.

Method: POST

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Update Alert By Id

Updates a specific alert in CrowdStrike LogScale using the provided dataspace and id as path parameters.

Endpoint URL: `/api/v1/repositories/{{dataspace}}/alerts/{{id}}`

Method: PUT

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.dataspace | string | required | Parameters for the Update Alert By Id action |
| path_parameters.id | string | required | Parameters for the Update Alert By Id action |
| name | string | optional | Name of the resource |
| query | object | optional | Parameter for Update Alert By Id |
| query.queryString | string | optional | Parameter for Update Alert By Id |
| query.start | string | optional | Parameter for Update Alert By Id |
| description | string | optional | Parameter for Update Alert By Id |
| throttleTimeMillis | number | optional | Parameter for Update Alert By Id |
| throttleField | string | optional | Parameter for Update Alert By Id |
| silenced | boolean | optional | Parameter for Update Alert By Id |
| notifiers | array | optional | Parameter for Update Alert By Id |
| labels | array | optional | Parameter for Update Alert By Id |

Input example:

```json
{"json_body": {"name": "different test", "query": {"queryString": "foobar", "start": "1h"}, "description": "this is a test", "throttleTimeMillis": 600000, "throttleField": "server", "silenced": false, "notifiers": ["grpmxur2me8045sz39qcsowjxt3fj7rt"], "labels": ["test"]}, "path_parameters": {"dataspace": "", "id": "hzuxvyeitdisea06eqzeo52gcd8po0or"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Upload File To Repository

Uploads a file to the specified CrowdStrike LogScale repository using the repository name path parameter.

Endpoint URL: `/api/v1/repositories/{{repository_name}}/files`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.repository_name | string | required | Parameters for the Upload File To Repository action |
| attachments | array | required | File to be uploaded |
| attachments.file | string | optional | Parameter for Upload File To Repository |
| attachments.file_name | string | optional | Name of the resource |

Input example:

```json
{"path_parameters": {"repository_name": ""}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

### Upload Shared File In All Repos

Uploads a file to be shared across all repositories in CrowdStrike LogScale; applicable only for on-premises users.

Endpoint URL: `/api/v1/uploadedfiles/shared`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| attachments | array | required | File to be uploaded |
| attachments.file | string | optional | Parameter for Upload Shared File In All Repos |
| attachments.file_name | string | optional | Name of the resource |

Input example:

```json
{"attachments": [{"file": "string", "file_name": "example name"}]}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {}}
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| Content-Length | The length of the response body in bytes | 140 |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 23 Jan 2024 20:37:23 GMT |
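The query-job workflow formed by the Important Key Points and the Create Query Jobs, Poll Query Job By Id and Delete Query Job By Id actions, as an added Python example that is not Swimlane's connector code or CrowdStrike's: it builds the JSON body with absolute (epoch milliseconds) or relative (`"24hours"`, `"now"`) `start`/`end` values, submits it with a bearer token, polls until the job finishes, and always deletes the job. The base URL, token and repository name are assumed to be supplied by the caller, and the boolean `done` field in the poll response is an assumption not shown on this page.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Any, Dict, Optional, Union

# int -> absolute time (ms since the Unix epoch, UTC); str -> relative modifier ("24hours", "now")
TimeSpec = Union[int, str]

def normalize_time(value: TimeSpec) -> TimeSpec:
    """LogScale reads strings as relative times, so an absolute time must be sent as a number.
    A digit-only string is converted to int; bool is rejected because it subclasses int."""
    if isinstance(value, bool):
        raise TypeError("start/end must be int (epoch ms) or str (relative), not bool")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and (text := value.strip()):
        return int(text) if text.isdigit() else text
    raise ValueError(f"unsupported start/end value: {value!r}")

def build_query_body(querystring: str, start: TimeSpec, end: TimeSpec, is_live: bool = False,
                     tz_offset_minutes: int = 0, arguments: Optional[Dict[str, str]] = None) -> Dict[str, Any]:
    """JSON body for the Create Query Jobs and Execute Query actions."""
    return {"queryString": querystring, "start": normalize_time(start), "end": normalize_time(end),
            "isLive": is_live, "timeZoneOffsetMinutes": tz_offset_minutes, "arguments": arguments or {}}

class LogScaleQueryJobs:
    """Create, poll and delete query jobs using bearer-token authentication (caller-supplied values)."""

    def __init__(self, base_url: str, token: str, repository: str) -> None:
        self.base_url = base_url.rstrip("/")
        self.repository = urllib.parse.quote(repository, safe="")  # path-safe repository name
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json", "Accept": "application/json"}

    def jobs_url(self, job_id: Optional[str] = None) -> str:
        url = f"{self.base_url}/api/v1/repositories/{self.repository}/queryjobs"
        return f"{url}/{urllib.parse.quote(job_id, safe='')}" if job_id else url

    def _request(self, method: str, url: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:  # TLS certificate verification stays on
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def create(self, body: Dict[str, Any]) -> str:  # Create Query Jobs
        return self._request("POST", self.jobs_url(), body)["id"]

    def poll(self, job_id: str) -> Dict[str, Any]:  # Poll Query Job By Id
        return self._request("GET", self.jobs_url(job_id))

    def delete(self, job_id: str) -> None:  # Delete Query Job By Id
        self._request("DELETE", self.jobs_url(job_id))

    def run(self, body: Dict[str, Any], interval: float = 1.0, max_polls: int = 60) -> Dict[str, Any]:
        """Create, poll until done, and always delete the job so server-side resources are released.
        Assumption: the poll response carries a boolean "done" field (not shown on this page)."""
        job_id = self.create(body)
        try:
            for _ in range(max_polls):
                result = self.poll(job_id)
                if result.get("done"):
                    return result
                time.sleep(interval)
            raise TimeoutError(f"query job {job_id} still running after {max_polls} polls")
        finally:
            self.delete(job_id)
```

Calling `LogScaleQueryJobs(url, token, repo).run(build_query_body("loglevel=error", "24hours", "now"))` runs the full create/poll/delete cycle; the body builder and URL builder can be exercised without any network access.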