CrowdStrike Falcon LogScale
App Vendor: CrowdStrike
App Category: Analytics & SIEM
Connector Version: 1.0.2
API Version: 1.0.0
About App
CrowdStrike Falcon LogScale offers security teams powerful log management and real-time analytics capabilities. It enables security teams to efficiently analyze large volumes of data, detect potential threats, and respond swiftly to enhance overall security posture.
The CrowdStrike Falcon LogScale app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Quick Search Query | The action performs a search without instantly generating any ID. |
Create Query with ID | The action creates a query with an ID. |
Fetch Query Results using Query ID | The action fetches the status and result of the query using the ID generated while creating the query. |
Delete Query by ID | The action deletes the query. |
Configuration Parameters
The following configuration parameters are required for the CrowdStrike Falcon LogScale app to communicate with the CrowdStrike Falcon LogScale enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL. Example: https://your_url or http://base_url | Text | Required | |
API Token | Enter the API token for authentication. | Password | Required | |
Repository Name | Enter the repository name for test connectivity. | Text | Required | |
SSL Verification | Optional preference to either verify or skip the SSL certificate verification. | Boolean | Optional | Allowed values: True, False. Default value: False (set to True so the API token is only sent over a verified TLS connection). |
Action: Quick Search Query
The action is used to search without instantly generating any ID. The query returns the matching logs based on the parameters passed along with an ID for the query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the query to search for logs in a repository. Example: /foo/ | Text | Required | |
Repository name | Enter the repository name. The default value comes from the instance configured for this app. Example: crowdstrike-falcon-logscale-audit | Text | Optional | The Repository Name is configured while creating an instance. The same value is reflected here, by default. |
Start time | Enter the start time after which the results are returned. Example: 24hours | Text | Optional | |
End time | Enter the end time before which the results are returned. Example: now | Text | Optional | |
Extra parameters | Enter any additional parameters to filter the search results. | Key Value | Optional | Example: see the Example Request below. |
Example Request

```json
[ { "extra_params": { "islive": "True" }, "query_string": "/foo/" } ]
```
Action: Create Query with ID
The action creates a query and returns the generated query ID, which the Fetch Query Results and Delete Query actions take as input.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query String | Enter the query string. Example: "/foo/" | Text | Required | |
Repository Name | Enter the repository name. The default value comes from the instance configured for this app. Example: "humio-audit" | Text | Optional | The Repository Name is configured while creating an instance. The same value is reflected here, by default. |
Start Time | Enter the start time after which the results are returned. Example: 24hours | Text | Required | |
End Time | Enter the end time before which the results are returned. Example: now | Text | Required | |
Extra Parameters | Enter any additional parameters to create a query. | Key Value | Optional | |
Example Request

```json
[ { "end": "now", "start": "24hours", "query_string": "searchtest" } ]
```
Action: Fetch Query Results using Query ID
The action fetches the status and result of the query using the ID generated while creating the query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query ID | Enter the query ID. Example: p3-uwolfvvmne8ztp9odrvwmx0b | Text | Required | You can retrieve the Query ID using the Create Query with ID action. |
Repository Name | Enter the repository name. The default value comes from the instance configured for this app. Example: crowdstrike-falcon-logscale-audit | Text | Optional | The Repository Name is configured while creating an instance. The same value is reflected here, by default. |
Example Request

```json
[ { "query_id": "P10-0CbmXk8c0q7HglHoB1gKh2AS", "repository_name": "crowdstrike-falcon-logscale-audit" } ]
```
Action: Delete Query by ID
The action deletes the query.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query ID | Enter the query ID. Example: p3-uwolfvvmne8ztp9odrvwmx0b | Text | Required | You can retrieve the Query ID using the Create Query with ID action. |
Repository Name | Enter the repository name. The default value comes from the instance configured for this app. Example: crowdstrike-falcon-logscale-audit | Text | Optional | The Repository Name is configured while creating an instance. The same value is reflected here, by default. |
Example Request

```json
[ { "query_id": "P10-0CbmXk8c0q7HglHoB1gKh2AS", "repository_name": "crowdstrike-falcon-logscale-audit" } ]
```
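The create / fetch / delete sequence that the three ID-based actions above describe, as an added Python example; this is not the connector's own code. It assumes the LogScale query-jobs REST endpoints under `/api/v1/repositories/{repo}/queryjobs` and drives them through an injectable `send` callable, with a constructed `FakeLogScale` stand-in so it runs offline.

```python
# Query-job lifecycle against Falcon LogScale: create, poll, delete. Assumes the
# LogScale query-jobs REST API (POST/GET/DELETE /api/v1/repositories/{repo}/queryjobs[/{id}])
# behind a send(method, path, body) -> dict callable so the flow runs offline.
from typing import Callable, Optional

Send = Callable[[str, str, Optional[dict]], dict]

def create_query(send: Send, repo: str, query_string: str, start: str = "24hours",
                 end: str = "now", extra: Optional[dict] = None) -> str:
    """Create Query with ID: returns the query ID LogScale hands back."""
    body = {"queryString": query_string, "start": start, "end": end, "isLive": False}
    body.update(extra or {})  # extra parameters, e.g. {"isLive": True}
    return send("POST", f"/api/v1/repositories/{repo}/queryjobs", body)["id"]

def fetch_results(send: Send, repo: str, query_id: str) -> tuple:
    """Fetch Query Results using Query ID: one poll -> (done, events)."""
    resp = send("GET", f"/api/v1/repositories/{repo}/queryjobs/{query_id}", None)
    return bool(resp.get("done")), list(resp.get("events", []))

def delete_query(send: Send, repo: str, query_id: str) -> None:
    """Delete Query by ID: stops the job and frees its resources server-side."""
    send("DELETE", f"/api/v1/repositories/{repo}/queryjobs/{query_id}", None)

def run_query(send: Send, repo: str, query_string: str, max_polls: int = 10, **kw) -> list:
    """Full lifecycle; the job is deleted even if polling gives up or raises."""
    qid = create_query(send, repo, query_string, **kw)
    try:
        for _ in range(max_polls):
            done, events = fetch_results(send, repo, qid)
            if done:
                return events
        raise TimeoutError(f"query {qid} not done after {max_polls} polls")
    finally:
        delete_query(send, repo, qid)

class FakeLogScale:
    """Constructed stand-in for the server: first poll pending, second done."""
    def __init__(self):
        self.jobs, self.deleted, self.polls = {}, [], 0

    def __call__(self, method, path, body):
        if method == "POST":
            self.jobs["p1-constructedid"] = body
            return {"id": "p1-constructedid"}
        if method == "GET":
            self.polls += 1
            done = self.polls >= 2
            return {"done": done, "events": [{"@rawstring": "foo"}] if done else []}
        self.deleted.append(path.rsplit("/", 1)[1])
        return {}
```

Because deletion sits in a `finally`, a query that never completes within `max_polls` is still removed, so a playbook that times out does not leave orphaned jobs consuming the repository's query resources.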