
Event Streams

Joshua Hiller edited this page Dec 10, 2024 · 21 revisions


Using the Event Streams service collection


This service collection has code examples posted to the repository.

Table of Contents

| Operation ID | Description |
| :-- | :-- |
| refreshActiveStreamSession (PEP 8: refresh_active_stream) | Refresh an active event stream. Use the URL shown in a listAvailableStreamsOAuth2 response. |
| listAvailableStreamsOAuth2 (PEP 8: list_available_streams) | Discover all event streams in your environment |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. None of the examples below hard-code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

refreshActiveStreamSession

Refresh an active event stream. Use the URL shown in a listAvailableStreamsOAuth2 response.

PEP8 method name

refresh_active_stream

Endpoint

| Method | Route |
| :-- | :-- |
| POST | /sensors/entities/datafeed-actions/v1/{} |

Required Scope

event-streams:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :-- | :-- | :-- | :-- | :-- | :-- |
| action_name | Supported | Supported | query | string | The name of the action to perform. The only allowed value is refresh_active_stream_session. Defaults to this value if not present when using the Service Class. |
| app_id | Supported | Supported | query | string | Label that identifies your connection. Max: 32 alphanumeric characters (a-z, A-Z, 0-9). Will also accept the keyword appId to specify this value. |
| partition | Supported | Supported | path | integer | Partition to request data for. If you are using the Service Class, this will default to 0 when not specified. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy import EventStreams

# Do not hardcode API credentials!
falcon = EventStreams(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PARTITION = 0   # Refresh the partition we are working with

response = falcon.refresh_active_stream(action_name="string",
                                        app_id="string",
                                        partition=PARTITION
                                        )
print(response)
```
Service class example (Operation ID syntax)

```python
from falconpy import EventStreams

# Do not hardcode API credentials!
falcon = EventStreams(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PARTITION = 0   # Refresh the partition we are working with

response = falcon.refreshActiveStreamSession(action_name="string",
                                             app_id="string",
                                             partition=PARTITION
                                             )
print(response)
```
Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

PARTITION = 0   # Refresh the partition we are working with

response = falcon.command("refreshActiveStreamSession",
                          app_id="string",
                          partition=PARTITION,
                          action_name="string"
                          )
print(response)
```

listAvailableStreamsOAuth2

Discover all event streams in your environment

PEP8 method name

list_available_streams

Endpoint

| Method | Route |
| :-- | :-- |
| GET | /sensors/entities/datafeed/v2 |

Required Scope

event-streams:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :-- | :-- | :-- | :-- | :-- | :-- |
| app_id | Supported | Supported | query | string | Label that identifies your connection. Max: 32 alphanumeric characters (a-z, A-Z, 0-9). Will also accept the keyword appId to specify this value. |
| format | Supported | Supported | query | string | Format for streaming events. Valid values: json, flatjson |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)

```python
from falconpy import EventStreams

# Do not hardcode API credentials!
falcon = EventStreams(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.list_available_streams(app_id="string", format="string")
print(response)
```
Service class example (Operation ID syntax)

```python
from falconpy import EventStreams

# Do not hardcode API credentials!
falcon = EventStreams(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.listAvailableStreamsOAuth2(app_id="string", format="string")
print(response)
```
Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("listAvailableStreamsOAuth2", app_id="string", format="string")
print(response)
```
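Tying the two operations together, as an added example that is not part of the FalconPy project's own code: it turns a stream discovery result into the keyword arguments for refresh_active_stream, checking app_id against the documented limit and reading the partition from the refresh URL's path. The response field names refreshActiveSessionURL and refreshActiveSessionInterval, the helper names, the 60-second margin and the sample response (constructed, with a placeholder host) are assumptions of this example.

```python
import re
from urllib.parse import urlparse

APP_ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")  # documented limit: 32 alphanumerics
REFRESH_ROUTE = "/sensors/entities/datafeed-actions/v1/"  # route documented above
ACTION = "refresh_active_stream_session"  # the only allowed action_name

def valid_app_id(app_id):
    """True when app_id fits the documented 32-character alphanumeric limit."""
    return isinstance(app_id, str) and APP_ID_RE.fullmatch(app_id) is not None

def partition_from_refresh_url(url):
    """Return the integer partition that ends the refresh route in url."""
    path = urlparse(url).path
    tail = path[len(REFRESH_ROUTE):]
    if not path.startswith(REFRESH_ROUTE) or not (tail.isascii() and tail.isdigit()):
        raise ValueError(f"not a stream refresh URL: {url!r}")
    return int(tail)

def plan_refreshes(list_response, app_id, margin=60):
    """Build refresh_active_stream keyword arguments for each listed stream."""
    if not valid_app_id(app_id):
        raise ValueError("app_id must be 1-32 alphanumeric characters")
    if list_response.get("status_code") != 200:
        raise RuntimeError(f"stream discovery failed: {list_response.get('status_code')}")
    plans = []
    for stream in list_response["body"]["resources"]:
        interval = int(stream["refreshActiveSessionInterval"])
        partition = partition_from_refresh_url(stream["refreshActiveSessionURL"])
        plans.append({
            "kwargs": {"action_name": ACTION, "app_id": app_id, "partition": partition},
            # Refresh ahead of the advertised interval so the session never lapses.
            "refresh_after_seconds": max(interval - margin, 1),
        })
    return plans

# Constructed sample shaped like a list_available_streams() result; the field
# names are assumed from the API's stream resources and the host is a placeholder.
BASE = "https://firehose.example.invalid" + REFRESH_ROUTE
SAMPLE = {"status_code": 200, "body": {"resources": [
    {"refreshActiveSessionURL": BASE + "0?appId=siemconnector01",
     "refreshActiveSessionInterval": 1800},
    {"refreshActiveSessionURL": BASE + "1?appId=siemconnector01",
     "refreshActiveSessionInterval": 1800},
]}}

if __name__ == "__main__":
    for plan in plan_refreshes(SAMPLE, "siemconnector01"):
        print(plan)  # pass plan["kwargs"] to falcon.refresh_active_stream(**kwargs)
```

Rejecting a malformed app_id or refresh URL before the call keeps a misconfigured connector from failing silently and leaving a gap in event ingestion.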
