Application Programming Interfaces (APIs)

There are several application programming interfaces, known as APIs, that are available for use with Falcon LogScale. Collectively, these are known as the HTTP API. Everything you can do in LogScale's UI can be done through them. In fact, the UI is constructed using solely the public API.

Primary & Essential APIs

Below is a list of the primary and essential APIs available with Falcon LogScale. The headings are links to pages that will provide more information than the brief descriptions here.

API Authentication

Almost everything you might do with an application will require authentication, so this is the first step. This API is used for authenticating with LogScale.

Search API

This is the main endpoint for executing queries in LogScale. It streams results as soon as they're calculated. The time of delivery depends on the query type (filter or aggregate).

GraphQL API

Absolutely everything that can be done in LogScale can be done using GraphQL. It literally is the API that LogScale software uses internally. This section is extensive and growing.

Automation APIs

These APIs are related to the automating of tasks in LogScale: typically, this is the running of saved queries, which can lead to generating an alert and taking action.

Alert API

With this API you can create, update, and delete alerts. You can also get an alert's unique identifier and get a list of alerts.

Action API

The Action API has been replaced or made obsolete by the GraphQL API, which is more versatile and handles so much more.

Administrative APIs

These APIs are primarily for performing administrative tasks on LogScale.

Cluster Management API

If you're self-hosting Falcon LogScale and have set up your own cluster, this API may be used to manage your cluster.

Redact Events API

With this API, you can redact individual events from compressed segment files. It's intended to support removal of a small number of events from LogScale. Usually, this is used to remove personally identifiable information (e.g., a GDPR requirement), accidentally logged passwords or other confidential data from LogScale.

Ingest API

Server logs and other such data can be sent to a repository in LogScale using the Ingest API. The data can be sent in a structured format, or it can be sent as it is, relying on LogScale parsers to add structure to it.

Lookup API

This API can be used to upload CSV or JSON files. These may then be used by the match() functions.

Health Check API

The health of LogScale can be determined by a set of individual health checks. This includes a Status API and a Health API.

Software Libraries

In addition to LogScale's APIs, there are a few software libraries that can be used to integrate applications written in other programming languages (e.g., JavaScript, Python) with LogScale. Although they work, CrowdStrike doesn't offer support for them.

Attention

REST & GraphQL

Falcon LogScale has a mixture of GraphQL and REST endpoints. You can read about the motivation behind using GraphQL, as well as an introduction to GraphQL if you are not familiar with the technology.

Some of the REST endpoints described above are deprecated. We strongly encourage you to use the corresponding GraphQL queries and mutations instead. See the reference page on GraphQL for more information.