createFdrFeed()

API Stability: Long-Term

The createFdrFeed() GraphQL mutation field is used to create an FDR feed.

Syntax

Below is the syntax for the createFdrFeed() mutation field:

graphql
createFdrFeed(
       input: CreateFdrFeed!
    ): FdrFeed!

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query": "mutation { createFdrFeed(input: {name: \"my-fdr-feed\", repositoryName: \"humio\", parser: \"humio\", clientId: \"1234\", clientSecret: \"psst\", sqsUrl: \"https://fdr.company.com\", s3Identifier: \"xxxx\", enabled: false}) { id, name, enabled } }"}'
Windows Cmd and curl
shell
REM cmd.exe expands %VAR%, not $VAR, and has no single-quoted strings:
REM the JSON body is one double-quoted argument with its inner quotes escaped.
curl -v -X POST "%YOUR_LOGSCALE_URL%/graphql" ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\": \"mutation { createFdrFeed(input: {name: \\\"my-fdr-feed\\\", repositoryName: \\\"humio\\\", parser: \\\"humio\\\", clientId: \\\"1234\\\", clientSecret: \\\"psst\\\", sqsUrl: \\\"https://fdr.company.com\\\", s3Identifier: \\\"xxxx\\\", enabled: false}) { id, name, enabled } }\"}"
Windows Powershell and curl
powershell
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}' `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;

use HTTP::Request;
use LWP::UserAgent;

# Read the API token and base URL from the environment rather than hardcoding them.
my $TOKEN = $ENV{TOKEN};
my $uri   = "$ENV{YOUR_LOGSCALE_URL}/graphql";

my $json = '{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}';
my $req = HTTP::Request->new("POST", $uri);

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content($json);

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request($req);

# Use the public accessor instead of reaching into the response object's internals.
print $result->decoded_content, "\n";
Python
python
#!/usr/local/bin/python3

import os

import requests

# Base URL and API token come from the environment instead of being hardcoded.
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

query = '''mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}'''

# json= serializes the body (escaping quotes and newlines) and sets Content-Type.
resp = requests.post(url,
                     json={"query": query},
                     headers={"Authorization": "Bearer " + token})

print(resp.text)
Node.js
javascript
const https = require('https');

// A template literal lets the query span lines; JSON.stringify escapes it.
const data = JSON.stringify({
  query: `mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}`,
});

// YOUR_LOGSCALE_URL is the base URL (scheme and host); /graphql is the path.
const url = new URL('/graphql', process.env.YOUR_LOGSCALE_URL);

const options = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Byte length, not character count, in case the body contains non-ASCII text.
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(url, options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatypes

For CreateFdrFeed, there are a few parameters. Below is a list of them:

Table: CreateFdrFeed

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| clientId | string | yes | | | The AWS client identifier of the FDR feed. |
| clientSecret | string | yes | | | The AWS client secret of the FDR feed. |
| description | string | | | | A description of the FDR feed. |
| enabled | boolean | yes | | | Whether ingest from the FDR feed is enabled. |
| name | string | yes | | | The name of the FDR feed. |
| parser | string | yes | | | The unique identifier or name of the parser that should be used to parse the FDR data. We recommend using the FDR parser from the crowdstrike/fdr package, which can be referred to as crowdstrike/fdr:FDR. |
| repositoryName | string | yes | | | The name of the repository of the FDR feed. |
| s3Identifier | string | yes | | | The AWS S3 identifier of the FDR feed. |
| sqsUrl | string | yes | | | The AWS SQS queue URL of the FDR feed. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 17, 2024

Returned Datatypes

As indicated by the syntax above, this mutation returns data of the datatype FdrFeed. Below are the parameters of that datatype:

Table: FdrFeed

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| clientId | string | yes | | | The AWS client identifier of the FDR feed. |
| description | string | | | | A description of the FDR feed. |
| enabled | boolean | yes | | | Whether ingest from the FDR feed is enabled. |
| id | string | yes | | | Unique identifier of the FDR feed. |
| name | string | yes | | | Name of the FDR feed. |
| parserId | string | yes | | | The unique identifier of the parser that is used to parse the FDR data. |
| s3Identifier | string | yes | | | The AWS S3 identifier of the FDR feed. |
| sqsUrl | string | yes | | | The AWS SQS queue URL of the FDR feed. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 25, 2024