Summary

The createFdrFeed() GraphQL mutation field is used to create an FDR feed.

API Stability Long-Term

Syntax

graphql
createFdrFeed(
       input: CreateFdrFeed!
    ): FdrFeed!

For the input, you'll have to give the name of the repository, the name or unique identifier of the parser, and information about connecting with Amazon AWS. See the Input Parameters section for details.

For the results, you can get the unique identifier for the FDR feed and the parser. You can use them with other mutations and queries. See the Returned Values section for more.

Example

Raw
graphql
mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "mutation { createFdrFeed(input: {name: \"my-fdr-feed\", repositoryName: \"humio\", parser: \"humio\", clientId: \"1234\", clientSecret: \"psst\", sqsUrl: \"https://fdr.company.com\", s3Identifier: \"xxxx\", enabled: false}) { id, name, enabled } }"}'
Windows Cmd and curl
shell
REM The JSON body is on one line because ^ does not continue a line inside double quotes.
curl -v -X POST $YOUR_LOGSCALE_URL/graphql ^
    -H "Authorization: Bearer $TOKEN" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"mutation { createFdrFeed(input: {name: \\\"my-fdr-feed\\\", repositoryName: \\\"humio\\\", parser: \\\"humio\\\", clientId: \\\"1234\\\", clientSecret: \\\"psst\\\", sqsUrl: \\\"https://fdr.company.com\\\", s3Identifier: \\\"xxxx\\\", enabled: false}) { id, name, enabled } }\"}"
Windows Powershell and curl
powershell
# A trailing backtick continues the command on the next line.
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}' `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;
use JSON::PP;

my $TOKEN = "TOKEN";

# Replace $YOUR_LOGSCALE_URL with the URL of your LogScale instance
my $uri = '$YOUR_LOGSCALE_URL/graphql';

my $query = "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}";
$query =~ s/\n/ /g;
# Encode the body with JSON::PP so the quotes inside the query are escaped
my $json = encode_json({ query => $query });
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

# Print the response body
print $result->decoded_content, "\n";
Python
python
#! /usr/local/bin/python3

import requests

# Replace $YOUR_LOGSCALE_URL and $TOKEN with your own values
url = '$YOUR_LOGSCALE_URL/graphql'
query = '''mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}'''

# json= serializes the body (escaping quotes and newlines) and sets
# the Content-Type: application/json header
resp = requests.post(url,
                     json = {"query": query},
                     headers = {
   "Authorization" : "Bearer $TOKEN"
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

// JSON.stringify escapes the quotes and newlines in the query
const data = JSON.stringify({
  query: `mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}`,
});

const options = {
  hostname: '$YOUR_LOGSCALE_URL', // host name only, without https://
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Length in bytes, not characters
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Input Parameters

For the input, you would provide the name of the repository to be associated with the FDR feed, the name or unique identifier of the parser to use, and information about connecting with Amazon AWS. These are listed and explained, along with other parameters, in the table below:

Table: CreateFdrFeed Input Datatype

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| clientId | string | yes | | Long-Term | The AWS client identifier of the FDR feed. |
| clientSecret | string | yes | | Long-Term | The AWS client secret of the FDR feed. |
| description | string | | | Long-Term | A description of the FDR feed. |
| enabled | boolean | yes | true | Long-Term | Whether ingest from the FDR feed is enabled. |
| name | string | yes | | Long-Term | The name of the FDR feed. |
| parser | string | yes | | Long-Term | The unique identifier or name of the parser that should be used to parse the FDR data. We recommend using the FDR parser from the crowdstrike/fdr package, which can be referred to as crowdstrike/fdr:FDR. |
| repositoryName | string | yes | | Long-Term | The name of the repository of the FDR feed. |
| s3Identifier | string | yes | | Long-Term | The AWS S3 identifier of the FDR feed. |
| sqsUrl | string | yes | | Long-Term | The AWS SQS queue URL of the FDR feed. |

Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.
Table last updated: Mar 28, 2025
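
An added example, not part of the LogScale documentation: it passes the input as a GraphQL variable of type CreateFdrFeed!, so the AWS client secret is read from the environment instead of being written into the query text, and it checks the Required column above before sending. The function names and the environment variable names are assumptions made for this sketch.

```python
import json
import os
import urllib.request

# Fields marked "yes" in the Required column of the CreateFdrFeed table.
REQUIRED = ("clientId", "clientSecret", "enabled", "name", "parser",
            "repositoryName", "s3Identifier", "sqsUrl")
OPTIONAL = ("description",)

# The input travels as a variable, so no secret appears in the query text.
MUTATION = """mutation CreateFeed($input: CreateFdrFeed!) {
  createFdrFeed(input: $input) { id name enabled }
}"""

def build_payload(feed):
    """Validate the input against the table and return the request body."""
    missing = [k for k in REQUIRED if k not in feed]
    unknown = [k for k in feed if k not in REQUIRED + OPTIONAL]
    if missing or unknown:
        raise ValueError(f"missing={missing} unknown={unknown}")
    if not isinstance(feed["enabled"], bool):
        raise ValueError("enabled must be a boolean")
    return {"query": MUTATION, "variables": {"input": dict(feed)}}

def redacted(payload):
    """Return a copy of the payload that is safe to log (secret masked)."""
    safe = json.loads(json.dumps(payload))
    safe["variables"]["input"]["clientSecret"] = "***"
    return safe

def create_fdr_feed(base_url, token, feed):
    """POST the mutation to <base_url>/graphql and return the decoded reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/graphql",
        data=json.dumps(build_payload(feed)).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":  # assumed environment variable names
    env = os.environ
    feed = {"name": "my-fdr-feed", "repositoryName": "humio", "parser": "humio",
            "clientId": env["FDR_CLIENT_ID"], "clientSecret": env["FDR_CLIENT_SECRET"],
            "sqsUrl": env["FDR_SQS_URL"], "s3Identifier": env["FDR_S3_IDENTIFIER"],
            "enabled": False}
    print(redacted(build_payload(feed)))
    print(create_fdr_feed(env["LOGSCALE_URL"], env["LOGSCALE_TOKEN"], feed))
```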

Returned Values

For the results, you can get the unique identifier for the FDR feed and the parser it uses. You can use them with other mutations and queries. You can also get AWS identifiers and URL.

Table: FdrFeed Datatype

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| clientId | string | yes | | Long-Term | The AWS client identifier of the FDR feed. |
| description | string | | | Long-Term | A description of the FDR feed. |
| enabled | boolean | yes | | Long-Term | Whether ingest from the FDR feed is enabled. |
| id | string | yes | | Long-Term | Unique identifier of the FDR feed. |
| name | string | yes | | Long-Term | Name of the FDR feed. |
| parserId | string | yes | | Long-Term | The unique identifier of the parser that is used to parse the FDR data. |
| s3Identifier | string | yes | | Long-Term | The AWS S3 identifier of the FDR feed. |
| sqsUrl | string | yes | | Long-Term | The AWS SQS queue URL of the FDR feed. |

Some input parameters may be required, as indicated in the Required column. For return values, this indicates that you are assured a value if the field is requested for the results.
Table last updated: Sep 25, 2024