createFdrFeed()

The createFdrFeed() GraphQL mutation field is used to create an FDR feed.

Syntax

Below is the syntax for the createFdrFeed() mutation field:

graphql
createFdrFeed(
       input: CreateFdrFeed!
    ): FdrFeed!

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "mutation { createFdrFeed(input: {name: \"my-fdr-feed\", repositoryName: \"humio\", parser: \"humio\", clientId: \"1234\", clientSecret: \"psst\", sqsUrl: \"https://fdr.company.com\", s3Identifier: \"xxxx\", enabled: false}) { id, name, enabled } }"}'
Windows Cmd and curl
shell
curl -v -X POST %YOUR_LOGSCALE_URL%/graphql ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"mutation { createFdrFeed(input: {name: \\\"my-fdr-feed\\\", repositoryName: \\\"humio\\\", parser: \\\"humio\\\", clientId: \\\"1234\\\", clientSecret: \\\"psst\\\", sqsUrl: \\\"https://fdr.company.com\\\", s3Identifier: \\\"xxxx\\\", enabled: false}) { id, name, enabled } }\"}"
Windows Powershell and curl
powershell
curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}' `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;

use HTTP::Request;
use LWP::UserAgent;

# Read the API token and base URL from the environment, as the curl examples do.
my $TOKEN = $ENV{TOKEN};
my $uri = "$ENV{YOUR_LOGSCALE_URL}/graphql";

# Single quotes keep the \" escapes intact in the JSON body.
my $json = '{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

# Print the response body through the public accessor.
print $result->decoded_content, "\n";
Python
python
#! /usr/local/bin/python3

import os

import requests

# Base URL and API token come from the environment, as in the curl examples.
url = os.environ["YOUR_LOGSCALE_URL"] + "/graphql"
token = os.environ["TOKEN"]

query = '''mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}'''

# json= serializes the body (escaping quotes and newlines) and sets Content-Type.
resp = requests.post(url,
                     json = {"query": query},
                     headers = {"Authorization" : "Bearer " + token},
                     timeout = 30
)

print(resp.text)
Node.js
javascript
const https = require('https');

// A template literal lets the query span several lines; JSON.stringify escapes it.
const data = JSON.stringify({
  query: `mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}`,
});

// YOUR_LOGSCALE_URL is the base URL of the LogScale instance.
const url = new URL(process.env.YOUR_LOGSCALE_URL + '/graphql');

const options = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Length in bytes, not in UTF-16 code units.
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(url, options, (res) => {
  let body = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    body += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(body).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatypes

For CreateFdrFeed, there are a few parameters. Below is a list of them:

Table: CreateFdrFeed

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| clientId | string | yes | | The AWS client identifier of the FDR feed. |
| clientSecret | string | yes | | The AWS client secret of the FDR feed. |
| description | string | | | A description of the FDR feed. |
| enabled | boolean | yes | | Whether ingest from the FDR feed is enabled. |
| name | string | yes | | The name of the FDR feed. |
| parser | string | yes | | The unique identifier or name of the parser that should be used to parse the FDR data. We recommend using the FDR parser from the crowdstrike/fdr package, which can be referred to as crowdstrike/fdr:FDR. |
| repositoryName | string | yes | | The name of the repository of the FDR feed. |
| s3Identifier | string | yes | | The AWS S3 identifier of the FDR feed. |
| sqsUrl | string | yes | | The AWS SQS queue URL of the FDR feed. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 17, 2024
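
An added example (not from the LogScale documentation): the same mutation sent with GraphQL variables, so that clientSecret is never spliced into the query string and can be masked before the request is logged. The operation name CreateFeed, the helper names and the FDR_CLIENT_SECRET environment variable are assumptions; the field list comes from the CreateFdrFeed table above.

```python
import json
import os

# Required and optional CreateFdrFeed fields, taken from the parameter table above.
REQUIRED = ("clientId", "clientSecret", "enabled", "name", "parser",
            "repositoryName", "s3Identifier", "sqsUrl")
OPTIONAL = ("description",)

# The values travel in "variables", so nothing is spliced into the query text.
MUTATION = """mutation CreateFeed($input: CreateFdrFeed!) {
  createFdrFeed(input: $input) { id name enabled }
}"""


def build_request(feed):
    """Validate a CreateFdrFeed input dict and return the GraphQL request body."""
    unknown = sorted(set(feed) - set(REQUIRED) - set(OPTIONAL))
    if unknown:
        raise ValueError("unknown fields: " + ", ".join(unknown))
    missing = [k for k in REQUIRED if feed.get(k) in (None, "")]
    if missing:
        raise ValueError("missing required fields: " + ", ".join(missing))
    if not isinstance(feed["enabled"], bool):
        raise ValueError("enabled must be a boolean")
    for key in set(feed) - {"enabled"}:
        if not isinstance(feed[key], str):
            raise ValueError(key + " must be a string")
    return {"query": MUTATION, "variables": {"input": dict(feed)}}


def redact(body):
    """Return a copy of the request body that is safe to log (clientSecret masked)."""
    safe = json.loads(json.dumps(body))
    safe["variables"]["input"]["clientSecret"] = "***"
    return safe


if __name__ == "__main__":
    # Constructed sample values; FDR_CLIENT_SECRET is a hypothetical variable name.
    feed = {"name": "my-fdr-feed", "repositoryName": "humio",
            "parser": "crowdstrike/fdr:FDR", "clientId": "1234",
            "clientSecret": os.environ.get("FDR_CLIENT_SECRET", "psst"),
            "sqsUrl": "https://fdr.company.com", "s3Identifier": "xxxx",
            "enabled": False}
    print(json.dumps(redact(build_request(feed)), indent=2))
```

Post the returned body to $YOUR_LOGSCALE_URL/graphql with the same Authorization header as in the examples above. The FdrFeed type the mutation returns does not include clientSecret.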

Returned Datatypes

As indicated by the syntax above, this mutation will return data using the datatype, FdrFeed. Below are the parameters of that datatype:

Table: FdrFeed

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| clientId | string | yes | | The AWS client identifier of the FDR feed. |
| description | string | | | A description of the FDR feed. |
| enabled | boolean | yes | | Whether ingest from the FDR feed is enabled. |
| id | string | yes | | Unique identifier of the FDR feed. |
| name | string | yes | | Name of the FDR feed. |
| parserId | string | yes | | The unique identifier of the parser that is used to parse the FDR data. |
| s3Identifier | string | yes | | The AWS S3 identifier of the FDR feed. |
| sqsUrl | string | yes | | The AWS SQS queue URL of the FDR feed. |

Some arguments may be required, as indicated in the Required column. For some fields, this column indicates that a result will always be returned for this column.
Table last updated: Sep 25, 2024