API Stability Long-Term

The createFdrFeed() GraphQL mutation field is used to create an FDR feed.

To test an FDR feed, use the testFdrFeed() mutation. To make changes, use updateFdrFeed() and updateFdrFeedControl(). To delete a feed, use the deleteFdrFeed() mutation.

For more information on FDR ingest feeds, see Ingesting FDR Data into a Repository.

Syntax

graphql
createFdrFeed(
       input: CreateFdrFeed!
    ): FdrFeed!

Example

Below is an example of how this mutation field might be used:

Raw
graphql
mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}
Mac OS or Linux (curl)
shell
curl -v -X POST $YOUR_LOGSCALE_URL/graphql \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    -d @- << EOF
{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}
EOF
Mac OS or Linux (curl) One-line
shell
curl -v -X POST "$YOUR_LOGSCALE_URL/graphql" -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -d '{"query" : "mutation { createFdrFeed(input: {name: \"my-fdr-feed\", repositoryName: \"humio\", parser: \"humio\", clientId: \"1234\", clientSecret: \"psst\", sqsUrl: \"https://fdr.company.com\", s3Identifier: \"xxxx\", enabled: false}) { id, name, enabled } }"}'
Windows Cmd and curl
shell
rem cmd.exe has no single-quoted strings: the JSON body is double-quoted and its inner quotes are backslash-escaped.
curl -v -X POST "%YOUR_LOGSCALE_URL%/graphql" ^
    -H "Authorization: Bearer %TOKEN%" ^
    -H "Content-Type: application/json" ^
    -d "{\"query\" : \"mutation { createFdrFeed(input: {name: \\\"my-fdr-feed\\\", repositoryName: \\\"humio\\\", parser: \\\"humio\\\", clientId: \\\"1234\\\", clientSecret: \\\"psst\\\", sqsUrl: \\\"https://fdr.company.com\\\", s3Identifier: \\\"xxxx\\\", enabled: false}) { id, name, enabled } }\"}"
Windows Powershell and curl
powershell
$body = '{"query" : "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}"
}'
# The body is piped to curl on stdin (-d "@-"), so PowerShell never has to
# re-quote the embedded double quotes; curl strips the newlines it reads.
$body | curl.exe -X POST `
    -H "Authorization: Bearer $TOKEN" `
    -H "Content-Type: application/json" `
    -d '@-' `
    "$YOUR_LOGSCALE_URL/graphql"
Perl
perl
#!/usr/bin/perl

use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;
use JSON::PP;

# The API token and base URL are read from the environment.
my $TOKEN = $ENV{TOKEN};

my $uri = "$ENV{YOUR_LOGSCALE_URL}/graphql";

my $query = "mutation {
  createFdrFeed(input:
         {name: \"my-fdr-feed\",
          repositoryName: \"humio\",
          parser: \"humio\",
          clientId: \"1234\",
          clientSecret: \"psst\",
          sqsUrl: \"https://fdr.company.com\",
          s3Identifier: \"xxxx\",
          enabled: false
        }
    )
  { id, name, enabled }
}";
# encode_json escapes the quotes and newlines inside the query string.
my $json = encode_json({ query => $query });
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $TOKEN");
$req->header("Content-Type" => "application/json");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->decoded_content,"\n";
Python
python
#! /usr/local/bin/python3

import os

import requests

# The base URL and API token are read from the environment.
url = os.environ['YOUR_LOGSCALE_URL'] + '/graphql'
query = '''mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}'''

# json= serialises the body (escaping quotes and newlines) and sets
# the Content-Type: application/json header.
resp = requests.post(url,
                     json = {"query": query},
                     headers = {
   "Authorization" : "Bearer " + os.environ['TOKEN']
}
)

print(resp.text)
Node.js
javascript
const https = require('https');

// A template literal lets the query span several lines;
// JSON.stringify escapes its quotes and newlines.
const query = `mutation {
  createFdrFeed(input:
         {name: "my-fdr-feed",
          repositoryName: "humio",
          parser: "humio",
          clientId: "1234",
          clientSecret: "psst",
          sqsUrl: "https://fdr.company.com",
          s3Identifier: "xxxx",
          enabled: false
        }
    )
  { id, name, enabled }
}`;
const data = JSON.stringify({ query });

const options = {
  // https.request expects a host name, not a full URL.
  hostname: new URL(process.env.YOUR_LOGSCALE_URL).hostname,
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    // Length in bytes, not in UTF-16 code units.
    'Content-Length': Buffer.byteLength(data),
    Authorization: 'Bearer ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Given Datatype

For this input datatype, you provide the name of the repository to be associated with the FDR feed, the name or unique identifier of the parser to use, and information about connecting with Amazon AWS. These are listed and explained, along with other parameters, in the table below:

Table: CreateFdrFeed

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| clientId | string | yes | | Long-Term | The AWS client identifier of the FDR feed. |
| clientSecret | string | yes | | Long-Term | The AWS client secret of the FDR feed. |
| description | string | | | Long-Term | A description of the FDR feed. |
| enabled | boolean | yes | true | Long-Term | Whether ingest from the FDR feed is enabled. |
| name | string | yes | | Long-Term | The name of the FDR feed. |
| parser | string | yes | | Long-Term | The unique identifier or name of the parser that should be used to parse the FDR data. We recommend using the FDR parser from the crowdstrike/fdr package, which can be referred to as crowdstrike/fdr:FDR. |
| repositoryName | string | yes | | Long-Term | The name of the repository of the FDR feed. |
| s3Identifier | string | yes | | Long-Term | The AWS S3 identifier of the FDR feed. |
| sqsUrl | string | yes | | Long-Term | The AWS SQS queue URL of the FDR feed. |

Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Mar 28, 2025
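
An added example (not LogScale's own code): the same mutation built with a GraphQL variable of type CreateFdrFeed, so that clientSecret and the other values are never spliced into the query text, with the input checked against the table above and the secret masked before logging. It assumes the endpoint accepts the standard GraphQL `variables` field; the operation name `CreateFeed`, the function names, the `FDR_CLIENT_SECRET` environment variable and the HTTPS check on sqsUrl are assumptions of this example.

```python
import json
import os

# Field names and types taken from the CreateFdrFeed table above.
REQUIRED = {"clientId": str, "clientSecret": str, "enabled": bool, "name": str,
            "parser": str, "repositoryName": str, "s3Identifier": str, "sqsUrl": str}
OPTIONAL = {"description": str}

# The input object travels as a GraphQL variable, so no value is spliced into the query.
MUTATION = ("mutation CreateFeed($input: CreateFdrFeed!) "
            "{ createFdrFeed(input: $input) { id name enabled } }")


def build_request(feed):
    """Validate `feed` against the table and return the JSON-serialisable request body."""
    unknown = set(feed) - set(REQUIRED) - set(OPTIONAL)
    missing = set(REQUIRED) - set(feed)
    if unknown or missing:
        raise ValueError(f"unknown={sorted(unknown)} missing={sorted(missing)}")
    for key, value in feed.items():
        expected = {**REQUIRED, **OPTIONAL}[key]
        if type(value) is not expected:
            raise TypeError(f"{key} must be {expected.__name__}")
    # Added sanity check (not a documented server rule): the queue URL should be HTTPS.
    if not feed["sqsUrl"].startswith("https://"):
        raise ValueError("sqsUrl must be an https:// URL")
    return {"query": MUTATION, "variables": {"input": dict(feed)}}


def redacted(body):
    """Copy of the request body that is safe to log: clientSecret is masked."""
    copy = json.loads(json.dumps(body))
    copy["variables"]["input"]["clientSecret"] = "***"
    return copy


if __name__ == "__main__":
    # Constructed sample values; the secret comes from the environment, not the source file.
    body = build_request({
        "name": "my-fdr-feed", "repositoryName": "humio", "parser": "crowdstrike/fdr:FDR",
        "clientId": "1234", "clientSecret": os.environ.get("FDR_CLIENT_SECRET", "placeholder"),
        "sqsUrl": "https://fdr.company.com", "s3Identifier": "xxxx", "enabled": False,
    })
    print(json.dumps(redacted(body), indent=2))
    # POST json.dumps(body) to $YOUR_LOGSCALE_URL/graphql with the Bearer token header.
```

Supplying the secret through the environment also keeps it out of shell history and source control, unlike an inline literal.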

Returned Datatype

With this returned datatype, you can get the unique identifier for the FDR feed and the parser it uses. You can use them with other mutations and queries. You can also get the AWS identifiers and URL. Below are the available parameters:

Table: FdrFeed

| Parameter | Type | Required | Default | Stability | Description |
|---|---|---|---|---|---|
| clientId | string | yes | | Long-Term | The AWS client identifier of the FDR feed. |
| description | string | | | Long-Term | A description of the FDR feed. |
| enabled | boolean | yes | | Long-Term | Whether ingest from the FDR feed is enabled. |
| id | string | yes | | Long-Term | Unique identifier of the FDR feed. |
| name | string | yes | | Long-Term | Name of the FDR feed. |
| parserId | string | yes | | Long-Term | The unique identifier of the parser that is used to parse the FDR data. |
| s3Identifier | string | yes | | Long-Term | The AWS S3 identifier of the FDR feed. |
| sqsUrl | string | yes | | Long-Term | The AWS SQS queue URL of the FDR feed. |

Some arguments may be required, as indicated in the Required column. For return datatypes, this indicates that you must specify which fields you want returned in the results.
Table last updated: Sep 25, 2024