Event Streams

The Event Streams service collection provides operations for discovering and maintaining event stream connections in your CrowdStrike Falcon environment. List available streams and refresh active stream sessions to maintain continuous event ingestion.

Language	Last Update
Python	v1.4.6
PowerShell	v2.2.9
Go	v0.20.0
TypeScript	v0.6.0
Rust	v0.7.0
Ruby	v1.2.0

Sample Code

Operation	Description
refreshActiveStreamSession `refresh_active_stream`	Refresh an active event stream. Use the URL shown in a listAvailableStreamsOAuth2 response.
listAvailableStreamsOAuth2 `list_available_streams`	Discover all event streams in your environment

refreshActiveStreamSession

Refresh an active event stream. Use the URL shown in a listAvailableStreamsOAuth2 response.

POST /sensors/entities/datafeed-actions/v1/{}

Scope Event Streams: READ Consumes · Produces application/json

PEP 8 refresh_active_stream

Parameters

Name	Type	Data type	Description
action_name	query	string	The name of the action to perform. The only allowed value is `refresh_active_stream_session`. Defaults to this value if not present when using the Service Class.
app_id	query	string	Label that identifies your connection. Max: 32 alphanumeric characters (a-z, A-Z, 0-9). Will also accept the keyword `appId` to specify this value.
partition	path	integer	Partition to request data for. If you are using the Service Class, this will default to `0` when not specified.
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import EventStreams

falcon = EventStreams(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.refresh_active_stream(action_name="string",
                                        app_id="string",
                                        partition="string")
print(response)

from falconpy import EventStreams

falcon = EventStreams(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.refreshActiveStreamSession(action_name="string",
                                             app_id="string",
                                             partition="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("refreshActiveStreamSession",
                          action_name="string",
                          app_id="string",
                          partition=integer)
print(response)

Update-FalconStream -AppId "string" -Partition integer

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/event_streams"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  response, err := client.EventStreams.RefreshActiveStreamSession(
    &event_streams.RefreshActiveStreamSessionParams{
      ActionName: "string",
      AppID: "string",
      Partition: integer,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.eventStreams.refreshActiveStreamSession(
  "string",  // actionName
  "string",  // appId
  integer  // partition
);

console.log(response);

use rusty_falcon::apis::event_streams_api::refresh_active_stream_session;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = refresh_active_stream_session(
        &falcon.cfg,  // configuration
        "string",  // action_name
        "string",  // app_id
        integer,  // partition
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::EventStreams.new

response = api.refresh_active_stream_session('string', 'string', integer)

puts response

listAvailableStreamsOAuth2

Discover all event streams in your environment

GET /sensors/entities/datafeed/v2

Scope Event Streams: READ Consumes · Produces application/json

PEP 8 list_available_streams

Parameters

Name	Type	Data type	Description
app_id	query	string	Label that identifies your connection. Max: 32 alphanumeric characters (a-z, A-Z, 0-9). Will also accept the keyword `appId` to specify this value.
format	query	string	Format for streaming events. Valid values: `json`, `flatjson`
parameters	query	dictionary	Full query string parameters payload in JSON format.

Code Examples

from falconpy import EventStreams

falcon = EventStreams(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.list_available_streams(app_id="string", format="string")
print(response)

from falconpy import EventStreams

falcon = EventStreams(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.listAvailableStreamsOAuth2(app_id="string", format="string")
print(response)

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("listAvailableStreamsOAuth2",
                          app_id="string",
                          format="string")
print(response)

Get-FalconStream -AppId "string"

package main

import (
  "context"
  "fmt"
  "os"

  "github.com/crowdstrike/gofalcon/falcon"
  "github.com/crowdstrike/gofalcon/falcon/client/event_streams"
)

func main() {
  client, err := falcon.NewClient(&falcon.ApiConfig{
    ClientId:     os.Getenv("FALCON_CLIENT_ID"),
    ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
    Context:      context.Background(),
  })
  if err != nil {
    panic(err)
  }

  format := "string"

  response, err := client.EventStreams.ListAvailableStreamsOAuth2(
    &event_streams.ListAvailableStreamsOAuth2Params{
      AppID: "string",
      Format: &format,
      Context: context.Background(),
    },
  )
  if err != nil {
    panic(falcon.ErrorExplain(err))
  }

  fmt.Printf("%+v\n", response.Payload)
}

import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.eventStreams.listAvailableStreamsOAuth2(
  "string",  // appId
  "string"  // format
);

console.log(response);

use rusty_falcon::apis::event_streams_api::list_available_streams_o_auth2;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = list_available_streams_o_auth2(
        &falcon.cfg,  // configuration
        "string",  // app_id
        Some("string"),  // format
    ).await.expect("API call failed");

    println!("{:?}", response);
}

require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::EventStreams.new

response = api.list_available_streams_o_auth2('string')

puts response

Event Streams

Table of Contents

refreshActiveStreamSession

Parameters

Code Examples

listAvailableStreamsOAuth2

Parameters

Code Examples