Params Documentation

[Monstrosity8]

I'm using the QueryDevicesByFilterScroll and would like to know if there further documentation on how to use the parameters? Specifically regarding the offset?

[jshcodes]

Hi @Monstrosity8 !

Does this documentation help: https://github.com/CrowdStrike/falconpy/wiki/hosts#querydevicesbyfilterscroll ?

...or are you looking for an example of offset being used?

[Monstrosity8]

An example of the offset being used. Additionally, do you have more for the filter? Is there a way I can omit the filter? Ultimately, I am trying to pull all the device ids in CrowdStrike which will require several pulls.

[jshcodes]

Filter should not be required (according to swagger). So you should be OK to just not include it in the parameters dictionary.

Regarding the FQL for the filter, I've not yet had a chance to publish FalconPy specific FQL documentation, but a sibling project of ours, psFalcon, has started theirs. This gives us some good examples of what the filter string formatting should look like: psFalcon FQL examples.

I'm working on running down a good example using offset. I'll post it to the samples folder here once I've got it ready.

[Monstrosity8]

Thanks! And presumably changing the offset will iterate through all the systems I have in CrowdStrike?

[CalebSchwartz]

params = {"filter": _filter, "offset": offset, "limit": limit}
total = data["body"]["meta"]["pagination"]["total"]
resource_count = len(data["body"]["resources"])
ret_ids.update(data["body"]["resources"])
while len(ret_ids) != total:
        # ret_ids is a set so we don't care if we are exact with this offset updating.
        # only will care about making sure we everything
        offset += resource_count
        params["offset"] = offset
        ids = host_client.QueryDevicesByFilter(parameters=params)["body"]["resources"]
        ret_ids.update(ids)

this may not be exactly what you are after but I have a script pulling all hosts

[jshcodes]

I tweaked this post a bit so the formatting displayed properly.

[jshcodes]

Here's an example I put together using the Detections API. Pretty much the same logic @CalebSchwartz demonstrates above, just expanded to show how you can adjust the paging.

"""
    pagination_example.py

    Created: 04.07.21, jshcodes@CrowdStrike

    This sample shows an example of iterating through a returned
    list of record ids using the pagination details provided by the
    CrowdStrike API in the meta branch of the response.
"""
import json
from falconpy import detects as FalconDetects


def create_payload(position: int, per_page: int) -> dict:
    """Create a properly formatted parameter payload"""
    payload = {}
    payload["offset"] = position
    payload["limit"] = per_page

    return payload


def iterate_detections(detections: list, position: int):
    """Iterate through this batch of detections and show our current position"""
    for detection in detections:
        position += 1
        print("{}: {}".format(str(position), detection))


def get_records(max_rows: int, cur_pos: int):
    """Retrieve our record batch, display the results and update our positions"""
    detects = falcon.QueryDetects(parameters=create_payload(cur_pos, max_rows))
    offset = detects["body"]["meta"]["pagination"]["offset"]    # This will be the same as cur_pos
    total = detects["body"]["meta"]["pagination"]["total"]      # Total available
    iterate_detections(detects["body"]["resources"], cur_pos)   # Do stuff
    new_position = cur_pos + max_rows                           # Update our position
    # Fix our new_position if it exceeds our total
    if total < new_position:
        new_position = total
    print(f"Offset: {offset} CurPos: {new_position} Total: {total}")

    return total, new_position


# Grab our config parameters
with open('config.json', 'r') as file_config:
    config = json.loads(file_config.read())

falcon = FalconDetects.Detects(creds={
      'client_id': config["falcon_client_id"],
      'client_secret': config["falcon_client_secret"]
   }
)

# Adjust this to play with the pagination
MAX_PER_PAGE = 25
# Grab our first batch of IDs
total_records, current_position = get_records(MAX_PER_PAGE, 0)
# Based upon our returned total and current position, loop through the remaining rows
while total_records > current_position:
    # Query the API for the next batch
    total_records, current_position = get_records(MAX_PER_PAGE, current_position)