List of Valid FQL <property> values?

[mbullmanFHCRC]

Hi, been working with the falconpy library the last week or so, and I think I'm getting a better handle on how it works and what it expects. But I've been searching the source code and the documentation (github wiki + crowdstrike docs ).

Is there a list of valid values for ? I'm having trouble tying together what I see in crowdstrike dashboards and what I can current pull from the API. Ive tried looking at URLs while applying filters to dashboard and I'm not sure if I'm asking the wrong endpoint, or using the wrong property name

for example falconDetects.QueryDetects({'limit':200, 'filter':'SeverityName=Critical'}) is SeverityName a valid property?
The swagger API references this page for a list of valid filter values, but then that page is deprecated, and the updated documentation does not include the list of valid query parameters that I've been able to find. Am I just looking in the wrong place?

Any help is great, thanks

[jshcodes]

Hi @mbullmanFHCRC -

First off, thank you for pointing out the deprecated link in our swagger. I've submitted an internal ticket to have this link updated.

A couple of notes regarding filtering and sorting with FQL (Falcon Query Language):

• Available FQL filters and their syntax will vary between APIs and are not determined by the SDK
• Each FQL filter and value may be case-sensitive (exact case, lowercase only, etc.)
• API's may only support filtering or sorting on specific fields

There is not currently a singular list of all of the acceptable fields for each API.

As a work-around, here are some other places you can check:

• Swagger - As you mentioned, sometimes the swagger content will provide you some of the acceptable values for these arguments.
• Falcon Documentation
• Samples (within documentation or within our GitHub repositories)
• Resultsets
  • You can also just try fields you receive back from the API as a filter to see the result. Pay attention to case and data type / format if you go this route. (Remember that not all fields are available to use as a filter or sort parameter.)

Detects API

There is documentation for the Detects API here: https://falcon.crowdstrike.com/documentation/86/detections-monitoring-apis#filtering-options that has a pretty large appendix of possible values.

I was also able to pull these values out of swagger or by making test calls:

Sort

• first_behavior: Timestamp of the first behavior associated with this detection
• last_behavior: Timestamp of the last behavior associated with this detection
• max_severity: Highest severity of the behaviors associated with this detection
• max_confidence: Highest confidence of the behaviors associated with this detection
• adversary_id: ID of the adversary associated with this detection, if any
• devices.hostname: Hostname of the host where this detection was detected

Sort either asc (ascending) or desc (descending). For example: last_behavior|asc

Filter

• detection_id
• filename
• severity
• status
• device.device_id
• max_severity (To filter by severity name use max_severity_displayname)

Example

from falconpy.detects import Detects
detects = Detects(creds={"client_id": client_id, "client_secret": client_secret})
result = detects.QueryDetects(parameters={"filter": "filename:'chrome.exe'"})

Side note: The pattern for query string parameters is being updated. Shortly you will be able to pass these arguments without creating the parameter array if you prefer. (Example: detects.QueryDetects(filter="filename:'chrome.exe'"))