• Falcon Query Language
  • Comparison operators
  • Multiple filters
  • Multiple values
  • Timestamps

Many PSFalcon commands support the use of Falcon Query Language ("FQL") statements using the Filter parameter. When using Filter, it is important to keep in mind:

• Available FQL filters and their syntax will vary between APIs and are not determined by PSFalcon
• Each FQL filter and value may be case-sensitive (exact case, lowercase only, etc.)
• Each FQL filter statement can contain a maximum of 20 properties

Values in an FQL statement tend to either be restricted to $true, $false, null, an integer, or a string (description, date or time, etc).

Comparison operators can be combined, depending on context.

• = Equal to
• ! Not equal to
• < Occurred before
• > Occurred after
• * Partial match
• ~ Case insensitive

NOTE: Many CrowdStrike APIs default to partial match, and including incomplete values may lead to more results than expected. Additionally, searching for empty values (i.e. name:'') can return all results. You can use an exact value to exclude partial matches.

last_seen before a given date

-Filter "last_seen:>'YYYY-MM-DD'"

created_timestamp on or before a given date

-Filter "created_timestamp:=<'YYYY-MM-DD'"

Exact match of name

-Filter "name:['value']"

hostname does not match a given value

-Filter "hostname:!'value'"

Partial match of name

-Filter "name:'value'"

Partial match of name with leading characters

-Filter "name:*'*value'"

Partial match of name with trailing characters

-Filter "name:~'value*'"

Items without a assigned_to_uid value

-Filter "assigned_to_uid:null"

Multiple filters can be combined with + (AND) or , (OR). URL encoding is performed by PSFalcon automatically when required.

-Filter "expiration_on:>'2021-11-02'+last_execution.status:'DONE'"

Multiple values for a single property must be enclosed within square brackets, with each [string] value being enclosed in quotes.

-Filter "name:['value','value']"

Timestamp filters generally use ISO 8601 format (YYYY-MM-DDTHH:mm:ssZ). The timezone is always UTC (as denoted by Z).

When entering a timestamp value, the full timestamp may not be required. You can supply various full and partial date and time combinations.

• Full date: YYYY-MM-DD
• Partial date: YYYY-MM, YYYY
• Full date with partial time: YYYY-MM-DDThh, YYYY-MM-DDThh:mm, YYYY-MM-DDThh:mm:ss
• Partial date with full time: YYYY-MMthh:mm:ss.sZ, YYYYThh:mm:ss.sZ
• Partial date with partial time: YYYY-MM-Thh, YYYY-MM-Thh:mm, YYYY-MMThh:mm:ss, YYYYThh, YYYYThh:mm, YYYYThh:mm:ss

NOTE: PSFalcon will automatically convert last <int> days and last <int> hours to a compatible UTC timestamp.

Timestamps are expected when working with properties that display timestamps in result output. Timestamps will often require comparison operators to match results.