Filtering Results - CrowdStrike/psfalcon GitHub Wiki

Falcon Query Language

Many PSFalcon commands support the use of Falcon Query Language ("FQL") statements using the Filter parameter. When using Filter, it is important to keep in mind:

  • Available FQL filters and their syntax will vary between APIs and are not determined by PSFalcon
  • Each FQL filter and value may be case-sensitive (exact case, lowercase only, etc.)
  • Each FQL filter statement can contain a maximum of 20 properties

Values in an FQL statement are generally restricted to $true, $false, null, an integer, or a string (a description, a date or time, etc.).

Comparison operators

Comparison operators can be combined, depending on context.

  • =: Equal to
  • <: Occurred before following value
  • >: Occurred after following value
  • !: Does not include following value
  • *: Include following value as partial match

-Filter "last_seen:>'YYYY-MM-DD'"
-Filter "created_timestamp:=<'YYYY-MM-DD'"
-Filter "hostname:!'EXAMPLE-PC'"
-Filter "name:*'*partial*'"
-Filter "assigned_to_uid:null"

Multiple filters

Multiple filters can be combined with + (AND) or , (OR). URL encoding is performed by PSFalcon automatically when required.

-Filter "expiration_on:>'2021-11-02'+last_execution.status:'DONE'"

Multiple values

Multiple values for a single property must be enclosed within square brackets, with each [string] value being enclosed in quotes.

-Filter "name:['My','Example']"

Timestamps

Timestamp filters use ISO 8601 format (YYYY-MM-DDTHH:mm:ss.sssZ). The timezone is always UTC (as denoted by "Z").

When entering a timestamp value, the full timestamp is not required. You can supply various full and partial date and time combinations.

  • Full date: YYYY-MM-DD
  • Partial date: YYYY-MM, YYYY
  • Full date with partial time: YYYY-MM-DDThh, YYYY-MM-DDThh:mm, YYYY-MM-DDThh:mm:ss
  • Partial date with full time: YYYY-MMThh:mm:ss.sZ, YYYYThh:mm:ss.sZ
  • Partial date with partial time: YYYY-MMThh, YYYY-MMThh:mm, YYYY-MMThh:mm:ss, YYYYThh, YYYYThh:mm, YYYYThh:mm:ss

NOTE: PSFalcon will automatically convert last <int> days and last <int> hours to a compatible UTC timestamp.

Timestamps are expected when working with properties that display timestamps in result output. Timestamps will often require comparison operators to match results.
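As an added example (not from the PSFalcon wiki or the PSFalcon module itself), the following PowerShell builds an FQL statement from PowerShell values using the rules in the sections above: AND-joined properties, a bracketed multi-value list, quoted strings, a UTC timestamp and the 20-property limit. New-FqlFilter and ConvertTo-FqlValue are hypothetical helper names; platform_name is assumed to be a valid hosts-API property, while Get-FalconHost and Request-FalconToken are PSFalcon commands.

```powershell
function ConvertTo-FqlValue ([object]$Value) {
    # Render one PowerShell value in FQL syntax: null/true/false and integers are bare,
    # timestamps are ISO 8601 in UTC, everything else becomes a quoted string.
    if ($null -eq $Value) { return 'null' }
    if ($Value -is [bool]) { return $Value.ToString().ToLower() }
    if ($Value -is [int] -or $Value -is [long]) { return "$Value" }
    if ($Value -is [datetime]) {
        # FQL timestamps are always UTC ("Z"), so convert local times before formatting
        return "'$($Value.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ'))'"
    }
    if ($Value -is [array]) {
        # Multiple values for one property: bracketed list, each string value quoted
        return '[' + (($Value | ForEach-Object { ConvertTo-FqlValue $_ }) -join ',') + ']'
    }
    return "'$Value'"
}

function New-FqlFilter {
    param(
        # Ordered property => value pairs; the statement follows insertion order
        [Parameter(Mandatory)][System.Collections.Specialized.OrderedDictionary]$Property,
        # Optional comparison operator per property, e.g. @{ last_seen = '>'; hostname = '!' }
        [hashtable]$Operator = @{}
    )
    # FQL allows at most 20 properties per statement; fail locally instead of at the API
    if ($Property.Count -gt 20) {
        throw "FQL statement has $($Property.Count) properties; the limit is 20"
    }
    $Clause = foreach ($Key in $Property.Keys) {
        $Op = if ($Operator.ContainsKey($Key)) { $Operator[$Key] } else { '' }
        '{0}:{1}{2}' -f $Key, $Op, (ConvertTo-FqlValue $Property[$Key])
    }
    # '+' joins properties with AND; use ',' instead for OR
    $Clause -join '+'
}

# Hosts seen in the last 7 days on Windows or Linux, excluding one hostname.
# platform_name is an assumed hosts-API property; last_seen and hostname appear in the wiki.
$Filter = New-FqlFilter -Property ([ordered]@{
    last_seen     = (Get-Date).AddDays(-7)
    platform_name = @('Windows', 'Linux')
    hostname      = 'EXAMPLE-PC'
}) -Operator @{ last_seen = '>'; hostname = '!' }
$Filter   # inspect the statement before sending it
# Requires an active token from Request-FalconToken
Get-FalconHost -Filter $Filter -Detailed
```

Because available properties and their case-sensitivity vary between APIs, check the generated statement against the API documentation for the command you are calling before relying on it.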
