Skip to content

Filtering Results

Jump to bottom
bk-cs edited this page Dec 20, 2024 · 7 revisions

CrowdStrike Falcon

Falcon Query Language

Many PSFalcon commands support the use of Falcon Query Language ("FQL") statements using the Filter parameter. When using Filter, it is important to keep in mind:

  • Available FQL filters and their syntax will vary between APIs and are not determined by PSFalcon
  • Each FQL filter and value may be case-sensitive (exact case, lowercase only, etc.)
  • Each FQL filter statement can contain a maximum of 20 properties

Values in an FQL statement tend to either be restricted to $true, $false, null, an integer, or a string (description, date or time, etc).

Comparison operators

Comparison operators can be combined, depending on context.

  • =: Equal to
  • <: Occurred before following value
  • >: Occurred after following value
  • !: Does not include following value
  • *: Include following value as partial match
-Filter "last_seen:>'YYYY-MM-DD'"
-Filter "created_timestamp:=<'YYYY-MM-DD'"
-Filter "hostname:!'EXAMPLE-PC'"
-Filter "name:*'*partial*'"
-Filter "assigned_to_uid:null"

Multiple filters

Multiple filters can be combined with + (AND) or , (OR). URL encoding is performed by PSFalcon automatically when required.

-Filter "expiration_on:>'2021-11-02'+last_execution.status:'DONE'"

Multiple values

Multiple values for a single property must be enclosed within square brackets, with each [string] value being enclosed in quotes.

-Filter "name:['My','Example']"

Timestamps

Timestamp filters use ISO 8601 format (YYYY-MM-DDTHH:mm:ss.sssZ). The timezone is always UTC (as denoted by "Z").

When entering a timestamp value, the full timestamp is not required. You can supply various full and partial date and time combinations.

  • Full date: YYYY-MM-DD
  • Partial date: YYYY-MM, YYYY
  • Full date with partial time: YYYY-MM-DDThh, YYYY-MM-DDThh:mm, YYYY-MM-DDThh:mm:ss
  • Partial date with full time: YYYY-MMthh:mm:ss.sZ, YYYYThh:mm:ss.sZ
  • Partial date with partial time: YYYY-MM-Thh, YYYY-MM-Thh:mm, YYYY-MMThh:mm:ss, YYYYThh, YYYYThh:mm, YYYYThh:mm:ss

NOTE: PSFalcon will automatically convert last <int> days and last <int> hours to a compatible UTC timestamp.

Timestamps are expected when working with properties that display timestamps in result output. Timestamps will often require comparison operators to match results.

Clone this wiki locally