CrowdStrike Falcon Filtering

Enterprise

runZero integrates with CrowdStrike by importing data through the CrowdStrike Falcon API. The integration merges existing assets with Falcon data when the MAC address or hostname matches, and creates new assets where there is no match. By default, the integration imports all Falcon hosts. runZero provides a filter option that allows you to scope the import to a subset of hosts based on the foreign attributes provided by CrowdStrike. The filter follows the Falcon Query Language (FQL) syntax.

Falcon Query Language

Falcon Query Language (FQL) follows the syntax <property>:[operator]<value>. Multiple expressions can be combined for more complex filtering by adding a + (AND) between expressions. An OR expression can be built from comma-separated expressions. See Sample Filters for examples.

Properties

The following are some useful CrowdStrike properties that can be used in an FQL expression to filter assets. Details on additional attributes that are available for filtering can be found in CrowdStrike's API documentation.

| CrowdStrike Property | runZero Attribute | Description | Example |
|---|---|---|---|
| external_ip | externalIP | The external IP address of the device | 18.191.169.203 |
| first_seen | firstSeen | A timestamp of when the device was first seen by CrowdStrike | 2022-01-08T19:42:34Z |
| hostname | hostname | The hostname of the device | EXPLORER-01 |
| last_seen | lastSeen | The timestamp of when the device was last seen by CrowdStrike | 2022-09-13T19:14:30Z |
| local_ip | localIP | The local IP address of the device | 192.168.1.100 |
| mac_address | macAddress | The MAC address of the interface communicating with CrowdStrike | 0a-6e-20-4a-e6-56 |
| os_version | osVersion | The operating system version of the device | Ubuntu 20.04 |
| platform_name | platformName | The platform running on the device | Linux |
| product_type_desc | productTypeDesc | The type of device | Server |

Operators

The following operators can be used in an FQL expression to filter assets.

| Operator | Description |
|---|---|
| ! | Not equal to |
| > | Greater than |
| >= | Greater than or equal to |
| < | Less than |
| <= | Less than or equal to |
| ~ | Text match. Tokenizes the string, ignoring spaces, case and punctuation |
| !~ | Does not text match. Tokenizes the string, ignoring spaces, case and punctuation |
| * | Wildcard matching. Matches one or more characters |

Sample Filters

The following are examples of filters that can be applied to the CrowdStrike sync.

| Search Filter | Description |
|---|---|
| hostname:'WIN10*' | Import all devices where the hostname starts with WIN10 |
| platform_name:'Linux' | Import all Linux devices |
| product_type_desc:'Server' | Import all devices that CrowdStrike identifies as a Server |
| hostname:'PROD*'+platform_name:'Linux' | Import all Linux devices with a hostname that starts with PROD |
| local_ip:'192.168.1.100' | Only import the device with a local IP address of 192.168.1.100 |
| local_ip:!'192.168.1.100' | Import all devices, excluding 192.168.1.100 |
| local_ip.raw:*'192.168.1.*' | Import all devices with a local IP address in the 192.168.1.0/24 range |
| (local_ip.raw:*'192.168.1.*'),(local_ip.raw:*'192.168.2.*') | Import all devices with a local IP address in the 192.168.1.0/24 or 192.168.2.0/24 range |
| local_ip.raw:!*'192.168.1.*' | Import all devices, excluding devices with a local IP address in the 192.168.1.0/24 range |
| local_ip.raw:!*'192.168.1.*'+local_ip.raw:!*'192.168.2.*' | Import all devices, excluding devices with a local IP in the 192.168.1.0/24 and 192.168.2.0/24 ranges |
| last_seen:>'now-24h' | Only import devices that have been seen in the last 24 hours |
| last_seen:!<'now-7d' | Exclude devices that have not been seen in the last 7 days |
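As an added example (not runZero or CrowdStrike code), the following Python evaluator implements the FQL subset described on this page (+ for AND, comma for OR, !, the comparison, ~ and * operators, and now-24h style relative times) and runs the sample filters above against constructed host records; the host data, the fixed "now" and the tokenized-match approximation are assumptions, and it is handy for sanity-checking how broadly a filter scopes an import before applying it to a sync.

```python
# Toy evaluator for the FQL subset documented above; values containing '+' or ',' are unsupported.
import fnmatch
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 9, 14, tzinfo=timezone.utc)  # constructed reference "now"
# Constructed sample hosts shaped like the Falcon properties in the table above.
HOSTS = [
    {"hostname": "WIN10-LAB-01", "platform_name": "Windows",
     "local_ip": "192.168.1.100", "last_seen": "2022-09-13T19:14:30Z"},
    {"hostname": "PROD-DB-01", "platform_name": "Linux",
     "local_ip": "192.168.2.10", "last_seen": "2022-09-01T08:00:00Z"},
    {"hostname": "EXPLORER-01", "platform_name": "Linux",
     "local_ip": "10.0.0.5", "last_seen": "2022-09-13T23:00:00Z"},
]

# <property>:[!][operator]'<value>', optionally wrapped in parentheses
TERM = re.compile(r"^\(?([\w.]+):(!?)(>=|<=|>|<|~|\*)?'([^']*)'\)?$")

def _time(value):
    """Resolve an ISO-8601 timestamp or a relative 'now-24h' / 'now-7d' form."""
    m = re.fullmatch(r"now-(\d+)([hd])", value)
    if m:
        n, unit = int(m.group(1)), m.group(2)
        return NOW - timedelta(hours=n if unit == "h" else 24 * n)
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _tokens(s):
    return set(re.findall(r"[a-z0-9]+", s.lower()))  # ignore spaces, case, punctuation

def match_term(term, host):
    m = TERM.match(term)
    if not m:
        raise ValueError(f"unsupported FQL term: {term}")
    prop, negate, op, value = m.groups()
    actual = host[prop.removesuffix(".raw")]
    if op in (">", ">=", "<", "<="):
        a, v = _time(actual), _time(value)
        ok = {">": a > v, ">=": a >= v, "<": a < v, "<=": a <= v}[op]
    elif op == "~":  # approximation of Falcon's tokenized text match (assumption)
        ok = _tokens(value) <= _tokens(actual)
    else:  # equality; '*' (as operator or inside the value) is a wildcard
        ok = fnmatch.fnmatchcase(actual, value) if "*" in value else actual == value
    return ok != bool(negate)  # a leading '!' inverts the term

def filter_hosts(expression, hosts=HOSTS):
    """',' separates OR alternatives; '+' joins AND terms inside an alternative."""
    return [h["hostname"] for h in hosts
            if any(all(match_term(t, h) for t in alt.split("+"))
                   for alt in expression.split(","))]
```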