CrowdStrike Falcon Filtering
runZero integrates with CrowdStrike by importing data through the CrowdStrike Falcon API. The integration will merge existing assets with Falcon data when the MAC address or hostname matches and create new assets where there is not a match. By default, the integration will import all Falcon hosts. runZero provides a filter option that allows you to scope the import to a subset of hosts based on foreign attributes provided by CrowdStrike. The filter follows the Falcon Query Lanugage (FQL) syntax.
Falcon Query Language
Falcon Query Language (FQL) follows the syntax <property>:[operator]<value>. Multiple expressions can be combined for more complex filtering by adding a + between expressions. An OR expression can also be leveraged with comma separated expressions. See Sample Filters for examples.
Properties
The following are some useful CrowdStrike properties that can be used in an FQL expression to filter assets. Details on additional attributes that are available for filtering can be found by reviewing CrowdStrike’s API documentation.
| CrowdStrike Property | runZero Attribute | Description | Example |
|---|---|---|---|
external_ip |
externalIP | The external IP address of the device | 18.191.169.203 |
first_seen |
firstSeen | A timestamp of when the device was first seen by CrowdStrike | 2022-01-08T19:42:34Z |
hostname |
hostname | The hostname of the device | EXPLORER-01 |
last_seen |
lastSeen | The timestamp of when the device was last seen by CrowdStrike | 2022-09-13T19:14:30Z |
local_ip |
localIP | The local IP address of the device | 192.168.1.100 |
mac_address |
macAddress | The mac address of the interface communication with CrowdStrike | 0a-6e-20-4a-e6-56 |
os_version |
osVersion | The operation system version of the device | Ubuntu 20.04 |
platform_name |
platformName | The platform running on the device | Linux |
product_type_desc |
productTypeDesc | The type of device | Server |
Operators
The following operators can be used in an FQL expression to filter assets.
| Operator | Description |
|---|---|
| ! | Not equal to |
| > | Greater than |
| >= | Greater than or equal to |
| < | Less than |
| <= | Less than or equal to |
| ~ | Text match. Tokenizes the string, ignoring spaces, case and punctuation |
| !~ | Does not text match. Tokenized the string, ignoring spaces, cases and punctuation |
| * | Wildcard matching. Matches one or more characters |
Sample Filters
The following are examples of filters that can be applied to the CrowdStrike sync.
| Search Filter | Description |
|---|---|
hostname:'WIN10*' |
Import all devices where the hostname starts with WIN10 |
platform_name:'Linux' |
Import all Linux devices |
platform_types_desc:'Server' |
Import all devices that CrowdStrike identifies as a Server |
hostname:'PROD*'+platform_name:'Linux' |
Import all Linux devices with a hostname that starts with PROD |
local_ip:'192.168.1.100' |
Only import the device with a local IP address of 192.168.1.100 |
local_ip:!'192.168.1.100' |
Import all devices, excluding 192.168.1.100 |
local_ip.raw:*'192.168.1.*' |
Import all devices with a local IP address in the 192.168.1.0/24 range |
(local_ip.raw:*'192.168.1.*'),(local_ip.raw:*'192.168.2.*') |
Import all devices with a local IP address in the 192.168.1.0/24 or 192.168.2.0/24 range |
local_ip.raw:!*'192.168.1.*' |
Import all devices, excluding devices with a local IP address in the 192.168.1.0/24 range |
local_ip.raw:!*'192.168.1.*'+local_ip.raw:!*'192.168.2.*' |
Import all devices, exluding devices with a local IP in the 192.168.1.0/24 and 192.168.2.0/24 ranges |
last_seen:>'now-24h' |
Only import devices that have been seen in the last 24 hours |
last_seen:!<'now-7d' |
Exclude devices that have not been seen in the last 7 days |