filters 'last_seen' and 'os_version' functionality for API not same as on URL

[hodgett]

For query_devices_by_filter_scroll the filter can't use wildcards in the os_version and can't use 'last_week' in the last_seen filter like can in the browser URL. When trying the error 500 is usually returned.

The following example returns all RHEL* hosts that were last seen over the last week (and it works);

https://falcon.crowdstrike.com/host-management/hosts?filter=os_version%3A%27RHEL%20*%27%2Blast_seen%3A%27Last%20week%27

I'm sure there are other filter capabilities that are also not working but I haven't tested them all. An I know I can manually calculate a date to create the last_week capability via the API but that doesn't reflect what can be done via the URL.

[crowdstrikedcs]

Hi @hodgett I did take a look and confirmed the same. The API and URL filters are notably different in a few areas and this is expected based on the usage of different API paths in some cases. We keep a list of supported filters and format for operations like this on our website. https://falconpy.io/Service-Collections/Hosts.html#querydevicesbyfilterscroll

[hodgett]

Hi @crowdstrikedcs ,
I did see that documentation however the limitation is a problem that I would hope someone would take onboard as needing attention. Because of the limitations in the number of results that can be returned and the CS documentation saying the workaround is to use filters then being able to use wildcards is kind of an important requirement. Is there any other way to return all the hosts with a variety of RHEL versions installed? CS support suggested using psfalcon because it can do it but our scripting host is linux+python.

[crowdstrikedcs]

Try out this filter and let me know:

os_version:*'RHEL *'

The FQL Docs Note:

You need to indicate that a search is a wildcard search instead of the default "is equal to" by adding the operator asterisk (*) to the beginning of the search string.

[hodgett]

Yes, I tried that. The wildcard operator is not accepted by os_version.

[crowdstrikedcs]

Could you please provide a code snippet that is currently failing for you? I am able to use this filter with the below:

from falconpy import Hosts
falcon = Hosts()

response = falcon.query_devices_by_filter_scroll(
                                                 filter="os_version:*'RHEL *'"
                                                 )

[hodgett]

Hmm, something has changed, and something still isn't right. I need to do some more analysis. I spent a whole day on this last week and wildcards, even as you described, wasn't working at all. This week it's sort of working. Using Windows* returns the correct results but RHEL is returning 50% more results. I'm going to have to unpick that data to see what the anomaly is so leave it with me for now. Thanks @crowdstrikedcs for your attention so far.
For reference the current code is;

def get_cs_query_results(max_rows: int): 
    last7Day = date.today().replace(day=1) - timedelta(days=7)
    last_seen = last7Day.strftime("%Y-%m-%dT00:00:00Z")
    total = 1 
    counter = 0 
    returning = [] 
    offset_value = "" 
    while counter < total: 
        result = falcon.query_devices_by_filter_scroll(
            sort="hostname|asc",
            limit=max_rows,
            offset=offset_value,
            filter=f"last_seen:>='{last_seen}'+os_version:*'RHEL *'"
        )["body"]
        counter += max_rows 
        offset_value = result["meta"]["pagination"]["offset"] 
        total = result["meta"]["pagination"]["total"] 
        id_list = result["resources"] 
        returning.extend(id_list) 
    return returning