Get detections sort date

[brucelourenco]

Hello everyone!

I just started to work with this library and I'm loving it. It helps me a lot. Congrats for the best effort of all contributors!

I've just tried to make some tests of data gathering of detections sorting by date but it is returning http 400 error and I don't understand what I'm doing wrong.

Could anyone give me some help?

Follow the example:

from falconpy import Detects

falcon = Detects(client_id="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
client_secret="yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
)

date_range = {
"from": "2022-02-23",
"to": "2022-03-01"
}

response = falcon.get_aggregate_detects(date_ranges=[date_range])
print(response)

RESULT

python3.9 /home/bruce/PROJECTS/FALCON/get_aggregates.py
{'status_code': 400, 'headers': {'Content-Encoding': 'gzip', 'Content-Length': '176', 'Content-Type': 'application/json', 'Date':
'Wed, 02 Mar 2022 17:13:19 GMT', 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains, max-age=15724800; includeSubDomains',
'X-Cs-Region': 'us-1', 'X-Cs-Traceid': 'ef0ec0bf-f165-4ac9-95dd-602d95af1173', 'X-Ratelimit-Limit': '6000', 'X-Ratelimit-Remaining': '5997'},
'body': {'meta': {'query_time': 0.02749901, 'powered_by': 'msa-api', 'trace_id': 'ef0ec0bf-f165-4ac9-95dd-602d95af1173'}, 'resources': [],
'errors': [{'code': 400, 'message': 'Failed to validate resource'}]}}

[jshcodes]

Hi @brucelourenco!

Are you sure you need the aggregate data? You can get a list of detection IDs sorted by date and then look up their details using the following:

from falconpy import Detects

falcon = Detects(client_id="ID HERE", client_secret="SECRET HERE")

response = falcon.query_detects(sort="last_behavior|desc")
if response["status_code"] == 200:
    if response["body"]["resources"]:
        results = falcon.get_detect_summaries(ids=response["body"]["resources"])
        print(results)
else:
    print("Unable to retrieve detections list.")

More examples of using the Detects service collection can be found here: https://github.com/CrowdStrike/falconpy/tree/main/samples/detects

[brucelourenco]

Thanks for the answer @jshcodes !
I think I wasn't clear enough.
My idea was get data from/to. Like between two distinct periods of time.
Seeing your example, in this case I will get data since "last_behavior" until the "first_behavior" right?
PS: Of course if it is the case I can export to a csv file and make the filters after, but is possible do it using the library directly?
Thanks again

[jshcodes]

Correct, you should be able to do this using a filter to specify the first and last behavior.

from falconpy import Detects

falcon = Detects(client_id="ID HERE", client_secret="SECRET HERE")

response = falcon.query_detects(filter="last_behavior:<='2022-03-01'+first_behavior:>='2022-02-23'",
                                sort="last_behavior|desc"
                                )

[brucelourenco]

Nice!
It really solves my issue.
Thanks for the quick help @jshcodes !