Not able to search for CrowStrike Detections by hostname or aid

Using the CrowdStrike Plug-In rapid7/crowdstrike_falcon:1.4.4 I can get Detections, but if I try to add a filter nothing comes back. I tried using these filters and nothing came back when I know that there were detections:

  • host:’{{[Trigger].[hostname]}}’
  • hostname:’{{[Trigger].[hostname]}}’
  • device_id:’{{[“CrowdStrike Host”].[resources].[0].[device_id]}}’

Has any anyone got a filter that works?

For anyone that stumbles across this, their documentation doesn’t mention this and their filters are inconsistent.
for Host search this works:

  • hostname:’{{[Trigger].[hostname]}}’
  • device_id:’{{[“CrowdStrike Host”].[resources].[0].[device_id]}}’

For Detections you need this:

  • device.hostname:’{{[Trigger].[hostname]}}’
  • device.device_id:’{{[“CrowdStrike Host”].[resources].[0].[device_id]}}’

Hopefully this saves someone else time and headache!

1 Like