Using the CrowdStrike Plug-In rapid7/crowdstrike_falcon:1.4.4 I can get Detections, but if I try to add a filter nothing comes back. I tried using these filters and nothing came back when I know that there were detections:
- host:'{{[Trigger].[hostname]}}'
- hostname:'{{[Trigger].[hostname]}}'
- device_id:'{{["CrowdStrike Host"].[resources].[0].[device_id]}}'
Has anyone got a filter that works?
For anyone that stumbles across this, their documentation doesn’t mention this and their filters are inconsistent.
For Host search this works:
- hostname:'{{[Trigger].[hostname]}}'
- device_id:'{{["CrowdStrike Host"].[resources].[0].[device_id]}}'
For Detections you need this:
- device.hostname:'{{[Trigger].[hostname]}}'
- device.device_id:'{{["CrowdStrike Host"].[resources].[0].[device_id]}}'
Hopefully this saves someone else time and headache!
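The field-name difference above is easy to get wrong when the filter string is assembled in a workflow, so here is an added example (not code from the post, nor from the rapid7/crowdstrike_falcon plugin) that builds the filter for either search type from the field names the answer reports as working. Two things in it are assumptions not stated on the page: that FQL joins several conditions with "+" (logical AND), and that a value interpolated from a trigger such as the hostname is untrusted and should be validated before it is placed inside the quotes, since a quote, "+" or "," in the value would change the meaning of the filter.

```python
"""Added example: build the FQL filter string for the CrowdStrike Falcon
plugin's Host search and Detections actions.

Not from the post or the plugin. Assumptions (not on the page):
  - FQL joins conditions with '+' (logical AND);
  - values taken from a trigger (hostname, device_id) are untrusted and are
    validated rather than escaped, because the page documents no FQL
    escaping rules.
"""

import re

# Field prefix per search type, as reported in the answer above:
# Host search uses hostname:'...' and device_id:'...';
# Detections nest the same fields under "device.".
FIELD_PREFIX = {
    "host": "",
    "detection": "device.",
}

ALLOWED_FIELDS = ("hostname", "device_id")

# Characters a hostname or a CrowdStrike device_id legitimately contains.
# Anything else (quotes, '+', ',', whitespace) could alter the filter.
VALUE_RE = re.compile(r"[A-Za-z0-9._-]{1,253}")


def is_safe_value(value: str) -> bool:
    """True if value can be placed inside FQL single quotes unchanged."""
    return VALUE_RE.fullmatch(value) is not None


def validate_value(value: str) -> str:
    """Return value if it is safe, otherwise refuse to build the filter."""
    if not is_safe_value(value):
        raise ValueError(f"refusing to build filter from value {value!r}")
    return value


def build_filter(search: str, **conditions: str) -> str:
    """Return an FQL filter for a Host search or a Detections search.

    build_filter("host", hostname="web-01")      -> "hostname:'web-01'"
    build_filter("detection", hostname="web-01") -> "device.hostname:'web-01'"
    """
    if search not in FIELD_PREFIX:
        raise ValueError(f"unknown search type {search!r}")
    if not conditions:
        raise ValueError("at least one condition is required")
    parts = []
    for field, value in conditions.items():
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unsupported field {field!r}")
        parts.append(f"{FIELD_PREFIX[search]}{field}:'{validate_value(value)}'")
    # Assumption: '+' is FQL's AND between conditions.
    return "+".join(parts)


if __name__ == "__main__":
    # Constructed sample values standing in for {{[Trigger].[hostname]}} and
    # {{["CrowdStrike Host"].[resources].[0].[device_id]}}.
    hostname = "web-01"
    device_id = "0123456789abcdef0123456789abcdef"
    print(build_filter("host", hostname=hostname))
    print(build_filter("detection", hostname=hostname, device_id=device_id))
    try:
        # A value carrying its own condition is rejected instead of injected.
        build_filter("detection", hostname="web-01'+device.device_id:'x")
    except ValueError as exc:
        print("rejected:", exc)
```

In a workflow the same idea applies even without a script: pick the prefix from the action you are calling (none for Host search, "device." for Detections) and do not pass a trigger value straight into the filter unless you know it only contains hostname characters.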