chore: fix e2e testing env var in Github action

.github/workflows/python-test-e2e.yml

@@ -2,6 +2,12 @@ name: Manual E2E Tests
 
 on:
   workflow_dispatch:
+    inputs:
+      models:
+        description: 'Models to test'
+        required: false
+        default: 'gpt-4.1-mini,gpt-4o-mini'
+        type: string
 
 jobs:
   test:
@@ -21,5 +27,20 @@ jobs:
         pip install -e ".[dev]"
 
     - name: Test with pytest
+      env:
+        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        MODELS_TO_TEST: ${{ inputs.models }}
       run: |
         pytest --run-e2e
+
+    - name: Generate HTML report
+      if: always()
+      run: |
+        python scripts/generate_e2e_report.py
+
+    - name: Upload HTML report artifact
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: e2e-test-report
+        path: ./static_test_report.html

src/modules/detections.py

@@ -50,7 +50,7 @@ def search_detections(
         """Search for detections in your CrowdStrike environment.
 
         Args:
-            filter: Filter detections using a query in Falcon Query Language (FQL) An asterisk wildcard * includes all results.
+            filter: Filter detections using a query in Falcon Query Language (FQL) An asterisk wildcard * includes all results. You must use FQL and never use JSON.
             limit: The maximum number of detections to return in this response (default: 100; max: 9999). Use with the offset parameter to manage pagination of results.
             offset: The first detection to return, where 0 is the latest detection. Use with the limit parameter to manage pagination of results.
             q: Search all detection metadata for the provided string.
@@ -69,89 +69,207 @@ def search_detections(
 
                 Examples: 'max_severity.desc', 'last_behavior.desc'
 
-        Available FQL Filters:
-            adversary_ids
-            assigned_to_name
-            cid
-            date_updated
-            detection_id
-            first_behavior
-            last_behavior
-            max_confidence
-            max_severity: Value can be any integer between 1-100
-            max_severity_displayname: informational, low, medium, high, critical
-            seconds_to_resolved
-            seconds_to_triaged
-            status
-            behaviors
-                alleged_filetype
-                behavior_id
-                cmdline
-                confidence
-                contral_graph_id
-                device_id
-                filename
-                ioc_source
-                ioc_type
-                ioc_value
-                md5
-                objective
-                parent_details.parent_cmdline
-                parent_details.parent_md5
-                parent_details.parent_process_graph_id
-                parent_details.parent_process_id
-                parent_details.parent_sha256
-                pattern_disposition
-                scenario
-                severity
-                sha256
-                tactic
-                technique
-                timestamp
-                triggering_process_graph_id
-                triggering_process_id
-                user_id
-                user_name
-            device
-                agent_load_flags
-                agent_local_time
-                agent_version
-                bios_manufacturer
-                bios_version
-                cid	machine_domain
-                config_id_base
-                config_id_build
-                config_id_platform
-                cpu_signature
-                device_id
-                external_ip
-                first_seen
-                hostname
-                last_seen
-                local_ip
-                mac_address
-                major_version
-                minor_version
-                modified_timestamp
-                os_version
-                ou
-                platform_id
-                platform_name
-                product_type
-                product_type_desc
-                reduced_functionality_mode
-                release_group
-                serial_number
-                site_name
-                status
-                system_manufacturer
-                system_product_name
-            hostinfo.domain
-            hostinfo.active_directory_dn_display
-            quarantined_files.id
-            quarantined_files.sha256
-            quarantined_files.paths
-            quarantined_files.state
+    🎯 FALCON QUERY LANGUAGE (FQL) COMPREHENSIVE GUIDE:
+
+    === BASIC SYNTAX ===
+    property_name:[operator]'value'
+
+    === AVAILABLE OPERATORS ===
+    • No operator = equals (default)
+    • ! = not equal to
+    • > = greater than  
+    • >= = greater than or equal
+    • < = less than
+    • <= = less than or equal  
+    • ~ = text match (ignores case, spaces, punctuation)
+    • !~ = does not text match
+    • * = wildcard matching (one or more characters)
+
+    === DATA TYPES & SYNTAX ===
+    • Strings: 'value' or ['exact_value'] for exact match
+    • Dates: 'YYYY-MM-DDTHH:MM:SSZ' (UTC format) 
+    • Booleans: true or false (no quotes)
+    • Numbers: 123 (no quotes)
+    • Wildcards: 'partial*' or '*partial' or '*partial*'
+    • IP addresses: Support wildcards like '192.168.*'
+
+    === COMBINING CONDITIONS ===
+    • + = AND condition
+    • , = OR condition  
+    • ( ) = Group expressions
+
+    🏷️ SEARCHABLE HOST PROPERTIES (Complete List):
+
+    === IDENTIFICATION ===
+    • device_id: Host unique identifier (AID)
+    • hostname: Machine hostname (supports wildcards)
+    • computer_name: Computer display name
+    • serial_number: Hardware serial number
+    • mac_address: Network MAC address
+
+    === SYSTEM INFORMATION ===  
+    • platform_name: OS platform (Windows, Mac, Linux)
+    • os_version: Operating system version
+    • major_version: OS major version number
+    • minor_version: OS minor version number
+    • system_manufacturer: Hardware manufacturer
+    • system_product_name: System model/product name
+    • bios_manufacturer: BIOS manufacturer
+    • bios_version: BIOS version
+    • cpu_signature: CPU type/signature
+
+    === NETWORK INFORMATION ===
+    • local_ip: Internal IP address (supports wildcards with local_ip.raw)
+    • external_ip: External/public IP address  
+    • machine_domain: Active Directory domain
+    • ou: Organizational Unit
+    • site_name: AD site name
+
+    === AGENT & CONFIGURATION ===
+    • agent_version: Falcon agent version
+    • agent_load_flags: Agent configuration flags
+    • config_id_base: Configuration base ID
+    • config_id_build: Configuration build ID  
+    • config_id_platform: Platform configuration ID
+    • platform_id: Platform identifier
+    • product_type_desc: Product type description
+    • release_group: Sensor deployment group
+
+    === STATUS & TIMESTAMPS ===
+    • status: Host status (normal, containment_pending, contained, lift_containment_pending)
+    • first_seen: First connection timestamp
+    • last_seen: Most recent connection timestamp  
+    • last_login_timestamp: User login timestamp
+    • modified_timestamp: Last record update timestamp
+    • max_severity: Value can be any integer between 1-100
+    • max_severity_displayname: informational, low, medium, high, critical
+
+    === SPECIALIZED PROPERTIES ===
+    • reduced_functionality_mode: RFM status (yes, no, blank for unknown)
+    • linux_sensor_mode: Linux mode (Kernel Mode, User Mode)
+    • deployment_type: Linux deployment (Standard, DaemonSet)
+    • tags: Falcon grouping tags
+
+    💡 PRACTICAL SEARCH EXAMPLES:
+
+    === BASIC SEARCHES ===
+    Find Windows servers:
+    platform_name:'Windows'
+
+    Find specific hostname:
+    hostname:'web-server-01'
+
+    Find hosts with hostname starting with 'web':
+    hostname:'web*'
+
+    === NETWORK-BASED SEARCHES ===
+    Find hosts in specific IP range:
+    local_ip.raw:*'192.168.1.*'
+
+    Find hosts by external IP:
+    external_ip:'203.0.113.45'
+
+    Find hosts in specific domain:
+    machine_domain:'contoso.com'
+
+    === TIME-BASED SEARCHES ===
+    Find hosts not seen in last 30 days:
+    last_seen:<'2024-01-01T00:00:00Z'
+
+    Find recently joined hosts (last 7 days):
+    first_seen:>'2024-01-15T00:00:00Z'
+
+    === STATUS & HEALTH SEARCHES ===
+    Find contained hosts:
+    status:'contained'
+
+    Find hosts in reduced functionality mode:
+    reduced_functionality_mode:'yes'
+
+    Find offline hosts (not seen in 24 hours):
+    last_seen:<'2024-01-20T00:00:00Z'
+
+    === SYSTEM SPECIFICATION SEARCHES ===
+    Find Linux hosts:
+    platform_name:'Linux'
+
+    Find VMware virtual machines:
+    system_manufacturer:'VMware, Inc.'
+
+    Find specific OS version:
+    os_version:'Windows Server 2019'
+
+    Find hosts with old agent versions:
+    agent_version:<'7.0.0'
+
+    === ADVANCED COMBINED SEARCHES ===
+    Find Windows servers in production domain not seen recently:
+    platform_name:'Windows'+machine_domain:'prod.company.com'+last_seen:<'2024-01-15T00:00:00Z'
+
+    Find either Linux hosts OR hosts with specific hostname pattern:
+    (platform_name:'Linux'),(hostname:'app-*')
+
+    Find critical infrastructure hosts (complex grouping):
+    (hostname:'dc-*'+platform_name:'Windows'),(hostname:'db-*'+status:'normal')
+
+    Find hosts by multiple criteria with exclusions:
+    platform_name:'Windows'+hostname:!'test-*'+status:!'contained'
+
+    Find hosts needing attention (old, offline, or contained):
+    (last_seen:<'2024-01-10T00:00:00Z'),(status:'contained'),(agent_version:<'6.0.0')
+
+    === COMPLIANCE & INVENTORY SEARCHES ===
+    Find untagged hosts:
+    tags:!*
+
+    Find hosts with specific tags:
+    tags:'production'
+
+    Find hosts by manufacturer for hardware inventory:
+    system_manufacturer:'Dell Inc.'
+
+    Find hosts by deployment group:
+    release_group:'production-sensors'
+
+    === SECURITY-FOCUSED SEARCHES ===
+    Find hosts with suspicious external IPs:
+    external_ip.raw:*'10.*'
+
+    Find hosts that haven't checked in (potential compromise):
+    last_seen:<'2024-01-18T00:00:00Z'+status:'normal'
+
+    Find hosts with modified configurations:
+    modified_timestamp:>'2024-01-15T00:00:00Z'
+
+    🚀 USAGE EXAMPLES:
+
+    # Find all Windows hosts sorted by hostname
+    search_hosts_advanced("platform_name:'Windows'", limit=50, sort="hostname.asc")
+
+    # Find hosts not seen in 30 days with full details  
+    search_hosts_advanced("last_seen:<'2024-01-01T00:00:00Z'", limit=25, include_details=True)
+
+    # Find Linux hosts in specific IP range
+    search_hosts_advanced("platform_name:'Linux'+local_ip.raw:*'10.0.*'", limit=100)
+
+    # Get basic inventory - just hostnames and IDs
+    search_hosts_advanced("", limit=1000, fields="hostname,device_id,platform_name")
+
+    # Find contained or pending containment hosts
+    search_hosts_advanced("(status:'contained'),(status:'containment_pending')", sort="modified_timestamp.desc")
+
+    # Complex search: Production Windows servers, healthy, recent
+    search_hosts_advanced("platform_name:'Windows'+hostname:'prod-*'+status:'normal'+last_seen:>'2024-01-15T00:00:00Z'")
+
+    ⚠️ IMPORTANT NOTES:
+    • Use single quotes around string values: 'value'
+    • Use square brackets for exact matches: ['exact_value']  
+    • Wildcard searches may be limited (one * per property in some cases)
+    • Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ'
+    • Maximum 20 properties per FQL statement
+    • Boolean values: true/false (no quotes)
+    • For IP wildcards, use local_ip.raw property
+    • Complex queries may take longer to execute
 
         Returns:
             List of detection details