diff --git a/README.md b/README.md
index 3b8c5520..0bde6952 100644
--- a/README.md
+++ b/README.md
@@ -257,34 +257,41 @@ The server provides core tools for interacting with the Falcon API: Provides tools for accessing and analyzing CrowdStrike Falcon detections: -- `falcon_search_detections`: Query and return information about detections -- `falcon_get_detection_details`: Get information about specific detection composite IDs +- `falcon_search_detections`: Search for detections in your CrowdStrike environment +- `falcon_search_detections_fql_filter_guide`: Get comprehensive FQL documentation for the search_detections tool +- `falcon_get_detection_details`: Retrieve detailed information for specified detection IDs ### Incidents Module Provides tools for accessing and analyzing CrowdStrike Falcon incidents: -- `falcon_show_crowd_score`: Show CrowdScore in the environment -- `falcon_search_incidents`: Query for incidents -- `falcon_get_incident_details`: Get incidents by ID -- `falcon_search_behaviors`: Query for behaviors -- `falcon_get_behavior_details`: Get behaviors by ID +- `falcon_show_crowd_score`: Query environment wide CrowdScore and return the entity data +- `falcon_show_crowd_score_fql_filter_guide`: Get comprehensive FQL documentation for the show_crowd_score tool +- `falcon_search_incidents`: Search for incidents by providing a FQL filter, sorting, and paging details +- `falcon_search_incidents_fql_filter_guide`: Get comprehensive FQL documentation for the search_incidents tool +- `falcon_get_incident_details`: Retrieve detailed information for specified incident IDs +- `falcon_search_behaviors`: Search for behaviors by providing a FQL filter, sorting, and paging details +- `falcon_search_behaviors_fql_filter_guide`: Get comprehensive FQL documentation for the search_behaviors tool +- `falcon_get_behavior_details`: Retrieve detailed information for specified behavior IDs ### Intel Module Provides tools for accessing and analyzing CrowdStrike Intel: -- `falcon_search_actors`: Get info about actors -- `falcon_search_actors_fql_filter_guide`: Get FQL 
rules for falcon_search_actors tool filter param -- `falcon_search_indicators`: Get info about indicators -- `falcon_search_reports`: Get info about reports +- `falcon_search_actors`: Get info about actors that match provided FQL filters +- `falcon_search_actors_fql_filter_guide`: Get comprehensive FQL documentation for the search_actors tool +- `falcon_search_indicators`: Get info about indicators that match provided FQL filters +- `falcon_search_indicators_fql_filter_guide`: Get comprehensive FQL documentation for the search_indicators tool +- `falcon_search_reports`: Retrieve intelligence reports that match provided FQL filters +- `falcon_search_reports_fql_filter_guide`: Get comprehensive FQL documentation for the search_reports tool ### Hosts Module Provides tools for accessing and managing CrowdStrike Falcon hosts/devices: -- `falcon_search_hosts`: Query and return information about hosts -- `falcon_get_host_details`: Get information about specific host IDs +- `falcon_search_hosts`: Search for hosts in your CrowdStrike environment +- `falcon_search_hosts_fql_filter_guide`: Get comprehensive FQL documentation for the search_hosts tool +- `falcon_get_host_details`: Retrieve detailed information for specified host device IDs ## MCP Configuration diff --git a/src/modules/detections.py b/src/modules/detections.py index a3c9d470..b2c960f1 100644 --- a/src/modules/detections.py +++ b/src/modules/detections.py @@ -5,6 +5,7 @@ This module provides tools for accessing and analyzing CrowdStrike Falcon detections. """ from typing import Dict, List, Optional, Any +from textwrap import dedent from mcp.server import FastMCP from pydantic import Field @@ -12,6 +13,7 @@ from ..common.logging import get_logger from ..common.errors import handle_api_response from ..common.utils import prepare_api_parameters +from ..resources.detections import SEARCH_DETECTIONS_FQL_DOCUMENTATION from .base import BaseModule logger = get_logger(__name__) 
@@ -33,6 +35,12 @@ def register_tools(self, server: FastMCP) -> None: name="search_detections" ) + self._add_tool( + server, + self.search_detections_fql_filter_guide, + name="search_detections_fql_filter_guide" + ) + self._add_tool( server, self.get_detection_details, 
@@ -41,275 +49,40 @@ def register_tools(self, server: FastMCP) -> None: def search_detections( self, - filter: Optional[str] = Field(default=None, examples={"agent_id:'77d11725xxxxxxxxxxxxxxxxxxxxc48ca19'", "status:'new'"}), - limit: Optional[int] = Field(default=100, ge=1, le=9999), - offset: Optional[int] = Field(default=0, ge=0), - q: Optional[str] = Field(default=None), - sort: Optional[str] = Field(default=None, examples={"severity.desc", "timestamp.desc"}), - include_hidden: Optional[bool] = Field(default=True), - ) -> List[Dict[str, Any]]: - """Search for detections in your CrowdStrike environment. - - Args: - filter: Filter detections using a query in Falcon Query Language (FQL) An asterisk wildcard * includes all results. You must use FQL and never use JSON. - limit: The maximum number of detections to return in this response (default: 100; max: 9999). Use with the offset parameter to manage pagination of results. - offset: The first detection to return, where 0 is the latest detection. Use with the limit parameter to manage pagination of results. - q: Search all detection metadata for the provided string. - sort: Sort detections using these options: - timestamp: Timestamp when the alert occurred - created_timestamp: When the alert was created - updated_timestamp: When the alert was last modified - severity: Severity level of the alert (1-100, recommended when filtering by severity) - confidence: Confidence level of the alert (1-100) - agent_id: Agent ID associated with the alert + filter: Optional[str] = Field(default=None, description="FQL Syntax formatted string used to limit the results. IMPORTANT: use the `falcon_search_detections_fql_filter_guide` tool when building this filter parameter.", examples={"agent_id:'77d11725xxxxxxxxxxxxxxxxxxxxc48ca19'", "status:'new'"}), + limit: Optional[int] = Field(default=100, ge=1, le=9999, description="The maximum number of detections to return in this response (default: 100; max: 9999). 
Use with the offset parameter to manage pagination of results."), + offset: Optional[int] = Field(default=0, ge=0, description="The first detection to return, where 0 is the latest detection. Use with the limit parameter to manage pagination of results."), + q: Optional[str] = Field(default=None, description="Search all detection metadata for the provided string"), + sort: Optional[str] = Field( + default=None, + description=dedent(""" + Sort detections using these options: + + timestamp: Timestamp when the detection occurred + created_timestamp: When the detection was created + updated_timestamp: When the detection was last modified + severity: Severity level of the detection (1-100, recommended when filtering by severity) + confidence: Confidence level of the detection (1-100) + agent_id: Agent ID associated with the detection Sort either asc (ascending) or desc (descending). Both formats are supported: 'severity.desc' or 'severity|desc' - When searching for high severity alerts, use 'severity.desc' to get the highest severity alerts first. - For chronological ordering, use 'timestamp.desc' for most recent alerts first. + When searching for high severity detections, use 'severity.desc' to get the highest severity detections first. + For chronological ordering, use 'timestamp.desc' for most recent detections first. Examples: 'severity.desc', 'timestamp.desc' - include_hidden: Whether to include hidden detections (default: True). When True, shows all detections including previously hidden ones for comprehensive visibility. - - 🎯 FALCON QUERY LANGUAGE (FQL) COMPREHENSIVE GUIDE FOR DETECTIONS: - - === BASIC SYNTAX === - property_name:[operator]'value' - - === AVAILABLE OPERATORS === - • No operator = equals (default) - • ! 
= not equal to - • > = greater than - • >= = greater than or equal - • < = less than - • <= = less than or equal - • ~ = text match (ignores case, spaces, punctuation) - • !~ = does not text match - • * = wildcard matching (one or more characters) - - === DATA TYPES & SYNTAX === - • Strings: 'value' or ['exact_value'] for exact match - • Dates: 'YYYY-MM-DDTHH:MM:SSZ' (UTC format) - • Booleans: true or false (no quotes) - • Numbers: 123 (no quotes) - • Wildcards: 'partial*' or '*partial' or '*partial*' - - === COMBINING CONDITIONS === - • + = AND condition - • , = OR condition - • ( ) = Group expressions - - 🚨 DETECTION PROPERTIES (Complete List): - - === IDENTIFICATION & CORE === - • composite_id: Unique detection identifier - • aggregate_id: Related detection group identifier - • cid: Customer ID - • agent_id: Falcon agent identifier - • pattern_id: Detection pattern identifier - - === ASSIGNMENT & WORKFLOW === - • assigned_to_name: Person assigned to this detection - • assigned_to_uid: Assigned user identifier - • assigned_to_uuid: Assigned user UUID - • status: Detection status (new, in_progress, closed, reopened) - - === TIMESTAMPS === - • created_timestamp: When detection was created - • updated_timestamp: Last modification time - • timestamp: Detection occurrence timestamp - - === THREAT INTELLIGENCE === - • confidence: Confidence level (1-100) - • severity: Detection severity level - • tactic: MITRE ATT&CK tactic - • tactic_id: MITRE ATT&CK tactic ID - • technique: MITRE ATT&CK technique - • technique_id: MITRE ATT&CK technique ID - • objective: Attack objective description - - === DETECTION METADATA === - • name: Detection name/title - • display_name: Human-readable detection name - • description: Detection description - • type: Detection type classification - • scenario: Detection scenario - - === SYSTEM & PLATFORM === - • platform: Operating system platform - • show_in_ui: Whether detection appears in UI (true/false) - • data_domains: Data classification 
domains - - === PRODUCT FILTERING === - • product: Source Falcon product - - 'epp' (Endpoint Protection) - - 'idp' (Identity Protection) - - 'mobile' (Falcon for Mobile) - - 'xdr' (Falcon XDR) - - 'overwatch' (OverWatch) - - 'cwpp' (Cloud Workload Protection) - - 'ngsiem' (Next-Gen SIEM) - - 'thirdparty' (Third party data) - - 'data-protection' (Data Protection) - - === SOURCE INFORMATION === - • source_products: Products that generated this detection - • source_vendors: Vendor sources for the detection - - === TAGS & CLASSIFICATION === - • tags: Detection classification tags - - 💡 PRACTICAL DETECTION SEARCH EXAMPLES: - - === STATUS-BASED SEARCHES === - Find new detections: - status:'new' - - Find detections in progress: - status:'in_progress' - - Find closed detections: - status:'closed' - - Find reopened detections: - status:'reopened' - - === PRODUCT-SPECIFIC SEARCHES === - Find endpoint protection detections: - product:'epp' - - Find identity protection detections: - product:'idp' - - Find XDR detections: - product:'xdr' - - Find OverWatch detections: - product:'overwatch' - - === SEVERITY & CONFIDENCE SEARCHES === - Find high confidence detections: - confidence:>80 - - Find medium to high confidence: - confidence:>=50 - - 🔥 SEVERITY NUMERIC MAPPING (Critical for Proper Filtering): - Based on CrowdStrike Falcon API data: - • Critical: severity:>=90 (or severity:90 exactly) - • High: severity:>=70 (or severity:70 exactly) - • Medium: severity:>=50 (or severity:50 exactly) - • Low: severity:>=20 (covers range 20-40) - • Informational: severity:<=10 (covers range 2-5) - - Find critical severity detections only: - severity:>=90 - - Find high severity detections (includes critical): - severity:>=70 - - Find medium severity and above (includes high & critical): - severity:>=50 - - Find high severity detections only (excludes critical): - severity:70 - - Find informational detections: - severity:<=10 - - === ASSIGNMENT SEARCHES === - Find unassigned detections: - 
assigned_to_name:!* - - Find detections assigned to specific analyst: - assigned_to_name:'john.doe' - - === TIME-BASED SEARCHES === - Find recent detections (last 24 hours): - created_timestamp:>'2024-01-20T00:00:00Z' - - Find detections from specific date range: - created_timestamp:>='2024-01-15T00:00:00Z'+created_timestamp:<='2024-01-20T00:00:00Z' - - Find recently updated detections: - updated_timestamp:>'2024-01-19T00:00:00Z' - - === THREAT INTELLIGENCE SEARCHES === - Find detections with specific tactic: - tactic:'Persistence' - - Find detections with technique ID: - technique_id:'T1055' - - Find detections with specific objective: - objective:'*credential*' - - === ADVANCED COMBINED SEARCHES === - Find new high-confidence endpoint detections: - status:'new'+confidence:>75+product:'epp' - - Find assigned XDR detections that are in progress: - product:'xdr'+status:'in_progress'+assigned_to_name:* - - Find recent high-severity unassigned detections: - created_timestamp:>'2024-01-18T00:00:00Z'+assigned_to_name:!*+confidence:>80 - - Find OverWatch detections with persistence tactics: - product:'overwatch'+tactic:'Persistence' - - === BULK FILTERING SEARCHES === - Find detections from multiple products: - (product:'epp'),(product:'xdr'),(product:'idp') - - Find detections in various active states: - (status:'new'),(status:'in_progress') - - Find detections needing attention (new or reopened): - (status:'new'),(status:'reopened') - - === INVESTIGATION-FOCUSED SEARCHES === - Find detections with specific pattern: - pattern_id:'12345' - - Find related detections by aggregate: - aggregate_id:'agg-67890' - - Find detections with specific tags: - tags:'malware' - - Find detections that show in UI: - show_in_ui:true - - 🚀 USAGE EXAMPLES: - - # Find new endpoint protection detections sorted by severity - search_detections("status:'new'+product:'epp'", limit=50, sort="severity.desc") - - # Find high-confidence XDR detections from last week - 
search_detections("product:'xdr'+confidence:>80+created_timestamp:>'2024-01-15T00:00:00Z'", limit=25) - - # Find unassigned detections across all products - search_detections("assigned_to_name:!*", limit=100, sort="timestamp.desc") - - # Find OverWatch detections with specific tactics - search_detections("product:'overwatch'+tactic:'Initial Access'", limit=50) - - # Find detections that need immediate attention - search_detections("(status:'new'),(status:'reopened')+confidence:>75", sort="timestamp.desc") + """).strip(), + examples={"severity.desc", "timestamp.desc"} + ), + include_hidden: Optional[bool] = Field(default=True), + ) -> List[Dict[str, Any]]: + """Search for detections in your CrowdStrike environment. - ⚠️ IMPORTANT NOTES: - • Use single quotes around string values: 'value' - • Use square brackets for exact matches: ['exact_value'] - • Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ' - • Status values are: new, in_progress, closed, reopened - • Product filtering enables product-specific detection analysis - • Confidence values range from 1-100 - • Complex queries may take longer to execute - • include_hidden parameter shows previously hidden detections + IMPORTANT: You must use the tool `falcon_search_detections_fql_filter_guide` whenever you want to use the `filter` parameter. This tool contains the guide on how to build the FQL `filter` parameter for `falcon_search_detections` tool. Returns: - List of detection details + List of detections with details """ # Prepare parameters params = prepare_api_parameters({ 
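Review bot: `include_hidden` is the only parameter in the rewritten search_detections signature left without a `description`, while every other parameter in this hunk gained one and the same parameter on get_detection_details in this commit already carries the text. Since these descriptions are what the tool consumer sees, suggest `include_hidden: Optional[bool] = Field(default=True, description="Whether to include hidden detections (default: True). When True, shows all detections including previously hidden ones for comprehensive visibility."),`. The body of search_detections continues past the end of the hunk.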
@@ -360,19 +133,28 @@ def search_detections( return [] + def search_detections_fql_filter_guide(self) -> str: + """ + Returns the guide for the `filter` param of the `falcon_search_detections` tool. + + IMPORTANT: Before running `falcon_search_detections`, always call this tool to get information about how to build the FQL for the filter. + """ + return SEARCH_DETECTIONS_FQL_DOCUMENTATION + def get_detection_details( self, - ids: List[str] = Field(), - include_hidden: Optional[bool] = Field(default=True), + ids: List[str] = Field(default=None, description="Detection ID(s) to retrieve details for. Specify one or more detection IDs (max 1000 per request)."), + include_hidden: Optional[bool] = Field(default=True, description="Whether to include hidden detections (default: True). When True, shows all detections including previously hidden ones for comprehensive visibility."), ) -> List[Dict[str, Any]]|Dict[str, Any]: - """View information about detections. Gets detailed information about a specific detection. + """Retrieve detailed information for specified detection IDs. - Args: - ids: ID(s) of the detections to retrieve. View key attributes of detections, including the associated host, disposition, objective/tactic/technique, adversary, and more. Specify one or more detection IDs (max 1000 per request). Find detection IDs with the search_detections operation, the Falcon console, or the Streaming API. - include_hidden: Whether to include hidden detections (default: True). When True, shows all detections including previously hidden ones for comprehensive visibility. + This tool returns comprehensive detection details for one or more detection IDs. + Use this when you already have specific detection IDs and need their full details. + For searching/discovering detections, use the `falcon_search_detections` tool instead. 
Returns: - Detection details + List of detection details with comprehensive information including host data, + disposition, objective/tactic/technique, adversary information, and more """ logger.debug("Getting detection details for ID: %s", ids) diff --git a/src/modules/hosts.py b/src/modules/hosts.py index 372d88dc..45b4e26f 100644 --- a/src/modules/hosts.py +++ b/src/modules/hosts.py @@ -5,6 +5,7 @@ This module provides tools for accessing and managing CrowdStrike Falcon hosts/devices. """ from typing import Dict, List, Optional, Any +from textwrap import dedent from mcp.server import FastMCP from pydantic import Field @@ -12,6 +13,7 @@ from ..common.logging import get_logger from ..common.errors import handle_api_response from ..common.utils import prepare_api_parameters +from ..resources.hosts import SEARCH_HOSTS_FQL_DOCUMENTATION from .base import BaseModule logger = get_logger(__name__) @@ -33,6 +35,12 @@ def register_tools(self, server: FastMCP) -> None: name="search_hosts" ) + self._add_tool( + server, + self.search_hosts_fql_filter_guide, + name="search_hosts_fql_filter_guide" + ) + self._add_tool( server, self.get_host_details, 
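Review bot: `ids: List[str] = Field(default=None, ...)` in get_detection_details turns a previously required parameter into an optional one whose default contradicts both the `List[str]` annotation and the description, so a call that omits `ids` would reach the lookup below (outside the hunk) with `None`. The sibling get_host_details in this same commit keeps `ids` required with `Field(description=...)`; suggest the same here, `ids: List[str] = Field(description="Detection ID(s) to retrieve details for. Specify one or more detection IDs (max 1000 per request)."),`. If the project is on pydantic v2, `max_length=1000` on that Field would also enforce the documented per-request limit instead of leaving it to the caller. The body of get_detection_details continues outside the hunk.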
@@ -41,18 +49,14 @@ def register_tools(self, server: FastMCP) -> None: def search_hosts( self, - filter: Optional[str] = Field(default=None, examples={"platform_name:'Windows'", "hostname:'PC*'"}), - limit: Optional[int] = Field(default=100, ge=1, le=5000), - offset: Optional[int] = Field(default=0, ge=0), - sort: Optional[str] = Field(default=None, examples={"hostname.asc", "last_seen.desc"}), - ) -> List[Dict[str, Any]]: - """Search for hosts in your CrowdStrike environment. + filter: Optional[str] = Field(default=None, description="FQL Syntax formatted string used to limit the results. IMPORTANT: use the `falcon_search_hosts_fql_filter_guide` tool when building this filter parameter.", examples={"platform_name:'Windows'", "hostname:'PC*'"}), + limit: Optional[int] = Field(default=100, ge=1, le=5000, description="The maximum records to return. [1-5000]"), + offset: Optional[int] = Field(default=0, ge=0, description="The offset to start retrieving records from."), + sort: Optional[str] = Field( + default=None, + description=dedent(""" + Sort hosts using these options: - Args: - filter: Filter hosts using a query in Falcon Query Language (FQL). An asterisk wildcard * includes all results. You must use FQL and never use JSON. - limit: The maximum number of hosts to return in this response (default: 100; max: 5000). Use with the offset parameter to manage pagination of results. - offset: The first host to return, where 0 is the latest host. Use with the limit parameter to manage pagination of results. - sort: Sort hosts using these options: hostname: Host name/computer name last_seen: Timestamp when the host was last seen first_seen: Timestamp when the host was first seen 
@@ -66,263 +70,13 @@ def search_hosts( Both formats are supported: 'hostname.desc' or 'hostname|desc' Examples: 'hostname.asc', 'last_seen.desc', 'platform_name.asc' + """).strip(), + examples={"hostname.asc", "last_seen.desc"} + ), + ) -> List[Dict[str, Any]]: + """Search for hosts in your CrowdStrike environment. - 🎯 FALCON QUERY LANGUAGE (FQL) COMPREHENSIVE GUIDE FOR HOSTS: - - === BASIC SYNTAX === - property_name:[operator]'value' - - === AVAILABLE OPERATORS === - • No operator = equals (default) - • ! = not equal to - • > = greater than - • >= = greater than or equal - • < = less than - • <= = less than or equal - • ~ = text match (ignores case, spaces, punctuation) - • !~ = does not text match - • * = wildcard matching (one or more characters) - - === DATA TYPES & SYNTAX === - • Strings: 'value' or ['exact_value'] for exact match - • Dates: 'YYYY-MM-DDTHH:MM:SSZ' (UTC format) - • Booleans: true or false (no quotes) - • Numbers: 123 (no quotes) - • Wildcards: 'partial*' or '*partial' or '*partial*' - - === COMBINING CONDITIONS === - • + = AND condition - • , = OR condition - • ( ) = Group expressions - - 🖥️ HOST PROPERTIES (Complete List): - - === IDENTIFICATION & CORE === - • device_id: Unique device identifier - • hostname: Host name/computer name (supports wildcards) - • cid: Customer ID - • agent_version: CrowdStrike agent version - • serial_number: Device serial number - - === PLATFORM & SYSTEM === - • platform_name: Operating system platform - Available Options: - - 'Windows' - - 'Mac' - - 'Linux' - • platform_id: Numeric platform identifier - • os_version: Operating system version - • major_version: Major OS version number - • minor_version: Minor OS version number - • kernel_version: Linux kernel version - • product_type_desc: System type - Available Options: - - 'Workstation' - - 'Server' - - 'Domain Controller' - - === NETWORK INFORMATION === - • external_ip: External IP address as seen by CrowdStrike - • local_ip: Local/internal IP address - • 
local_ip.raw: IP address with wildcard support (use *'192.168.1.*') - • connection_ip: Current connection IP - • default_gateway_ip: Default gateway IP - • mac_address: MAC address - • connection_mac_address: Connection MAC address - - === STATUS & CONTAINMENT === - • status: Host containment status - Available Options: - - 'normal' (normal operations) - - 'containment_pending' (containment in progress) - - 'contained' (host contained) - - 'lift_containment_pending' (lifting containment) - • filesystem_containment_status: File system containment status - • reduced_functionality_mode: RFM status ('yes', 'no', or blank) - • rtr_state: Real Time Response state - - === TIMESTAMPS === - • first_seen: When host first connected to Falcon - • last_seen: Most recent connection to Falcon - • modified_timestamp: Last host record update - • agent_local_time: Agent's local timestamp - - === HARDWARE & BIOS === - • bios_manufacturer: BIOS manufacturer name - • bios_version: BIOS version - • system_manufacturer: System manufacturer - • system_product_name: System product name - • cpu_signature: CPU signature - • cpu_vendor: CPU vendor code - • chassis_type: Chassis type code - • chassis_type_desc: Chassis type description - - === DOMAIN & GROUPS === - • machine_domain: Active Directory domain - • ou: Organizational unit - • groups: Host groups - • tags: Falcon grouping tags - - === CLOUD & VIRTUALIZATION === - • service_provider: Cloud provider ('AZURE', 'AWS', 'GCP', etc.) 
- • service_provider_account_id: Cloud account ID - • instance_id: Cloud instance ID - • k8s_cluster_id: Kubernetes cluster ID - • deployment_type: Deployment type ('Standard', 'DaemonSet') - • linux_sensor_mode: Linux sensor mode ('Kernel Mode', 'User Mode') - - === CONFIGURATION === - • config_id_base: Agent configuration base ID - • config_id_build: Agent configuration build ID - • config_id_platform: Agent configuration platform ID - • agent_load_flags: Agent load flags - - 💡 PRACTICAL HOST SEARCH EXAMPLES: - - === PLATFORM-BASED SEARCHES === - Find Windows hosts: - platform_name:'Windows' - - Find Linux servers: - platform_name:'Linux'+product_type_desc:'Server' - - Find Mac workstations: - platform_name:'Mac'+product_type_desc:'Workstation' - - === HOSTNAME SEARCHES === - Find hosts with specific hostname pattern: - hostname:'PC*' - - Find hosts containing specific text: - hostname:'*server*' - - Find specific host: - hostname:'DESKTOP-ABC123' - - === STATUS-BASED SEARCHES === - Find normal/healthy hosts: - status:'normal' - - Find contained hosts: - status:'contained' - - Find hosts with reduced functionality: - reduced_functionality_mode:'yes' - - === NETWORK-BASED SEARCHES === - Find hosts by IP range: - local_ip.raw:*'192.168.1.*' - - Find hosts by external IP: - external_ip:'203.0.113.10' - - Find hosts by MAC address pattern: - mac_address:'00:50:56:*' - - === TIME-BASED SEARCHES === - Find recently seen hosts (last 24 hours): - last_seen:>'2024-01-20T00:00:00Z' - - Find hosts first seen in date range: - first_seen:>='2024-01-15T00:00:00Z'+first_seen:<='2024-01-20T00:00:00Z' - - Find hosts not seen recently (offline): - last_seen:<'2024-01-15T00:00:00Z' - - === AGENT & VERSION SEARCHES === - Find hosts with specific agent version: - agent_version:'7.26.*' - - Find hosts with older agents: - agent_version:<'7.20.0' - - Find hosts with specific OS version: - os_version:'*Windows 10*' - - === CLOUD & INFRASTRUCTURE SEARCHES === - Find Azure hosts: - 
service_provider:'AZURE' - - Find AWS hosts: - service_provider:'AWS' - - Find Kubernetes hosts: - deployment_type:'DaemonSet' - - Find Docker/container hosts: - k8s_cluster_id:* - - === HARDWARE-BASED SEARCHES === - Find VMware virtual machines: - system_manufacturer:'VMware*' - - Find Microsoft virtual machines: - system_manufacturer:'Microsoft Corporation' - - Find specific BIOS manufacturer: - bios_manufacturer:'American Megatrends*' - - === ADVANCED COMBINED SEARCHES === - Find Windows servers that are online: - platform_name:'Windows'+product_type_desc:'Server'+status:'normal' - - Find Linux hosts in specific domain: - platform_name:'Linux'+machine_domain:'company.local' - - Find contained Windows workstations: - platform_name:'Windows'+product_type_desc:'Workstation'+status:'contained' - - Find Azure Linux servers seen recently: - service_provider:'AZURE'+platform_name:'Linux'+product_type_desc:'Server'+last_seen:>'2024-01-18T00:00:00Z' - - Find hosts with specific tags: - tags:'*production*' - - === BULK FILTERING SEARCHES === - Find multiple platform types: - (platform_name:'Windows'),(platform_name:'Linux') - - Find various system types: - (product_type_desc:'Server'),(product_type_desc:'Workstation') - - Find hosts in multiple subnets: - (local_ip.raw:*'192.168.1.*'),(local_ip.raw:*'10.0.1.*') - - === TROUBLESHOOTING SEARCHES === - Find hosts with issues: - (status:'containment_pending'),(status:'contained'),(reduced_functionality_mode:'yes') - - Find offline hosts: - last_seen:<'2024-01-15T00:00:00Z' - - Find hosts needing attention: - (rtr_state:!'')+status:'normal' - - 🚀 USAGE EXAMPLES: - - # Find Windows workstations sorted by hostname - falcon_search_hosts(filter="platform_name:'Windows'+product_type_desc:'Workstation'", limit=50, sort="hostname.asc") - - # Find recently seen Linux servers - falcon_search_hosts(filter="platform_name:'Linux'+product_type_desc:'Server'+last_seen:>'2024-01-15T00:00:00Z'", limit=25) - - # Find hosts by hostname pattern 
- falcon_search_hosts(filter="hostname:'SERVER*'", limit=100, sort="last_seen.desc") - - # Find Azure virtual machines - falcon_search_hosts(filter="service_provider:'AZURE'+system_manufacturer:'Microsoft Corporation'", limit=50) - - # Find contained hosts needing attention - falcon_search_hosts(filter="status:'contained'", sort="modified_timestamp.desc") - - ⚠️ IMPORTANT NOTES: - • Use single quotes around string values: 'value' - • Use square brackets for exact matches: ['exact_value'] - • Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ' - • Hostname supports wildcards: 'PC*', '*server*' - • IP wildcards require local_ip.raw with specific syntax - • Complex queries may take longer to execute - • Status values: normal, containment_pending, contained, lift_containment_pending + IMPORTANT: You must use the tool `falcon_search_hosts_fql_filter_guide` whenever you want to use the `filter` parameter. This tool contains the guide on how to build the FQL `filter` parameter for `search_hosts` tool. Returns: List of host details 
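Review bot: The new search_hosts docstring names the tool as `search_hosts` (`...the FQL \`filter\` parameter for \`search_hosts\` tool`) while the guide it points to is given by its registered name `falcon_search_hosts_fql_filter_guide`, and the README and the guide's own docstring call the search tool `falcon_search_hosts`; mixed naming can send a consumer looking for a tool that is not exposed under that name. Suggest `This tool contains the guide on how to build the FQL \`filter\` parameter for \`falcon_search_hosts\` tool.`. The same mismatch appears in the show_crowd_score docstring (`show_crowd_score` tool) and the search_incidents docstring (`search_incidents` tool) in incidents.py, whereas detections.py already uses the prefixed form. The body of search_hosts continues past the end of the hunk.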
@@ -374,17 +128,27 @@ def search_hosts( return [] + def search_hosts_fql_filter_guide(self) -> str: + """ + Returns the guide for the `filter` param of the `falcon_search_hosts` tool. + + IMPORTANT: Before running `falcon_search_hosts`, always call this tool to get information about how to build the FQL for the filter. + """ + return SEARCH_HOSTS_FQL_DOCUMENTATION + def get_host_details( self, - ids: List[str] = Field(description="Host device IDs to retrieve details for"), + ids: List[str] = Field(description="Host device IDs to retrieve details for. You can get device IDs from the search_hosts operation, the Falcon console, or the Streaming API. Maximum: 5000 IDs per request."), ) -> List[Dict[str, Any]]|Dict[str, Any]: - """Get detailed information about specific hosts by their device IDs. + """Retrieve detailed information for specified host device IDs. - Args: - ids: List of host device IDs to retrieve details for. You can get device IDs from the search_hosts operation, the Falcon console, or the Streaming API. Maximum: 5000 IDs per request. + This tool returns comprehensive host details for one or more device IDs. + Use this when you already have specific device IDs and need their full details. + For searching/discovering hosts, use the `falcon_search_hosts` tool instead. Returns: - Host details for the specified device IDs + List of host details with comprehensive information including system specs, + agent information, network details, and security status """ logger.debug("Getting host details for IDs: %s", ids) diff --git a/src/modules/incidents.py b/src/modules/incidents.py index 83900896..43a44ba3 100644 --- a/src/modules/incidents.py +++ b/src/modules/incidents.py @@ -11,6 +11,11 @@ from ..common.errors import handle_api_response from ..common.utils import prepare_api_parameters +from ..resources.incidents import ( + CROWD_SCORE_FQL_DOCUMENTATION, + SEARCH_INCIDENTS_FQL_DOCUMENTATION, + SEARCH_BEHAVIORS_FQL_DOCUMENTATION +) from .base import BaseModule 
@@ -30,12 +35,24 @@ def register_tools(self, server: FastMCP) -> None: name="show_crowd_score" ) + self._add_tool( + server, + self.show_crowd_score_fql_filter_guide, + name="show_crowd_score_fql_filter_guide" + ) + self._add_tool( server, self.search_incidents, name="search_incidents" ) + self._add_tool( + server, + self.search_incidents_fql_filter_guide, + name="search_incidents_fql_filter_guide" + ) + self._add_tool( server, self.get_incident_details, @@ -48,6 +65,12 @@ def register_tools(self, server: FastMCP) -> None: name="search_behaviors" ) + self._add_tool( + server, + self.search_behaviors_fql_filter_guide, + name="search_behaviors_fql_filter_guide" + ) + self._add_tool( server, self.get_behavior_details, 
@@ -56,18 +79,14 @@ def register_tools(self, server: FastMCP) -> None: def show_crowd_score( self, - filter: Optional[str] = Field(default=None, description="FQL Syntax formatted string used to limit the results."), + filter: Optional[str] = Field(default=None, description="FQL Syntax formatted string used to limit the results. IMPORTANT: use the `falcon_show_crowd_score_fql_filter_guide` tool when building this filter parameter."), limit: Optional[int] = Field(default=100, ge=1, le=2500, description="Maximum number of records to return. (Max: 2500)"), offset: Optional[int] = Field(default=0, ge=0, description="Starting index of overall result set from which to return ids."), sort: Optional[str] = Field(default=None, description="TThe property to sort by. (Ex: modified_timestamp.desc)", examples={"modified_timestamp.desc"}), ) -> Dict[str, Any]: """Query environment wide CrowdScore and return the entity data. - Args: - filter: FQL Syntax formatted string used to limit the results. - limit: Maximum number of records to return. (Max: 2500) - offset: Starting index of overall result set from which to return ids. - sort: The property to sort by. (Ex: modified_timestamp.desc) + IMPORTANT: You must use the tool `falcon_show_crowd_score_fql_filter_guide` whenever you want to use the `filter` parameter. This tool contains the guide on how to build the FQL `filter` parameter for `show_crowd_score` tool. Returns: Tool returns the CrowdScore entity data. 
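Review bot: The `sort` description on the context line directly below the changed `filter` line still reads `TThe property to sort by`, and this hunk, which rewrites the neighbouring parameter text, is the natural place to fix it: `description="The property to sort by. (Ex: modified_timestamp.desc)"`. The body of show_crowd_score continues outside the hunk.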
@@ -122,38 +141,24 @@ def show_crowd_score(
 return result
+ def show_crowd_score_fql_filter_guide(self) -> str:
+ """
+ Returns the guide for the `filter` param of the `falcon_show_crowd_score` tool.
+
+ IMPORTANT: Before running `falcon_show_crowd_score`, always call this tool to get information about how to build the FQL for the filter.
+ """
+ return CROWD_SCORE_FQL_DOCUMENTATION
+
 def search_incidents(
 self,
- filter: Optional[str] = Field(default=None, description="FQL Syntax formatted string used to limit the results. Review the following table for a complete list of available filters."),
+ filter: Optional[str] = Field(default=None, description="FQL Syntax formatted string used to limit the results. IMPORTANT: use the `falcon_search_incidents_fql_filter_guide` tool when building this filter parameter."),
 limit: int = Field(default=100, ge=1, le=500, description="Maximum number of records to return. (Max: 500)"),
 offset: int = Field(default=0, ge=0, description="Starting index of overall result set from which to return ids."),
 sort: Optional[str] = Field(default=None, description="The property to sort by. FQL syntax. Ex: state.asc, name.desc"),
 ) -> List[Dict[str, Any]]:
 """Search for incidents by providing a FQL filter, sorting, and paging details.
- Args:
- filter: FQL Syntax formatted string used to limit the results. Review the following table for a complete list of available filters.
- limit: Maximum number of records to return. (Max: 500)
- offset: Starting index of overall result set from which to return ids.
- sort: The property to sort by. (Ex: modified_timestamp.desc)
-
- For more detail regarding filters and their usage, please review the Falcon Query Language documentation.
-
- Available filters:
- host_ids: The device IDs of all the hosts on which the incident occurred. 
Example: `9a07d39f8c9f430eb3e474d1a0c16ce9`
- lm_host_ids: If lateral movement has occurred, this field shows the remote device IDs of the hosts on which the lateral movement occurred. Example: `c4e9e4643999495da6958ea9f21ee597`
- lm_hosts_capped: Indicates that the list of lateral movement hosts has been truncated. The limit is 15 hosts. Example: `True`
- name: The name of the incident. Initially the name is assigned by CrowdScore, but it can be updated through the API. Example: `Incident on DESKTOP-27LTE3R at 2019-12-20T19:56:16Z`
- description: The description of the incident. Initially the description is assigned by CrowdScore, but it can be updated through the API. Example: `Objectives in this incident: Keep Access. Techniques: Masquerading. Involved hosts and end users: DESKTOP-27LTE3R, DESKTOP-27LTE3R$.`
- users: The usernames of the accounts associated with the incident. Example: `someuser`
- tags: Tags associated with the incident. CrowdScore will assign an initial set of tags, but tags can be added or removed through the API. Example: `Objective/Keep Access`
- final_score: The incident score. Divide the integer by 10 to match the displayed score for the incident. Example: `56`
- start: The recorded time of the earliest behavior. Example: 2017-01-31T22:36:11Z
- end: The recorded time of the latest behavior. Example: 2017-01-31T22:36:11Z
- assigned_to_name: The name of the user the incident is assigned to.
- state: The incident state: "open" or "closed". Example: `open`
- status: The incident status as a number: 20: New, 25: Reopened, 30: In Progress, 40: Closed. Example: `20`
- modified_timestamp: The most recent time a user has updated the incident. Example: `2021-02-04T05:57:04Z`
+ IMPORTANT: You must use the tool `falcon_search_incidents_fql_filter_guide` whenever you want to use the `filter` parameter. This tool contains the guide on how to build the FQL `filter` parameter for `search_incidents` tool.
 Returns:
 Tool returns CrowdStrike incidents.
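Review bot: The docstring of the new `show_crowd_score_fql_filter_guide` opens with a bare `"""` and puts its summary on the second line; PEP 257 wants the summary on the first line, e.g. `"""Return the FQL `filter` guide for the `falcon_show_crowd_score` tool.` Since these docstrings become the tool description an MCP client surfaces, the first line is the one most clients display. The same shape is used by `search_incidents_fql_filter_guide`, `search_behaviors_fql_filter_guide`, `search_indicators_fql_filter_guide` and `search_reports_fql_filter_guide` in the later hunks. The body of search_incidents continues outside the hunk.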
@@ -175,17 +180,27 @@ def search_incidents(
 return []
+ def search_incidents_fql_filter_guide(self) -> str:
+ """
+ Returns the guide for the `filter` param of the `falcon_search_incidents` tool.
+
+ IMPORTANT: Before running `falcon_search_incidents`, always call this tool to get information about how to build the FQL for the filter.
+ """
+ return SEARCH_INCIDENTS_FQL_DOCUMENTATION
+
 def get_incident_details(
 self,
 ids: List[str] = Field(description="Incident ID(s) to retrieve."),
 ) -> List[Dict[str, Any]]:
- """Get details on incidents by providing incident IDs.
+ """Retrieve detailed information for specified incident IDs.
- Args:
- ids: Incident ID(s) to retrieve.
+ This tool returns comprehensive incident details for one or more incident IDs.
+ Use this when you already have specific incident IDs and need their full details.
+ For searching/discovering incidents, use the `falcon_search_incidents` tool instead.
 Returns:
- Tool returns the CrowdScore entity data.
+ List of incident details with comprehensive information including hosts,
+ scores, behaviors, timeline, and associated metadata
 """
 incidents = self._base_get_by_ids(
 operation="GetIncidents",
@@ -199,7 +214,7 @@ def get_incident_details(
 def search_behaviors(
 self,
- filter: Optional[str] = Field(default=None, description="FQL Syntax formatted string used to limit the results."),
+ filter: Optional[str] = Field(default=None, description="FQL Syntax formatted string used to limit the results. IMPORTANT: use the `falcon_search_behaviors_fql_filter_guide` tool when building this filter parameter."),
 limit: int = Field(default=100, ge=1, le=500, description="Maximum number of records to return. (Max: 500)"),
 offset: int = Field(default=0, ge=0, description="Starting index of overall result set from which to return ids."),
 sort: Optional[str] = Field(default=None, description="The property to sort by. (Ex: modified_timestamp.desc)"),
@@ -209,12 +224,7 @@ def search_behaviors(
 Use this when you need to find behaviors matching certain criteria rather than retrieving specific behaviors by ID. For retrieving details of known behavior IDs, use falcon_get_behavior_details instead.
- Args:
- filter: FQL Syntax formatted string used to limit the results.
- limit: The maximum number of records to return in this response. [Integer, 1-500]. Use with the offset parameter to manage pagination of results.
- offset: Starting index of overall result set from which to return ids.
- sort: The property to sort by. (Ex: modified_timestamp.desc)
-
+ IMPORTANT: You must use the tool `falcon_search_behaviors_fql_filter_guide` whenever you want to use the `filter` parameter. This tool contains the guide on how to build the FQL `filter` parameter for `search_behaviors` tool.
 Returns:
 Tool returns CrowdStrike behaviors.
@@ -236,20 +246,26 @@ def search_behaviors(
 return []
+ def search_behaviors_fql_filter_guide(self) -> str:
+ """
+ Returns the guide for the `filter` param of the `falcon_search_behaviors` tool.
+
+ IMPORTANT: Before running `falcon_search_behaviors`, always call this tool to get information about how to build the FQL for the filter.
+ """
+ return SEARCH_BEHAVIORS_FQL_DOCUMENTATION
+
 def get_behavior_details(
 self,
 ids: List[str] = Field(description="Behavior ID(s) to retrieve."),
 ) -> List[Dict[str, Any]]:
- """Get details on behaviors by providing behavior IDs.
+ """Retrieve detailed information for specified behavior IDs.
 Use this when you already know the specific behavior ID(s) and need to retrieve their details.
- For searching behaviors based on criteria, use falcon_search_behaviors instead.
-
- Args:
- ids: Behavior ID(s) to retrieve.
+ For searching behaviors based on criteria, use the search_behaviors tool instead.
 Returns:
- Tool returns the CrowdScore behaviors by ID.
+ List of behavior details with comprehensive information including techniques,
+ tactics, severity, confidence levels, and associated metadata
 """
 behaviors = self._base_get_by_ids(
 operation="GetBehaviors",
diff --git a/src/modules/intel.py b/src/modules/intel.py
index b133576a..2d6627c8 100644
--- a/src/modules/intel.py
+++ b/src/modules/intel.py
@@ -12,7 +12,11 @@ from ..common.logging import get_logger
 from ..common.errors import handle_api_response
 from ..common.utils import prepare_api_parameters
-from ..resources.intel import QUERY_ACTOR_ENTITIES_FQL_DOCUMENTATION
+from ..resources.intel import (
+ QUERY_ACTOR_ENTITIES_FQL_DOCUMENTATION,
+ QUERY_INDICATOR_ENTITIES_FQL_DOCUMENTATION,
+ QUERY_REPORT_ENTITIES_FQL_DOCUMENTATION
+)
 from .base import BaseModule
 logger = get_logger(__name__)
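Review bot: The rewritten cross-reference in `get_behavior_details` drops the registered tool prefix — `use the search_behaviors tool instead` replaces the old `falcon_search_behaviors` — while the parallel sentence added to `get_incident_details` in the previous hunk says `` `falcon_search_incidents` `` and every other new docstring in this commit uses the `falcon_`-prefixed name. A client only ever sees the prefixed name, so the line should read `For searching behaviors based on criteria, use the `falcon_search_behaviors` tool instead.` The body of get_behavior_details continues outside the hunk.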
@@ -46,12 +50,24 @@ def register_tools(self, server: FastMCP) -> None:
 name="search_indicators"
 )
+ self._add_tool(
+ server,
+ self.search_indicators_fql_filter_guide,
+ name="search_indicators_fql_filter_guide"
+ )
+
 self._add_tool(
 server,
 self.query_report_entities,
 name="search_reports"
 )
+ self._add_tool(
+ server,
+ self.search_reports_fql_filter_guide,
+ name="search_reports_fql_filter_guide"
+ )
+
 def query_actor_entities(
 self,
 filter: Optional[str] = Field(default=None, description="FQL query expression that should be used to limit the results. IMPORTANT: use the `falcon_query_actor_entities_fql_filter_guide` tool when building this filter parameter."),
@@ -107,7 +123,7 @@ def search_actors_fql_filter_guide(self) -> str:
 def query_indicator_entities(
 self,
- filter: Optional[str] = Field(default=None, description="FQL query expression that should be used to limit the results."),
+ filter: Optional[str] = Field(default=None, description="FQL query expression that should be used to limit the results. IMPORTANT: use the `falcon_search_indicators_fql_filter_guide` tool when building this filter parameter."),
 limit: Optional[int] = Field(default=100, ge=1, le=5000, description="Maximum number of records to return. (Max: 5000)"),
 offset: Optional[int] = Field(default=0, ge=0, description="Starting index of overall result set from which to return ids."),
 sort: Optional[str] = Field(default=None, description="The property to sort by. (Ex: created_date|desc)"),
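Review bot: The `filter` description of `query_actor_entities` (context line at the end of the first hunk) tells the client to call `falcon_query_actor_entities_fql_filter_guide`, but the guide method visible in the second hunk's header is `search_actors_fql_filter_guide`, which by the `name=` convention in `register_tools` presumably registers as `falcon_search_actors_fql_filter_guide` — the new indicator and report descriptions already use that `falcon_search_*` form. Unless a tool under the longer name is registered elsewhere, the client is pointed at a tool that does not exist; the description should read `IMPORTANT: use the `falcon_search_actors_fql_filter_guide` tool when building this filter parameter.` The body of query_actor_entities continues outside the hunk.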
@@ -117,14 +133,7 @@ def query_indicator_entities(
 ) -> List[Dict[str, Any]]:
 """Get info about indicators that match provided FQL filters.
- Args:
- filter: FQL query expression that should be used to limit the results.
- limit: Maximum number of records to return. (Max: 5000)
- offset: Starting index of overall result set from which to return ids.
- sort: The property to sort by. (Ex: created_date|desc)
- q: Free text search across all indexed fields.
- include_deleted: Flag indicating if both published and deleted indicators should be returned.
- include_relations: Flag indicating if related indicators should be returned.
+ IMPORTANT: You must use the tool `falcon_search_indicators_fql_filter_guide` whenever you want to use the `filter` parameter. This tool contains the guide on how to build the FQL `filter` parameter for `search_indicators` tool.
 Returns:
 List of indicators that match the provided filters.
@@ -161,26 +170,33 @@ def query_indicator_entities(
 return api_response
+ def search_indicators_fql_filter_guide(self) -> str:
+ """
+ Returns the guide for the `filter` param of the `falcon_search_indicators` tool.
+
+ IMPORTANT: Before running `falcon_search_indicators`, always call this tool to get information about how to build the FQL for the filter.
+ """
+ return QUERY_INDICATOR_ENTITIES_FQL_DOCUMENTATION
+
 def query_report_entities(
 self,
- filter: Optional[str] = Field(default=None, description="FQL query expression that should be used to limit the results."),
+ filter: Optional[str] = Field(default=None, description="FQL query expression that should be used to limit the results. IMPORTANT: use the `falcon_search_reports_fql_filter_guide` tool when building this filter parameter."),
 limit: int = Field(default=100, ge=1, le=5000, description="Maximum number of records to return. (Max: 5000)"),
 offset: int = Field(default=0, ge=0, description="Starting index of overall result set from which to return ids."),
 sort: Optional[str] = Field(default=None, description="The property to sort by. (Ex: created_date|desc)"),
 q: Optional[str] = Field(default=None, description="Free text search across all indexed fields."),
 ) -> List[Dict[str, Any]]:
- """Get info about reports that match provided FQL filters.
+ """Retrieve intelligence reports that match provided FQL filters.
- Args:
- filter: FQL query expression that should be used to limit the results. Review the following table for a complete list of available filters.
- limit: Maximum number of records to return. (Max: 5000)
- offset: Starting index of overall result set from which to return ids.
- sort: The property to sort by. (Ex: created_date|desc)
- q: Free text search across all indexed fields.
- fields: The fields to return, or a predefined set of fields in the form of the collection name surrounded by two underscores. 
+ This tool returns comprehensive intelligence report details based on your search criteria.
+ Use this when you need to find threat intelligence reports matching specific conditions.
+ For guidance on building FQL filters, use the `falcon_search_reports_fql_filter_guide` tool.
+
+ IMPORTANT: You must use the tool `falcon_search_reports_fql_filter_guide` whenever you want to use the `filter` parameter. This tool contains the guide on how to build the FQL `filter` parameter for `search_reports` tool.
 Returns:
- List of reports that match the provided filters.
+ List of intelligence reports with comprehensive information including content,
+ metadata, threat classifications, and associated indicators
 """
 # Prepare parameters
 params = prepare_api_parameters({
@@ -213,3 +229,11 @@ def query_report_entities(
 return [api_response]
 return api_response
+
+ def search_reports_fql_filter_guide(self) -> str:
+ """
+ Returns the guide for the `filter` param of the `falcon_search_reports` tool.
+
+ IMPORTANT: Before running `falcon_search_reports`, always call this tool to get information about how to build the FQL for the filter.
+ """
+ return QUERY_REPORT_ENTITIES_FQL_DOCUMENTATION
diff --git a/src/resources/detections.py b/src/resources/detections.py
new file mode 100644
index 00000000..00f8d0f2
--- /dev/null
+++ b/src/resources/detections.py
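Review bot: The new `query_report_entities` docstring states the same instruction twice — `For guidance on building FQL filters, use the `falcon_search_reports_fql_filter_guide` tool.` is followed immediately by the `IMPORTANT:` paragraph that says the same thing; dropping the first sentence makes the docstring match the other search tools in this commit, which carry only the `IMPORTANT:` paragraph. The removed `Args:` block documented a `fields` parameter that is not in the visible signature, so that removal is an improvement. The body of query_report_entities continues outside the hunk.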
@@ -0,0 +1,240 @@
+"""
+Contains Detections resources.
+"""
+
+SEARCH_DETECTIONS_FQL_DOCUMENTATION = """Falcon Query Language (FQL) - Search Detections Guide
+
+=== BASIC SYNTAX ===
+property_name:[operator]'value'
+
+=== AVAILABLE OPERATORS ===
+• No operator = equals (default)
+• ! = not equal to
+• > = greater than
+• >= = greater than or equal
+• < = less than
+• <= = less than or equal
+• ~ = text match (ignores case, spaces, punctuation)
+• !~ = does not text match
+• * = wildcard matching (one or more characters)
+
+=== DATA TYPES & SYNTAX ===
+• Strings: 'value' or ['exact_value'] for exact match
+• Dates: 'YYYY-MM-DDTHH:MM:SSZ' (UTC format)
+• Booleans: true or false (no quotes)
+• Numbers: 123 (no quotes)
+• Wildcards: 'partial*' or '*partial' or '*partial*'
+
+=== COMBINING CONDITIONS ===
+• + = AND condition
+• , = OR condition
+• ( ) = Group expressions
+
+🚨 DETECTION PROPERTIES (Complete List):
+
+=== IDENTIFICATION & CORE ===
+• composite_id: Unique detection identifier
+• aggregate_id: Related detection group identifier
+• cid: Customer ID
+• agent_id: Falcon agent identifier
+• pattern_id: Detection pattern identifier
+
+=== ASSIGNMENT & WORKFLOW ===
+• assigned_to_name: Person assigned to this detection
+• assigned_to_uid: Assigned user identifier
+• assigned_to_uuid: Assigned user UUID
+• status: Detection status (new, in_progress, closed, reopened)
+
+=== TIMESTAMPS ===
+• created_timestamp: When detection was created
+• updated_timestamp: Last modification time
+• timestamp: Detection occurrence timestamp
+
+=== THREAT INTELLIGENCE ===
+• confidence: Confidence level (1-100)
+• severity: Detection severity level
+• tactic: MITRE ATT&CK tactic
+• tactic_id: MITRE ATT&CK tactic ID
+• technique: MITRE ATT&CK technique
+• technique_id: MITRE ATT&CK technique ID
+• objective: Attack objective description
+
+=== DETECTION METADATA ===
+• name: Detection name/title
+• display_name: Human-readable detection name
+• description: Detection description
+• 
type: Detection type classification
+• scenario: Detection scenario
+
+=== SYSTEM & PLATFORM ===
+• platform: Operating system platform
+• show_in_ui: Whether detection appears in UI (true/false)
+• data_domains: Data classification domains
+
+=== PRODUCT FILTERING ===
+• product: Source Falcon product
+ - 'epp' (Endpoint Protection)
+ - 'idp' (Identity Protection)
+ - 'mobile' (Falcon for Mobile)
+ - 'xdr' (Falcon XDR)
+ - 'overwatch' (OverWatch)
+ - 'cwpp' (Cloud Workload Protection)
+ - 'ngsiem' (Next-Gen SIEM)
+ - 'thirdparty' (Third party data)
+ - 'data-protection' (Data Protection)
+
+=== SOURCE INFORMATION ===
+• source_products: Products that generated this detection
+• source_vendors: Vendor sources for the detection
+
+=== TAGS & CLASSIFICATION ===
+• tags: Detection classification tags
+
+💡 PRACTICAL DETECTION SEARCH EXAMPLES:
+
+=== STATUS-BASED SEARCHES ===
+Find new detections:
+status:'new'
+
+Find detections in progress:
+status:'in_progress'
+
+Find closed detections:
+status:'closed'
+
+Find reopened detections:
+status:'reopened'
+
+=== PRODUCT-SPECIFIC SEARCHES ===
+Find endpoint protection detections:
+product:'epp'
+
+Find identity protection detections:
+product:'idp'
+
+Find XDR detections:
+product:'xdr'
+
+Find OverWatch detections:
+product:'overwatch'
+
+=== SEVERITY & CONFIDENCE SEARCHES ===
+Find high confidence detections:
+confidence:>80
+
+Find medium to high confidence:
+confidence:>=50
+
+🔥 SEVERITY NUMERIC MAPPING (Critical for Proper Filtering):
+Based on CrowdStrike Falcon API data:
+• Critical: severity:>=90 (or severity:90 exactly)
+• High: severity:>=70 (or severity:70 exactly)
+• Medium: severity:>=50 (or severity:50 exactly)
+• Low: severity:>=20 (covers range 20-40)
+• Informational: severity:<=10 (covers range 2-5)
+
+Find critical severity detections only:
+severity:>=90
+
+Find high severity detections (includes critical):
+severity:>=70
+
+Find medium severity and above (includes high & critical):
+severity:>=50
+
+Find high severity detections only (excludes critical):
+severity:70
+
+Find informational detections:
+severity:<=10
+
+=== ASSIGNMENT SEARCHES ===
+Find unassigned detections:
+assigned_to_name:!*
+
+Find detections assigned to specific analyst:
+assigned_to_name:'john.doe'
+
+=== TIME-BASED SEARCHES ===
+Find recent detections (last 24 hours):
+created_timestamp:>'2024-01-20T00:00:00Z'
+
+Find detections from specific date range:
+created_timestamp:>='2024-01-15T00:00:00Z'+created_timestamp:<='2024-01-20T00:00:00Z'
+
+Find recently updated detections:
+updated_timestamp:>'2024-01-19T00:00:00Z'
+
+=== THREAT INTELLIGENCE SEARCHES ===
+Find detections with specific tactic:
+tactic:'Persistence'
+
+Find detections with technique ID:
+technique_id:'T1055'
+
+Find detections with specific objective:
+objective:'*credential*'
+
+=== ADVANCED COMBINED SEARCHES ===
+Find new high-confidence endpoint detections:
+status:'new'+confidence:>75+product:'epp'
+
+Find assigned XDR detections that are in progress:
+product:'xdr'+status:'in_progress'+assigned_to_name:*
+
+Find recent high-severity unassigned detections:
+created_timestamp:>'2024-01-18T00:00:00Z'+assigned_to_name:!*+confidence:>80
+
+Find OverWatch detections with persistence tactics:
+product:'overwatch'+tactic:'Persistence'
+
+=== BULK FILTERING SEARCHES ===
+Find detections from multiple products:
+(product:'epp'),(product:'xdr'),(product:'idp')
+
+Find detections in various active states:
+(status:'new'),(status:'in_progress')
+
+Find detections needing attention (new or reopened):
+(status:'new'),(status:'reopened')
+
+=== INVESTIGATION-FOCUSED SEARCHES ===
+Find detections with specific pattern:
+pattern_id:'12345'
+
+Find related detections by aggregate:
+aggregate_id:'agg-67890'
+
+Find detections with specific tags:
+tags:'malware'
+
+Find detections that show in UI:
+show_in_ui:true
+
+🚀 USAGE EXAMPLES:
+
+# Find new endpoint protection detections sorted by severity 
+falcon_search_detections(filter="status:'new'+product:'epp'", limit=50, sort="severity.desc")
+
+# Find high-confidence XDR detections from last week
+falcon_search_detections(filter="product:'xdr'+confidence:>80+created_timestamp:>'2024-01-15T00:00:00Z'", limit=25)
+
+# Find unassigned detections across all products
+falcon_search_detections(filter="assigned_to_name:!*", limit=100, sort="timestamp.desc")
+
+# Find OverWatch detections with specific tactics
+falcon_search_detections(filter="product:'overwatch'+tactic:'Initial Access'", limit=50)
+
+# Find detections that need immediate attention
+falcon_search_detections(filter="(status:'new'),(status:'reopened')+confidence:>75", sort="timestamp.desc")
+
+⚠️ IMPORTANT NOTES:
+• Use single quotes around string values: 'value'
+• Use square brackets for exact matches: ['exact_value']
+• Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ'
+• Status values are: new, in_progress, closed, reopened
+• Product filtering enables product-specific detection analysis
+• Confidence values range from 1-100
+• Complex queries may take longer to execute
+• include_hidden parameter shows previously hidden detections
+"""
diff --git a/src/resources/hosts.py b/src/resources/hosts.py
new file mode 100644
index 00000000..d5257c5f
--- /dev/null
+++ b/src/resources/hosts.py
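Review bot: The severity mapping in `SEARCH_DETECTIONS_FQL_DOCUMENTATION` is internally inconsistent: `• Low: severity:>=20 (covers range 20-40)` and `• Medium: severity:>=50` are open-ended lower bounds, so the "low" query as written also returns medium, high and critical detections; if a band is intended, spell it as `severity:>=20+severity:<50` (and likewise for the other bands), or state that each entry means "and above". The example titled "Find recent high-severity unassigned detections" filters on `confidence:>80` rather than `severity`, which contradicts its title. The "last 24 hours" and "last week" examples embed a fixed `2024-01-20` / `2024-01-15` date that a client may copy verbatim; a marked placeholder such as `created_timestamp:>'<UTC timestamp 24h ago>'` would be safer. It is also worth confirming that `(status:'new'),(status:'reopened')+confidence:>75` groups as intended; writing it as `((status:'new'),(status:'reopened'))+confidence:>75` removes any dependence on operator precedence.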
@@ -0,0 +1,173 @@
+"""
+Contains Hosts resources.
+"""
+
+SEARCH_HOSTS_FQL_DOCUMENTATION = """Falcon Query Language (FQL) - Search Hosts Guide
+
+=== BASIC SYNTAX ===
+property_name:[operator]'value'
+
+=== AVAILABLE OPERATORS ===
+• No operator = equals (default)
+• ! = not equal to
+• > = greater than
+• >= = greater than or equal
+• < = less than
+• <= = less than or equal
+• ~ = text match (ignores case, spaces, punctuation)
+• !~ = does not text match
+• * = wildcard matching (one or more characters)
+
+=== DATA TYPES & SYNTAX ===
+• Strings: 'value' or ['exact_value'] for exact match
+• Dates: 'YYYY-MM-DDTHH:MM:SSZ' (UTC format)
+• Booleans: true or false (no quotes)
+• Numbers: 123 (no quotes)
+• Wildcards: 'partial*' or '*partial' or '*partial*'
+
+=== COMBINING CONDITIONS ===
+• + = AND condition
+• , = OR condition
+• ( ) = Group expressions
+
+=== falcon_search_hosts FQL filter options ===
+
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| Name | Type | Operators| Description |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| device_id | String | No | The ID of the device. |
+| | | | Ex: 061a51ec742c44624a176f079d742052 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| agent_load_flags | String | No | CrowdStrike agent configuration notes |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| agent_version | String | No | CrowdStrike agent configuration notes |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| bios_manufacturer | String | No | Bios manufacture name. 
|
+| | | | Ex: Phoenix Technologies LTD |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| bios_version | String | No | Bios version. |
+| | | | Ex: 6.00 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| config_id_base | String | No | CrowdStrike agent configuration notes |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| config_id_build | String | No | CrowdStrike agent configuration notes |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| config_id_platform | String | No | CrowdStrike agent configuration notes |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| cpu_signature | String | Yes | The CPU signature of the device. |
+| | | | Ex: GenuineIntel |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| deployment_type | String | Yes | Linux deployment type: |
+| | | | - Standard |
+| | | | - DaemonSet |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| external_ip | IP Address | Yes | External IP of the device, as seen by CrowdStrike. |
+| | | | Ex: 192.0.2.100 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| first_seen | Timestamp | Yes | Timestamp of device's first connection to Falcon, |
+| | | | in UTC date format ("YYYY-MM-DDTHH:MM:SSZ"). 
|
+| | | | Ex: 2016-07-19T11:14:15Z |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| hostname | String | No | The name of the machine. Supports prefix and suffix |
+| | | | searching with wildcard, so you can search for |
+| | | | terms like abc and *abc. |
+| | | | Ex: WinPC9251 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| last_login_timestamp | Timestamp | Yes | User logon event timestamp, once a week. |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| last_seen | Timestamp | Yes | Timestamp of device's most recent connection to Falcon, |
+| | | | in UTC date format ("YYYY-MM-DDTHH:MM:SSZ"). |
+| | | | Ex: 2016-07-19T11:14:15Z |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| linux_sensor_mode | String | Yes | Linux sensor mode: |
+| | | | - Kernel Mode |
+| | | | - User Mode |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| local_ip | IP Address | No | The device's local IP address. As a device management |
+| | | | parameter, this is the IP address of this device at the |
+| | | | last time it connected to the CrowdStrike Cloud. |
+| | | | Ex: 192.0.2.1 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| local_ip.raw | IP Address with wildcards | No | A portion of the device's local IP address, used only for |
+| | (*) | | searches that include wildcard characters. 
Using a wildcard |
+| | | | requires specific syntax: when you specify an IP address with |
+| | | | this parameter, prefix the IP address with an asterisk (*) |
+| | | | and enclose the IP address in single quotes. |
+| | | | |
+| | | | Search for a device with the IP address 192.0.2.100: |
+| | | | local_ip.raw:*'192.0.2.*' |
+| | | | local_ip.raw:*'*.0.2.100' |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| mac_address | String | No | The MAC address of the device |
+| | | | Ex: 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| machine_domain | String | No | Active Directory domain name. |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| major_version | String | No | Major version of the Operating System |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| minor_version | String | No | Minor version of the Operating System |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| modified_timestamp | Timestamp | Yes | The last time that the machine record was updated. Can include |
+| | | | status like containment status changes or configuration |
+| | | | group changes. |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| os_version | String | No | Operating system version. |
+| | | | Ex: Windows 7 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| ou | String | No | Active Directory organizational unit name. 
|
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| platform_id | String | No | CrowdStrike agent configuration notes |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| platform_name | String | No | Operating system platform. |
+| | | | |
+| | | | Available options: |
+| | | | - Windows |
+| | | | - Mac |
+| | | | - Linux |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| product_type_desc | String | No | Name of product type. |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| reduced_functionality| String | Yes | Reduced functionality mode (RFM) status: |
+| _mode | | | - yes |
+| | | | - no |
+| | | | - Unknown (displayed as a blank string) |
+| | | | |
+| | | | Unknown is used for hosts with an unavailable RFM status: |
+| | | | - The sensor was deployed less than 24 hours ago and has not |
+| | | | yet provided an RFM status. |
+| | | | - The sensor version does not support RFM. |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| release_group | String | No | Name of the Falcon deployment group, if the this machine is |
+| | | | part of a Falcon sensor deployment group. |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| serial_number | String | Yes | Serial number of the device. |
+| | | | Ex: C42AFKEBM563 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| site_name | String | No | Active Directory site name. 
|
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| status | String | No | Containment Status of the machine. "Normal" denotes good |
+| | | | operations; other values might mean reduced functionality |
+| | | | or support. |
+| | | | |
+| | | | Possible values: |
+| | | | - normal |
+| | | | - containment_pending |
+| | | | - contained |
+| | | | - lift_containment_pending |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| system_manufacturer | String | No | Name of system manufacturer |
+| | | | Ex: VMware, Inc. |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| system_product_name | String | No | Name of system product |
+| | | | Ex: VMware Virtual Platform |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| tags | String | No | Falcon grouping tags |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+
+=== IMPORTANT NOTES ===
+• Use single quotes around string values: 'value'
+• Use square brackets for exact matches: ['exact_value']
+• Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ'
+• Hostname supports wildcards: 'PC*', '*server*'
+• IP wildcards require local_ip.raw with specific syntax
+"""
diff --git a/src/resources/incidents.py b/src/resources/incidents.py
new file mode 100644
index 00000000..b85254af
--- /dev/null
+++ b/src/resources/incidents.py
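Review bot: The `mac_address` row in `SEARCH_HOSTS_FQL_DOCUMENTATION` gives `Ex: 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff` as its example, which is an IPv6 address rather than a MAC address, so a client that imitates it will build a filter that can never match; replace it with a MAC-formatted value labelled as an example (the exact separator format the Falcon API expects should be confirmed against its documentation). Six rows (`agent_load_flags`, `agent_version`, `config_id_base`, `config_id_build`, `config_id_platform`, `platform_id`) carry the placeholder text "CrowdStrike agent configuration notes" instead of a description of the field. The `release_group` row has a typo: `if the this machine is` should read `if this machine is`.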
@@ -0,0 +1,206 @@
+"""
+Contains Incidents resources.
+"""
+
+CROWD_SCORE_FQL_DOCUMENTATION = """Falcon Query Language (FQL) - CrowdScore Guide
+
+=== BASIC SYNTAX ===
+property_name:[operator]'value'
+
+=== AVAILABLE OPERATORS ===
+• No operator = equals (default)
+• ! = not equal to
+• > = greater than
+• >= = greater than or equal
+• < = less than
+• <= = less than or equal
+• ~ = text match (ignores case, spaces, punctuation)
+• !~ = does not text match
+• * = wildcard matching (one or more characters)
+
+=== DATA TYPES & SYNTAX ===
+• Strings: 'value' or ['exact_value'] for exact match
+• Dates: 'YYYY-MM-DDTHH:MM:SSZ' (UTC format)
+• Booleans: true or false (no quotes)
+• Numbers: 123 (no quotes)
+• Wildcards: 'partial*' or '*partial' or '*partial*'
+
+=== COMBINING CONDITIONS ===
+• + = AND condition
+• , = OR condition
+• ( ) = Group expressions
+
+=== falcon_show_crowd_score FQL filter options ===
+• id
+• cid
+• timestamp
+• score
+• adjusted_score
+• modified_timestamp
+
+=== EXAMPLE USAGE ===
+
+• score:>50
+• timestamp:>'2023-01-01T00:00:00Z'
+• modified_timestamp:>'2023-01-01T00:00:00Z'+score:>70
+
+=== IMPORTANT NOTES ===
+• Use single quotes around string values: 'value'
+• Use square brackets for exact matches: ['exact_value']
+• Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ'
+"""
+
+SEARCH_INCIDENTS_FQL_DOCUMENTATION = """Falcon Query Language (FQL) - Search Incidents Guide
+
+=== BASIC SYNTAX ===
+property_name:[operator]'value'
+
+=== AVAILABLE OPERATORS ===
+• No operator = equals (default)
+• ! = not equal to
+• > = greater than
+• >= = greater than or equal
+• < = less than
+• <= = less than or equal
+• ~ = text match (ignores case, spaces, punctuation)
+• !~ = does not text match
+• * = wildcard matching (one or more characters)
+
+=== DATA TYPES & SYNTAX ===
+• Strings: 'value' or ['exact_value'] for exact match
+• Dates: 'YYYY-MM-DDTHH:MM:SSZ' (UTC format)
+• Booleans: true or false (no quotes)
+• Numbers: 123 (no quotes)
+• Wildcards: 'partial*' or '*partial' or '*partial*'
+
+=== COMBINING CONDITIONS ===
+• + = AND condition
+• , = OR condition
+• ( ) = Group expressions
+
+=== falcon_search_incidents FQL filter options ===
+
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| Name | Type | Operators| Description |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| host_ids | String | No | The device IDs of all the hosts on which the incident occurred. |
+| | | | Ex: 9a07d39f8c9f430eb3e474d1a0c16ce9 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| lm_host_ids | String | No | If lateral movement has occurred, this field shows the remote |
+| | | | device IDs of the hosts on which the lateral movement occurred. |
+| | | | Ex: c4e9e4643999495da6958ea9f21ee597 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| lm_hosts_capped | Boolean | No | Indicates that the list of lateral movement hosts has been |
+| | | | truncated. The limit is 15 hosts. |
+| | | | Ex: True |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| name | String | Yes | The name of the incident. Initially the name is assigned by |
+| | | | CrowdScore, but it can be updated through the API. |
+| | | | Ex: Incident on DESKTOP-27LTE3R at 2019-12-20T19:56:16Z |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| description | String | Yes | The description of the incident. Initially the description is |
+| | | | assigned by CrowdScore, but it can be updated through the API. |
+| | | | Ex: Objectives in this incident: Keep Access. |
+| | | | Techniques: Masquerading. |
+| | | | Involved hosts and end users: DESKTOP-27LTE3R. |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| users | String | Yes | The usernames of the accounts associated with the incident. |
+| | | | Ex: someuser |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| tags | String | Yes | Tags associated with the incident. CrowdScore will assign an |
+| | | | initial set of tags, but tags can be added or removed through |
+| | | | the API. |
+| | | | Ex: Objective/Keep Access |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| final_score | Number | Yes | The incident score. Divide the integer by 10 to match the |
+| | | | displayed score for the incident. |
+| | | | Ex: 56 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| start | Timestamp | Yes | The recorded time of the earliest behavior. |
+| | | | Ex: 2017-01-31T22:36:11Z |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| end | Timestamp | Yes | The recorded time of the latest behavior. |
+| | | | Ex: 2017-01-31T22:36:11Z |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| assigned_to_name | String | Yes | The name of the user the incident is assigned to. |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| state | String | No | The incident state: "open" or "closed" |
+| | | | Ex: open |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| status | Number | No | The incident status as a number: |
+| | | | - 20: New |
+| | | | - 25: Reopened |
+| | | | - 30: In Progress |
+| | | | - 40: Closed |
+| | | | Ex: 20 |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+| modified_timestamp | Timestamp | Yes | The most recent time a user has updated the incident. |
+| | | | Ex: 2021-02-04T05:57:04Z |
++----------------------+---------------------------+----------+------------------------------------------------------------------+
+
+=== EXAMPLE USAGE ===
+
+• state:'open'
+• status:'20'
+• final_score:>50
+• tags:'Objective/Keep Access'
+• modified_timestamp:>'2023-01-01T00:00:00Z'
+• state:'open'+final_score:>50
+
+=== IMPORTANT NOTES ===
+• Use single quotes around string values: 'value'
+• Use square brackets for exact matches: ['exact_value']
+• Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ'
+• Status values: 20: New, 25: Reopened, 30: In Progress, 40: Closed
+"""
+
+SEARCH_BEHAVIORS_FQL_DOCUMENTATION = """Falcon Query Language (FQL) - Search Behaviors Guide
+
+=== BASIC SYNTAX ===
+property_name:[operator]'value'
+
+=== AVAILABLE OPERATORS ===
+• No operator = equals (default)
+• ! = not equal to
+• > = greater than
+• >= = greater than or equal
+• < = less than
+• <= = less than or equal
+• ~ = text match (ignores case, spaces, punctuation)
+• !~ = does not text match
+• * = wildcard matching (one or more characters)
+
+=== DATA TYPES & SYNTAX ===
+• Strings: 'value' or ['exact_value'] for exact match
+• Dates: 'YYYY-MM-DDTHH:MM:SSZ' (UTC format)
+• Booleans: true or false (no quotes)
+• Numbers: 123 (no quotes)
+• Wildcards: 'partial*' or '*partial' or '*partial*'
+
+=== COMBINING CONDITIONS ===
+• + = AND condition
+• , = OR condition
+• ( ) = Group expressions
+
+=== falcon_search_behaviors FQL filter options ===
+• aid: Agent ID
+• behavior_id: Behavior ID
+• incident_id: Incident ID
+• tactic: MITRE ATT&CK tactic
+• technique: MITRE ATT&CK technique
+• objective: Attack objective
+• timestamp: When the behavior occurred
+
+=== EXAMPLE USAGE ===
+
+• tactic:'Defense Evasion'
+• technique:'Masquerading'
+• timestamp:>'2023-01-01T00:00:00Z'
+• tactic:'Persistence'+confidence:>80
+• objective:'Keep Access'
+
+=== IMPORTANT NOTES ===
+• Use single quotes around string values: 'value'
+• Use square brackets for exact matches: ['exact_value']
+• Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ'
+"""
diff --git a/src/resources/intel.py b/src/resources/intel.py
index 09014d9b..a76dce89 100644
--- a/src/resources/intel.py
+++ b/src/resources/intel.py
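Review bot: The falcon_search_behaviors example `tactic:'Persistence'+confidence:>80` filters on `confidence`, which the "falcon_search_behaviors FQL filter options" list just above it never names (it lists aid, behavior_id, incident_id, tactic, technique, objective, timestamp), so a reader of this guide cannot tell whether confidence is a valid field or a typo. Either add `• confidence: Behavior confidence score` to the option list, if the API really accepts it (I cannot confirm that from this hunk), or rewrite the example from listed fields, e.g. `• tactic:'Persistence'+timestamp:>'2023-01-01T00:00:00Z'`. In SEARCH_INCIDENTS_FQL_DOCUMENTATION the `status` row is typed Number and the data-types section says numbers take no quotes, yet the example reads `status:'20'`; change it to `• status:20` or state in the row that status is matched as a quoted string, so the two sections agree. The table's Yes/No `Operators` column is never defined; a line under the table such as `Operators: whether the comparison operators above (>, <, !, ~) may be used on this field; "No" means equality only` would make the table self-describing, assuming that is what Yes/No means here.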
@@ -82,3 +82,120 @@
 • Use square brackets for exact matches: ['exact_value']
 • Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ'
 """
+
+QUERY_INDICATOR_ENTITIES_FQL_DOCUMENTATION = """Falcon Query Language (FQL) - Intel Query Indicator Entities Guide
+
+=== BASIC SYNTAX ===
+property_name:[operator]'value'
+
+=== AVAILABLE OPERATORS ===
+• No operator = equals (default)
+• ! = not equal to
+• > = greater than
+• >= = greater than or equal
+• < = less than
+• <= = less than or equal
+• ~ = text match (ignores case, spaces, punctuation)
+• !~ = does not text match
+• * = wildcard matching (one or more characters)
+
+=== DATA TYPES & SYNTAX ===
+• Strings: 'value' or ['exact_value'] for exact match
+• Dates: 'YYYY-MM-DDTHH:MM:SSZ' (UTC format)
+• Booleans: true or false (no quotes)
+• Numbers: 123 (no quotes)
+• Wildcards: 'partial*' or '*partial' or '*partial*'
+
+=== COMBINING CONDITIONS ===
+• + = AND condition
+• , = OR condition
+• ( ) = Group expressions
+
+=== falcon_search_indicators FQL filter options ===
+• created_date
+• deleted
+• domain_types
+• id
+• indicator
+• ip_address_types
+• kill_chains
+• labels
+• last_updated
+• malicious_confidence
+• malware_families
+• published_date
+• reports
+• source
+• targets
+• threat_types
+• type
+• vulnerabilities
+
+=== EXAMPLE USAGE ===
+
+• type:'domain'
+• malicious_confidence:'high'
+• type:'hash_md5'+malicious_confidence:'high'
+• created_date:>'2023-01-01T00:00:00Z'
+
+=== IMPORTANT NOTES ===
+• Use single quotes around string values: 'value'
+• Use square brackets for exact matches: ['exact_value']
+• Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ'
+"""
+
+QUERY_REPORT_ENTITIES_FQL_DOCUMENTATION = """Falcon Query Language (FQL) - Intel Query Report Entities Guide
+
+=== BASIC SYNTAX ===
+property_name:[operator]'value'
+
+=== AVAILABLE OPERATORS ===
+• No operator = equals (default)
+• ! = not equal to
+• > = greater than
+• >= = greater than or equal
+• < = less than
+• <= = less than or equal
+• ~ = text match (ignores case, spaces, punctuation)
+• !~ = does not text match
+• * = wildcard matching (one or more characters)
+
+=== DATA TYPES & SYNTAX ===
+• Strings: 'value' or ['exact_value'] for exact match
+• Dates: 'YYYY-MM-DDTHH:MM:SSZ' (UTC format)
+• Booleans: true or false (no quotes)
+• Numbers: 123 (no quotes)
+• Wildcards: 'partial*' or '*partial' or '*partial*'
+
+=== COMBINING CONDITIONS ===
+• + = AND condition
+• , = OR condition
+• ( ) = Group expressions
+
+=== falcon_search_reports FQL filter options ===
+• actors
+• created_date
+• description
+• id
+• last_modified_date
+• name
+• report_type
+• short_description
+• slug
+• tags
+• target_countries
+• target_industries
+• url
+
+=== EXAMPLE USAGE ===
+
+• report_type:'malware'
+• name:'*ransomware*'
+• created_date:>'2023-01-01T00:00:00Z'
+• target_industries:'healthcare'
+
+=== IMPORTANT NOTES ===
+• Use single quotes around string values: 'value'
+• Use square brackets for exact matches: ['exact_value']
+• Date format must be UTC: 'YYYY-MM-DDTHH:MM:SSZ'
+"""
diff --git a/tests/modules/test_detections.py b/tests/modules/test_detections.py
index 5325c196..2fe8f78e 100644
--- a/tests/modules/test_detections.py
+++ b/tests/modules/test_detections.py
@@ -18,6 +18,7 @@ def test_register_tools(self):
         """Test registering tools with the server."""
         expected_tools = [
             "falcon_search_detections",
+            "falcon_search_detections_fql_filter_guide",
             "falcon_get_detection_details",
         ]
         self.assert_tools_registered(expected_tools)
diff --git a/tests/modules/test_hosts.py b/tests/modules/test_hosts.py
index 7709b808..fc12cba6 100644
--- a/tests/modules/test_hosts.py
+++ b/tests/modules/test_hosts.py
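Review bot: The new constant names `QUERY_INDICATOR_ENTITIES_FQL_DOCUMENTATION` and `QUERY_REPORT_ENTITIES_FQL_DOCUMENTATION` match neither the tools they document (the section headers read `falcon_search_indicators` and `falcon_search_reports`) nor the convention in the sibling incidents resource, where `SEARCH_INCIDENTS_FQL_DOCUMENTATION` mirrors `falcon_search_incidents`. Renaming them to `SEARCH_INDICATORS_FQL_DOCUMENTATION` and `SEARCH_REPORTS_FQL_DOCUMENTATION` would make the tool-to-guide mapping greppable; the module that imports these names is outside this hunk and would need the same rename. Both option lists are bare field names with no type or operator information, so a reader cannot tell that `deleted` presumably takes `true`/`false` per the data-types section, or that `created_date`, `last_updated` and `last_modified_date` expect the UTC timestamp form that the notes require; the Name/Type/Operators table used for falcon_search_incidents is the better pattern for these two guides as well. The accepted values of `malicious_confidence` and `report_type` are only implied by the two examples (`'high'`, `'malware'`), so listing the valid values next to each field, where the API documents them, would reduce guesswork for callers.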
@@ -18,6 +18,7 @@ def test_register_tools(self):
         """Test registering tools with the server."""
         expected_tools = [
             "falcon_search_hosts",
+            "falcon_search_hosts_fql_filter_guide",
             "falcon_get_host_details",
         ]
         self.assert_tools_registered(expected_tools)
diff --git a/tests/modules/test_incidents.py b/tests/modules/test_incidents.py
index 8d98dc01..40cd82f0 100644
--- a/tests/modules/test_incidents.py
+++ b/tests/modules/test_incidents.py
@@ -18,10 +18,13 @@ def test_register_tools(self):
         """Test registering tools with the server."""
         expected_tools = [
             "falcon_show_crowd_score",
+            "falcon_show_crowd_score_fql_filter_guide",
             "falcon_get_incident_details",
             "falcon_search_incidents",
+            "falcon_search_incidents_fql_filter_guide",
             "falcon_get_behavior_details",
             "falcon_search_behaviors",
+            "falcon_search_behaviors_fql_filter_guide",
         ]
         self.assert_tools_registered(expected_tools)
diff --git a/tests/modules/test_intel.py b/tests/modules/test_intel.py
index 6dd61e0b..b0cffcd4 100644
--- a/tests/modules/test_intel.py
+++ b/tests/modules/test_intel.py
@@ -20,7 +20,9 @@ def test_register_tools(self):
             "falcon_search_actors",
             "falcon_search_actors_fql_filter_guide",
             "falcon_search_indicators",
+            "falcon_search_indicators_fql_filter_guide",
             "falcon_search_reports",
+            "falcon_search_reports_fql_filter_guide",
         ]
         self.assert_tools_registered(expected_tools)