Error 400 when using detects.QueryDetects

[Sshahar]

I'm trying to get detections from CrowdStrike but I get an error. Probably for not defining PARAMS.q (query). What should I do?

from falconpy import detects as FalconDetects

    falcon = FalconDetects.Detects(creds={
        'client_id': CrowdStrike.get('cid'),
        'client_secret': CrowdStrike.get('secret')
    })

    PARAMS = {
        'offset': 0,
        'limit': 9999,
        'sort': 'desc',
        'filter': '*',
        'q': "*"
    }

    response = falcon.QueryDetects(parameters=PARAMS)
    print(response)

response

{'status_code': 400, 'headers': {'Content-Encoding': 'gzip', 'Content-Length': '172', 'Content-Type': 'application/json', 'Date': 'Sun, 27 Jun 2021 12:31:28 GMT', 'X-Cs-Region': 'us-1', 'X-Cs-Traceid': 'ae0c3720-914e-4394-be95-dc87bab1f783', 'X-Ratelimit-Limit': '6000', 'X-Ratelimit-Remaining': '5999'}, 'body': {'meta': {'query_time': 0.051385664, 'powered_by': 'msa-api', 'trace_id': 'ae0c3720-914e-4394-be95-dc87bab1f783'}, 'resources': [], 'errors': [{'code': 400, 'message': 'Invalid argument'}]}}

[jshcodes]

Two issues in your payload.

1. Sort needs to specify the field to sort by, like first_behavior or max_confidence. Hostnames are a little different, use devices.hostname to sort. (i.e.: "devices.hostname|desc")
2. You can't pass just a wildcard as a filter or a query. That's the same as querying without the values. (i.e.: Return all detections up to query maximum.)

Try this instead and let us know if you have any problems:

from falconpy import detects as FalconDetects

falcon = FalconDetects.Detects(creds={
    'client_id': CrowdStrike.get('cid'),
    'client_secret': CrowdStrike.get('secret')
})

PARAMS = {
    'sort': 'devices.hostname|desc',
}

response = falcon.QueryDetects(parameters=PARAMS)
print(response)

[Sshahar]

Thanks, I've tried running your code but still getting Http status 400

[jshcodes]

Could you post the updated code you are using (don't forget to sanitize any API keys) so we can review?

[Sshahar]

I've ran exactly the code you've written above. that is all.

The same CrowdStrike dict is used with a script I wrote and they work.

[jshcodes]

This is my test code.

import json
from falconpy import detects as FalconDetects

with open("config.json", "r") as cred_file:
    config = json.loads(cred_file.read())
creds = {
    "client_id": config["falcon_client_id"],
    "client_secret": config["falcon_client_secret"]
}

falcon = FalconDetects.Detects(creds=creds)

PARAMS = {
    'offset': 0,
    'sort': 'devices.hostname|desc',
    'limit': 9999,
}

response = falcon.QueryDetects(parameters=PARAMS)
print(response)

Which produces the following result (sanitized).

{
	"status_code": 200,
	"headers": {
		"Content-Encoding": "gzip",
		"Content-Length": "2222",
		"Content-Type": "application/json",
		"Date": "Wed, 07 Jul 2021 12:42:25 GMT",
		"X-Cs-Region": "us-1",
		"X-Cs-Traceid": "45c58c92-SOMETHING-SOMETHING-SOMETHING-DARKSIDE",
		"X-Ratelimit-Limit": "6000",
		"X-Ratelimit-Remaining": "5999"
	},
	"body": {
		"meta": {
			"query_time": 0.009252088,
			"pagination": {
				"offset": 0,
				"limit": 9999,
				"total": 155
			},
			"powered_by": "msa-api",
			"trace_id": "45c58c92-SOMETHING-SOMETHING-SOMETHING-DARKSIDE"
		},
		"resources": ["ldt:05b113324ed0477b9a9de483c416c7ad:1548314",
                              "ldt:f482244c39024SOME_MACHINE_ID:577SOMETHING", 
                              "ldt:f482244c39024SOME_MACHINE_ID:483SOMETHING", 
                              "ldt:f482244c39024SOME_MACHINE_ID:388SOMETHING", 
                              "ldt:f482244c39024SOME_MACHINE_ID:272SOMETHING",
                              "more detections listed here..."],
		"errors": []
	}
}

My API key has full access to the Detects API.

I don't think the way you're passing in credentials is the issue (unless the creds are bad).

Can we get some more detail? (We're still looking into this on our end as well.)

• FalconPy version
• OS
• Python version
• CS cloud

[jshcodes]

As a follow up test, can you change your parameter payload to this and let us know if it works?

PARAMS = {
    'sort': 'first_behavior'
}

[jshcodes]

There appears to be an issue with using 'devices.hostname' for a sort parameter when using this operation. Using the updated code below should work. (We are looking into the issue with the device hostname sort.)

Let us know if you are still encountering problems.

import json
from falconpy import detects as FalconDetects

with open("config.json", "r") as cred_file:
    config = json.loads(cred_file.read())
creds = {
    "client_id": config["falcon_client_id"],
    "client_secret": config["falcon_client_secret"]
}

falcon = FalconDetects.Detects(creds=creds)

PARAMS = {
    'sort': 'first_behavior|asc'
}

response = falcon.QueryDetects(parameters=PARAMS)
print(response)