This url https://github.com/CrowdStrike/falconpy/blob/main/samples/detects/detects_advisor.py

[aaminahassan]

Here i want to get all detections whose status is closed, open , in-progress any.

where as
python .\detects_advisor.py -k <> -s <>,

gives me only status open results.

Documentation repository:

• [ https://github.com/CrowdStrike/falconpy/blob/main/samples/detects/detects_advisor.py] GitHub Wiki

• Source code - docstring

Additional context
Add any other context about the problem here.

I want to read detections for last month either open or closed but even this call gives me only open detections. what about the closed ones ?

falcon = FalconDetects.Detects(creds=creds)

PARAMS = {
    'offset': 0,
     'sort': 'first_behavior',
    'limit': 9999,
}

response = falcon.QueryDetects(parameters=PARAMS)
print ("----------")
print(response)

[aaminahassan]

And in the query detects only this filter works

detection_response = detects.query_detects(filter=f"status:'new'")

the above shows 200+ count

while I have to get all detections
detection_response = detects.query_detects(filter=f"status:'closed'")
no result

detection_response = detects.query_detects(filter=f"status:'in_progress'")

no result

[jshcodes]

Hi @aaminahassan -

This sample should return all detections found (that match the filter) regardless of status. In Progress and Closed detections should be displayed in the returned list.

I'm able to recreate the behavior you're encountering only when there are no detections in my environment with the specified status.

To test this, I used the sample to set a detection's status to In Progress (previously it was at New). This is then reflected in the results produced when I run the sample again (without filters).

 _____         __               __   __
|     \.-----.|  |_.-----.----.|  |_|__|.-----.-----.-----.
|  --  |  -__||   _|  -__|  __||   _|  ||  _  |     |__ --|
|_____/|_____||____|_____|____||____|__||_____|__|__|_____|

╒═════════════╤══════════════════════════════════╤═════════════════════════════╤══════════════════════════════╤══════════════════════╕
│ Detection   │ Hostname / Agent ID              │ Tactic                      │ Technique                    │ Date occurred        │
╞═════════════╪══════════════════════════════════╪═════════════════════════════╪══════════════════════════════╪══════════════════════╡
│ New         │ host-1                           │ Defense Evasion (TA0005)    │ Masquerading (T1036)         │ 2024-10-22T09:32:35Z │
│ REDACTED    │ REDACTED                         │                             │                              │                      │
├─────────────┼──────────────────────────────────┼─────────────────────────────┼──────────────────────────────┼──────────────────────┤
│ In Progress │ host-2                           │ Falcon Overwatch (CSTA0006) │ Malicious Activity (CST0002) │ 2024-10-24T12:31:25Z │
│ REDACTED    │ REDACTED                         │                             │                              │                      │
├─────────────┼──────────────────────────────────┼─────────────────────────────┼──────────────────────────────┼──────────────────────┤
│ Closed      │ host-1                           │ Defense Evasion (TA0005)    │ Masquerading (T1036)         │ 2024-10-28T19:43:19Z │
│ REDACTED    │ REDACTED                         │                             │                              │                      │
├─────────────┼──────────────────────────────────┼─────────────────────────────┼──────────────────────────────┼──────────────────────┤
│ New         │ host-1                           │ Falcon Overwatch (CSTA0006) │ Malicious Activity (CST0002) │ 2024-10-28T19:44:24Z │
│ REDACTED    │ REDACTED                         │                             │                              │                      │
├─────────────┼──────────────────────────────────┼─────────────────────────────┼──────────────────────────────┼──────────────────────┤
│ New         │ host-3                           │ Falcon Overwatch (CSTA0006) │ Malicious Activity (CST0002) │ 2024-10-28T19:46:35Z │
│ REDACTED    │ REDACTED                         │                             │                              │                      │
╘═════════════╧══════════════════════════════════╧═════════════════════════════╧══════════════════════════════╧══════════════════════╛

If I manually execute the QueryDetects operation, with the filter status:'in_progress', the ID of the updated detection is returned from the API.

[aaminahassan]

Hi Jshcodes, first thanks for your Immediate reply.

With the -u filter I am able to change the status,
with -f filter i can only see new detections, but there exit closed detections in my platform as well.

Also Please share your query_detects whole code for status in-progress, just to read the last months detection sttauses and not to update the status .

detection_response = detects.query_detects(filter=f"status:'new'")

the issue is I have to report all detections from last month whether closed or open or in progress. Passive operation

[jshcodes]

Hi @aaminahassan -

To retrieve detections from last month (regardless of status), you could calculate the previous month's UTC datetime (as a string) and then provide it as the date_updated filter.

# You can also use >= to include the date specified in the results.
detections_response = detects.query_detects(filter=f"date_updated:>'2024-12-01T00:00:01Z'")

If you'd like to add status to the filter, it would look like this:

detections_response = detects.query_detects(filter=f"date_updated:>'2024-12-01T00:00:01Z'+status:'in_progress'")