Merge pull request #6 from CrowdStrike/ChristopherHammond13/issue-5

Resolves #5 and bumps to 0.1.3

caracara_filters/dialects/hosts.py

@@ -47,6 +47,11 @@ def user_readable_string_transform(map_dict: Dict[str, str], input_str: str) ->
     ]),
 }
 
+hosts_device_id_filter = {
+    "fql": "device_id",
+    "help": "Filter by device ID (AID).",
+}
+
 hosts_domain_filter = {
     "fql": "machine_domain",
     "help": (
@@ -55,6 +60,28 @@ def user_readable_string_transform(map_dict: Dict[str, str], input_str: str) ->
     ),
 }
 
+hosts_first_seen_filter = {
+    "fql": "first_seen",
+    "multivariate": False,
+    "operator": "GTE",
+    "valid_operators": [
+        "EQUAL",
+        "GT",
+        "GTE",
+        "LT",
+        "LTE",
+    ],
+    "transform": relative_timestamp_transform,
+    "validator": relative_timestamp_validator,
+    "help": (
+        "This filter accepts two types of parameter: a fixed ISO 8601 timestamp (such as "
+        "2020-01-01:01:00:00Z), or a relative timestamp such as -30m. -30m means time now, "
+        "minus thirty minutes, so is best combined with an operator such as GTE. One example is "
+        "FirstSeen__GTE=-1d, to filter for all new hosts that have been added to Falcon within "
+        "the past 1 day."
+    ),
+}
+
 hosts_group_id_filter = {
     "fql": "groups",
     "help": (
@@ -96,28 +123,6 @@ def user_readable_string_transform(map_dict: Dict[str, str], input_str: str) ->
     ),
 }
 
-hosts_first_seen_filter = {
-    "fql": "first_seen",
-    "multivariate": False,
-    "operator": "GTE",
-    "valid_operators": [
-        "EQUAL",
-        "GT",
-        "GTE",
-        "LT",
-        "LTE",
-    ],
-    "transform": relative_timestamp_transform,
-    "validator": relative_timestamp_validator,
-    "help": (
-        "This filter accepts two types of parameter: a fixed ISO 8601 timestamp (such as "
-        "2020-01-01:01:00:00Z), or a relative timestamp such as -30m. -30m means time now, "
-        "minus thirty minutes, so is best combined with an operator such as GTE. One example is "
-        "FirstSeen__GTE=-1d, to filter for all new hosts that have been added to Falcon within "
-        "the past 1 day."
-    ),
-}
-
 hosts_local_ip_address_filter = {
     "fql": "local_ip",
     "help": (
@@ -128,6 +133,14 @@ def user_readable_string_transform(map_dict: Dict[str, str], input_str: str) ->
     ),
 }
 
+hosts_mac_address_filter = {
+    "fql": "mac_address",
+    "help": (
+        "This filter accepts a MAC address string associated with a network interface, e.g., "
+        "01-22-33-44-55-66"
+    ),
+}
+
 hosts_os_version_filter = {
     "fql": "os_version",
     "help": (
@@ -172,16 +185,20 @@ def user_readable_string_transform(map_dict: Dict[str, str], input_str: str) ->
 
 HOSTS_FILTERS: Dict[str, Dict[str, Any]] = {
     "contained": hosts_contained_filter,
+    "deviceid": hosts_device_id_filter,
+    "device_id": hosts_device_id_filter,  # pythonic
     "domain": hosts_domain_filter,
+    "firstseen": hosts_first_seen_filter,
+    "first_seen": hosts_first_seen_filter,  # pythonic
     "groupid": hosts_group_id_filter,
     "group_id": hosts_group_id_filter,  # pythonic
     "hostname": hosts_hostname_filter,
     "lastseen": hosts_last_seen_filter,
     "last_seen": hosts_last_seen_filter,  # pythonic
-    "firstseen": hosts_first_seen_filter,
-    "first_seen": hosts_first_seen_filter,  # pythonic
     "localip": hosts_local_ip_address_filter,
     "local_ip": hosts_local_ip_address_filter,  # pythonic
+    "macaddress": hosts_mac_address_filter,
+    "mac_address": hosts_mac_address_filter,  # pythonic
     "osversion": hosts_os_version_filter,
     "os_version": hosts_os_version_filter,  # pythonic
     "role": hosts_role_filter,

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "caracara-filters"
-version = "0.1.2"
+version = "0.1.3"
 description = "FQL generation engine for Caracara"
 authors = ["Chris Hammond <[email protected]>"]
 license = "MIT"