❯ falcon filters
Falcon Toolkit v3.6.1
Configuration Directory: /Users/myuser/Library/Application Support/FalconToolkit
contained
Filter by a host's network containment status.
deviceid
Filter by device ID (AID).
domain
This filter accepts an AD domain, e.g. GOODDOMAIN or gooddomain.company.com. You can also provide multiple domains as a Python list or comma delimited string
externalip
This filter accepts an IP address string associated with a remote network, e.g. 123.234.123.234, or 123.234.0.0/16 to cover the /16 range. You can also comma delimit strings for multiple matches, e.g., 123.234.123.234,100.200.100.200 to target hosts with each of those IP addresses, or provide a Python list of IP address strings.
firstseen
This filter accepts two types of parameter: a fixed ISO 8601 timestamp (such as 2020-01-01:01:00:00Z), or a relative timestamp such as -30m. -30m means time now, minus thirty minutes, so is best combined with an operator such as GTE. One example is FirstSeen__GTE=-1d, to filter for all new hosts that have been added to Falcon within the past 1 day.
groupid
This filter accepts one or more Group IDs as either one string, or as a comma delimited list of strings. For example, 075e03f5e5c04d83b4831374e7dc01c3 would target hosts within the group with ID 075e03f5e5c04d83b4831374e7dc01c3 only, or abcdefg123,abcdefg321 would target hosts in either group.
hostname
Provide either a single hostname string, or a list of hostnames via a comma delimited string or Python list. For example, you can omit two specific hosts with Hostname__NOT=HOST1,HOST2.
lastseen
This filter accepts two types of parameter: a fixed ISO 8601 timestamp (such as 2020-01-01:01:00:00Z), or a relative timestamp such as -30m. -30m means time now, minus thirty minutes, so is best combined with an operator such as GTE. A popular example is LastSeen__GTE=-30m, to stipulate all hosts that have been online in the past half hour (i.e. are likely to be online).
localip
This filter accepts an IP address string associated with a network card, e.g. 172.16.1.2 or 172.16.0.0/16 to cover the /16 range. You can also comma delimit strings for multiple matches, e.g., 172.16.1.2,172.16.1.3 to target hosts with each of those IP addresses, or provide a Python list of IP address strings.
macaddress
This filter accepts a MAC address string associated with a network interface, e.g., 01-22-33-44-55-66
osversion
This filter accepts a name of an operating system version and can be supplied many times. For example, Windows 7, RHEL 7.9, Catalina (10.15), etc.
reducedfunctionalitymode
Traceback (most recent call last):
File "/Users/myuser/.local/bin/falcon", line 7, in <module>
sys.exit(cli())
~~~^^
File "/Users/myuser/.local/pipx/venvs/falcon-toolkit/lib/python3.13/site-packages/click/core.py", line 1442, in __call__
return self.main(*args, **kwargs)
~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/Users/myuser/.local/pipx/venvs/falcon-toolkit/lib/python3.13/site-packages/click/core.py", line 1363, in main
rv = self.invoke(ctx)
File "/Users/myuser/.local/pipx/venvs/falcon-toolkit/lib/python3.13/site-packages/click/core.py", line 1830, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^
File "/Users/myuser/.local/pipx/venvs/falcon-toolkit/lib/python3.13/site-packages/click/core.py", line 1226, in invoke
return ctx.invoke(self.callback, **ctx.params)
~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/myuser/.local/pipx/venvs/falcon-toolkit/lib/python3.13/site-packages/click/core.py", line 794, in invoke
return callback(*args, **kwargs)
File "/Users/myuser/.local/pipx/venvs/falcon-toolkit/lib/python3.13/site-packages/falcon_toolkit/falcon.py", line 309, in cli_list_filters
click.echo(host_filters[unique_filter_name]["help"])
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
KeyError: 'reducedfunctionalitymode'
I ran the falcon filters command and got an error when it was parsing the reducedfunctionalitymode command. I installed a fresh copy on a test machine using pipx and got the same error/results.