Filtering Vulnerability Data Using host_info.groups

[kpoznanski5]

Hello,

My name is Kris. I am using the PSFalcon to export the vulnerability data. First I ran an example script which had the following filter:
Filter = "status:!'closed'+(created_timestamp:>'now-1d'+created_timestamp:<'now')+suppression_info.is_suppressed:false"
This one works just fine.
However, I can't get the filter working using the host_info.groups property. I have tried the following:
Filter = "status:!'closed'+host_info.groups:'Group1'+suppression_info.is_suppressed:false"
or
Filter = "status:!'closed'+host_info.groups.name:'Group1'+suppression_info.is_suppressed:false"

But both return [{"code":400,"message":"invalid input data"}]

I am using the latest version of the PSFalcon.

Any help on resolving this issue would be appreciated.

Thank you.

Kris

[bk-cs]

The host_info.groups filter expects a group identifier and does not accept a name. See the Spotlight API documentation for examples:

[ EU-1 | US-1 | US-2 | US-GOV-1 ]

Give this a try:

Get-FalconVulnerability -Filter "status:!'closed'+host_info.groups:['44df8f70a7cc4eb495a9977c07594c95']+suppression_info.is_suppressed:false"

[kpoznanski5]

Thank you. We were able to get the groups IDs and now the script works with group filterting.
Thank you.

Kris