XSUP-53101

Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.py

@@ -432,6 +432,16 @@ def is_detection_fetch_type_selected(selected_types: list):
     return any(detection_type in selected_types for detection_type in DETECTION_FETCH_TYPES)
 
 
+def is_detection_occurred_before_fetch_time(detection: dict, start_fetch_time: str) -> bool:
+    # the following test is to filter out detections that are older than the start_fetch_time.
+    # The CS Falcon API does not do that reliably
+    created_time = detection["created_timestamp"]
+    create_date = datetime.fromisoformat(created_time.replace("Z", "+00:00"))
+    start_date = datetime.fromisoformat(start_fetch_time.replace("Z", "+00:00"))
+
+    return create_date < start_date
+
+
 def is_incident_fetch_type_selected(selected_types: list):
     return any(incident_type in selected_types for incident_type in INCIDENT_FETCH_TYPES)
 
@@ -3035,7 +3045,6 @@ def fetch_endpoint_detections(current_fetch_info_detections, look_back, is_fetch
     start_fetch_time, end_fetch_time = get_fetch_run_time_range(
         last_run=current_fetch_info_detections, first_fetch=FETCH_TIME, look_back=look_back, date_format=DETECTION_DATE_FORMAT
     )
-
     fetch_limit = current_fetch_info_detections.get("limit") or fetch_limit
     incident_type = "detection"
 
@@ -3061,10 +3070,17 @@ def fetch_endpoint_detections(current_fetch_info_detections, look_back, is_fetch
 
     if raw_res is not None and "resources" in raw_res:
         full_detections = demisto.get(raw_res, "resources")
+        # detection_id is for the old version of the API, composite_id is for the new version (Raptor)
         for detection in full_detections:
-            detection["incident_type"] = incident_type
-            # detection_id is for the old version of the API, composite_id is for the new version (Raptor)
             detection_id = detection.get("detection_id") if LEGACY_VERSION else detection.get("composite_id")
+            if is_detection_occurred_before_fetch_time(detection, start_fetch_time):
+                demisto.debug(
+                    f"CrowdStrikeFalconMsg: Detection {detection_id} created at {detection.get('created_timestamp')} "
+                    f"was created before the fetch start date: {start_fetch_time}"
+                )
+                continue
+
+            detection["incident_type"] = incident_type
             demisto.debug(
                 f"CrowdStrikeFalconMsg: Detection {detection_id} "
                 f"was fetched which was created in {detection['created_timestamp']}"
@@ -3094,7 +3110,7 @@ def fetch_endpoint_detections(current_fetch_info_detections, look_back, is_fetch
         date_format=DETECTION_DATE_FORMAT,
         new_offset=detections_offset,
     )
-    demisto.debug(f"CrowdstrikeFalconMsg: Ending fetch endpoint_detections. Fetched {len(detections) if detections else 0}")
+    demisto.debug(f"CrowdStrikeFalconMsg: Ending fetch endpoint_detections. Fetched {len(detections) if detections else 0}")
 
     return detections, current_fetch_info_detections
 

Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon.yml

@@ -5174,7 +5174,7 @@ script:
     - contextPath: CrowdStrike.IOARules.version_ids
       description: The IOA rule's version ID.
       type: String
-  dockerimage: demisto/py3-tools:1.0.0.3205634
+  dockerimage: demisto/py3-tools:1.0.0.4257568
   isfetch: true
   isfetch:marketplacev2: false
   isfetch:platform: false

Packs/CrowdStrikeFalcon/Integrations/CrowdStrikeFalcon/CrowdStrikeFalcon_test.py

@@ -5,7 +5,6 @@
 
 import demistomock as demisto
 import pytest
-from _pytest.python_api import raises
 from CommonServerPython import (
     CommandResults,
     DemistoException,
@@ -1895,6 +1894,25 @@ def test_fetch_endpoint_detections__update_last_run_object(self, mocker):
         except Exception as e:
             pytest.fail(f"Unexpected error during fetch_endpoint_detections with non-zero offset: {str(e)}")
 
+    def test_fetch_endpoint_detections__is_detection_occurred_before_fetch_time(self, mocker):
+        from CrowdStrikeFalcon import fetch_endpoint_detections
+
+        mocked_res = [
+            {"created_timestamp": "2025-07-25T23:59:59.999999Z", "composite_id": "123"},
+            {"created_timestamp": "2025-07-24T01:01:00.000001Z", "composite_id": "456"},
+        ]
+        mocker.patch("CrowdStrikeFalcon.get_fetch_detections", return_value={})
+        mocker.patch(
+            "CrowdStrikeFalcon.get_detections_entities",
+            return_value={"resources": mocked_res},
+        )
+
+        start_fetch_time = "2025-07-25T01:01:00.000000000Z"
+
+        results, _ = fetch_endpoint_detections({"time": start_fetch_time}, 2, False)
+        assert len(results) == 1
+        assert results[0]["occurred"] == mocked_res[0]["created_timestamp"]
+
     @pytest.mark.parametrize(
         "product_type, detection_name_prefix",
         [
@@ -3978,7 +3996,7 @@ def test_add_error_message(failed_devices, all_requested_devices, expected_resul
 def test_add_error_message_raise_error(failed_devices, all_requested_devices):
     from CrowdStrikeFalcon import add_error_message
 
-    with raises(DemistoException, match=f"CrowdStrike Falcon The command was failed with the errors: {failed_devices}"):
+    with pytest.raises(DemistoException, match=f"CrowdStrike Falcon The command was failed with the errors: {failed_devices}"):
         add_error_message(failed_devices, all_requested_devices)
 
 
@@ -7860,3 +7878,15 @@ def test_fetch_items_reads_last_run_indexes_correctly(mocker, command):
 
     # Verify that fetch_events refers to the correctly indexes for each type by last_run object.
     assert last_run_identifiers_result == last_run_identifiers
+
+
+def test_is_detection_occurred_before_fetch_time():
+    from CrowdStrikeFalcon import is_detection_occurred_before_fetch_time
+
+    detection = {"created_timestamp": "2020-05-16T17:30:38Z"}
+    start_fetch_time = "2020-05-17T17:30:38Z"
+    assert is_detection_occurred_before_fetch_time(detection, start_fetch_time)
+
+    detection = {"created_timestamp": "2020-05-17T17:30:38Z"}
+    start_fetch_time = "2020-05-17T17:30:38Z"
+    assert not is_detection_occurred_before_fetch_time(detection, start_fetch_time)

Packs/CrowdStrikeFalcon/ReleaseNotes/2_3_3.md

@@ -0,0 +1,6 @@
+
+#### Integrations
+
+##### CrowdStrike Falcon
+- Updated the Docker image to: *demisto/py3-tools:1.0.0.4257568*.
+- Fixed an issue where the ***fetch-incidents*** command retrieved older detections than the specified date.

Packs/CrowdStrikeFalcon/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "CrowdStrike Falcon",
     "description": "The CrowdStrike Falcon OAuth 2 API (formerly the Falcon Firehose API), enables fetching and resolving detections, searching devices, getting behaviors by ID, containing hosts, and lifting host containment.",
     "support": "xsoar",
-    "currentVersion": "2.3.2",
+    "currentVersion": "2.3.3",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",