Merge for 2.2.7 release #419
Merged
Added `Command` value for various commands to ensure that their names would show in verbose output during `Invoke-Falcon` requests
Removed mandatory requirement for `SensorType` when using `Request-FalconRegistryCredential` and added a prompt if it is not present. Added additional error messages to notify when `token` or `expires_in` is missing from a `Request-FalconRegistryCredential` token request response. Made various changes to ensure all content was properly cached/retrieved from cache when using `Request-FalconRegistryCredential`. Added check to verify proper credentials have been cached before `Get-FalconContainerSensor` request.
Forced `Invoke-FalconRtr` to refresh the RTR session it's using every 30 seconds by default to help prevent results from being lost when devices that recently went offline (i.e. and thus didn't meet the cutoff for the offline queue, when used) delay the RTR session start long enough for the session itself to die before a command is properly issued.
Changed refresh time of RTR session to 20 seconds to reduce the chance of sessions dying before initialization results are passed back to `Invoke-FalconRtr`
Re-wrote `Get-FalconUninstallToken` to group all `device_id` values together and make requests in appropriately sized groups, instead of individually when using `Include`.
Modified `Get-FalconUninstallToken` to stop attempting token requests on first failure when multiple `device_id` values are supplied.
Issue #310: Added default client timeout of 1 minute to help generate error messages when file downloads do not complete.
Updated `Get-FalconAlert` to use `/alerts/queries/alerts/v2` endpoint
Added `IsDescendentProcess` to `Edit-FalconMlExclusion`
Added `IsDescendentProcess` to `Edit-FalconSvExclusion` and `New-FalconSvExclusion`
Updated `Get-FalconIocHost` to use `/iocs/aggregates/device-count/v1:get` endpoint
Added error message to `Export-FalconConfig` when unable to create an export in the current location
Corrected how QueueOffline was being checked when adding delay
Added `IncludeHidden` to `Get-FalconAlert` when submitting `Id` values
Added `IncludeHidden` to `Invoke-FalconAlertAction`
Added `CspmLite` to `Get-FalconHorizonAwsAccount`
Added `CspmLite` to `Get-FalconHorizonAzureAccount`
Added `Environment` to `Edit-FalconHorizonAwsAccount`
Added `Get-FalconHorizonAzureGroup`
Added `Get-FalconHorizonAzureGroup`
Added `New-FalconHorizonAzureGroup`
Added `New-FalconHorizonAzureGroup`
Issue #380: Updated `Compare-ImportData` function to analyze items by each individual `platform` (or `platform_name`) to resolve bug where `FirewallGroup` items were being ignored. Added additional verbose messaging to indicate how items are being compared during import.
Added `Sort` values to `Get-FalconFileVantageChange`
Removed commands related to `idp-entities-explorer` endpoints that have been un-published
Updated `New-FalconCloudGcpAccount` to use `/cloud-connect-cspm-gcp/entities/account/v2:post` endpoint
Updated `Edit-FalconCertificateExclusion` and `New-FalconCertificateExclusion` to enforce required properties in `certificate` value. Created private function `Select-CertificateProperty` to support enforcement of required properties.
Added `New-FalconContainerImage` and updated `Remove-FalconContainerImage` to use new endpoint
Removing until future release
Added draft samples for Fal.Con 2024 Lab
Moving Fal.Con samples to dedicated repo
Removed `id` validation due to results in demo environment not matching
Removed `Compare-FalconPreventionPhase` and accompanying policy json files due to Falcon Prevention Policy UI changes that enabled policy comparison in the Falcon console.
Minor reorganization of `Invoke()` to help prevent null errors when requests fail (like when made behind a proxy).
Updated `Import-FalconConfig` to improve output when `FirewallPolicy` is modified
Moved removal of `rule_group_ids` when no `FirewallGroup` ids are present outside of individual `FirewallGroup` check loop during modification of `FirewallPolicy`. Added code in `Compare-Setting` for reviewing `DeviceControlPolicy` settings. `classes` and `custom_notifications` still in progress.
New Commands
- cloud-connect-cspm-azure
- cloud-connect-cspm-gcp
- configuration-assessment
- container-security
- delivery-settings
- exclusions
- fem
- filevantage
- host-migration
- intel
- loggingapi
- plugins
- psf-sensors
- snapshots
- threatgraph
- workflows

Issues Resolved
- `Receive-FalconInstaller` fails due to timeout #310: Added default timeout of one minute for all requests in an effort to help produce error messages when a file download does not complete.
- `Find-FalconHostname` returns maximum of 100 results #369: Corrected `Find-FalconHostname` so it outputs the entire list of results instead of stopping with the first initial 100.
- `400: The ids parameter must be present...` error when using Turkish display language #370: Changed all identifier parameter aliases from uppercase to lowercase to resolve matching issues when using Turkish as the default display language.
- `Invoke-FalconDeploy` incorrect execution order when queued #375: Added a second delay for `Invoke-FalconDeploy` between commands when using the offline queue to ensure that the proper processing order is retained.
- `Import-FalconConfig` ignores `FirewallGroup` #380: Updated `Compare-ImportData` function to analyze items by each individual `platform` (or `platform_name`) to resolve bug where `FirewallGroup` items were being ignored.
- `Receive` commands generate `index out of range` errors even when successful #382: Removed output of successfully downloaded file information from `Invoke-Falcon` private function and relocated within the `Invoke()` class function to prevent `Index out of range error` on successful download requests.
- `Add-SensorTag` and `Remove-SensorTag` don't append/remove tags even through reboot #385: Re-wrote `Add-FalconSensorTag` and `Remove-FalconSensorTag` commands to properly append/remove tags across all OSes, and fix issue where tags weren't applied at all.
- `Id` does not match pattern when using `Get-FalconAsset` #391: Removed pattern validation for the `Id` parameter for `Get-FalconAsset` to prevent errors when unexpected (but legitimate) `Id` values are provided.
- `Import-FalconConfig` improperly assigns non-existent `rule_group_ids` when creating `FirewallPolicy` #393: Updated `Import-FalconConfig` to properly remove `rule_group_ids` that aren't tied to `FirewallGroup` items that are also created during import.
- `Get-FalconAlert -All -Detailed` returns `413 - Request Too Large` #396: Added maximum count of 1000 identifiers when building body content during `Get-FalconAlert` requests.
- `Invoke-FalconAlertAction` and `Invoke-FalconIncidentAction` to allow for multiple actions in one API query #397: Added `Action` parameter to define multiple actions to perform in a single request when using `Invoke-FalconAlertAction` or `Invoke-FalconIncidentAction`.
- `New-FalconIoaRule` generates `400` error when following wiki example #399: Updated how `field_values` properties are selected to ensure that they're correctly passed as an array when using `New-FalconIoaRule`.
- `Cid` parameter when using `Add-FalconRole` #401: Added `Confirm-CidValue` private function to check `Cid` input for checksum, remove it when present, and return the `Cid` value in lower case.
- `Get-FalconScanFile` results to `Include` for `Get-FalconScan` #411: Added `Include` with value of `scan_file` to `Get-FalconScan`, and added `ScanId` to `Get-FalconScanFile` to support `Include` for `Get-FalconScan`.
- `Get-FalconScan` and `Get-FalconScanFile` limited to 100 results #412: Added `Limit` of `500` to `Get-FalconScan` and `Get-FalconScanFile` to ensure both `limit` and `offset` are passed during pagination.

General Changes
- Added a weekly check of the PSGallery for PSFalcon module updates if the PSFalcon module was originally installed via the PSGallery. Update status is kept in a file called `update_check.json` in the base PSFalcon module folder. If the connection to the PSGallery fails, the update check is disabled. Deleting `update_check.json` will re-attempt connection the next time the module is loaded.
- Updated internal `Build-Query` function to automatically URL encode provided values during submission instead of only previously encoding `+`.
- Updated internal `Log()` method for `[ApiClient]` to support Falcon NGSIEM and CrowdStrike Parsing Standard.
- Added `UserAgent` value to `[ApiClient]` object for use with `Log()` method.
- Updated `Request-FalconToken` and `Show-FalconModule` to use new `UserAgent` value under `[ApiClient]`.
- Removed filtering for unique values when supplying an array of identifiers to a command. This was originally added to prevent problems related to an array containing the same identifier twice, but it adds a lot of processing time when a large list of identifiers is provided. PSFalcon will now pass all given identifiers on to the relevant API, meaning that new error messages might appear if a user is not properly error checking their scripts and filtering out duplicate identifier values.
- Added `Test-ActionParameter` private function to support new `Action` parameter for `Invoke-FalconAlertAction` and `Invoke-FalconIncidentAction`.
- Added `Select-CertificateProperty` private function to support the new `Edit-FalconCertificateExclusion` and `New-FalconCertificateExclusion` commands.
- Corrected verbose output for various commands to ensure that the relevant command name was displayed when `Invoke-Falcon` makes a request to the target API.
- Re-wrote the internal function `Confirm-Parameter` to reduce necessary parameters when calling the function.
- Added internal `Remove-EmptyValue` function to strip empty values before submission when necessary.
- Corrected bug found when implementing new v2 endpoint for `Get-FalconAsset -IoT` where `after` would not be added properly when paginating without another criteria (i.e. `filter`, `sort`, etc.) using `-All`.
- Compressed `SensorTag` commands into a reusable function to de-duplicate code.
- Renamed the `Array` parameter to `InputObject` to better match PowerShell style for the following commands: `Edit-FalconDeviceControlPolicy`, `Edit-FalconFirewallPolicy`, `Edit-FalconIoc`, `Edit-FalconPreventionPolicy`, `Edit-FalconReconNotification`, `Edit-FalconReconRule`, `Edit-FalconResponsePolicy`, `Edit-FalconSensorUpdatePolicy`, `Find-FalconHostname`, `New-FalconDeviceControlPolicy`, `New-FalconFirewallPolicy`, `New-FalconHostGroup`, `New-FalconIoc`, `New-FalconPreventionPolicy`, `New-FalconReconRule`, `New-FalconResponsePolicy`, and `New-FalconSensorUpdatePolicy`. `Array` has been kept as an alias to prevent issues with existing scripts.
- Changed the prefix from `Horizon` to `Cloud` for the following commands: `Edit-FalconHorizonAwsAccount`, `Edit-FalconHorizonAzureAccount`, `Edit-FalconHorizonPolicy`, `Edit-FalconHorizonSchedule`, `Get-FalconFimChange`, `Get-FalconHorizonAwsAccount`, `Get-FalconHorizonAwsLink`, `Get-FalconHorizonAzureAccount`, `Get-FalconHorizonAzureCertificate`, `Get-FalconHorizonAzureGroup`, `Get-FalconHorizonIoa`, `Get-FalconHorizonIoaEvent`, `Get-FalconHorizonIoaUser`, `Get-FalconHorizonIom`, `Get-FalconHorizonPolicy`, `Get-FalconHorizonSchedule`, `New-FalconHorizonAwsAccount`, `New-FalconHorizonAzureAccount`, `New-FalconHorizonAzureGroup`, `Receive-FalconHorizonAwsScript`, `Receive-FalconHorizonAzureScript`, `Remove-FalconHorizonAwsAccount`, `Remove-FalconHorizonAzureAccount`, and `Remove-FalconHorizonAzureGroup`. The original command names have been kept as aliases to prevent issues with existing scripts.
- Removed `Compare-FalconPreventionPhase` and accompanying policy json files due to Falcon Prevention Policy UI changes that enabled policy comparison in the Falcon console.

Command Changes
- `Add-FalconSensorTag`
- `Edit-FalconCloudAwsAccount`
  - `Environment`, `DspmEnabled`, `DspmRole` and `TargetOu`.
- `Edit-FalconIoaRule`
  - `/ioarules/entities/rules/v2:patch` endpoint.
- `Edit-FalconMlExclusion`
  - `DescendentProcess`.
- `Edit-FalconSvExclusion`
  - `DescendentProcess`.
- `Edit-FalconReconRule`
  - `BreachMonitorOnly`.
- `Edit-FalconFileVantageRule`
  - `ContentRegistryValues`, `HashCapture` and `RegKeyPermission`.
- `Export-FalconConfig`
- `Get-FalconAlert`
  - `/alerts/queries/alerts/v2:get` endpoint.
  - `IncludeHidden` (used when submitting `Id` values).
- `Get-FalconAsset`
  - `/discover/queries/iot-hosts/v2:get` endpoint with `-IoT`.
  - `-External` switch to search for external assets.
  - `/discover/combined/hosts/v1:get` endpoint when using `-Detailed`.
  - `/discover/combined/applications/v1:get` when using `-Application` and `-Detailed`.
  - `facet` property has been joined together with `Include` for the relevant new `/combined/` API endpoints for consistency with earlier PSFalcon version.
  - `Limit` or `facet` values (as `Include`) are supplied for their respective API endpoint. Tab-completion for `Include` will first offer all available values, and the command will error if one of the supplied values is invalid based on the eventual API endpoint being targeted.
  - `login_event` when used with `-Include` for respective `aid` (when searching for Host) or `account_id` (when searching for Account) values.
- `Get-FalconCloudAwsAccount`
  - `CspmLite`.
  - `IsHorizonAcct` parameter to `IsFcsAccount`. Kept `IsHorizonAcct` as an alias.
- `Get-FalconCloudAzureAccount`
  - `CspmLite`.
  - `IsHorizonAcct` parameter to `IsFcsAccount`. Kept `IsHorizonAcct` as an alias.
- `Get-FalconContainerSensor`
  - `401: Unauthorized` errors when a token is not present.
- `Get-FalconInstaller`
- `Get-FalconIocHost`
  - `/iocs/aggregates/device-count/v1:get` endpoint.
- `Get-FalconReconRule`
  - `SecondarySort`.
- `Get-FalconRole`
  - `Detailed` switch.
- `Get-FalconSensorTag`
- `Get-FalconUninstallToken`
  - `device_id` values together and make requests in appropriately sized groups, instead of individually when using `Include`. This should drastically increase performance when requesting large numbers of `uninstall_token` values with other device properties included.
- `Get-FalconVulnerability`
  - `Limit` to a maximum of 5,000 for `Detailed` requests. If retrieving identifiers only, the command will force `Limit` to a maximum of 400.
- `Invoke-FalconAlertAction`
  - `Action` for performing multiple actions on alerts in a single request. Thanks @datorr2!
- `Invoke-FalconIncidentAction`
  - `Action` for performing multiple actions on incidents in a single request. Thanks @datorr2!
  - `Value` to ensure that it works when using `unassign` with `Name` parameter.
- `Invoke-FalconMobileAction`
  - `/enrollments/entities/details/v4:post` endpoint.
  - `EnrollmentType`.
- `Import-FalconConfig`
  - `rule_group_ids` are being assigned and/or the removal of non-existent values when `FirewallPolicy` items are being created and modified.
  - `FirewallPolicy` settings values to final CSV output.
  - `SensorUpdatePolicy` with unavailable sensor `build` versions. When an invalid build version is found, it is stripped. When a `build` is updated with a matching tagged version, `sensor_version` and `stage` are also updated. These changes also affect `variants` for `LinuxArm64`.
  - `SensorUpdatePolicy` from being evaluated for changes with `ModifyExisting`. Updated final output to properly record changes.
- `Invoke-FalconAlertAction`
  - `IncludeHidden`.
- `Invoke-FalconRtr`
  - prevent results from being lost when hosts that recently went offline (i.e. didn't meet the cutoff for the offline queue) delay the RTR session start long enough for the session itself to die before the eventual command is properly issued. This should help eliminate cases of `Invoke-FalconRtr` "not doing anything" because a host is unable to be added to the session and/or the results aren't returned quickly enough after the session begins.
- `New-FalconCloudGcpAccount`
  - `/cloud-connect-cspm-gcp/entities/account/v2:post` endpoint.
  - `ServiceAccountId`, `ClientId`, `ClientEmail`, `PrivateKey`, `PrivateKeyId`, `ProjectId`, and `ServiceAccountCondition`.
- `New-FalconCloudAwsAccount`
  - `DspmEnabled` and `DspmRole`.
- `New-FalconFileVantageRule`
  - `ContentRegistryValues`, `HashCapture` and `RegKeyPermission`.
- `New-FalconSvExclusion`
  - `IsDescendentProcess`.
- `New-FalconReconRule`
  - `BreachMonitorOnly`.
  - `OriginatingTemplateId`.
- `New-FalconFileVantageRule`
  - `ContentRegistryValues`.
- `Receive-FalconCloudAwsScript`
  - `OrganizationId`, `Template`, `Account`, `AccountType`, `AwsProfile`, `CustomRole`, `BehaviorAssessment`, `SensorManagement`, and `ExistingCloudtrail`.
- `Receive-FalconCloudAzureScript`
  - `AzureManagementGroup`.
- `Receive-FalconInstaller`
- `Register-FalconEventCollector`
- `Remove-FalconContainerImage`
  - `/container-security/entities/base-images/v1:delete` endpoint.
- `Remove-FalconSensorTag`
- `Request-FalconRegistryCredential`
  - `SensorType` and added a prompt if it is not present.
  - `token` or `expires_in` is missing from a token request response.
- `Request-FalconToken`
  - `us-gov-2` as `Cloud` and `Hostname` option.
- `Send-FalconEvent`