Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge for 2.2.7 release #419

Merged
merged 308 commits into from
Sep 3, 2024
Merged

Merge for 2.2.7 release #419

merged 308 commits into from
Sep 3, 2024

Conversation

bk-cs
Copy link
Collaborator

@bk-cs bk-cs commented Sep 3, 2024

New Commands

cloud-connect-cspm-azure

  • Get-FalconCloudAzureGroup
  • New-FalconCloudAzureGroup
  • Remove-FalconCloudAzureGroup

cloud-connect-cspm-gcp

  • Get-FalconCloudGcpAccount
  • Get-FalconCloudGcpServiceAccount
  • Invoke-FalconCloudGcpHealthCheck
  • Receive-FalconCloudGcpScript
  • Remove-FalconCloudGcpAccount

configuration-assessment

  • Get-FalconConfigAssessmentRule

container-security

  • Edit-FalconContainerPolicy
  • Edit-FalconContainerPolicyGroup
  • Get-FalconContainer
  • Get-FalconContainerAlert
  • Get-FalconContainerAssessment
  • Get-FalconContainerCluster
  • Get-FalconContainerDetection
  • Get-FalconContainerCount
  • Get-FalconContainerDriftIndicator
  • Get-FalconContainerImage
  • Get-FalconContainerIom
  • Get-FalconContainerNode
  • Get-FalconContainerPackage
  • Get-FalconContainerPod
  • Get-FalconContainerPolicy
  • Get-FalconContainerPolicyExclusion
  • Get-FalconContainerPolicyGroup
  • Get-FalconContainerVulnerability
  • New-FalconContainerImage
  • New-FalconContainerPolicy
  • New-FalconContainerPolicyExclusion
  • New-FalconContainerPolicyGroup
  • Remove-FalconContainerPolicy
  • Remove-FalconContainerPolicyGroup
  • Set-FalconContainerPolicyPrecedence

delivery-settings

  • Get-FalconChannelControl
  • Set-FalconChannelControl

exclusions

  • Edit-FalconCertificateExclusion
  • Get-FalconCertificate
  • Get-FalconCertificateExclusion
  • New-FalconCertificateExclusion
  • Remove-FalconCertificateExclusion

fem

  • Edit-FalconAsset

filevantage

  • Get-FalconFileVantageAction
  • Get-FalconFileVantageContent
  • Invoke-FalconFileVantageAction
  • Invoke-FalconFileVantageWorkflow

host-migration

  • Get-FalconMigration
  • Get-FalconMigrationCid
  • Get-FalconMigrationHost
  • Invoke-FalconMigrationAction
  • New-FalconMigration
  • Start-FalconMigration
  • Stop-FalconMigration
  • Remove-FalconMigration
  • Rename-FalconMigration

intel

  • Get-FalconMalwareFamily

loggingapi

  • Get-FalconFoundryRepository
  • Get-FalconFoundrySearch
  • Get-FalconFoundryView

plugins

  • Get-FalconWorkflowIntegration

psf-sensors

  • Set-FalconSensorTag (Thanks @LyleWB)

snapshots

  • Get-FalconSnapshot
  • Get-FalconSnapshotScan
  • New-FalconSnapshotScan

threatgraph

  • Get-FalconThreatGraphIndicator
  • Get-FalconThreatGraphVertex
  • Get-FalconThreatGraphEdge

workflows

  • Export-FalconWorkflow
  • Get-FalconWorkflow
  • Get-FalconWorkflowAction
  • Get-FalconWorkflowInput
  • Get-FalconWorkflowTrigger
  • Import-FalconWorkflow
  • Invoke-FalconWorkflow
  • Redo-FalconWorkflow

Issues Resolved

General Changes

  • Added a weekly check of the PSGallery for PSFalcon module updates if the PSFalcon module was originally
    installed via the PSGallery. Update status is kept in a file called update_check.json in the base PSFalcon
    module folder. If the connection to the PSGallery fails, the update check is disabled. Deleting update_check.json
    will re-attempt connection the next time the module is loaded.

  • Updated internal Build-Query function to automatically URL encode provided values during submission instead
    of only previously encoding +.

  • Updated internal Log() method for [ApiClient] to support Falcon NGSIEM and CrowdStrike Parsing Standard.

  • Added UserAgent value to [ApiClient] object for use with Log() method.

  • Updated Request-FalconToken and Show-FalconModule to use new UserAgent value under [ApiClient].

  • Removed filtering for unique values when supplying an array of identifiers to a command. This was originally
    added to prevent problems related to an array containing the same identifier twice, but it adds a lot of
    processing time when a large list of identifiers is provided. PSFalcon will now pass all given identifiers on
    to the relevant API, meaning that new error messages might appear if a user is not properly error checking
    their scripts and filtering out duplicate identifier values.

  • Added Test-ActionParameter private function to support new Action parameter for Invoke-FalconAlertAction
    and Invoke-FalconIncidentAction.

  • Added Select-CertificateProperty private function to support the new Edit-FalconCertificateExclusion and
    New-FalconCertificateExclusion commands.

  • Corrected verbose output for various commands to ensure that the relevant command name was displayed when
    Invoke-Falcon makes a request to the target API.

  • Re-wrote the internal function Confirm-Parameter to reduce necessary parameters when calling the function.

  • Added internal Remove-EmptyValue function to strip empty values before submission when necessary.

  • Corrected bug found when implementing new v2 endpoint for Get-FalconAsset -IoT where after would not
    be added properly when paginating without another criteria (i.e. filter, sort, etc.) using -All.

  • Compressed SensorTag commands into a reusable function to de-duplicate code.

  • Renamed the Array parameter to InputObject to better match PowerShell style for the following commands:
    Edit-FalconDeviceControlPolicy, Edit-FalconFirewallPolicy, Edit-FalconIoc, Edit-FalconPreventionPolicy,
    Edit-FalconReconNotification, Edit-FalconReconRule, Edit-FalconResponsePolicy,
    Edit-FalconSensorUpdatePolicy, Find-FalconHostname, New-FalconDeviceControlPolicy,
    New-FalconFirewallPolicy, New-FalconHostGroup, New-FalconIoc, New-FalconPreventionPolicy,
    New-FalconReconRule, New-FalconResponsePolicy, and New-FalconSensorUpdatePolicy.

    Array has been kept as an alias to prevent issues with existing scripts.

  • Changed the prefix from Horizon to Cloud for the following commands:
    Edit-FalconHorizonAwsAccount, Edit-FalconHorizonAzureAccount, Edit-FalconHorizonPolicy,
    Edit-FalconHorizonSchedule, Get-FalconFimChange, Get-FalconHorizonAwsAccount, Get-FalconHorizonAwsLink,
    Get-FalconHorizonAzureAccount, Get-FalconHorizonAzureCertificate, Get-FalconHorizonAzureGroup,
    Get-FalconHorizonIoa, Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser, Get-FalconHorizonIom,
    Get-FalconHorizonPolicy, Get-FalconHorizonSchedule, New-FalconHorizonAwsAccount,
    New-FalconHorizonAzureAccount, New-FalconHorizonAzureGroup, Receive-FalconHorizonAwsScript,
    Receive-FalconHorizonAzureScript, Remove-FalconHorizonAwsAccount, Remove-FalconHorizonAzureAccount, and
    Remove-FalconHorizonAzureGroup.

    The original command names have been kept as aliases to prevent issues with existing scripts.

  • Removed Compare-FalconPreventionPhase and accompanying policy json files due to Falcon Prevention Policy UI
    changes that enabled policy comparison in the Falcon console.

Command Changes

Add-FalconSensorTag

  • Re-written to properly evaluate add tags across all OSes.
  • Added support for passing uninstallation token when adding tags on MacOS (and presumably Linux in the future).
  • Added properties to output to increase transparency in the use of RTR and the status of tag additions.

Edit-FalconCloudAwsAccount

  • Added Environment, DspmEnabled, DspmRole and TargetOu.

Edit-FalconIoaRule

  • Updated to use /ioarules/entities/rules/v2:patch endpoint.

Edit-FalconMlExclusion

  • Added DescendentProcess.

Edit-FalconSvExclusion

  • Added DescendentProcess.

Edit-FalconReconRule

  • Added BreachMonitorOnly.

Edit-FalconFileVantageRule

  • Added ContentRegistryValues, HashCapture and RegKeyPermission.

Export-FalconConfig

  • Added error message when unable to create export in current directory.

Get-FalconAlert

  • Updated to use /alerts/queries/alerts/v2:get endpoint.
  • Added IncludeHidden (used when submitting Id values).

Get-FalconAsset

  • Updated to use new /discover/queries/iot-hosts/v2:get endpoint with -IoT.
  • Added -External switch to search for external assets.
  • Updated to use new /discover/combined/hosts/v1:get endpoint when using -Detailed.
  • Updated to use new /discover/combined/applications/v1:get when using -Application and -Detailed.
  • The facet property has been joined together with Include for the relevant new /combined/ API
    endpoints for consistency with earlier PSFalcon version.
  • Added error messages when invalid Limit or facet values (as Include) are supplied for their
    respective API endpoint. Tab-completion for Include will first offer all available values, and the
    command will error if one of the supplied values is invalid based on the eventual API endpoint
    being targeted.
  • Updated code to properly append login_event when used with -Include for respective aid (when
    searching for Host) or account_id (when searching for Account) values.

Get-FalconCloudAwsAccount

  • Added CspmLite.
  • Renamed IsHorizonAcct parameter to IsFcsAccount. Kept IsHorizonAcct as an alias.

Get-FalconCloudAzureAccount

  • Added CspmLite.
  • Renamed IsHorizonAcct parameter to IsFcsAccount. Kept IsHorizonAcct as an alias.

Get-FalconContainerSensor

  • Added check to verify proper credentials are available to avoid 401: Unauthorized errors when a token is not
    present.

Get-FalconInstaller

  • Updated to use new v2 endpoints.

Get-FalconIocHost

  • Updated to use /iocs/aggregates/device-count/v1:get endpoint.

Get-FalconReconRule

  • Added SecondarySort.

Get-FalconRole

  • Added Detailed switch.

Get-FalconSensorTag

  • Re-written to pull tags directly from devices API instead of using RTR on Linux and Mac.

Get-FalconUninstallToken

  • Re-wrote command to group all device_id values together and make requests in appropriately sized groups,
    instead of individually when using Include. This should drastically increase performance when requesting
    large numbers of uninstall_token values with other device properties included.

Get-FalconVulnerability

  • Updated Limit to a maximum of 5,000 for Detailed requests. If retrieving identifiers only, the command
    will force Limit to a maximum of 400.

Invoke-FalconAlertAction

  • Added Action for performing multiple actions on alerts in a single request. Thanks @datorr2!

Invoke-FalconIncidentAction

  • Added Action for performing multiple actions on incidents in a single request. Thanks @datorr2!
  • Removed mandatory attribute from Value to ensure that it works when using unassign with Name parameter.

Invoke-FalconMobileAction

  • Updated to use /enrollments/entities/details/v4:post endpoint.
  • Added EnrollmentType.

Import-FalconConfig

  • Added additional verbose output during analysis of items to import to help with future troubleshooting.
  • Added additional verbose output to show when rule_group_ids are being assigned and/or the removal of
    non-existent values when FirewallPolicy items are being created and modified.
  • Added FirewallPolicy settings values to final CSV output.
  • Added various improvements for handling SensorUpdatePolicy with unavailable sensor build versions. When
    an invalid build version is found, it is stripped. When a build is updated with a matching tagged version,
    sensor_version and stage are also updated. These changes also affect variants for LinuxArm64.
  • Fixed issues preventing SensorUpdatePolicy from being evaluated for changes with ModifyExisting. Updated
    final output to properly record changes.
  • Various improvements related to policy analysis and changes for policy settings.

Invoke-FalconAlertAction

  • Added IncludeHidden.

Invoke-FalconRtr

  • Forced the private function that is keeping the the RTR session alive every 30 seconds by default to help
    prevent results from being lost when hosts that recently went offline (i.e. didn't meet the cutoff for
    the offline queue) delay the RTR session start long enough for the session itself to die before the eventual
    command is properly issued. This should help eliminate cases of Invoke-FalconRtr "not doing anything"
    because a host is unable to be added to the session and/or the results aren't returned quickly enough after
    the session begins.

New-FalconCloudGcpAccount

  • Updated to use new /cloud-connect-cspm-gcp/entities/account/v2:post endpoint.
  • Added ServiceAccountId, ClientId, ClientEmail, PrivateKey, PrivateKeyId, ProjectId, and
    ServiceAccountCondition.

New-FalconCloudAwsAccount

  • Added DspmEnabled and DspmRole.

New-FalconFileVantageRule

  • Added ContentRegistryValues, HashCapture and RegKeyPermission.

New-FalconSvExclusion

  • Added IsDescendentProcess.

New-FalconReconRule

  • Added BreachMonitorOnly.
  • Added OriginatingTemplateId.

New-FalconFileVantageRule

  • Added ContentRegistryValues.

Receive-FalconCloudAwsScript

  • Added OrganizationId, Template, Account, AccountType,AwsProfile, CustomRole, BehaviorAssessment,
    SensorManagement, and ExistingCloudtrail.

Receive-FalconCloudAzureScript

  • Added AzureManagementGroup.

Receive-FalconInstaller

  • Updated to use new v2 endpoint.

Register-FalconEventCollector

  • Updated to support Falcon NGSIEM HTTP Event Collector ingestion.

Remove-FalconContainerImage

  • Updated to use new /container-security/entities/base-images/v1:delete endpoint.

Remove-FalconSensorTag

  • Re-written to properly evaluate and remove specific tags across all OSes.
  • Added support for passing uninstallation token when removing tags on MacOS (and presumably Linux in the future).
  • Added properties to output to increase transparency in the use of RTR and the status of tag removal.

Request-FalconRegistryCredential

  • Removed mandatory requirement for SensorType and added a prompt if it is not present.
  • Added additional error messages to notify when token or expires_in is missing from a token request response.
  • Made various changes to ensure all token-related content was properly cached/retrieved from cache.

Request-FalconToken

  • Added us-gov-2 as Cloud and Hostname option.

Send-FalconEvent

  • Updated to support Falcon NGSIEM HTTP Event Collector ingestion.

bk-cs added 30 commits December 6, 2023 12:42
Added `Command` value for various commands to ensure that their names would show in verbose output during `Invoke-Falcon` requests
Removed mandatory requirement for `SensorType` when using `Request-FalconRegistryCredential` and added a prompt if it is not present.

Added additional error messages to notify when `token` or `expires_in` is missing from a `Request-FalconRegistryCredential` token request response.

Made various changes to ensure all content was properly cached/retrieved from cache when using `Request-FalconRegistryCredential`.

Added check to verify proper credentials have been cached before `Get-FalconContainerSensor` request.
Forced `Invoke-FalconRtr` to refresh the RTR session it's using every 30 seconds by default to help prevent results from being lost when devices that recently went offline (i.e. and thus didn't meet the cutoff for the offline queue, when used) delay the RTR session start long enough for the session itself to die before a command is properly issued.
Changed refresh time of RTR session to 20 seconds to reduce the chance of sessions dying before initialization results are passed back to `Invoke-FalconRtr`
Re-wrote `Get-FalconUninstallToken` to group all `device_id` values together and make requests in appropriately sized groups, instead of individually when using `Include`.
Modified `Get-FalconUninstallToken` to stop attempting token requests on first failure when multiple `device_id` values are supplied.
Issue #310: Added default client timeout of 1 minute to help generate error messages when file downloads do not complete.
Updated `Get-FalconAlert` to use `/alerts/queries/alerts/v2` endpoint
Added `IsDescendentProcess` to `Edit-FalconMlExclusion`
Added `IsDescendentProcess` to `Edit-FalconSvExclusion` and `New-FalconSvExclusion`
Updated `Get-FalconIocHost` to use `/iocs/aggregates/device-count/v1:get` endpoint
Added error message to `Export-FalconConfig` when unable to create an export in the current location
Issue #375: Added a second delay for `Invoke-FalconDeploy` between commands when using the offline queue to ensure that the proper processing order is retained
Corrected how QueueOffline was being checked when adding delay
Added `IncludeHidden` to `Get-FalconAlert` when submitting `Id` values
Added `IncludeHidden` to `Invoke-FalconAlertAction`
Added `CspmLite` to `Get-FalconHorizonAwsAccount`
Added `CspmLite` to `Get-FalconHorizonAzureAccount`
Added `Environment` to `Edit-FalconHorizonAwsAccount`
Added `Get-FalconHorizonAzureGroup`
Added `Get-FalconHorizonAzureGroup`
Added  `New-FalconHorizonAzureGroup`
Added `New-FalconHorizonAzureGroup`
Issue #380

Updated `Compare-ImportData` function to analyze items by each individual `platform` (or `platform_name`) to resolve bug where `FirewallGroup` items were being ignored

Added additional verbose messaging to indicate how items are being compared during import
Added `Sort` values to `Get-FalconFileVantageChange`
bk-cs added 25 commits August 7, 2024 13:28
Removed commands related to `idp-entities-explorer` endpoins that have been un-published
Updated `New-FalconCloudGcpAccount` to use `/cloud-connect-cspm-gcp/entities/account/v2:post` endpoint
Updated `Edit-FalconCertificateExclusion` and `New-FalconCertificateExclusion` to enforce required properties in `certificate` value.

Created private function `Select-CertificateProperty` to support enforcement of required properties.
Added `New-FalconContainerImage` and updated `Remove-FalconContainerImage` to use new endpoint
Removing until future release
Added draft samples for Fal.Con 2024 Lab
Moving Fal.Con samples to dedicated repo
Removed `id` validation due to results in demo environment not matching
Removed `Compare-FalconPreventionPhase` and accompanying policy json files due to Falcon Prevention Policy UI changes that enabled policy comparison in the Falcon console.
Minor reorganization of `Invoke()` to help prevent null errors when requests fail (like when made behind a proxy).
Updated `Import-FalconConfig` to improve output when `FirewallPolicy` is modified
Moved removal of `rule_group_ids` when no `FirewallGroup` ids are present outside of individual `FirewallGroup` check loop during modification of `FirewallPolicy`.

Added code in `Compare-Settting` for reviewing `DeviceControlPolicy` settings. `classes` and `custom_notifications` still in progress.
@bk-cs bk-cs self-assigned this Sep 3, 2024
@bk-cs bk-cs merged commit c87f096 into master Sep 3, 2024
@bk-cs bk-cs deleted the dev branch September 3, 2024 19:43
@bk-cs bk-cs restored the dev branch September 5, 2024 18:50
@bk-cs bk-cs deleted the dev branch September 5, 2024 18:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants