-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merge for 2.2.7 release #419
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Added `Command` value for various commands to ensure that their names would show in verbose output during `Invoke-Falcon` requests
Removed mandatory requirement for `SensorType` when using `Request-FalconRegistryCredential` and added a prompt if it is not present. Added additional error messages to notify when `token` or `expires_in` is missing from a `Request-FalconRegistryCredential` token request response. Made various changes to ensure all content was properly cached/retrieved from cache when using `Request-FalconRegistryCredential`. Added check to verify proper credentials have been cached before `Get-FalconContainerSensor` request.
Forced `Invoke-FalconRtr` to refresh the RTR session it's using every 30 seconds by default to help prevent results from being lost when devices that recently went offline (i.e. and thus didn't meet the cutoff for the offline queue, when used) delay the RTR session start long enough for the session itself to die before a command is properly issued.
Changed refresh time of RTR session to 20 seconds to reduce the chance of sessions dying before initialization results are passed back to `Invoke-FalconRtr`
Re-wrote `Get-FalconUninstallToken` to group all `device_id` values together and make requests in appropriately sized groups, instead of individually when using `Include`.
Modified `Get-FalconUninstallToken` to stop attempting token requests on first failure when multiple `device_id` values are supplied.
Issue #310: Added default client timeout of 1 minute to help generate error messages when file downloads do not complete.
Updated `Get-FalconAlert` to use `/alerts/queries/alerts/v2` endpoint
Added `IsDescendentProcess` to `Edit-FalconMlExclusion`
Added `IsDescendentProcess` to `Edit-FalconSvExclusion` and `New-FalconSvExclusion`
Updated `Get-FalconIocHost` to use `/iocs/aggregates/device-count/v1:get` endpoint
Added error message to `Export-FalconConfig` when unable to create an export in the current location
Corrected how QueueOffline was being checked when adding delay
Added `IncludeHidden` to `Get-FalconAlert` when submitting `Id` values
Added `IncludeHidden` to `Invoke-FalconAlertAction`
Added `CspmLite` to `Get-FalconHorizonAwsAccount`
Added `CspmLite` to `Get-FalconHorizonAzureAccount`
Added `Environment` to `Edit-FalconHorizonAwsAccount`
Added `Get-FalconHorizonAzureGroup`
Added `Get-FalconHorizonAzureGroup`
Added `New-FalconHorizonAzureGroup`
Added `New-FalconHorizonAzureGroup`
Issue #380 Updated `Compare-ImportData` function to analyze items by each individual `platform` (or `platform_name`) to resolve bug where `FirewallGroup` items were being ignored Added additional verbose messaging to indicate how items are being compared during import
Added `Sort` values to `Get-FalconFileVantageChange`
Removed commands related to `idp-entities-explorer` endpoins that have been un-published
Updated `New-FalconCloudGcpAccount` to use `/cloud-connect-cspm-gcp/entities/account/v2:post` endpoint
Updated `Edit-FalconCertificateExclusion` and `New-FalconCertificateExclusion` to enforce required properties in `certificate` value. Created private function `Select-CertificateProperty` to support enforcement of required properties.
Added `New-FalconContainerImage` and updated `Remove-FalconContainerImage` to use new endpoint
Removing until future release
Added draft samples for Fal.Con 2024 Lab
Moving Fal.Con samples to dedicated repo
Removed `id` validation due to results in demo environment not matching
Removed `Compare-FalconPreventionPhase` and accompanying policy json files due to Falcon Prevention Policy UI changes that enabled policy comparison in the Falcon console.
Minor reorganization of `Invoke()` to help prevent null errors when requests fail (like when made behind a proxy).
Updated `Import-FalconConfig` to improve output when `FirewallPolicy` is modified
Moved removal of `rule_group_ids` when no `FirewallGroup` ids are present outside of individual `FirewallGroup` check loop during modification of `FirewallPolicy`. Added code in `Compare-Settting` for reviewing `DeviceControlPolicy` settings. `classes` and `custom_notifications` still in progress.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New Commands
cloud-connect-cspm-azure
cloud-connect-cspm-gcp
configuration-assessment
container-security
delivery-settings
exclusions
fem
filevantage
host-migration
intel
loggingapi
plugins
psf-sensors
snapshots
threatgraph
workflows
Issues Resolved
Receive-FalconInstaller
fails due to timeout #310: Added default timeout of one minute for all requests in an effort to help produce error messageswhen a file download does not complete.
Find-FalconHostname
returns maximum of 100 results #369: CorrectedFind-FalconHostname
so it outputs the entire list of results instead of stopping withthe first initial 100.
400: The ids parameter must be present...
error when using Turkish display language #370: Changed all identifier parameter aliases from uppercase to lowercase to resolve matching issueswhen using Turkish as the default display language.
Invoke-FalconDeploy
incorrect execution order when queued #375: Added a second delay forInvoke-FalconDeploy
between commands when using the offline queue toensure that the proper processing order is retained.
Import-FalconConfig
ignoresFirewallGroup
#380: UpdatedCompare-ImportData
function to analyze items by each individualplatform
(orplatform_name
) to resolve bug whereFirewallGroup
items were being ignored.Receive
commands generateindex out of range
errors even when successful #382: Removed output of successfully downloaded file information fromInvoke-Falcon
private functionand relocated within the
Invoke()
class function to preventIndex out of range error
on successful downloadrequests.
Add-SensorTag
andRemove-SensorTag
dont append/remove tags even through reboot #385: Re-wroteAdd-FalconSensorTag
andRemove-FalconSensorTag
commands properly append/remove tagsacross all OSes, and fix issue where tags weren't applied at all.
Id
does not match pattern when usingGet-FalconAsset
#391: Removed pattern validation for theId
parameter forGet-FalconAsset
to prevent errors whenunexpected (but legitimate)
Id
values are provided.Import-FalconConfig
improperly assigns non-existentrule_group_ids
when creatingFilewallPolicy
#393: UpdatedImport-FalconConfig
to properly removerule_group_ids
that aren't tied toFirewallGroup
items that are also created during import.Get-FalconAlert -All -Detailed
returns413 - Request Too Large
#396: Added maximum count of 1000 identifiers when building body content duringGet-FalconAlert
requests.
Invoke-FalconAlertAction
andInvoke-FalconIncidentAction
to allow for multiple actions in one API query #397: AddedAction
parameter to define multiple actions to perform in a single request when usingInvoke-FalconAlertAction
orInvoke-FalconIncidentAction
.New-FalconIoaRule
generates400
error when following wiki example #399: Updated howfield_values
properties are selected to ensure that they're correctly passed as anarray when using
New-FalconIoaRule
.Cid
parameter when usingAdd-FalconRole
#401: AddedConfirm-CidValue
private function to checkCid
input for checksum, remove it when present,and return the
Cid
value in lower case.Get-FalconScanFile
results toInclude
forGet-FalconScan
#411: AddedInclude
with value ofscan_file
toGet-FalconScan
, and addedScanId
toGet-FalconScanFile
to supportInclude
forGet-FalconScan
.Get-FalconScan
andGet-FalconScanFile
limited to 100 results #412: AddedLimit
of500
toGet-FalconScan
andGet-FalconScanFile
to ensure bothlimit
andoffset
are passed during pagination.General Changes
Added a weekly check of the PSGallery for PSFalcon module updates if the PSFalcon module was originally
installed via the PSGallery. Update status is kept in a file called
update_check.json
in the base PSFalconmodule folder. If the connection to the PSGallery fails, the update check is disabled. Deleting
update_check.json
will re-attempt connection the next time the module is loaded.
Updated internal
Build-Query
function to automatically URL encode provided values during submission insteadof only previously encoding
+
.Updated internal
Log()
method for[ApiClient]
to support Falcon NGSIEM and CrowdStrike Parsing Standard.Added
UserAgent
value to[ApiClient]
object for use withLog()
method.Updated
Request-FalconToken
andShow-FalconModule
to use newUserAgent
value under[ApiClient]
.Removed filtering for unique values when supplying an array of identifiers to a command. This was originally
added to prevent problems related to an array containing the same identifier twice, but it adds a lot of
processing time when a large list of identifiers is provided. PSFalcon will now pass all given identifiers on
to the relevant API, meaning that new error messages might appear if a user is not properly error checking
their scripts and filtering out duplicate identifier values.
Added
Test-ActionParameter
private function to support newAction
parameter forInvoke-FalconAlertAction
and
Invoke-FalconIncidentAction
.Added
Select-CertificateProperty
private function to support the newEdit-FalconCertificateExclusion
andNew-FalconCertificateExclusion
commands.Corrected verbose output for various commands to ensure that the relevant command name was displayed when
Invoke-Falcon
makes a request to the target API.Re-wrote the internal function
Confirm-Parameter
to reduce necessary parameters when calling the function.Added internal
Remove-EmptyValue
function to strip empty values before submission when necessary.Corrected bug found when implementing new v2 endpoint for
Get-FalconAsset -IoT
whereafter
would notbe added properly when paginating without another criteria (i.e.
filter
,sort
, etc.) using-All
.Compressed
SensorTag
commands into a reusable function to de-duplicate code.Renamed the
Array
parameter toInputObject
to better match PowerShell style for the following commands:Edit-FalconDeviceControlPolicy
,Edit-FalconFirewallPolicy
,Edit-FalconIoc
,Edit-FalconPreventionPolicy
,Edit-FalconReconNotification
,Edit-FalconReconRule
,Edit-FalconResponsePolicy
,Edit-FalconSensorUpdatePolicy
,Find-FalconHostname
,New-FalconDeviceControlPolicy
,New-FalconFirewallPolicy
,New-FalconHostGroup
,New-FalconIoc
,New-FalconPreventionPolicy
,New-FalconReconRule
,New-FalconResponsePolicy
, andNew-FalconSensorUpdatePolicy
.Array
has been kept as an alias to prevent issues with existing scripts.Changed the prefix from
Horizon
toCloud
for the following commands:Edit-FalconHorizonAwsAccount
,Edit-FalconHorizonAzureAccount
,Edit-FalconHorizonPolicy
,Edit-FalconHorizonSchedule
,Get-FalconFimChange
,Get-FalconHorizonAwsAccount
,Get-FalconHorizonAwsLink
,Get-FalconHorizonAzureAccount
,Get-FalconHorizonAzureCertificate
,Get-FalconHorizonAzureGroup
,Get-FalconHorizonIoa
,Get-FalconHorizonIoaEvent
,Get-FalconHorizonIoaUser
,Get-FalconHorizonIom
,Get-FalconHorizonPolicy
,Get-FalconHorizonSchedule
,New-FalconHorizonAwsAccount
,New-FalconHorizonAzureAccount
,New-FalconHorizonAzureGroup
,Receive-FalconHorizonAwsScript
,Receive-FalconHorizonAzureScript
,Remove-FalconHorizonAwsAccount
,Remove-FalconHorizonAzureAccount
, andRemove-FalconHorizonAzureGroup
.The original command names have been kept as aliases to prevent issues with existing scripts.
Removed
Compare-FalconPreventionPhase
and accompanying policy json files due to Falcon Prevention Policy UIchanges that enabled policy comparison in the Falcon console.
Command Changes
Add-FalconSensorTag
Edit-FalconCloudAwsAccount
Environment
,DspmEnabled
,DspmRole
andTargetOu
.Edit-FalconIoaRule
/ioarules/entities/rules/v2:patch
endpoint.Edit-FalconMlExclusion
DescendentProcess
.Edit-FalconSvExclusion
DescendentProcess
.Edit-FalconReconRule
BreachMonitorOnly
.Edit-FalconFileVantageRule
ContentRegistryValues
,HashCapture
andRegKeyPermission
.Export-FalconConfig
Get-FalconAlert
/alerts/queries/alerts/v2:get
endpoint.IncludeHidden
(used when submittingId
values).Get-FalconAsset
/discover/queries/iot-hosts/v2:get
endpoint with-IoT
.-External
switch to search for external assets./discover/combined/hosts/v1:get
endpoint when using-Detailed
./discover/combined/applications/v1:get
when using-Application
and-Detailed
.facet
property has been joined together withInclude
for the relevant new/combined/
APIendpoints for consistency with earlier PSFalcon version.
Limit
orfacet
values (asInclude
) are supplied for theirrespective API endpoint. Tab-completion for
Include
will first offer all available values, and thecommand will error if one of the supplied values is invalid based on the eventual API endpoint
being targeted.
login_event
when used with-Include
for respectiveaid
(whensearching for Host) or
account_id
(when searching for Account) values.Get-FalconCloudAwsAccount
CspmLite
.IsHorizonAcct
parameter toIsFcsAccount
. KeptIsHorizonAcct
as an alias.Get-FalconCloudAzureAccount
CspmLite
.IsHorizonAcct
parameter toIsFcsAccount
. KeptIsHorizonAcct
as an alias.Get-FalconContainerSensor
401: Unauthorized
errors when a token is notpresent.
Get-FalconInstaller
Get-FalconIocHost
/iocs/aggregates/device-count/v1:get
endpoint.Get-FalconReconRule
SecondarySort
.Get-FalconRole
Detailed
switch.Get-FalconSensorTag
Get-FalconUninstallToken
device_id
values together and make requests in appropriately sized groups,instead of individually when using
Include
. This should drastically increase performance when requestinglarge numbers of
uninstall_token
values with other device properties included.Get-FalconVulnerability
Limit
to a maximum of 5,000 forDetailed
requests. If retrieving identifiers only, the commandwill force
Limit
to a maximum of 400.Invoke-FalconAlertAction
Action
for performing multiple actions on alerts in a single request. Thanks @datorr2!Invoke-FalconIncidentAction
Action
for performing multiple actions on incidents in a single request. Thanks @datorr2!Value
to ensure that it works when usingunassign
withName
parameter.Invoke-FalconMobileAction
/enrollments/entities/details/v4:post
endpoint.EnrollmentType
.Import-FalconConfig
rule_group_ids
are being assigned and/or the removal ofnon-existent values when
FirewallPolicy
items are being created and modified.FirewallPolicy
settings values to final CSV output.SensorUpdatePolicy
with unavailable sensorbuild
versions. Whenan invalid build version is found, it is stripped. When a
build
is updated with a matching tagged version,sensor_version
andstage
are also updated. These changes also affectvariants
forLinuxArm64
.SensorUpdatePolicy
from being evaluated for changes withModifyExisting
. Updatedfinal output to properly record changes.
Invoke-FalconAlertAction
IncludeHidden
.Invoke-FalconRtr
prevent results from being lost when hosts that recently went offline (i.e. didn't meet the cutoff for
the offline queue) delay the RTR session start long enough for the session itself to die before the eventual
command is properly issued. This should help eliminate cases of
Invoke-FalconRtr
"not doing anything"because a host is unable to be added to the session and/or the results aren't returned quickly enough after
the session begins.
New-FalconCloudGcpAccount
/cloud-connect-cspm-gcp/entities/account/v2:post
endpoint.ServiceAccountId
,ClientId
,ClientEmail
,PrivateKey
,PrivateKeyId
,ProjectId
, andServiceAccountCondition
.New-FalconCloudAwsAccount
DspmEnabled
andDspmRole
.New-FalconFileVantageRule
ContentRegistryValues
,HashCapture
andRegKeyPermission
.New-FalconSvExclusion
IsDescendentProcess
.New-FalconReconRule
BreachMonitorOnly
.OriginatingTemplateId
.New-FalconFileVantageRule
ContentRegistryValues
.Receive-FalconCloudAwsScript
OrganizationId
,Template
,Account
,AccountType
,AwsProfile
,CustomRole
,BehaviorAssessment
,SensorManagement
, andExistingCloudtrail
.Receive-FalconCloudAzureScript
AzureManagementGroup
.Receive-FalconInstaller
Register-FalconEventCollector
Remove-FalconContainerImage
/container-security/entities/base-images/v1:delete
endpoint.Remove-FalconSensorTag
Request-FalconRegistryCredential
SensorType
and added a prompt if it is not present.token
orexpires_in
is missing from a token request response.Request-FalconToken
us-gov-2
asCloud
andHostname
option.Send-FalconEvent