Recent Releases of psfalcon

psfalcon - 2.2.8

Removed Commands

ioa

  • Get-FalconCloudIoaEvent
  • Get-FalconCloudIoaUser

New Commands

billing-dashboards-usage

  • Get-FalconHostAverage

device-content

  • Get-FalconContentState

identity-protection

  • Get-FalconIdentityRule
  • New-FalconIdentityRule
  • Remove-FalconIdentityRule

policy-content-update

  • Edit-FalconContentPolicy
  • Get-FalconContentPolicy
  • Get-FalconContentPolicyMember
  • Invoke-FalconContentPolicyAction
  • New-FalconContentPolicy
  • Remove-FalconContentPolicy
  • Set-FalconContentPrecedence

quickscanpro

  • Remove-FalconQuickScan
  • Remove-FalconQuickScanFile
  • Send-FalconQuickScanFile

snapshots

  • Get-FalconSnapshotCredential
  • New-FalconSnapshotAwsAccount

Issues Resolved

  • Issue #421: Updated internal function to evaluate FalconSensorTags and re-wrote scripts for FalconSensorTag manipulation through Real-time Response to fix the inability to add/remove FalconSensorTags on Linux. This also fixed the same issue that was impacting MacOS hosts.
  • Issue #424: Increased [System.Net.Http.HttpClient] default timeout to 5 minutes from 1 minute. Updated Invoke-FalconAdminCommand, Invoke-FalconCommand, and Invoke-FalconResponderCommand to only attempt to append batch_id to results that have a session_id.
  • Issue #426: Updated Uninstall-FalconSensor to properly select bash uninstall script when targeting Linux hosts.
  • Issue #427: Added tar to valid Command list for Invoke-FalconAdminCommand and Invoke-FalconResponderCommand and corrected Invoke-FalconAdminCommand to properly include the Command value update query.
  • Issue #433: Modified Edit-FalconFirewallGroup to ensure that null values for rule_ids and rule_versions are converted into empty arrays, and that single values are forced into arrays.
  • Issue #435: Updated uninstall_sensor.sh script to incorporate the use of systemd to uninstall falcon-sensor on Linux hosts utilizing some additional code from an existing uninstaller script. Thanks @carlosmmatos and @cs-APreston-ghAccount!

General Changes

  • Fixed some error message output for Request-FalconToken and Test-FalconToken.

Command Changes

ConvertTo-FalconFirewallRule

  • Added protocol as a required field for the Map table and rule creation.

Edit-FalconReconRule

  • Added MatchOnTsqResultType.

Export-FalconConfig

  • Added ContentPolicy as a value for Select parameter.

Get-FalconChannelControl

  • Renamed to Get-FalconContentControl. Get-FalconChannelControl has been kept as an alias.

Get-FalconHost

  • Added content_state as an Include value.

Get-FalconIoaExclusion

  • Added ClRegex and IfnRegex.

Get-FalconQuickScan

  • Updated to use new QuickScan Pro API.

Get-FalconVulnerability

  • Updated to set Limit to 400 when using All without Detailed, to prevent the error "5000 is an invalid page size, must be between 1 and 400".

Import-FalconConfig

  • Added support for Content Update policies.
  • Added ContentPolicy as a value for ModifyExisting and ModifyDefault parameters.

Invoke-FalconAdminCommand

  • Added tar as a valid Command value.

Invoke-FalconResponderCommand

  • Added tar as a valid Command value.
  • Added update query as a valid Command which was mistakenly removed in a previous release.

New-FalconCompleteCase

  • Added MalwareSubmissionId and ReconRuleType.

New-FalconQuickScan

  • Updated to use new QuickScan Pro API, which is replacing the regular QuickScan API.

New-FalconReconRule

  • Added MatchOnTsqResultType.

Receive-FalconCloudAwsScript

  • Added DspmEnabled, DspmRegion, and DspmRole.

Receive-FalconScheduledReport

  • Updated to use a combination of the last_execution.id and report_params.format fields to define a filename if Path is left undefined and is being passed a report via pipeline. This will ensure that "scheduled reports" (i.e. vulnerability reports) are successfully downloaded without providing a Path.

Set-FalconChannelControl

  • Renamed to Set-FalconContentControl. Set-FalconChannelControl has been kept as an alias.

- PowerShell
Published by bk-cs over 1 year ago

psfalcon - 2.2.7

New Commands

cloud-connect-cspm-azure

  • Get-FalconCloudAzureGroup
  • New-FalconCloudAzureGroup
  • Remove-FalconCloudAzureGroup

cloud-connect-cspm-gcp

  • Get-FalconCloudGcpAccount
  • Get-FalconCloudGcpServiceAccount
  • Invoke-FalconCloudGcpHealthCheck
  • Receive-FalconCloudGcpScript
  • Remove-FalconCloudGcpAccount

configuration-assessment

  • Get-FalconConfigAssessmentRule

container-security

  • Edit-FalconContainerPolicy
  • Edit-FalconContainerPolicyGroup
  • Get-FalconContainer
  • Get-FalconContainerAlert
  • Get-FalconContainerAssessment
  • Get-FalconContainerCluster
  • Get-FalconContainerDetection
  • Get-FalconContainerCount
  • Get-FalconContainerDriftIndicator
  • Get-FalconContainerImage
  • Get-FalconContainerIom
  • Get-FalconContainerNode
  • Get-FalconContainerPackage
  • Get-FalconContainerPod
  • Get-FalconContainerPolicy
  • Get-FalconContainerPolicyExclusion
  • Get-FalconContainerPolicyGroup
  • Get-FalconContainerVulnerability
  • New-FalconContainerImage
  • New-FalconContainerPolicy
  • New-FalconContainerPolicyExclusion
  • New-FalconContainerPolicyGroup
  • Remove-FalconContainerPolicy
  • Remove-FalconContainerPolicyGroup
  • Set-FalconContainerPolicyPrecedence

delivery-settings

  • Get-FalconChannelControl
  • Set-FalconChannelControl

exclusions

  • Edit-FalconCertificateExclusion
  • Get-FalconCertificate
  • Get-FalconCertificateExclusion
  • New-FalconCertificateExclusion
  • Remove-FalconCertificateExclusion

fem

  • Edit-FalconAsset

filevantage

  • Get-FalconFileVantageAction
  • Get-FalconFileVantageContent
  • Invoke-FalconFileVantageAction
  • Invoke-FalconFileVantageWorkflow

host-migration

  • Get-FalconMigration
  • Get-FalconMigrationCid
  • Get-FalconMigrationHost
  • Invoke-FalconMigrationAction
  • New-FalconMigration
  • Start-FalconMigration
  • Stop-FalconMigration
  • Remove-FalconMigration
  • Rename-FalconMigration

intel

  • Get-FalconMalwareFamily

loggingapi

  • Get-FalconFoundryRepository
  • Get-FalconFoundrySearch
  • Get-FalconFoundryView

plugins

  • Get-FalconWorkflowIntegration

psf-sensors

  • Set-FalconSensorTag (Thanks @LyleWB)

snapshots

  • Get-FalconSnapshot
  • Get-FalconSnapshotScan
  • New-FalconSnapshotScan

threatgraph

  • Get-FalconThreatGraphIndicator
  • Get-FalconThreatGraphVertex
  • Get-FalconThreatGraphEdge

workflows

  • Export-FalconWorkflow
  • Get-FalconWorkflow
  • Get-FalconWorkflowAction
  • Get-FalconWorkflowInput
  • Get-FalconWorkflowTrigger
  • Import-FalconWorkflow
  • Invoke-FalconWorkflow
  • Redo-FalconWorkflow

Issues Resolved

  • Issue #310: Added default timeout of one minute for all requests in an effort to help produce error messages when a file download does not complete.
  • Issue #369: Corrected Find-FalconHostname so it outputs the entire list of results instead of stopping with the first initial 100.
  • Issue #370: Changed all identifier parameter aliases from uppercase to lowercase to resolve matching issues when using Turkish as the default display language.
  • Issue #375: Added a second delay for Invoke-FalconDeploy between commands when using the offline queue to ensure that the proper processing order is retained.
  • Issue #380: Updated Compare-ImportData function to analyze items by each individual platform (or platform_name) to resolve bug where FirewallGroup items were being ignored.
  • Issue #382: Removed output of successfully downloaded file information from Invoke-Falcon private function and relocated within the Invoke() class function to prevent Index out of range error on successful download requests.
  • Issue #385: Re-wrote Add-FalconSensorTag and Remove-FalconSensorTag so the commands properly append/remove tags across all OSes, and fixed an issue where tags weren't applied at all.
  • Issue #391: Removed pattern validation for the Id parameter for Get-FalconAsset to prevent errors when unexpected (but legitimate) Id values are provided.
  • Issue #393: Updated Import-FalconConfig to properly remove rule_group_ids that aren't tied to FirewallGroup items that are also created during import.
  • Issue #396: Added maximum count of 1000 identifiers when building body content during Get-FalconAlert requests.
  • Issue #397: Added Action parameter to define multiple actions to perform in a single request when using Invoke-FalconAlertAction or Invoke-FalconIncidentAction.
  • Issue #399: Updated how field_values properties are selected to ensure that they're correctly passed as an array when using New-FalconIoaRule.
  • Issue #401: Added Confirm-CidValue private function to check Cid input for checksum, remove it when present, and return the Cid value in lower case.
  • Issue #411: Added Include with value of scan_file to Get-FalconScan, and added ScanId to Get-FalconScanFile to support Include for Get-FalconScan.
  • Issue #412: Added Limit of 500 to Get-FalconScan and Get-FalconScanFile to ensure both limit and offset are passed during pagination.

General Changes

  • Added a weekly check of the PSGallery for PSFalcon module updates if the PSFalcon module was originally installed via the PSGallery. Update status is kept in a file called update_check.json in the base PSFalcon module folder. If the connection to the PSGallery fails, the update check is disabled. Deleting update_check.json will re-attempt connection the next time the module is loaded.
  • Updated internal Build-Query function to automatically URL encode provided values during submission instead of only previously encoding +.
  • Updated internal Log() method for [ApiClient] to support Falcon NGSIEM and CrowdStrike Parsing Standard.
  • Added UserAgent value to [ApiClient] object for use with Log() method.
  • Updated Request-FalconToken and Show-FalconModule to use new UserAgent value under [ApiClient].
  • Removed filtering for unique values when supplying an array of identifiers to a command. This was originally added to prevent problems related to an array containing the same identifier twice, but it adds a lot of processing time when a large list of identifiers is provided. PSFalcon will now pass all given identifiers on to the relevant API, meaning that new error messages might appear if a user is not properly error checking their scripts and filtering out duplicate identifier values.
  • Added Test-ActionParameter private function to support new Action parameter for Invoke-FalconAlertAction and Invoke-FalconIncidentAction.
  • Added Select-CertificateProperty private function to support the new Edit-FalconCertificateExclusion and New-FalconCertificateExclusion commands.
  • Corrected verbose output for various commands to ensure that the relevant command name was displayed when Invoke-Falcon makes a request to the target API.
  • Re-wrote the internal function Confirm-Parameter to reduce necessary parameters when calling the function.
  • Added internal Remove-EmptyValue function to strip empty values before submission when necessary.
  • Corrected bug found when implementing new v2 endpoint for Get-FalconAsset -IoT where after would not be added properly when paginating without another criteria (i.e. filter, sort, etc.) using -All.
  • Compressed SensorTag commands into a reusable function to de-duplicate code.
  • Renamed the Array parameter to InputObject to better match PowerShell style for the following commands: Edit-FalconDeviceControlPolicy, Edit-FalconFirewallPolicy, Edit-FalconIoc, Edit-FalconPreventionPolicy, Edit-FalconReconNotification, Edit-FalconReconRule, Edit-FalconResponsePolicy, Edit-FalconSensorUpdatePolicy, Find-FalconHostname, New-FalconDeviceControlPolicy, New-FalconFirewallPolicy, New-FalconHostGroup, New-FalconIoc, New-FalconPreventionPolicy, New-FalconReconRule, New-FalconResponsePolicy, and New-FalconSensorUpdatePolicy. Array has been kept as an alias to prevent issues with existing scripts.
  • Changed the prefix from Horizon to Cloud for the following commands: Edit-FalconHorizonAwsAccount, Edit-FalconHorizonAzureAccount, Edit-FalconHorizonPolicy, Edit-FalconHorizonSchedule, Get-FalconFimChange, Get-FalconHorizonAwsAccount, Get-FalconHorizonAwsLink, Get-FalconHorizonAzureAccount, Get-FalconHorizonAzureCertificate, Get-FalconHorizonAzureGroup, Get-FalconHorizonIoa, Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser, Get-FalconHorizonIom, Get-FalconHorizonPolicy, Get-FalconHorizonSchedule, New-FalconHorizonAwsAccount, New-FalconHorizonAzureAccount, New-FalconHorizonAzureGroup, Receive-FalconHorizonAwsScript, Receive-FalconHorizonAzureScript, Remove-FalconHorizonAwsAccount, Remove-FalconHorizonAzureAccount, and Remove-FalconHorizonAzureGroup. The original command names have been kept as aliases to prevent issues with existing scripts.
  • Removed Compare-FalconPreventionPhase and accompanying policy json files due to Falcon Prevention Policy UI changes that enabled policy comparison in the Falcon console.

Command Changes

Add-FalconSensorTag

  • Re-written to properly evaluate and add tags across all OSes.
  • Added support for passing uninstallation token when adding tags on MacOS (and presumably Linux in the future).
  • Added properties to output to increase transparency in the use of RTR and the status of tag additions.

Edit-FalconCloudAwsAccount

  • Added Environment, DspmEnabled, DspmRole and TargetOu.

Edit-FalconIoaRule

  • Updated to use /ioarules/entities/rules/v2:patch endpoint.

Edit-FalconMlExclusion

  • Added DescendentProcess.

Edit-FalconSvExclusion

  • Added DescendentProcess.

Edit-FalconReconRule

  • Added BreachMonitorOnly.

Edit-FalconFileVantageRule

  • Added ContentRegistryValues, HashCapture and RegKeyPermission.

Export-FalconConfig

  • Added error message when unable to create export in current directory.

Get-FalconAlert

  • Updated to use /alerts/queries/alerts/v2:get endpoint.
  • Added IncludeHidden (used when submitting Id values).

Get-FalconAsset

  • Updated to use new /discover/queries/iot-hosts/v2:get endpoint with -IoT.
  • Added -External switch to search for external assets.
  • Updated to use new /discover/combined/hosts/v1:get endpoint when using -Detailed.
  • Updated to use new /discover/combined/applications/v1:get when using -Application and -Detailed.
  • The facet property has been joined together with Include for the relevant new /combined/ API endpoints for consistency with earlier PSFalcon versions.
  • Added error messages when invalid Limit or facet values (as Include) are supplied for their respective API endpoint. Tab-completion for Include will first offer all available values, and the command will error if one of the supplied values is invalid based on the eventual API endpoint being targeted.
  • Updated code to properly append login_event when used with -Include for respective aid (when searching for Host) or account_id (when searching for Account) values.

Get-FalconCloudAwsAccount

  • Added CspmLite.
  • Renamed IsHorizonAcct parameter to IsFcsAccount. Kept IsHorizonAcct as an alias.

Get-FalconCloudAzureAccount

  • Added CspmLite.
  • Renamed IsHorizonAcct parameter to IsFcsAccount. Kept IsHorizonAcct as an alias.

Get-FalconContainerSensor

  • Added check to verify proper credentials are available to avoid 401: Unauthorized errors when a token is not present.

Get-FalconInstaller

  • Updated to use new v2 endpoints.

Get-FalconIocHost

  • Updated to use /iocs/aggregates/device-count/v1:get endpoint.

Get-FalconReconRule

  • Added SecondarySort.

Get-FalconRole

  • Added Detailed switch.

Get-FalconSensorTag

  • Re-written to pull tags directly from devices API instead of using RTR on Linux and Mac.

Get-FalconUninstallToken

  • Re-wrote command to group all device_id values together and make requests in appropriately sized groups, instead of individually when using Include. This should drastically increase performance when requesting large numbers of uninstall_token values with other device properties included.

Get-FalconVulnerability

  • Updated Limit to a maximum of 5,000 for Detailed requests. If retrieving identifiers only, the command will force Limit to a maximum of 400.

Invoke-FalconAlertAction

  • Added Action for performing multiple actions on alerts in a single request. Thanks @datorr2!

Invoke-FalconIncidentAction

  • Added Action for performing multiple actions on incidents in a single request. Thanks @datorr2!
  • Removed mandatory attribute from Value to ensure that it works when using unassign with Name parameter.

Invoke-FalconMobileAction

  • Updated to use /enrollments/entities/details/v4:post endpoint.
  • Added EnrollmentType.

Import-FalconConfig

  • Added additional verbose output during analysis of items to import to help with future troubleshooting.
  • Added additional verbose output to show when rule_group_ids are being assigned and/or the removal of non-existent values when FirewallPolicy items are being created and modified.
  • Added FirewallPolicy settings values to final CSV output.
  • Added various improvements for handling SensorUpdatePolicy with unavailable sensor build versions. When an invalid build version is found, it is stripped. When a build is updated with a matching tagged version, sensor_version and stage are also updated. These changes also affect variants for LinuxArm64.
  • Fixed issues preventing SensorUpdatePolicy from being evaluated for changes with ModifyExisting. Updated final output to properly record changes.
  • Various improvements related to policy analysis and changes for policy settings.

Invoke-FalconAlertAction

  • Added IncludeHidden.

Invoke-FalconRtr

  • Forced the private function that keeps the RTR session alive to run every 30 seconds by default, to help prevent results from being lost when hosts that recently went offline (i.e. didn't meet the cutoff for the offline queue) delay the RTR session start long enough for the session itself to die before the eventual command is properly issued. This should help eliminate cases of Invoke-FalconRtr "not doing anything" because a host is unable to be added to the session and/or the results aren't returned quickly enough after the session begins.

New-FalconCloudGcpAccount

  • Updated to use new /cloud-connect-cspm-gcp/entities/account/v2:post endpoint.
  • Added ServiceAccountId, ClientId, ClientEmail, PrivateKey, PrivateKeyId, ProjectId, and ServiceAccountCondition.

New-FalconCloudAwsAccount

  • Added DspmEnabled and DspmRole.

New-FalconFileVantageRule

  • Added ContentRegistryValues, HashCapture and RegKeyPermission.

New-FalconSvExclusion

  • Added IsDescendentProcess.

New-FalconReconRule

  • Added BreachMonitorOnly.
  • Added OriginatingTemplateId.

New-FalconFileVantageRule

  • Added ContentRegistryValues.

Receive-FalconCloudAwsScript

  • Added OrganizationId, Template, Account, AccountType, AwsProfile, CustomRole, BehaviorAssessment, SensorManagement, and ExistingCloudtrail.

Receive-FalconCloudAzureScript

  • Added AzureManagementGroup.

Receive-FalconInstaller

  • Updated to use new v2 endpoint.

Register-FalconEventCollector

  • Updated to support Falcon NGSIEM HTTP Event Collector ingestion.

Remove-FalconContainerImage

  • Updated to use new /container-security/entities/base-images/v1:delete endpoint.

Remove-FalconSensorTag

  • Re-written to properly evaluate and remove specific tags across all OSes.
  • Added support for passing uninstallation token when removing tags on MacOS (and presumably Linux in the future).
  • Added properties to output to increase transparency in the use of RTR and the status of tag removal.

Request-FalconRegistryCredential

  • Removed mandatory requirement for SensorType and added a prompt if it is not present.
  • Added additional error messages to notify when token or expires_in is missing from a token request response.
  • Made various changes to ensure all token-related content was properly cached/retrieved from cache.

Request-FalconToken

  • Added us-gov-2 as Cloud and Hostname option.

Send-FalconEvent

  • Updated to support Falcon NGSIEM HTTP Event Collector ingestion.

- PowerShell
Published by bk-cs over 1 year ago

psfalcon - 2.2.6

New Commands

cloud-connect-azure

  • Get-FalconDiscoverAzureTenant

configuration-assessment

  • Get-FalconConfigAssessment
  • Get-FalconConfigAssessmentLogic

falcon-complete-dashboards

  • Get-FalconCompleteAlert

filevantage

  • Add-FalconFileVantageHostGroup
  • Add-FalconFileVantageRuleGroup
  • Edit-FalconFileVantageExclusion
  • Edit-FalconFileVantagePolicy
  • Edit-FalconFileVantageRule
  • Edit-FalconFileVantageRuleGroup
  • Get-FalconFileVantageExclusion
  • Get-FalconFileVantagePolicy
  • Get-FalconFileVantageRule
  • Get-FalconFileVantageRuleGroup
  • New-FalconFileVantageExclusion
  • New-FalconFileVantagePolicy
  • New-FalconFileVantageRule
  • New-FalconFileVantageRuleGroup
  • Remove-FalconFileVantageExclusion
  • Remove-FalconFileVantageHostGroup
  • Remove-FalconFileVantagePolicy
  • Remove-FalconFileVantageRule
  • Remove-FalconFileVantageRuleGroup
  • Set-FalconFileVantagePrecedence
  • Set-FalconFileVantageRulePrecedence
  • Set-FalconFileVantageRuleGroupPrecedence

identity-protection

  • Get-FalconIdentityHost

real-time-response

  • Get-FalconLibraryScript

Removed Commands

cloud-connect-aws (deprecated)

  • Confirm-FalconDiscoverAwsAccess
  • Edit-FalconDiscoverAwsAccount
  • Get-FalconDiscoverAwsAccount
  • Get-FalconDiscoverAwsLink
  • Get-FalconDiscoverAwsSetting
  • New-FalconDiscoverAwsAccount
  • Receive-FalconDiscoverAwsScript
  • Remove-FalconDiscoverAwsAccount
  • Update-FalconDiscoverAwsSetting

cloud-connect-azure (deprecated)

  • Get-FalconDiscoverAzureAccount
  • Get-FalconDiscoverAzureCertificate
  • Get-FalconDiscoverAzureTenant
  • New-FalconDiscoverAzureAccount
  • Receive-FalconDiscoverAzureScript
  • Update-FalconDiscoverAzureAccount

cloud-connect-gcp (deprecated)

  • Get-FalconDiscoverGcpAccount
  • New-FalconDiscoverGcpAccount
  • Receive-FalconDiscoverGcpScript

discover

  • Get-FalconDiscoverNetwork
  • Get-FalconDiscoverRule
  • Get-FalconDiscoverScan
  • Get-FalconDiscoverScanner

settings-discover (deprecated)

  • Get-FalconDiscoverAwsScript

Issues Resolved

  • Issue #313: Reorganized parameters for Get-FalconRole and removed UserId from a specific ParameterSet to ensure proper output.
  • Issue #315: Modified the script used by Uninstall-FalconSensor to match on "64" instead of requiring an exact match of "64-bit", correcting the error caused when the bit value is reported as "64 bit" instead of "64-bit".
  • Issue #316: Added if check to Confirm-Parameter for $Required and $Allowed to ensure that blank values do not count when verifying objects under PowerShell Core.
  • Issue #327: Modified Invoke-FalconDeploy to properly change directories and execute scripts when working with .cmd and .bat files. Thanks @MatthewCKelly!
  • Issue #342: Modified Invoke-FalconMalQuery and Get-FalconMalQuery to select the reqid,reqtype and/or status properties in their final output, when present.
  • Issue #360: Fixed bug where Get-FalconAsset would not append results when using -Include login_event with a single asset result.
  • Issue #363: Added critical as a severity for Edit-FalconHorizonPolicy.

General Changes

  • Modified all authorization token validation checks to request a new token when the current token is due to expire within 4 minutes instead of 1 minute. This should help reduce the number of expired authorization tokens during long-running requests (like Get-FalconVulnerability).
  • Migrated Wait-RetryAfter function from private\Private.ps1 to class\Class.ps1 under ApiClient.Invoke() function.
  • Streamlined ApiClient.Invoke() under class\Class.ps1 in an effort to improve verbose logging and performance.
  • Modified private functions Invoke-Falcon and Request-FalconToken to compensate for changes to ApiClient.Invoke().
  • Modified Write-Result to ensure each error will be individually produced when a single API call generates multiple errors.
  • Rearranged how ApiClient.Invoke() downloads files to eliminate "index out of range" error.
  • Added format\format.json to contain API endpoint body/formdata/query parameters for easier updates when large numbers of API endpoints are modified at once.
  • Added function Get-EndpointFormat to private\Private.ps1 to read body/formdata/query parameters from format.json.
  • Replaced tab of four spaces with two to reduce file sizes across module.
  • Moved code that replaces the user input parameters with proper parameter names for body payloads from the private Invoke-Falcon function into the private Build-Content function.
  • Renamed Inputs variable (and accompanying parameter for the Invoke-Falcon function, used by commands when making a request) to UserInput in keeping with PowerShell style.
  • Updated prevention policy settings for Compare-FalconPreventionPhase.
  • Updated Write-Result to remove meta from output when meta.pagination.total equals 0 to account for some -Detailed results returning meta information instead of an empty response (unlike a non -Detailed result, which would return nothing, as expected).
  • Updated private Add-Include function to provide error messages when unable to pull results instead of a silent failure with no output in the related -Include property.
  • Updated reference policies used by Compare-FalconPreventionPhase.

Command Changes

Add-FalconSensorTag

  • Fixed bug where n was being split into separate tags due to an incorrect quote. Thanks @soggysec!
  • Removed support for pre-6.42 Windows sensors given that they are no longer supported and don't have CsSensorSettings.exe.
  • Isolated the scripts being run to add sensor tags into new files contained under the script folder.

Edit-FalconHorizonAwsAccount

  • Added autocomplete values for CloudTrailRegion.
  • Added IamRoleArn, BehaviorAssessmentEnabled, SensorManagementEnabled, RemediationRegion, and RemediationTouAccepted.

Edit-FalconHorizonPolicy

  • Updated AccountId to accept multiple identifiers.

Edit-FalconReconNotification

  • Added IdpSendStatus and Message.

Edit-FalconFirewallLocationSetting

  • Added LocationPrecedence.

Edit-FalconIoc

  • Added Array parameter for submitting many IOCs for modification, and set as the default parameter set when utilizing the pipeline.
  • Set maximum of 2,000 IOCs per request when using Array.

Export-FalconConfig

  • Added FileVantagePolicy (including FileVantageExclusion) and FileVantageRuleGroup (including FileVantageRule). CrowdStrike-created policies and rule groups are excluded from the export because they are auto-generated and can not be modified.
  • Updated to force HostGroup when exporting FileVantagePolicy to evaluate host_groups.
  • Updated to force FileVantageRuleGroup when exporting FileVantagePolicy to evaluate rule_groups and assign them to policies.

Get-FalconAlert

  • Removed pattern validation for Id parameter, due to new varying identifier types found in testing.

Get-FalconBuild

  • Added Stage.

Get-FalconContainerAccount

  • Updated Location to correctly submit as locations to the API endpoint.

Get-FalconContainerAwsAccount

  • Added IsHorizonAcct.

Get-FalconContainerCluster

  • Added Status.

Get-FalconContainerVulnerability

  • Corrected error that prevented the submission of applicationPackages.

Get-FalconFimChange

  • Updated to use new v3 endpoint, replacing Offset with After.
  • Renamed command to Get-FalconFileVantageChange, but kept Get-FalconFimChange as an alias.

Get-FalconHorizonAwsAccount

  • Added IamRoleArn and Migrated.

Get-FalconHorizonAzureAccount

  • Added TenantId.

Get-FalconHorizonAzureCertificate

  • Added YearsValid.

Get-FalconHorizonIoa

  • Added ResourceId, ResourceUuid, and Since.

Get-FalconHost

  • Updated the Login switch to use new v2 endpoint. The initial API is limited to 10 ids values per request, which means that using -Include login_history will be substantially slower until the API limit is increased.

Get-FalconHostGroup

  • Updated Include to use a filtered Get-FalconHost search when adding members, which avoids the 10k maximum limit from the previously used Get-FalconHostGroupMember command.

Get-FalconRole

  • Reorganized parameter positioning.
  • Removed automatic redirection of Id values when matching a Cid (because it also matches custom role identifiers).
  • Removed UserId as a parameter for the /user-management/queries/roles/v1:get endpoint because the same data is returned by the /combined/ endpoint and they have overlapping parameters.
  • Added DirectOnly parameter to Get-FalconRole.

Get-FalconScan

  • Updated to use /ods/entities/scans/v2:get endpoint.

Get-FalconSensorTag

  • Isolated the scripts being run to retrieve tags into new files contained under the script folder.

Get-FalconSession

  • Added Cid and CommandInfo, which facilitate the display of all Real-time Response sessions within the authorized CID.

Import-FalconConfig

  • Added an error message when filenames within the target archive do not correspond with files typically created by Export-FalconConfig. Thanks @JFresh15 and @soggysec!
  • Added additional verbose output when the command updates id values for groups and rule_groups objects.
  • Added additional verbose output when the command updates build values for Sensor Update policies.
  • Fixed a bug where Linux Sensor Update policies would not be created due to a missing build for LinuxArm64 policy variants.
  • Added FileVantagePolicy and FileVantageRuleGroup as ModifyExisting options.
  • Updated Comment output to specify why certain items were ignored using NoModifyDefault and NoModifyExisting.
  • Added code to compensate and properly match when importing into a new cloud and the "latest" tagged build is renamed for a SensorUpdatePolicy.

Invoke-FalconAdminCommand

  • Added falconscript as a Command option.

Invoke-FalconAlertAction

  • Removed pattern validation for Id due to new varying identifier types found in testing.
  • Updated to use new v3 endpoint.

Invoke-FalconContainerScan

  • Corrected scan-type to scan_type during submission.

Invoke-FalconDeploy

  • Modified to ensure that the timeout value was 600 seconds when on the put step.
  • Updated GroupId to use a filtered Get-FalconHost search, which avoids the 10k maximum limit from the previously used Get-FalconHostGroupMember command.

Invoke-FalconRtr

  • Added falconscript as a Command option.
  • Updated GroupId to use a filtered Get-FalconHost search, which avoids the 10k maximum limit from the previously used Get-FalconHostGroupMember command.

New-FalconHorizonAwsAccount

  • Added autocomplete values for CloudTrailRegion.
  • Added AccountType, BehaviorAssessmentEnabled, IamRoleArn, IsMaster, SensorManagementEnabled, and UseExistingCloudtrail.

New-FalconHorizonAzureAccount

  • Added ClientId, AccountType, DefaultSubscription, and YearsValid.

New-FalconIoc

  • Set maximum of 2,000 IOCs per request when using Array.

New-FalconScheduledScan

  • Added ScanInclusion.

Receive-FalconContainerYaml

  • Added IsSelfManagedCluster.

Receive-FalconHorizonAwsScript

  • Added Id.

Receive-FalconHorizonAzureScript

  • Added SubscriptionId, Template, and AccountType.

Receive-FalconRule

  • Added IfNoneMatch and IfModifiedSince.

Remove-FalconCidGroupMember

  • Updated to use /mssp/entities/cid-group-members/v2:delete endpoint.

Remove-FalconHorizonAzureAccount

  • Added TenantId and RetainTenant.

Remove-FalconReconRule

  • Added DeleteNotification.

Remove-FalconSample

  • Updated Id to accept a sha256 value when passed through the pipeline.

Remove-FalconSensorTag

  • Removed support for pre-6.42 Windows sensors given that they are no longer supported and don't have CsSensorSettings.exe.
  • Isolated the scripts being run to remove sensor tags into new files contained under the script folder.

Send-FalconPutFile

  • Added maximum character length for Name.

Send-FalconScript

  • Added maximum character length for Name.

Start-FalconScan

  • Added ScanInclusion.

Uninstall-FalconSensor

  • Added code to uninstall only the currently installed version of Falcon when multiple versions are detected on a Windows host.
  • Isolated the scripts being run to uninstall Falcon into new files contained under the script folder.

- PowerShell
Published by bk-cs over 2 years ago

psfalcon - 2.2.5

New Commands

container-security

discover

falconx

fwmgr

kubernetes-protection

Issues Resolved

  • Issue #283: Added platform during creation of FirewallGroup items when using Import-FalconConfig.
  • Issue #294: Modified the FQL query being used by Get-FalconQueue to account for an API change that made the previous query stop working.
  • Issue #295: Added code to the sub-function Invoke-Loop inside Invoke-Falcon to strip all query parameters when paginating Get-FalconHorizonIom.
  • Issue #296: Updated Get-FalconAsset to ensure proper attachment of login_event results for each asset when using -Include login_event.
  • Issue #283: Modified New-FalconSensorUpdatePolicy to remove scheduler under settings when set as disabled to prevent errors when creating policies.

General Changes

  • Updated reference policies for Compare-FalconPreventionPhase.
  • Switched from using Write-Verbose to PSCmdlet.WriteVerbose() to increase content when using Verbose with commands.
  • Added additional verbose message output when commands send their requests to display the endpoint being used.
  • Added (local) timestamp at the beginning of verbose output messages through the creation of a Verbose function within class\Class.ps1 and the private function unnamed.
  • Added Start-RtrUpdate and Stop-RtrUpdate functions to manage PowerShell background jobs to refresh Real-time Response sessions when using Invoke-FalconRtr or Invoke-FalconDeploy.
  • Changed the Wait parameter for Invoke-FalconAdminCommand, Invoke-FalconBatchGet, Invoke-FalconCommand, and Invoke-FalconResponderCommand to wait until completion instead of a maximum of 60 seconds.
  • Added Wait-RtrCommand and Wait-RtrGet private functions when using Wait with Real-time Response commands.
  • Streamlined some of the code of Write-Result to increase performance.
  • Updated Get-RtrResult function (used by Invoke-FalconRtr and Invoke-FalconDeploy) to include properties that are blank in output. This will ensure that piping to CSV does not present problems when certain hosts respond with different properties (i.e. stderr on some results and not others).
  • Ensured the Test-FqlStatement function was properly used with each command's Filter parameter.
  • Slightly changed descriptions of commands to match how required permissions are labeled within the Falcon UI.
  • Modified PSFalcon.psd1 to remove duplicate load of class\Class.ps1.

Command Changes

Confirm-FalconGetFile

  • Corrected invalid ValidatePattern value for Id parameter.

Edit-FalconDetection

  • Removed ignored as an option for Status to conform with API change.

Edit-FalconDeviceControlPolicy

  • Added parameters to allow modification of custom notifications for the default Windows policy.

Find-FalconDuplicate

  • Added Platform parameter to filter by a specific platform when retrieving hosts (instead of providing a list through the Hosts parameter).

Find-FalconHostname

  • Raised filtered search group count from 20 to 100.

Get-FalconAsset

  • Raised filtered search group count from 20 to 100 when using -Include login_event.
  • Added Application switch to search for applications inventoried by Falcon Discover.
  • Added IoT switch to search for IoT assets inventoried by Falcon Discover.

Get-FalconContainerVulnerability

  • Added Application parameter for filtering application packages.

Get-FalconDeviceControlPolicy

  • Added parameters to allow retrieval of the default Windows policy with custom notifications.

Get-FalconHorizonIoa

  • Added parameter AccountId and removed Region.
  • Set CloudPlatform as mandatory instead of generating an error when it was not included.

Get-FalconHorizonIom

  • Updated to use new endpoints /detects/entities/iom/v2:get and /detects/queries/iom/v2:get.
  • New parameter set includes typical parameters like Filter and Sort. Old parameters are no longer available, but similar functionality can be found using proper Filter statements.

Get-FalconHorizonPolicy

  • Updated to use new /settings/entities/policy-details/v2:get endpoint when supplying an Id value.
  • Removed Detailed switch because the base endpoint always returns detailed results.

Get-FalconHost

  • Added policy_names as an option for Include to append policy_name under device_policies results (when possible).

Get-FalconRole

  • Removed Detailed from command because all results have detailed information in the related parameter set.
  • Added All and Total to relevant parameter set.

Get-FalconUser

  • Raised filtered search group count from 20 to 100 when using Username.

Get-FalconQueue

  • Added HostId parameter to restrict queued session search to specific host identifiers.

Get-FalconZta

  • Added Filter, Sort, Limit, After, Detailed, All, and Total parameters in support of new API endpoint GET /zero-trust-assessment/queries/assessments/v1.

Invoke-FalconDeploy

  • Added Set-Location to force location to temporary directory when running executable on target host(s).
  • Removed pipeline support for GroupId so that Invoke-FalconHostAction results could be piped through the HostId parameter.

Invoke-FalconRtr

  • Added additional verbose output.
  • Increased the default Timeout for session creation and command requests to 600 seconds when not defined.
  • Updated to set a Timeout of 2 seconds less than defined Timeout for batch sessions (or 58 seconds if not defined) and 3600 seconds for single-host sessions when using runscript and not specifying Timeout inside Argument.
  • Removed Select-Object code (which ensured all objects had the same final output) to greatly increase performance.
  • Removed pipeline support for GroupId so that Invoke-FalconHostAction results can be piped through the HostId parameter.
  • Added Sort-Object when generating list of Command values to ensure it's provided in alphabetical order.
  • Added single quotes when using auto-complete for Command values that have a space.

New-FalconCompleteCase

  • Updated to use new v2 API endpoint.

- PowerShell
Published by bk-cs about 3 years ago

psfalcon - 2.2.4

New Commands

archives

  • Expand-FalconSampleArchive
  • Get-FalconSampleArchive
  • Get-FalconSampleExtraction
  • Remove-FalconSampleArchive
  • Send-FalconSampleArchive

cloud-connect-aws

  • Get-FalconDiscoverAwsLink
  • Receive-FalconDiscoverAwsScript

fwmgr

  • Test-FalconFirewallPath

image-assessment

  • Get-FalconContainerVulnerability

installation-tokens

  • Edit-FalconInstallTokenSetting

intel

  • Get-FalconAttck
  • Get-FalconCve

iocs

  • Get-FalconIocAction
  • Get-FalconIocPlatform
  • Get-FalconIocSeverity
  • Get-FalconIocType

kubernetes-protection

  • Edit-FalconContainerAzureAccount
  • Get-FalconContainerAzureAccount
  • New-FalconContainerAzureAccount
  • Remove-FalconContainerAzureAccount

ods

  • Get-FalconScan
  • Get-FalconScanFile
  • Get-FalconScanHost
  • Get-FalconScheduledScan
  • New-FalconScheduledScan
  • Remove-FalconScheduledScan
  • Start-FalconScan
  • Stop-FalconScan

psf-fwmgr

  • ConvertTo-FalconFirewallRule

recon

  • Get-FalconReconExport
  • Get-FalconReconRecord
  • Invoke-FalconReconExport
  • Receive-FalconReconExport
  • Remove-FalconReconExport

settings-discover

  • Get-FalconDiscoverAwsScript

Issues Resolved

  • Issue #255: Added missing parameters and maximum limit of 100 'ids' per 'detailed' request for Get-FalconUser.
  • Issue #256: Removed type definition when creating build tag variables. Added filter to ensure that LinuxArm64 builds were only being checked when they were using tagged versions.
  • Issue #260: @datorr2 fixed ConvertTo-IoaExclusion and ConvertTo-MlExclusion generating errors about missing properties when detection objects were not passed via the pipeline.
  • Issue #263: Added additional property check to Import-FalconConfig to prevent sha256 IOCs from being ignored and marked as 'Exists' when they didn't actually exist in the target CID.
  • Issue #266: Fixed typo which prevented output of results for Get-FalconContainerCluster.

General Changes

  • Renamed mobile-enrollment.ps1 to enrollments.ps1 to match URL prefix.
  • Renamed psf-humio.ps1 to psf-logscale.ps1 to match product name change.
  • Updated references of Humio to Falcon LogScale.
  • Created Select-Property private function for validating the presence of specific properties within [object[]] values. This function is used to output error messages when the proper sub-property values (or string values themselves) are not found in objects submitted via the pipeline.
  • Created [ApiClient]::StreamType() method to ensure that (a supported) 'type' is included when submitting a 'file' or 'upfile' formdata payload.
  • Updated internal New-ShouldMessage function to ensure that Formdata payloads are displayed when using -WhatIf parameter (with some exceptions).
  • Streamlined Confirm-Property internal function for validating pipeline input.
  • Added BodyArray to Invoke-Falcon internal function to force body payloads into a Json array when required.
  • Moved 'ShouldMessage' output during Invoke-Falcon so that the body payload is shown after Json conversion instead of before.
  • Added warning messages to [ApiClient]::Invoke() when X-Api-Deprecation header responses are detected.
  • Updated reference policy Json files for Compare-FalconPreventionPhase.
  • Updated Invoke-Falcon to output meta content when no other results are available and no errors were produced, to prevent certain endpoints from outputting errors and meta together.
  • Added various 'ShouldProcess' messages to support the testing of PSFalcon commands using dummy data, including a notification when a user will be prompted for their API client information because they do not have an active authorization token.

Command Changes

Updated to use their new respective v2 API endpoints:

  • Edit-FalconFirewallSetting
  • Get-FalconCidGroup
  • Get-FalconCidGroupMember
  • Get-FalconDiscoverAwsAccount
  • Get-FalconMemberCid
  • Get-FalconUserGroup
  • Get-FalconUserGroupMember
  • Remove-FalconDiscoverAwsAccount

Added HostTimeout parameter, re-ordered positioning and updated Timeout and HostTimeout ranges from 30-600 to 1-600:

  • Invoke-FalconAdminCommand
  • Invoke-FalconBatchGet
  • Invoke-FalconCommand
  • Invoke-FalconResponderCommand
  • Start-FalconSession

Added FromParent parameter:

  • Edit-FalconIoc
  • Get-FalconIoc
  • Remove-FalconIoc

Added ContentFormat and TriggerMatchless parameters:

  • Edit-FalconReconAction
  • New-FalconReconAction

Added BreachMonitoring and SubstringMatching parameters:

  • Edit-FalconReconRule
  • New-FalconReconRule

Added State parameter:

  • Get-FalconHorizonIoaEvent
  • Get-FalconHorizonIoaUser

Modified to prevent an error message about client permissions when using -WhatIf:

  • Get-FalconMalQueryQuota
  • Get-FalconQuickScanQuota
  • Get-FalconSubmissionQuota

Added a forced HostTimeout value to ensure that multi-host sessions are used:

  • Invoke-FalconDeploy
  • Invoke-FalconRtr

Updated DetectionId and IncidentId to submit as hashtables with id property, rather than an array of string values:

  • Edit-FalconCompleteCase
  • New-FalconCompleteCase

Modified how Filename is submitted to prevent potential errors:

  • Edit-FalconIoaExclusion
  • New-FalconIoc

Add-FalconRole

  • Removed deprecated endpoint /user-roles/entities/user-roles/v1:post. This command now uses the /user-management/entities/user-role-actions/v1:post endpoint exclusively (using action: grant).
  • Changed parameter positions and removed pipeline support for Id.
  • Cid is now a required parameter due to the endpoint change. Cid is included in a Get-FalconUser -Detailed result.

Edit-FalconFirewallGroup

  • Added Validate parameter to utilize new /fwmgr/entities/rule-groups/validation/v1:patch endpoint.

Edit-FalconHorizonPolicy

  • Added Region, TagExcluded and AccountId parameters.

Edit-FalconHorizonSchedule

  • Added NextScanTimestamp parameter.

Edit-FalconIoaExclusion

  • Added PatternId and PatternName parameters.

Find-FalconHostname

  • Added Partial switch to perform non-exact matches, an idea from Reddit user 'Runsonempty'!
  • Added Include parameter.

Get-FalconActor

  • Added Include parameter to allow the addition of tactic_and_technique results from Get-FalconAttck.

Get-FalconDiscoverAwsAccount

  • Because the new v2 endpoint no longer includes them, Filter and Sort have been removed from available parameters, but Migrated, OrganizationId and ScanType have been added.
  • Detailed has been removed because a single call now includes details.

Get-FalconHorizonIoaEvent

  • Renamed UserIds parameter to UserId but kept UserIds as an alias.

Get-FalconHorizonSchedule

  • Changed CloudPlatform to mandatory, as the API no longer returns results without specifying a value.

Get-FalconIndicator

  • Added IncludeRelation parameter.

Get-FalconRole

  • Added error message when a user attempts to pipeline a detailed Get-FalconUser result to Get-FalconRole.
  • Added auto-complete for Id using list of roles from authorized CID.

Get-FalconUser

  • Added All and Total parameters. These were mistakenly missed in the 2.2.3 release.
  • Added maximum of 100 user ids per 'detailed' request.

Import-FalconConfig

  • Added loop to retry creation of Ioc items after excluding failures and those that were successfully created.
  • Updated to ensure that 'Created' results are not generated when creation of an Ioc actually failed.

New-FalconDiscoverAwsAccount

  • Updated to use new /cloud-connect-aws/entities/account/v2:post endpoint. Parameters have changed to match new endpoint.

New-FalconFirewallGroup

  • Added Validate parameter to utilize new /fwmgr/entities/rule-groups/validation/v1:post endpoint.
  • Added Platform parameter, with auto-complete using Get-FalconFirewallPlatform for available values.

New-FalconIoaExclusion

  • Added check to remove the value all when submitted within GroupId. While all will allow the creation of globally applied Machine Learning and Sensor Visibility exclusions, IOA exclusions expect no groups value. This also fixes Import-FalconConfig failing to create IoaExclusion items, which errored because all is an invalid Host Group identifier.

New-FalconSubmission

  • Repositioned parameters and added pipeline support for SubmitName and Sha256.

Remove-FalconRole

  • Removed deprecated endpoint /user-roles/entities/user-roles/v1:delete. This command now uses the /user-management/entities/user-role-actions/v1:post endpoint exclusively (using action: revoke).
  • Changed parameter positions and removed pipeline support for Id.
  • Cid is now a required parameter due to the endpoint change. Cid is included in a Get-FalconUser -Detailed result.

Revoke-FalconToken

  • Updated to suppress error message when command is used without a valid authorization token present.

Send-FalconCompleteAttachment

  • Updated filename verification pattern and added check to ensure that filesize is less than 15MB.

Send-FalconSample

  • Renamed parameter FileName to Name to match Send-FalconSampleArchive when redirecting sample archives. FileName was retained as an alias.

Start-FalconSession

  • Added Timeout parameter to Start-FalconSession when working with single-host sessions. Timeout would previously force a batch session to be created even if a single host was submitted. Now that Timeout also works for single host sessions, HostTimeout or ExistingBatchId must be used to force creation of a batch session.

- PowerShell
Published by bk-cs over 3 years ago

psfalcon - 2.2.3

New Commands

psf-policies

  • Compare-FalconPreventionPhase

ti

  • Get-FalconTailoredEvent
  • Get-FalconTailoredRule

Issues resolved

  • Issue #241 Updated Confirm-Parameter to eliminate Cannot validate argument on parameter 'Array'. Key cannot be null. (Parameter 'key') errors generated when using Import-FalconConfig.

  • Issue #242 Modified Edit-FalconDetection to check whether a status value is present with a comment value during command execution rather than during parameter validation. This will prevent errors from occurring when parameters are specified in an unexpected order.

  • Issue #246 Created Confirm-Property function to properly filter Rule content for both [hashtable] and [PSCustomObject] rules. This will eliminate errors caused by [hashtable] objects being improperly filtered in PowerShell 5.1.

  • Issue #247 Updated Write-Warning to use a PSCmdlet method in order to properly support WarningVariable.

General Changes

  • Created Confirm-Property private function to filter [hashtable] and [PSCustomObject] into pre-defined properties containing values.

  • Updated comment-based help to link directly to specific wiki pages for each command. Using Get-Help <command> -Online will launch the appropriate wiki page. These pages will be updated with current examples present within existing wiki pages, and those pages will be re-organized.

  • Modified Get-ParamSet private function to look for ids and samples as potential body values to break into groups of Max values, instead of only ids.

  • Updated Falcon X references to Falcon Intelligence due to product name change.

Command Changes

  • Updated Invoke-FalconIdentityGraph to no longer modify the GraphQL statement when attempting to use All for pagination. Renamed Query parameter to String and made it work for both query and mutation statements but kept Query as an alias. Now, when your statement includes a 'Cursor' variable definition and the required pageInfo { hasNextPage endCursor } properties, All will automatically paginate results. If either of those requirements are missing, a warning message will be displayed and pagination will not occur.

  • Modified Get-FalconUser to remove deprecated API when using Username parameter. Username now submits filtered searches for provided uid values to the appropriate /user-management/ API.

  • Added Max of 1,000 sha256 values for New-FalconQuickScan.

  • Added sha256 as a PipelineByPropertyName value for New-FalconQuickScan to support pipeline input from Send-FalconSample.

  • Added pattern validation to Remove-FalconUser for the Id parameter.

  • Modified Status parameter for Edit-FalconDetection to support ValueFromPipelineByPropertyName and changed parameter to position 3.

  • Modified Edit-FalconSensorUpdatePolicy and New-FalconSensorUpdatePolicy to filter out properties with empty string values in order to prevent errors when creating and/or modifying Sensor Update policies.

  • Modified Import-FalconConfig to prevent an attempt to modify a policy when the policy was not successfully created earlier in the import process. Also ensured that the precedence warnings when existing policies were found would only be displayed once.

- PowerShell
Published by bk-cs over 3 years ago

psfalcon - 2.2.2

New Commands

cloud-connect-azure

  • Get-FalconDiscoverAzureCertificate

cloud-connect-cspm-azure

  • Get-FalconHorizonAzureCertificate

mobile-enrollment

  • Invoke-FalconMobileAction

psf-devices

  • Find-FalconHostname

user-management

  • Invoke-FalconUserAction

General Changes

  • Re-organized public functions into files named for their URL prefix rather than their respective Swagger collection (which sometimes would match the prefix and sometimes wouldn't). Because of the number of endpoints that fell under 'policy', it is segmented into specific files.

  • The public users.ps1 and user-roles.ps1 files have been consolidated under user-management.ps1 and merged with new /user-management/ endpoints.

  • Updated IPv4 regex used by Test-RegexValue private function.

  • Streamlined looping functionality (used with All parameter). Updated all commands to output groups of results as they are retrieved instead of the entire result set at the end of a loop. Also verified that authorization tokens are properly refreshed during a long running loop.

Command Changes

  • Modified Add-FalconSensorTag and Remove-FalconSensorTag to include the uninstall token of the target device when adding and removing sensor tags with CsSensorSettings.exe on Windows sensor versions 6.42 and above.

  • Modified Get-FalconSensorTag to return the FalconSensorTags values listed in a devices API response if the target device is Windows sensor version 6.42 or above. If CsSensorSettings.exe is updated to include a method to get sensor tags, Get-FalconSensorTag will use that method in the future.

  • Removed mandatory requirement for TenantId parameter within the Get-FalconDiscoverAzureAccount command.

  • Updated Invoke-FalconAlertAction to use the new v2 endpoint which includes formatting corrections.

  • Based on code provided by @SleepySysadmin, Invoke-FalconIdentityGraph now has an All parameter when using Query!

When used with a query that includes pageInfo{endCursor hasNextPage}, results will be paginated automatically and only relevant data will be output (similar to the rest of the PSFalcon commands) instead of the entire object.

All will automatically be added if a query begins with ($after: Cursor) and has after in the query parameters, as it is assumed that all results are expected.

If pageInfo is not provided in the query and All is specified, a warning message will be generated.

A query without All will produce the same results as earlier versions of the module.

  • Added Mutation parameter to Invoke-FalconIdentityGraph.

  • Updated Add-FalconRole, Edit-FalconUser, Get-FalconUser, New-FalconUser, Remove-FalconRole, and Remove-FalconUser, to use new /user-management/ endpoints where appropriate. These commands behave as they did before, unless using additional parameters to signify that requests are being performed within a multi-CID environment.

  • Get-FalconRole has been updated to produce results from new /user-management/ endpoints.
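The pagination contract described in the Invoke-FalconIdentityGraph notes above (and restated in the 2.2.3 notes), as an added example that is not taken from the release notes or the PSFalcon module. The Identity Protection GraphQL field names (entities, types, nodes, entityId, primaryDisplayName, riskScoreSeverity) and the first: 100 page size are assumptions and may differ from the schema in your tenant; the -String parameter is the 2.2.3 name, with -Query retained as an alias.

```powershell
# Added example; assumes Request-FalconToken has already been run and that
# PSFalcon 2.2.3 or later is loaded.
# Use a single-quoted here-string: PowerShell must not expand $after, because
# the GraphQL server binds that variable. A double-quoted here-string would
# silently replace it with an empty string and break pagination.
$Statement = @'
query ($after: Cursor) {
  entities(types: [USER], first: 100, after: $after) {
    nodes {
      entityId
      primaryDisplayName
      riskScoreSeverity
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}
'@

# Both requirements for -All are present: the 'Cursor' variable definition and
# pageInfo { hasNextPage endCursor }. PSFalcon follows endCursor until
# hasNextPage is false and outputs the node objects rather than the raw envelope.
$Users = Invoke-FalconIdentityGraph -String $Statement -All

# Downstream use: count entities per risk severity (property name assumed) so a
# reviewer can confirm the whole population was retrieved, not just one page.
$Users | Group-Object riskScoreSeverity | Select-Object Name, Count

# A statement without pageInfo (and without $after) still runs, but adding -All
# to it makes PSFalcon emit a warning and pagination will not occur.
$SinglePage = @'
query {
  entities(types: [USER], first: 100) {
    nodes { entityId primaryDisplayName }
  }
}
'@
Invoke-FalconIdentityGraph -String $SinglePage
```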

Resolved Issues

  • Issue 170: Invoke-Loop changes should eliminate token failures during retrieval of large result sets.

  • Issue 222: Updated comparison process to ensure an imported policy would be properly added to the list of items to be modified, whether or not it was going to be created. Removed existing copy policy operation from creation process.

  • Issue 223: Removed extraneous 'Endpoint' definition that was generating an error.

  • Issue 231: Corrected addition of FirewallRule when using Export-FalconConfig -Item FirewallGroup. This fix should also resolve issues when exporting HostGroup and a singular 'exclusion' item.

  • Issue 232: Re-added 'Outfile' designation for Path parameter in Receive-FalconArtifact. This should have been present and was accidentally removed in an earlier module version.

- PowerShell
Published by bk-cs over 3 years ago

psfalcon - 2.2.1

New Commands

  • alerts.ps1
    Get-FalconAlert
    Invoke-FalconAlertAction

  • container-upload.ps1
    Get-FalconContainerAssessment
    Remove-FalconContainerImage

  • container-security.ps1
    Get-FalconContainerSensor
    Remove-FalconRegistryCredential
    Request-FalconRegistryCredential
    Show-FalconRegistryCredential

General Changes

  • Enabled the use of '-WhatIf' and '-Confirm' by adding 'ShouldProcess' support across the module. This also required the renaming of the existing '-Confirm' parameter to '-Wait' for 'Invoke-FalconAdminCommand', 'Invoke-FalconBatchGet', 'Invoke-FalconCommand' and 'Invoke-FalconResponderCommand'.

  • Updated ApiClient.Invoke() to remove blank verbose output when 'Headers' are not specified during a request.

  • Created 'Get-ContainerUrl' to convert cached Hostname value into a valid 'container-upload' URL value when using 'container-upload' commands.

  • Created 'New-ShouldMessage' function to generate the output message when '-Confirm' or '-WhatIf' is used with a command.

  • Added 'HostUrl' parameter to 'Invoke-Falcon' to force the use of 'container-upload' base URL instead of the cached Falcon API hostname.

  • Updated 'Test-FqlStatement' private function to allow for the use of either single or double quotation marks.

  • Updated RegEx patterns when validating input to look for a more restrictive list of characters to better match expected values.

  • Various comment-based help text updates and typo corrections.

  • The online help files (accessed using 'Update-Help') for PSFalcon are no longer valid for this and future releases as comment-based help has been included for individual commands. Using 'Get-Help -Online' for any PSFalcon command will link you directly to the PSFalcon Wiki which includes command examples that were previously provided through the online help.

  • Renamed 'falcon-container.ps1' to 'container-security.ps1'. Removed 'container-upload.ps1' and moved commands into 'container-security.ps1'.

  • Modified private 'Get-ContainerUrl' function to include a 'Registry' switch to output the Falcon container registry URL for related commands.

Command Changes

  • Add-FalconRole, Remove-FalconRole: Updated to use 'Get-FalconRole' to determine valid 'Id' values for auto-completion.

  • Add-FalconGroupingTag, Add-FalconSensorTag, Remove-FalconGroupingTag, Remove-FalconSensorTag: Renamed 'Tags' to 'Tag' while retaining 'Tags' as an alias.

  • Edit-FalconIoc, New-FalconIoc: Added 'android' and 'ios' as valid 'Platform' values and 'MobileAction' parameter.

  • Export-FalconConfig: Updated to include the export of 'platform_default' policies.

  • Export-FalconReport: Updated to force the creation of the same columns for every result.

  • Get-FalconContainerToken: Command has been removed and replaced with 'Request-FalconRegistryCredential', which combines requests for your Falcon container registry password, username (modified CID value) and authorization token, which are cached within the PSFalcon module, similar to 'Request-FalconToken'.

  • Get-FalconFirewallRule: Updated to output rules in order of specified 'Id' values when using the 'Id' parameter. This solves an issue where rules retrieved using the 'family' property were provided in order of the 'id' property, and were therefore returned out of order with respect to the 'family' values.

  • Get-FalconHost: Updated to use new 'POST /devices/entities/devices/v2' endpoint when requesting host details, which greatly improves performance when using 'Get-FalconHost -Detailed'.

  • Get-FalconKernel: Corrected maximum number for 'Limit' parameter (500).

  • Get-FalconScript, Get-FalconPutFile: Updated to use new v2 endpoints which include workflow-related schema and information.

  • Get-FalconUninstallToken: Added 'Include' parameter.

  • Import-FalconConfig: Renamed 'Force' parameter to 'AssignExisting'. Retained 'Force' as an alias.

    Added 'ModifyDefault' to modify 'platform_default' policies to match settings from import for specified values.

    Added 'ModifyExisting' to modify existing items to match settings from import for specified values. Although 'FirewallGroup' is included, rules are not currently being modified. They will be included as part of a future PSFalcon update.

  • Invoke-FalconBatchGet: Added 'batchgetcmdreqid' to each individual host result.

  • Invoke-FalconDeploy: Added 'tgz' as a supported 'Archive' format.

    Added 'cmd' as a supported 'File' and 'Run' format using 'cmd.exe' in place of 'powershell.exe'.

    Modified 'Run' to execute a custom script that launches a secondary process when provided with a script file. This ensures that the process will execute and not wait for completion (similar to a regular executable when being used with the 'run' Real-time Response command). Standard output and error streams are redirected to 'stdout.log' and 'stderr.log' within the temporary 'FalconDeploy' directory.

    Added 'Include' parameter.

  • Invoke-FalconIncidentAction: Added 'unassign' and 'updateassignedto_v2' actions.

  • Invoke-FalconRtr: Updated to create Real-time Response sessions in groups of 10,000.

  • New-FalconHostGroup: Added type 'staticByID'.

  • New-FalconSubmission: Added 'macOS_10.15' for parameter 'EnvironmentId'.

  • Uninstall-FalconSensor: Added timeout value (120 seconds) to reduce the chance of no 'status' value being returned.

    Added 'Include' parameter.

Resolved Issues

  • Issue #211: Added try/catch to 'Get-FalconHost' when using '-Include group_names' to suppress errors when hosts have no groups.

  • Issue #212: Added actions to 'Invoke-FalconIncidentAction'.

  • Issue #219: Indirectly fixed issue with changes that were already made to 'Invoke-FalconDeploy'.

- PowerShell
Published by bk-cs almost 4 years ago

psfalcon - 2.2.0

New Commands

* spotlight-vulnerabilities.ps1
  Get-FalconVulnerabilityLogic

General Changes

* Re-added basic help information to each command. This will increase module size, but will eliminate the
  need to 'Update-Help' to get descriptions for each command, its parameters and the required API
  permission(s).

* Thanks to some knowledge shared by @kra-ts, PowerShell pipeline support is now cross-module and no longer
  restricted to specific commands!

  Before this release, PSFalcon supported pipeline input when a command accepted a single 'id'. With these
  changes, PSFalcon collects multiple 'ids' passed through the pipeline, groups them and sends appropriately
  sized API requests.

  This change also required the re-positioning of many parameters, the addition of aliases, and the majority of
  [array] parameters being converted into [string[]] or [int[]]. When it was logically possible, [array] values
  were also converted into [object[]] to allow for the processing of both 'id' and 'detailed' values.

* Warning messages have been added when hosts are not included in a batch Real-time Response session
  ('Start-FalconSession') or when Real-time Response commands produce errors ('Invoke-FalconCommand',
  'Invoke-FalconResponderCommand', 'Invoke-FalconAdminCommand', 'Invoke-FalconBatchGet') so it will be more
  obvious what happened when hosts are missing from the final result that was passed through the pipeline.

* Renamed plural parameters ('Ids') to singular ('Id') to follow PowerShell best practices. Each updated
  parameter maintains the plural version as an alias (or the original parameter name, when switching to the
  singular was not possible due to incompatibilities with PowerShell) to prevent errors with existing scripts.

* Modified commands to use the alias values for parameters instead of the 'Fields' variable that was used
  to rename parameters to fit the API submission structure. Removing 'Fields' also enabled the removal of the
  private function 'Update-FieldName'.

* When applicable, the 'Id' parameter attributes were modified to ensure that 'Get-Help' properly displayed
  that the parameter name needs to be explicitly included.

* Added case enforcement to all 'ValidateSet' values. This ensures that proper case is used with parameters
  that have a pre-defined list of accepted values and prevents errors from the API.

* Added 'raw_array' as a field to be used when defining the format of a 'body' submission inside of a PSFalcon
  command. Using it will instruct the module to create a 'body' object that has a base [array] value containing
  the object properties to be converted to Json.

* Updated 'Build-Formdata' private function to attempt to gather file content for the 'content' field, or
  supply the original value if that fails. This change was made to allow 'Send-FalconScript' to use a file
  path or string-based script content.

* Created 'Add-Include' private function to append 'Include' content to command results.

* Created 'Assert-Extension' private function to validate a given file extension when using 'Receive' commands.

* Renamed 'Add-Property' private function to 'Set-Property' and updated it to add a property when it doesn't
  exist, or update the value if it does exist.

* Updated 'Get-RtrCommand' private function to output available Real-time Response commands by permission,
  or all available Real-time Response commands if permission is not defined.

* Created 'Test-OutFile' private function to validate the presence of an existing file and generate error
  messages when using 'Receive' commands.

* Moved verbose output of 'body' and 'formdata' payloads from 'Build-Content' to ApiClient.Invoke() during a
  request. This ensures that individual submissions are displayed, rather than the initial submission before it
  has been broken up into groups.

* Moved verbose output of Header keys and values within an API response from 'Write-Result' to
  ApiClient.Invoke(). 'Write-Result' continues to display the 'meta' Json values due to the addition of an
  internal function called 'Write-Meta'.

* Added '-Force' parameter to the following commands to overwrite an existing file when present:
  Export-FalconConfig
  Receive-FalconHorizonAwsScript
  Receive-FalconHorizonAzureScript
  Receive-FalconDiscoverAzureScript
  Receive-FalconDiscoverGcpScript
  Receive-FalconIntel
  Receive-FalconRule
  Receive-FalconArtifact
  Receive-FalconContainerYaml
  Receive-FalconMalQuerySample
  Receive-FalconCompleteAttachment
  Receive-FalconGetFile
  Receive-FalconSample
  Receive-FalconScheduledReport
  Receive-FalconInstaller

* Added '-Include' parameter to append 'members' to the following commands:
  Get-FalconHostGroup
  Get-FalconDeviceControlPolicy
  Get-FalconFirewallPolicy
  Get-FalconPreventionPolicy
  Get-FalconResponsePolicy
  Get-FalconSensorUpdatePolicy

* Updated commands that output to CSV ('Import-FalconConfig', 'Export-FalconReport', 'Get-FalconQueue',
'Invoke-FalconDeploy') to send their results to 'Write-Output' when unable to write to CSV.

* Removed position attribute from all pagination parameters ('After', 'Offset', 'NextToken').

Command Changes

* Confirm-FalconGetFile, Remove-FalconGetFile
  Updated to use v2 API endpoint that includes upload progress.

* ConvertTo-FalconMlExclusion, ConvertTo-FalconIoaExclusion
  Commands have been corrected to properly produce individual exclusions for each relevant behavior within a
  detection (rather than one exclusion with values from multiple behaviors).

* Edit-FalconFirewallSetting, Edit-FalconHorizonPolicy
  Renamed '-PolicyId' to '-Id'.

* Export-FalconConfig
  Now includes 'Script' (Real-time Response scripts) as an exportable item.

  Output filename now contains a 'FileDateTime' timestamp instead of simply 'FileDate'. This was done to
  match changes made to 'Import-FalconConfig'.

* Find-FalconDuplicate
  Updated to accommodate multiple 'Filter' values.

* Get-FalconAsset
  Added '-Account' and '-Login' switch parameters to toggle access of Falcon Discover user account assets
  and user login events.

  Added '-Include' to append login events to both the default hardware asset and user account output.

* Get-FalconDetection
  Added valid 'Sort' values.

* Get-FalconFirewallPolicy
  Re-added the 'policy_id' in the 'settings' sub-object that is created when using '-Include settings'. This
  was originally removed for being redundant, but needed to be restored to be utilized by the
  'Copy-FalconFirewallPolicy' command.

* Get-FalconHorizonIoa, Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser, Get-FalconHorizonIom
  Removed 'Mandatory' status for '-CloudPlatform', instead populating it if 'AwsAccountId' (or 'AccountId',
  in the case of 'Get-FalconHorizonIom'), 'AzureSubscriptionId', or 'AzureTenantId' are provided. Without one
  of the four values, the command will produce an exception.

* Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser
  Replaced '-AccountId' with '-AwsAccountId' and added '-AzureSubscriptionId' and '-AzureTenantId' to match
  'Get-FalconHorizonIoa'.

* Get-FalconHorizonIom
  Renamed parameter '-AwsAccountId' to '-AccountId', which accepts an AWS account ID or GCP Project Number
  value. Also corrected the accepted '-Status' value 'recurring' to 'reoccurring'.

* Get-FalconHost
  '-Detailed' output will no longer be forced when using '-Include group_names', and instead will include
  'device_id' and 'groups'. Using '-Detailed' and '-Include group_names' maintains full output.

  Added 'online_state' to '-Include' to retrieve detail from new 'online status' API.

  Added '-State' switch to be used with '-Id' to retrieve detail from the new 'online status' API.

* Get-FalconQueue
  Updated command to write progress to host stream instead of verbose stream.

* Get-FalconVulnerability
  Added 'evaluation_logic' to the 'Facet' parameter.

* Import-FalconConfig
  Completely re-written to utilize the pipeline; excluded items (with the reason they were excluded) are
  now included within the resulting CSV output.

  Now includes 'Script' (Real-time Response scripts) as an importable item.

  Output filename now contains a 'FileDateTime' timestamp instead of simply 'FileDate'. This was done because
  verbosity of the output was increased and appending to an existing file would cause output problems.

  Removed warning message that was generated when no items were created because the CSV output now displays
  both excluded and created items.

* Invoke-FalconBatchGet, Invoke-FalconCommand, Invoke-FalconAdminCommand, Invoke-FalconResponderCommand
  Added a new '-Confirm' parameter to confirm and retrieve the output from both single-host commands and batch
  'get' commands.

  'Invoke-FalconAdminCommand' and 'Invoke-FalconResponderCommand' will now redirect to 'Invoke-FalconBatchGet'
  when used to 'get' within a multi-host session.

  Each of the commands now appends 'batch_id' to the output of commands issued within a batch session.

* Invoke-FalconCommand, Invoke-FalconAdminCommand, Invoke-FalconResponderCommand, Invoke-FalconRtr
  Split the 'eventlog' command into 'eventlog backup', 'eventlog export', 'eventlog list', and 'eventlog view'.

* Invoke-FalconDeploy
  Contribution from @soggysec: Changed '-Path' to '-File' (with a 'Path' alias) and added '-Archive' (with a
  corresponding '-Run' parameter) to allow for a file or archive to be specified. If 'Archive' is used,
  Real-time Response will be used to 'runscript' and extract the files, then 'run' the specified 'Run' file,
  allowing the deployment of files that require additional files to be present in order to execute.

  Added 'mkdir' step to create a temporary folder in order to ensure that a unique file will be 'put' and 'run'
  each time, instead of failing when a previous 'put' occurred. CSV output was slightly modified as a result.

  If you specify a .ps1, .sh or .zsh file within the '-File' or '-Run' parameter, the command will use
  'runscript' instead of 'run'.
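The '-File', '-Archive' and '-Run' behaviour described above, as an added example (not code from the PSFalcon project). File paths and the host group identifier are constructed placeholders; '-GroupId' is the parameter named in these notes, and an authorization token from 'Request-FalconToken' is assumed to already exist.

```powershell
# Added example; not part of the PSFalcon project. Paths and '<host-group-id>'
# are placeholders. Assumes Request-FalconToken has already been run.

# Single file: a .ps1/.sh/.zsh target is sent with 'put' and started with
# 'runscript'; any other file type is started with 'run'.
Invoke-FalconDeploy -File 'C:\Deploy\Collect-Triage.ps1' -GroupId '<host-group-id>'

# Archive with dependencies: the .zip is 'put' into a freshly created temporary
# folder ('mkdir' step), extracted through 'runscript', and then the file named
# by '-Run' is started. Because the folder is unique per run, a previous 'put'
# of the same archive does not cause the deployment to fail.
Invoke-FalconDeploy -Archive 'C:\Deploy\triage-kit.zip' -Run 'collect.ps1' -GroupId '<host-group-id>'

# 'Path' is kept as an alias of '-File', so scripts written against the old
# parameter name keep working.
Invoke-FalconDeploy -Path 'C:\Deploy\agent-check.exe' -GroupId '<host-group-id>'
```

Each call writes its per-host results to the CSV output described above, which is where a missing 'complete' status or a non-empty 'stderr' value for a given host would be reviewed after the deployment.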

* Invoke-FalconRtr
  Updated to use 'Get-RtrCommand' private function to determine valid 'Command' values automatically from the
  other Real-time Response commands.

  Added 'Include' parameter to append device properties to output.

* New-FalconDeviceControlPolicy, New-FalconFirewallPolicy, New-FalconPreventionPolicy
  Removed the '-CloneId' parameter from the following commands due to inconsistencies in created policies. The
  'Copy-Falcon...Policy' commands continue to be available for use instead.

* Request-FalconToken
  Contribution from @kra-ts: Added support for a CCID value in the '-MemberCid' parameter which leads to the
  checksum value being silently dropped but the CID itself being accepted.

* Send-FalconScript
  Updated to allow 'Path' to contain string based script content or a path to a file.

* Start-FalconSession
  Now uses '-Id' to define both single-host and multi-host sessions. When a single host identifier is passed in
  the pipeline, a single-host session will be created. A multi-host session can be forced by specifying the
  'Timeout' or 'ExistingBatchId' parameter(s).

  Additionally, this command now appends 'batch_id' to each host that was successfully initiated within a
  multi-host session.
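The single-host versus multi-host session behaviour of 'Start-FalconSession', together with the 'batch_id' and '-Confirm' changes to the 'Invoke-Falcon*Command' commands above, as an added example (not code from the PSFalcon project). The host identifiers are constructed placeholders; the '-Argument' parameter name and the per-host 'aid' property are assumptions that do not appear in these notes.

```powershell
# Added example; not part of the PSFalcon project. Host identifiers are
# constructed placeholders. Assumes Request-FalconToken has already been run.

# 1. One identifier on the pipeline creates a single-host session. The
#    single-host result carries 'session_id', which is used for commands.
$Single = '0123456789abcdef0123456789abcdef' | Start-FalconSession

# '-Confirm' polls for and returns the command output instead of only the
# command request. '-Argument' is an assumed parameter name.
Invoke-FalconCommand -SessionId $Single.session_id -Command 'ls' -Argument 'C:\' -Confirm |
    Select-Object session_id, stdout, stderr

# 2. Several identifiers, or an explicit '-Timeout' / '-ExistingBatchId', create
#    a multi-host (batch) session. Each successfully initiated host in the
#    'hosts' list carries the session's 'batch_id'.
$Batch = @(
    '0123456789abcdef0123456789abcdef',
    'fedcba9876543210fedcba9876543210'
) | Start-FalconSession -Timeout 60

# Commands issued with '-BatchId' also have 'batch_id' appended to each result,
# so output can be tied back to the session it came from.
$Result = Invoke-FalconCommand -BatchId $Batch.batch_id -Command 'ls' -Argument 'C:\'

# Hosts that did not make it into the session or errored now produce warnings;
# comparing the requested hosts against the returned ones ('aid' is an assumed
# property name) shows which ones to follow up on.
$Missing = $Batch.hosts | Where-Object { $_.aid -notin $Result.aid }
$Missing | Select-Object aid, batch_id
```

Within a multi-host session, a 'get' issued through 'Invoke-FalconAdminCommand' or 'Invoke-FalconResponderCommand' is redirected to 'Invoke-FalconBatchGet', so the same '-BatchId' pattern applies there.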

- PowerShell
Published by bk-cs about 4 years ago

psfalcon - 2.1.9

General Changes

  • Added 'Select-Object' to 'Get-ChildItem' output to force the display of FullName, Length and LastWriteTime due to differences with how PowerShell displays Get-ChildItem on non-Windows devices.

Resolved Issues

  • Issue #190: Modified Json conversion of 'stdout' when using 'runscript' with 'Invoke-FalconRtr' to reduce the opportunity of null output.

- PowerShell
Published by bk-cs about 4 years ago

psfalcon - 2.1.8

New Commands

  • sensor-update-policies.ps1 'Get-FalconKernel'

Command Changes

  • Added 'cswindiag' command to 'Invoke-FalconRtr' and 'Invoke-FalconAdminCommand'.

  • Changed 'Limit' maximum for 'Get-FalconVulnerability' to 400 to match API.

  • Added support for local Humio instances within 'Register-FalconEventCollector' while maintaining auto-complete for Humio Cloud. Thank you @kra-ts!

  • Added 'No queued Real-time Response sessions available' error when using 'Get-FalconQueue' when there are no queued sessions.

  • Added automatic Json conversion of 'stdout' and 'stderr' output when using 'runscript' with 'Invoke-FalconRtr', simplifying the use of results from scripts that were designed for Falcon Workflows.

  • Added 'iOS' and 'Android' as valid values for 'platform_name' for 'Edit-FalconPreventionPolicy' and 'New-FalconPreventionPolicy'.

  • Added pipeline support for 'Remove-FalconPutFile' and 'Remove-FalconScript'.

  • Added the undocumented 'detectionsuppress' and 'detectionunsuppress' to 'Invoke-FalconHostAction'.

Resolved Issues

  • Issue #187: Fixed typo which was causing array values to only show a single value (instead of all values) when using 'Export-FalconReport'.

- PowerShell
Published by bk-cs about 4 years ago

psfalcon - 2.1.7

New Commands

* filevantage.ps1
'Get-FalconFimChange'

* message-center.ps1
'Add-FalconCompleteActivity'
'Edit-FalconCompleteCase'
'New-FalconCompleteCase'
'Get-FalconCompleteActivity'
'Get-FalconCompleteCase'
'Receive-FalconCompleteAttachment'
'Send-FalconCompleteAttachment'

* psf-humio.ps1
'Register-FalconEventCollector'
'Send-FalconEvent'
'Show-FalconEventCollector'
'Unregister-FalconEventCollector'

New Functionality

* Added the ability to send PSFalcon content to a Humio instance. A specific parser is not required because the
content sent by PSFalcon uses the documented Humio event structure.

* 'Register-FalconEventCollector' is used to define your Humio cloud, ingest token and the events to log,
'Show-FalconEventCollector' can be used for confirmation, and 'Remove-FalconEventCollector' can be used to
disable logging.

* The 'Enable' parameter for 'Register-FalconEventCollector' defines the data that will be sent to Humio. The
value 'requests' sends PSFalcon requests while 'responses' sends API responses.

* Added 'Send-FalconEvent' to generate Humio events using the output of a PSFalcon command. This allows
PSFalcon to work as a mechanism to ingest data from the CrowdStrike APIs directly into Humio and does not
require a specific 'Enable' value under 'Register-FalconEventCollector'.
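The event collector workflow described in the items above, as an added example (not code from the PSFalcon project). The '-Uri' and '-Token' parameter names, the Humio URL, the ingest token value and the use of 'Send-FalconEvent' through the pipeline are assumptions; only 'Enable' and its 'requests'/'responses' values are named in these notes.

```powershell
# Added example; not part of the PSFalcon project. '-Uri' and '-Token' are
# assumed parameter names; the URL and '<ingest-token>' are placeholders.
# Assumes Request-FalconToken has already been run.

# Define the Humio instance, ingest token and which traffic to log: 'requests'
# sends PSFalcon requests, 'responses' sends the API responses.
Register-FalconEventCollector -Uri 'https://cloud.humio.com' -Token '<ingest-token>' -Enable 'requests', 'responses'

# Confirm what was registered before relying on it.
Show-FalconEventCollector

# Forward command output as Humio events. This path does not depend on the
# 'Enable' value, so it works even when no request/response logging is enabled.
# (Pipeline input to Send-FalconEvent is assumed here.)
Get-FalconHost -Detailed -Limit 100 | Send-FalconEvent

# Disable logging once it is no longer wanted (command as listed under New Commands).
Unregister-FalconEventCollector
```

The ingest token is a write credential for the Humio repository, so it belongs in a secret store or a protected variable rather than a script checked into source control.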

Command Changes

* Added 'group_names' as an 'Include' option for 'Get-FalconHost'. Requires 'host-group:read' permission.

* Added Linux support to 'Uninstall-FalconSensor'.

* Added 'Collector' parameter to 'Request-FalconToken' to allow the addition of a Humio Event Collector during
initial authorization token request.

General Changes

* Changed format of request header verbose output to match result header verbose output.

* Modified 'Test-FqlStatement' to simply validate an FQL statement instead of the statement plus individual
properties. This was changed because of numerous reports of undocumented properties that were usable with
specific APIs but were being blocked by 'Test-FqlStatement'.

Resolved Issues

* Issue #153: Added 'instance_id' as a value for '-Sort' under 'Get-FalconHost'.

* Issue #154: Added check for 'SslProtocols' property before attempting to enforce TLS 1.2 in
'Request-FalconToken'. If not available, TLS 1.2 is set through [System.Net.ServicePointManager]
instead. Thank you for your contribution @Minty123!

* Issue #155: Added colon to correct RegEx pattern for 'New-FalconIoc' and 'Edit-FalconIoc'.

* Issue #158: Fixed typo in 'Get-FalconHost' which prevented the attachment of Zero Trust Assessment results
  when using the 'Include' parameter.

* Issue #164: Modified the filter used to check for existing 'IoaGroup' items, so it no longer checks for
values that don't match 'name' and 'platform', and instead checks for values that don't match 'name' for each
'platform' (so new groups will only be created for the specific platform). Also updated 'Policy' items, as the
behavior was present there too.

- PowerShell
Published by bk-cs over 4 years ago

psfalcon - 2.1.6

New Commands

  • cspm-registration.ps1 'Get-FalconHorizonIoa' 'Get-FalconHorizonIom'

  • discover.ps1 'Get-FalconAsset'

  • psf-policies.ps1 'Copy-FalconDeviceControlPolicy' 'Copy-FalconFirewallPolicy' 'Copy-FalconPreventionPolicy' 'Copy-FalconResponsePolicy' 'Copy-FalconSensorUpdatePolicy'

  • scheduled-report.ps1 'Invoke-FalconScheduledReport' 'Redo-FalconScheduledReport'

Command Changes

  • Added 'put-and-run' to 'Invoke-FalconAdminCommand' and 'Invoke-FalconRtr'.

  • Changed 'Get-FalconMalQuery' parameter from '-Ids' to '-Id' to signify that the endpoint only accepts one request at a time.

  • Removed '-Detailed' from 'Invoke-FalconMalQuery' because it was not supposed to be there.

  • Added '-Description' to 'New-FalconDeviceControlPolicy'. Whoops.

  • Added '-Include' to 'Get-FalconFirewallPolicy' to include firewall settings with a policy result.

  • Added '-LocalLogging' to 'Edit-FalconFirewallSetting' to support new Firewall Management policy setting.

  • Added pipeline support for parameters in 'Edit-FalconFirewallSetting'. 'Copy-FalconFirewallPolicy' uses the pipeline to supply settings during the duplication of an existing policy.

General Changes

  • Updated 'Invoke-Loop' to account for new pagination token style used in 'Get-FalconHorizonIoa' and 'Get-FalconHorizonIom'.

  • Re-wrote 'Write-Result' to reduce total code and improve handling of errors from the 'identity-protection' API. As a result, errors produced by 'Write-Result' are now shown as compressed Json objects rather than a string (which only expected 'code' and 'message', typical with most Falcon APIs).

  • Fixed an issue with 'Write-Result' that prevented the output of 'meta' properties in the verbose stream. An earlier version of PSFalcon mistakenly hid this output.

  • Re-wrote portions of 'Request-FalconToken' to eliminate 'call depth overflow' errors generated due to how the '308: Permanent Redirection' response is handled in PowerShell 5.1. Redirection should now function properly.

GitHub Issues

  • Issue #134: Modified RegEx pattern for 'Add-FalconGroupingTag' and 'Remove-FalconGroupingTag' to allow all characters in the initial tag value, then updated the command to use the 'Test-RegexValue' to validate that each value is a valid tag.

  • Issue #135: Added check to validate both 'status' and 'comment' value are present when submitting 'comment' with 'Edit-FalconDetection'. Also forced the input of lower case status values, as improperly-cased 'status' values will cause a '400: Failed to validate resource' error.

  • Issue #136: Corrected 'Invoke-FalconMalQuery' to submit 'options' as a hashtable rather than an array, which was causing all requests to fail (including those made with 'Search-FalconMalQueryHash').

  • Issue #138: Updated 'Test-FqlStatement' to account for multiple 'exact match' values, and used operator groups to more efficiently check , and independently within an FQL 'filter' string.

  • Issue #140: Updated the base [System.Net.Http.HttpClientHandler] to automatically decompress gzip files when presented with them from an API.

  • Issue #143: Updated 'Get-FalconScheduledReport -Execution' to work properly with the '-Detailed' parameter.

  • Issue #144: Updated 'Test-FqlStatement' to allow colon characters in the value portion of an FQL statement.

  • Issue #146: Updated 'Invoke-FalconRtr' to access the 'Initialize-Output' function when using both 'HostIds' and 'GroupId', instead of just 'HostIds'.

- PowerShell
Published by bk-cs over 4 years ago

psfalcon - 2.1.5

New Commands

  • ml-exclusions 'ConvertTo-FalconMlExclusion'

  • self-service-ioa-exclusions 'ConvertTo-FalconIoaExclusion'

General Changes

  • Updated module license to 'The Unlicense' to be in-line with similar projects (falconpy, gofalcon).

  • Added an authorization token check earlier in the private function 'Invoke-Falcon'. This change is designed to help prevent "An invalid request URI was provided. The request URI must either be an absolute URI or BaseAddress must be set" errors from appearing when a command prompts for ClientId/ClientSecret because an authorization token had not been previously requested.

  • Added more explicit error messages to 'Request-FalconToken', 'Show-FalconModule' and 'Test-FalconToken' to make it more obvious when errors are produced due to a failure during the loading of the module, or when an authorization token has not been requested.

  • Updated 'Invoke-Falcon' private function to allow the return of an un-formatted [System.Net.Http.HttpResponseMessage] using the '-RawOutput' switch for commands that need 'meta' content. This reduces the number of 'unique' commands that don't pass through 'Invoke-Falcon'.

  • Added additional authorization token checks to commands that don't use 'Invoke-Falcon'.

  • Modified 'foreach' method being used throughout module to increase performance (where applicable).

  • Updated most commands to move the 'Param' definition into the process{} block. This change was made to match the changes required for commands that have added 'pipeline' support.

  • Moved commands from 'Public\psfalcon.ps1' into new, smaller files due to intermittent errors that may be related to file size:

    'Public\psf-config.ps1'
    'Public\psf-devices.ps1'
    'Public\psf-output.ps1'
    'Public\psf-real-time-response.ps1'
    'Public\psf-sensors.ps1'

  • Updated the conversion of 'last X days/hours' for the '-Filter' parameter to work when last/days/hours is properly capitalized, instead of only lower case.

  • Added private function 'Test-FqlStatement' to validate the values provided to '-Filter' and provide the opportunity to generate error messages before submission to the Falcon APIs.

  • Renamed private function 'Confirm-String' to 'Test-RegexValue' to prevent any future overlap due to generic naming.

Command Changes

  • Added support for passing identifier values through the pipeline to the commands: 'Start-FalconSession', 'Update-FalconSession'

  • Added email string RegEx validation to the commands: 'Edit-FalconReconAction', 'Get-FalconUser', 'New-FalconReconAction', 'New-FalconUser'

  • Added '-Include' parameter (or additional values) to append data to the commands: 'Get-FalconQueue', 'Get-FalconUser', 'Get-FalconHost', 'Invoke-FalconHostAction'

  • Added '-HostId' parameter to 'Invoke-FalconRtr' to allow for single-host sessions and the use of 'Invoke-FalconRtr' as the foundation of 'SensorTag' commands.

  • Updated 'Add-FalconSensorTag', 'Get-FalconSensorTag', 'Remove-FalconSensorTag':

    Added support for Linux and Mac hosts. Added '-Ids' parameter for multi-host support. Modified output to include 'cid', 'device_id', and 'tags'.

  • Updated 'Uninstall-FalconSensor':

    Modified output to include 'cid', 'device_id' and 'status'. Added error message when command is used with Linux/Mac hosts until support is added in the future.

  • Updated 'Start-FalconSession' to a maximum of 10,000 identifiers to match API changes.

  • Increased Real-time Response batch size from 500 to 1,000 for the commands: 'Invoke-FalconRtr', 'Invoke-FalconDeploy'

  • Added support for new API to 'Get-FalconVulnerability' (including 'Facet' parameter, which is functionally similar to what PSFalcon does with '-Include') and raised 'Limit' from 400 to 5,000.

GitHub Issues

  • Issue #112: Updated 'Invoke-FalconHostGroupAction' to properly convert to Json and fixed an additional formatting error.

  • Issue #113: Updated 'Invoke-FalconDeploy' to check for 'complete = true' plus the lack of a 'stderr' output to verify success when using 'put' instead of checking the 'stdout' value, which is different between OS versions. Also changed the absolute path for the 'run' command to ensure it works with Linux and Mac, and added a 'mod_file' step to make the file executable on Linux hosts.

  • Issue #116: Updated 'Uninstall-FalconSensor' to request the maintenance mode token when appropriate.

  • Issue #119: Re-organized how the private function 'Build-Content' adds 'query' input to requests, so that the parameter will be passed in exactly as specified by the 'Format.Query' property when using 'Invoke-Falcon', instead of forcing lower case values using the PowerShell parameter name.

  • Issue #131: Updated 'Class.ps1' to change how header values were added/removed from the [System.Net.Http.HttpClientHandler] object before/after running a 'Receive' command. This should resolve 'An error occurred while enumerating through a collection: Collection was modified' errors in PowerShell 5.1.

  • Issue #132: Updated 'Add-FalconSensorTag', 'Get-FalconSensorTag' and 'Remove-FalconSensorTag' to change method used to split 'GroupingTags' values when running on Windows hosts. Previous method was incorrectly splitting on unexpected characters, causing tag values to not be gathered properly for display and manipulation.

- PowerShell
Published by bk-cs over 4 years ago

psfalcon - 2.1.4

New Commands

  • identity-graphql 'Invoke-FalconIdentityGraph'
  • psfalcon 'Add-FalconSensorTag' 'Get-FalconSensorTag' 'Remove-FalconSensorTag'

General Changes

  • Added support for results from Identity Protection APIs to 'Write-Result'.

Command Changes

  • Updated the 'Sort' values for the following commands: 'Get-FalconCidGroup', 'Get-FalconCidGroupMember', 'Get-FalconGroupRole', 'Get-FalconIoaGroup', 'Get-FalconIoaRole', 'Get-FalconIoc', 'Get-FalconMemberCid', 'Get-FalconScheduledReport', 'Get-FalconQuarantine', 'Get-FalconUserGroup', 'Get-FalconUserGroupMember'.
  • Updated the 'Limit' values for the following commands: 'Get-FalconBehavior', 'Get-FalconIncident'.
  • Updated the following commands to generate an error when the 'Path' parameter is given a directory: 'Edit-FalconScript', 'Send-FalconPutFile', 'Send-FalconSample', 'Send-FalconScript'.
  • Add-FalconHostTag Renamed to 'Add-FalconGroupingTag' to clarify purpose and prevent confusion with 'Add-FalconSensorTag'.
  • Get-FalconHost Added list of accepted 'Sort' values based on related 'Filter' values accepted by 'devices-scroll' API.
  • Invoke-FalconDeploy Added check for OS version and 'cd_temp' step to change to a default temporary directory (\Windows\Temp or /tmp) before the 'put' and 'run' commands.
  • Invoke-FalconRtr Suppressed output of session init 'stdout' value so it doesn't display when the following command results in an error.
  • Remove-FalconHostTag Renamed to 'Remove-FalconGroupingTag' to clarify purpose and prevent confusion with 'Remove-FalconSensorTag'.
  • Request-FalconToken Added 'Authorization token request failed' message when token request fails to ensure that an error is produced when an HTTP 403 response is suppressed from the oauth2 API.

GitHub Issues

  • Issue #79: Fixed bug with 'Invoke-FalconRtr' using the 'get' command that prevented completion of 'get' requests and output of 'batchgetcmdreqid' value.
  • Issue #82: Fixed typo causing relative 'Last X days/hours' value to not be properly calculated.
  • Issue #84: Added break to abort requests when missing authorization token.
  • Issue #85: Modified 'Update-FieldName' to ensure evaluation of [boolean] parameters.

- PowerShell
Published by bk-cs over 4 years ago

psfalcon - 2.1.3

New Commands

  • psfalcon 'Uninstall-FalconSensor'

  • quarantine 'Get-FalconQuarantine' 'Invoke-FalconQuarantineAction' 'Test-FalconQuarantineAction'

Command Changes

  • Invoke-FalconRtr: Fixed typo which prevented 'hostgroupid' from showing up on output when using '-GroupId'.

    Added error message to prevent the use of a '-GroupId' with more than 10,000 members (as the API won't return more than 10,000).

  • Invoke-FalconDeploy: Added error message to prevent the use of a '-GroupId' with more than 10,000 members (as the API won't return more than 10,000).

  • New-FalconUser: Added password complexity check to '-Password' parameter.

GitHub Issues

  • Issue #70, #71: Updated the 'Depth' value of 'ConvertTo-Json' throughout module.

  • Issue #73: Fixed the grouping of ids for 'Invoke-FalconHostAction'.

- PowerShell
Published by bk-cs over 4 years ago

psfalcon - 2.1.2

New Commands

  • container-security 'Get-FalconContainerToken'

  • scheduled-report 'Get-FalconScheduledReport' 'Receive-FalconScheduledReport'

  • self-service-ioa-exclusions 'New-FalconIoaExclusion'

Command Changes

  • Export-FalconConfig: Added 'IoaExclusion' to '-Items'.

  • Get-FalconHost: Added '-Network' parameter to retrieve network address history using host identifier(s).

    Added '-Login' parameter to retrieve user login history using host identifier(s).

    Added '-Include' parameter with values 'loginhistory' and 'networkhistory' to include data with regular output.

  • Get-FalconZta: Added '/zero-trust-assessment/entities/audit/v1:get' endpoint to 'Get-FalconZta' to provide summary-level Zero Trust Assessment results for your entire CID.

  • Import-FalconConfig: Added 'IoaExclusion' for import and assignment.

GitHub Issues

  • Issue #67: Solved. Apparently you can't use a trailing slash for 'HelpInfoUri'...

  • Issue #68: Fixed typo which prevented 'Remove-FalconReconNotification' from being available.

  • Issue #69: Moved code from 'begin{}' block to 'process{}' block for relevant commands.

- PowerShell
Published by bk-cs almost 5 years ago

psfalcon - 2.1.1

General Changes

  • Changed class [Falcon] to [ApiClient]. [ApiClient] is generic and can work with other APIs, which helps enable the use of [ApiClient] for other scripts or modules. It includes a '.Path()' method to convert relative to absolute filepaths, and '.Invoke()' which accepts a hashtable of parameters ('Path', 'Method', 'Headers', 'Outfile', 'Formdata' and 'Body') and produces a [System.Net.Http.HttpResponseMessage].

  • [ApiClient] now uses a single [System.Net.Http.HttpClient] and [System.Net.Http.HttpClientHandler] instead of rebuilding during each request, which follows Microsoft's recommendations and greatly increases performance.

  • PSFalcon no longer outputs to 'Write-Debug', meaning that the '-Debug' parameter will no longer provide any additional information. Similar output is provided to 'Write-Verbose' instead. 'Write-Verbose' output has been modified to include response header information that was not previously visible.

  • Re-wrote and re-organized the module manifest (PSFalcon.psd1) and 'Private' functions (Private.ps1).

  • Removed decimal second values from output when converting from relative time ('last 1 days') to RFC-3339.

  • Added 'Confirm-String' to output 'type' based on RegEx matching. Used to validate values in commands like 'Show-FalconMap'. This will probably be worked in to validate relevant values in other commands in the future.

  • The 'Invoke-Loop' function (which powers the '-All' parameter) now produces an error when a loop ends and there are results remaining (API limit).

  • Renamed 'Public' scripts to be organized by their permission (rather than URL path) and included some commands that were previously in 'Public\scripts.ps1'. Renamed 'Public\scripts.ps1' to 'Public\psfalcon.ps1'.

  • All 'Public' functions (commands that users type) have been re-written to use static parameters, which removed the custom '-Help' parameter and supports the use of 'Get-Help'. The help content has also been moved online. Use 'Update-Help -Module PSFalcon' to download extended help information, including examples previously accessible through the GitHub-based PSFalcon Wiki.

  • Added '.Roles' in-line comment to functions which allows users to 'Get-Help -Role ' and find commands that are available based on required API permission. For instance, typing 'Get-Help -Role devices:read' will display the 'Get-FalconHost' command, while 'Get-Help -Role devices:write' lists 'Add-FalconHostTag', 'Invoke-FalconHostAction' and 'Remove-FalconHostTag'. Wildcards (devices:*, *:write) are supported.

  • Modified 'meta' output from commands. Previously, if the field 'writes' was present under 'meta', the command result would output the sub-field 'resourcesaffected'. Now the command will output 'writes', leading to a result of '@{ writes = @{ resourcesaffected = [int] }}' rather than '@{ resources_affected = [int] }'. This will allow for the output of unexpected results, but may impact existing scripts.

  • Updated the '-Array' parameter to validate objects within the array for required fields when submitting multiple policies/groups/rules/notifications to create/edit in one request.

  • Updated commands with an '-Id' parameter to accept 'Id' from the pipeline (property and value).

New Commands

  • cspm-registration 'Edit-FalconHorizonAwsAccount' 'Get-FalconHorizonIoaEvent' 'Get-FalconHorizonIoaUser'

  • d4c-registration 'Receive-FalconDiscoverAzureScript'

  • iocs 'Get-FalconIocHost' 'Get-FalconIocProcess'

  • kubernetes-protection 'Edit-FalconContainerAwsAccount' 'Get-FalconContainerAwsAccount' 'Get-FalconContainerCloud' 'Get-FalconContainerCluster' 'Invoke-FalconContainerScan' 'Edit-FalconDiscoverAzureAccount' 'New-FalconContainerAwsAccount' 'New-FalconContainerKey' 'Receive-FalconContainerYaml' 'Remove-FalconContainerAwsAccount'

  • psfalcon 'Send-FalconWebhook'

  • recon-monitoring-rules 'Edit-FalconReconNotification' 'Get-FalconReconRulePreview'

Command Changes

  • Edit-FalconHorizonAzureAccount Added parameters to utilize '/cloud-connect-cspm-azure/entities/default-subscription-id/v1'.

  • Edit-FalconFirewallGroup Updated to retrieve required values when not provided. Removed '-Tracking'.

  • Edit-FalconFirewallSetting Renamed '-PolicyId' to '-Id'.

    Updated to retrieve required values when not provided. Removed '-Tracking'.

    Removed '-IsDefaultPolicy' parameter as it doesn't seem to do anything.

  • Edit-FalconIoaGroup Updated to retrieve required values when not provided. Removed '-RulegroupVersion'.

  • Edit-FalconIoaRule Updated to retrieve required values when not provided. Removed '-RulegroupVersion'.

  • Export-FalconConfig Changed archive name to 'FalconConfig.zip' from 'FalconConfig.zip'.

  • Export-FalconReport Re-written to display results based on the object, rather than static 'properties' of a result, meaning it is no longer 'hard-coded' to display results a certain way. See 'Get-Help Export-FalconReport' for more explanation.

Added '-WhatIf' support to show the resulting export rather than exporting to CSV.

  • Find-FalconDuplicate Updated command to retrieve Host results automatically when '-Hosts' is not provided.

Added '-Filter' parameter to use additional property to determine whether a device is a duplicate. See 'Get-Help Find-FalconDuplicate' for more information.

Updated to exclude devices with empty values (both 'hostname' and any provided '-Filter').

Updated output to include 'cid' to avoid potential problems if 'Find-FalconDuplicate' is used within a parent-level CID.

  • Get-FalconDiscoverAwsSettings Renamed to 'Get-FalconDiscoverAwsSetting'.

  • Get-FalconFirewallRule Added '-PolicyId' parameter to return rules (in precedence order) from a specific policy.

  • Get-FalconInstallTokenSettings Renamed to 'Get-FalconInstallTokenSetting'.

  • Get-FalconIocHost Added '-Total' to provide the functionality of the command 'Get-FalconIocTotal'.

  • Get-FalconIocProcess Added '-Ids' to provide the functionality of the command 'Get-FalconProcess'.

  • Import-FalconConfig Added warning when creating 'IoaGroup' to make it clear that Custom IOA Rule Groups are not assigned to Prevention policies (due to a limitation in data from the related APIs).

Added '-Force' parameter to assign items to matching Host Groups (by 'name') that are present within the CID.

Added warning messages ('[missing_assignment]') when items are unable to be created due to missing Host Groups.

  • Invoke-FalconCommand, Invoke-FalconResponderCommand, Invoke-FalconAdminCommand Re-organized positioning to place '-SessionId' and '-BatchId' in front.

  • Invoke-FalconBatchGet Re-organized positioning to place '-BatchId' in front.

Changed output format so that, instead of returning the entire Json response, the result will have the properties 'batchgetcmdreqid' and 'hosts' (similar to how 'Start-FalconSession' displays a batch session result).

  • Invoke-FalconDeploy Added '-GroupId' to run the command against a Host Group. Parameter positioning has been re-organized to compensate.

  • Invoke-FalconRTR Added '-GroupId' to run a Real-time Response command against a Host Group. Parameter positioning has been re-organized to compensate.

Removed all 'single host' Real-time Response code. Now 'Invoke-FalconRTR' always uses batch sessions, which should have minimal impact on the use of the command, but is easier to support.

  • Remove-FalconGetFile Renamed '-Ids' parameter to '-Id' to reflect single value requirement.

  • Remove-FalconSession Renamed '-SessionId' to '-Id'.

  • Request-FalconToken Added '-Hostname' parameter and set as default. '-Cloud' is still available, but needs to be specified with a 'us-1', 'us-2', 'eu-1' or 'us-gov-1' value.

Added support for redirection when requesting an OAuth2 access token. PSFalcon will follow the 'X-Cs-Region' response header when the provided 'Hostname' does not match the API client's region.

Added TLS 1.2 enforcement and custom 'crowdstrike-psfalcon/' user-agent string.

Added 'ClientId', 'ClientSecret', 'Hostname', and 'Cloud' as named properties that can be passed through the pipeline.
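The token-request behaviour listed above (a cloud-to-hostname table for '-Cloud', TLS 1.2 enforcement and a 'crowdstrike-psfalcon/' user-agent on the HTTP client, and following 'X-Cs-Region' when the hostname in use does not match the API client's region), shown as an added example rather than PSFalcon's own 'Request-FalconToken' implementation. The four hostnames are the CrowdStrike API endpoints for the listed clouds; the exact format of the 'X-Cs-Region' header value ('us-2', 'eu-1', ...), the version suffix on the user-agent and the function names are assumptions. No request is sent: the redirect header is a constructed stand-in.

```powershell
# Added example, not PSFalcon code.
Add-Type -AssemblyName System.Net.Http

# '-Cloud' value to API hostname (same four clouds 'Request-FalconToken' accepts)
$script:FalconHostname = @{
    'us-1'     = 'api.crowdstrike.com'
    'us-2'     = 'api.us-2.crowdstrike.com'
    'eu-1'     = 'api.eu-1.crowdstrike.com'
    'us-gov-1' = 'api.laggar.gcw.crowdstrike.com'
}

function New-FalconHttpClient {
    param([string]$Version = '2.1.0')   # version suffix is an assumption
    # Windows PowerShell 5.1 can negotiate below TLS 1.2 unless pinned explicitly
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $client = [System.Net.Http.HttpClient]::new()
    $client.DefaultRequestHeaders.UserAgent.ParseAdd("crowdstrike-psfalcon/$Version")
    $client
}

function Resolve-FalconHostname {
    param(
        [Parameter(Mandatory, ParameterSetName = 'Hostname')]
        [ValidateSet('api.crowdstrike.com', 'api.us-2.crowdstrike.com',
            'api.eu-1.crowdstrike.com', 'api.laggar.gcw.crowdstrike.com')]
        [string]$Hostname,
        [Parameter(Mandatory, ParameterSetName = 'Cloud')]
        [ValidateSet('us-1', 'us-2', 'eu-1', 'us-gov-1')]
        [string]$Cloud,
        # Value of the 'X-Cs-Region' header from the token response, when the API sent one
        [string]$XCsRegion
    )
    $target = if ($Cloud) { $script:FalconHostname[$Cloud] } else { $Hostname }
    if ($XCsRegion -and $script:FalconHostname.ContainsKey($XCsRegion) -and
        $script:FalconHostname[$XCsRegion] -ne $target) {
        # The API client lives in another region: retry the token request there
        Write-Warning "API client belongs to '$XCsRegion'; using $($script:FalconHostname[$XCsRegion]) instead of $target"
        $target = $script:FalconHostname[$XCsRegion]
    }
    $target
}

# Constructed header standing in for a redirect response from the token endpoint
$constructedHeaders = @{ 'X-Cs-Region' = 'us-2' }

$client = New-FalconHttpClient
$client.DefaultRequestHeaders.UserAgent.ToString()
Resolve-FalconHostname -Hostname 'api.crowdstrike.com' -XCsRegion $constructedHeaders['X-Cs-Region']
Resolve-FalconHostname -Cloud 'eu-1'
$client.Dispose()
```

In a real token flow the caller would send the OAuth2 client credentials to the resolved hostname, and, if the response carries 'X-Cs-Region' for a different cloud, call 'Resolve-FalconHostname' again with that value before retrying; pinning TLS 1.2 on the client matters mostly on Windows PowerShell 5.1, where the default protocol set can otherwise be older.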

  • Send-FalconSample Added support for uploading archives.

  • Update-FalconDiscoverAwsSettings Renamed to 'Update-FalconDiscoverAwsSetting'.

GitHub Issues

  • Issue #48: Updated 'Invoke-Loop' private function with a more explicit counting method to eliminate endless loops in PowerShell 5.1.

  • Issue #51: Switched 'Edit-FalconScript' and 'Send-FalconScript' to use the 'content' field rather than 'file'.

  • Issue #53: 'Wait-RetryAfter' function was re-written to re-calculate the 'X-Cs-WaitRetryAfter' time.

  • Issue #54: Updated 'Get-FalconHorizonPolicy' with additional '-Service' names.

  • Issue #59: Updated 'New-Falcon...Policy' commands to use 'clone_id' values in the appropriate places.

  • Issue #62: Added 'user-agent' to 'Request-FalconToken'.

  • Issue #63: Modified the way the 'maximum URL length' is calculated to avoid unexpected 'URL too long' HTML response errors from differences between cloud environments.
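The 'maximum URL length' problem behind Issue #63 is that the same number of ids produces a longer URL on a cloud with a longer hostname, so a fixed ids-per-request count can overrun the limit on one cloud and not another. The following added example (not PSFalcon's internal code) splits a list of ids into groups by measuring the actual URL that would be built for the given hostname and path. The 2048-character ceiling and the function name are assumptions for illustration, not documented CrowdStrike values; the demo passes a smaller ceiling so the per-cloud difference is visible with a few hundred ids.

```powershell
# Added example, not PSFalcon code: group ids so each request URL stays under a length ceiling.
function Split-IdsByUrlLength {
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Ids,
        [int]$MaxUrlLength = 2048            # assumed ceiling, not a documented API limit
    )
    $base = "https://$Hostname$Path"
    $budget = $MaxUrlLength - $base.Length - 1   # minus the '?' that starts the query string
    $groups = [System.Collections.Generic.List[string[]]]::new()
    $current = [System.Collections.Generic.List[string]]::new()
    $used = 0
    foreach ($id in $Ids) {
        $param = 'ids=' + [uri]::EscapeDataString($id)
        if ($param.Length -gt $budget) { throw "id '$id' does not fit in a single request URL" }
        # An '&' separates this parameter from the previous one unless the group is empty
        $needed = $param.Length + [int]($current.Count -gt 0)
        if ($current.Count -gt 0 -and ($used + $needed) -gt $budget) {
            $groups.Add($current.ToArray())
            $current.Clear()
            $used = 0
            $needed = $param.Length
        }
        $current.Add($id)
        $used += $needed
    }
    if ($current.Count -gt 0) { $groups.Add($current.ToArray()) }
    ,$groups.ToArray()
}

# Constructed input: 300 synthetic 32-character hex ids, the shape of a Falcon 'aid'
$ids = 1..300 | ForEach-Object { '{0:x32}' -f $_ }
$path = '/devices/entities/devices/v2'
foreach ($cloud in 'api.crowdstrike.com', 'api.laggar.gcw.crowdstrike.com') {
    # A small ceiling makes the difference between clouds visible on a small sample
    $batches = Split-IdsByUrlLength -Hostname $cloud -Path $path -Ids $ids -MaxUrlLength 1024
    foreach ($batch in $batches) {
        $url = "https://$cloud$path?" + (($batch | ForEach-Object { "ids=$_" }) -join '&')
        '{0,-32} {1,3} ids, {2,4} chars' -f $cloud, $batch.Count, $url.Length
    }
}
```

Because the budget is derived from the hostname actually in use, the 'us-gov-1' endpoint (the longest of the four hostnames) gets slightly fewer ids per request than 'api.crowdstrike.com' at the same ceiling, instead of being the one cloud that trips a '414'-style "URL too long" response. Ids are escaped before they are measured, so a value containing reserved characters is charged its encoded length.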

- PowerShell
Published by bk-cs almost 5 years ago

psfalcon - 2.0.8

New Commands
* Added 'Get-FalconQuickScanQuota' to display QuickScan quota information
* Added commands for global 'overwatch-dashboards' APIs:
    'Get-FalconOverWatchEvent'
    'Get-FalconOverWatchDetection'
    'Get-FalconOverWatchIncident'
* Added commands for 'falcon-complete-dashboards' APIs:
    'Get-FalconCompleteAllowlist'
    'Get-FalconCompleteBlocklist'
    'Get-FalconCompleteCollection'
    'Get-FalconCompleteDetection'
    'Get-FalconCompleteEscalation'
    'Get-FalconCompleteIncident'
    'Get-FalconCompleteRemediation'
* Added commands for 'recon' APIs:
    'Edit-FalconReconAction'
    'Edit-FalconReconRule'
    'Get-FalconReconAction'
    'Get-FalconReconNotification'
    'Get-FalconReconRule'
    'New-FalconReconAction'
    'New-FalconReconRule'
    'Remove-FalconReconAction'
    'Remove-FalconReconRule'
* Added command for 'zero-trust-assessment' API:
    'Get-FalconZTA'

New Parameters
* Added 'Total' switch to each command that has 'offset' or 'after' values to provide the total result
  count rather than the actual results

Changed Commands
* Updated custom indicator commands to match new 'iocs' APIs
    'Edit-FalconIOC'
    'Get-FalconIOC'
    'New-FalconIOC'
    'Remove-FalconIOC'
* Updated 'Invoke-FalconRTR' to fix various issues that would cause 'get' requests to fail with more
  than one host
* Modified 'Confirm-FalconGetFile' to reduce the complexity of the output when checking the status
  of a batch 'get' request -- the command now returns each result with the 'aid' value appended to it
  rather than being sorted by 'aid' (which required additional object manipulation to access relevant
  properties)
* Added a check before 'Receive' commands that will abort the command and output an error if the file
  already exists
* Added custom indicators to 'Export-FalconConfig' and 'Import-FalconConfig'

Removed Commands
* Removed custom indicator commands that no longer have supported APIs
    'Get-IOCHost'
    'Get-IOCProcess'
    'Get-IOCTotal'

Parameter Changes
* Removed '.zip' pattern from 'Receive-FalconMalQuerySample' as single file downloads were not zipped

GitHub Issues
* Issue #45: Updated 'Edit-FalconScript' to correctly convert relative to absolute file path

- PowerShell
Published by bk-cs about 5 years ago