
[ BUG ] Get-FalconQueue no longer reporting queued sessions #294

Closed
PewlettHackard opened this issue Mar 28, 2023 · 5 comments
Labels
bug Something isn't working

@PewlettHackard

Describe the bug
Despite a hefty list of offline hosts within Falcon, these are not added to the offline queue in PSFalcon when issuing a FalconDeploy command.

To Reproduce

~ $HostIds = (Import-Csv .\hostlist.csv).'Host ID'
~ Invoke-FalconDeploy -File FalconForensicsCollectorBrowser_1.0.277_eu1.exe -Timeout 300 -QueueOffline $True -HostIds $HostIds
~ Get-FalconQueue

[Write-Result] meta.powered_by=empower-api, meta.pagination.offset=0, meta.trace_id=faf499a5-a6cc-4af4-84b7-478d8b69cdfa, meta.pagination.total=0, meta.query_time=0.031280432, meta.pagination.limit=100
No queued Real-time Response sessions available.
At C:\Users\*USER*\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.4\Public\psf-real-time-response.ps1:49 char:35
+ ... Sessions) { throw "No queued Real-time Response sessions available."  ...
    + CategoryInfo          : OperationStopped: (No queued Real-...ions available.:String) [], RuntimeException
    + FullyQualifiedErrorId : No queued Real-time Response sessions available.

Expected behavior
A list of hosts that are offline but in the Offline Queue.

Environment (please complete the following information):

  • OS: Microsoft Windows NT 10.0.22621.0
  • PowerShell: v5.1
  • PSFalcon: v2.2.4

Additional context
Trying to deploy ForensicFalcon out to the estate. Many hosts are offline and are not added to the Offline Queue. The user conducting the commands has RTR permissions.

Transcript content
Attached below

  1. Set $VerbosePreference = 'Continue'
  2. Run Import-Module, Request-FalconToken, Start-Transcript, Show-FalconModule, the affected PSFalcon commands or script, and Stop-Transcript
  3. Copy/paste transcript content
    PowerShell_transcript.txt
@PewlettHackard PewlettHackard added the bug Something isn't working label Mar 28, 2023
@59e5aaf4

Possibly related to CrowdStrike/caracara#78 where an invalid filter uses "1" instead of "True" for the FQL query listing queued sessions; psfalcon does the same.

$ ./test.py RTR_ListAllSessions -p '{"filter":"offline_queued: True+deleted_at: null"}' -q | jq '.body.resources|length'
8
$ ./test.py RTR_ListAllSessions -q | jq '.body.resources|length'
18
$ ./test.py RTR_ListAllSessions -p '{"filter":"offline_queued: 1+deleted_at: null"}' -q | jq '.body.resources|length'
0
$ ./test.py RTR_ListAllSessions -p '{"filter":"offline_queued: zemlkqfjsqdmlkf+deleted_at: null"}' -q | jq '.body.resources|length'
0

Side note: queued operations not being visible nor doable in the web UI is really surprising.

Btw, beware: your filter is using commands_queued=1 as a factor to figure out if sessions are offline or not. I couldn't find proper documentation, but it seems "offline_queued" is the proper bit describing if a session is offline; the following combinations were found on my side. I'm really not sure what "commands_queued" implies related to the overall session nature.

        "offline_queued": true,
        "commands_queued": true

        "offline_queued": false,
        "commands_queued": true

        "offline_queued": false,
        "commands_queued": false

@bk-cs
Collaborator

bk-cs commented Mar 29, 2023

@59e5aaf4 thank you for the tip! It does seem that something changed in the RTR sessions API causing no values to return when using commands_queued:1 rather than commands_queued:true. I have updated Get-FalconQueue for the next release to resolve this issue.

If you'd like to fix your local copy, you can modify the Public\psf-real-time-response.ps1 file in your local module to change this line from...

        Filter = "(deleted_at:null+commands_queued:1),(created_at:>'last $Days days'+commands_queued:1)"

To...

        Filter = "(deleted_at:null+commands_queued:true),(created_at:>'last $Days days'+commands_queued:true)"

NOTE: Edited issue to clarify that the problem isn't that queuing is failing--it's that you can't view queued sessions due to the API change that caused Get-FalconQueue to stop working.
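The two points raised above, the boolean literal in the FQL filter (`commands_queued:true` rather than `commands_queued:1`) and the observation that `offline_queued` is the bit that actually marks a session as offline, can be checked locally without calling the API. The following is an added example and is not PSFalcon or caracara code. Field names `deleted_at`, `created_at`, `offline_queued`, `commands_queued`, `body.resources` and `meta.pagination.total` are taken from this thread; the `session_id` key and all session records below are constructed for the example.

```python
import re
from typing import Dict, List

# Boolean FQL fields seen in this thread; the API stopped matching them when written as 0/1.
BOOLEAN_FIELDS = ("offline_queued", "commands_queued")


def build_queue_filter(days: int = 7) -> str:
    """Return the queued-session filter in the form used after the fix (boolean spelled `true`)."""
    if days < 1:
        raise ValueError("days must be >= 1")
    return (
        "(deleted_at:null+commands_queued:true),"
        f"(created_at:>'last {days} days'+commands_queued:true)"
    )


def find_numeric_booleans(fql: str) -> List[str]:
    """Return the boolean fields in `fql` that are written as 0/1 instead of true/false."""
    pattern = r"\b(" + "|".join(BOOLEAN_FIELDS) + r")\s*:\s*[01]\b"
    return sorted({m.group(1) for m in re.finditer(pattern, fql)})


def classify_sessions(resources: List[dict]) -> Dict[str, List[str]]:
    """Bucket session records using `offline_queued` as the offline indicator.

    Mirrors the combinations reported in the thread: offline_queued implies
    commands_queued, but commands_queued alone only means an online session
    still has pending commands. Deleted sessions are set aside first.
    """
    buckets: Dict[str, List[str]] = {
        "offline_queued": [], "online_pending": [], "idle": [], "deleted": []
    }
    for rec in resources:
        sid = rec["session_id"]  # assumed key name, not confirmed by the page
        if rec.get("deleted_at") is not None:
            buckets["deleted"].append(sid)
        elif rec.get("offline_queued") is True:
            buckets["offline_queued"].append(sid)
        elif rec.get("commands_queued") is True:
            buckets["online_pending"].append(sid)
        else:
            buckets["idle"].append(sid)
    return buckets


def assess_queue_response(fql: str, response: dict) -> str:
    """Distinguish a genuinely empty queue from a filter that silently matches nothing.

    A total of 0 combined with a 0/1 boolean literal is the symptom from this issue:
    the API returns no error, so the module concludes there is nothing queued.
    """
    total = response["meta"]["pagination"]["total"]
    if total == 0 and find_numeric_booleans(fql):
        return "suspect-filter"
    if total == 0:
        return "empty"
    return "ok"


# Constructed sample records covering the three combinations listed in the thread
# plus one deleted session.
SAMPLE_RESOURCES = [
    {"session_id": "s-offline-1", "offline_queued": True, "commands_queued": True, "deleted_at": None},
    {"session_id": "s-online-1", "offline_queued": False, "commands_queued": True, "deleted_at": None},
    {"session_id": "s-idle-1", "offline_queued": False, "commands_queued": False, "deleted_at": None},
    {"session_id": "s-old-1", "offline_queued": True, "commands_queued": True, "deleted_at": "2023-03-01T00:00:00Z"},
]

# Constructed response envelopes shaped like the meta/body seen in the transcript above.
SAMPLE_RESPONSE = {
    "meta": {"pagination": {"offset": 0, "limit": 100, "total": len(SAMPLE_RESOURCES)}},
    "body": {"resources": SAMPLE_RESOURCES},
}
EMPTY_RESPONSE = {"meta": {"pagination": {"offset": 0, "limit": 100, "total": 0}}, "body": {"resources": []}}
BROKEN_FILTER = "(deleted_at:null+commands_queued:1),(created_at:>'last 7 days'+commands_queued:1)"


if __name__ == "__main__":
    print(build_queue_filter())
    print(assess_queue_response(BROKEN_FILTER, EMPTY_RESPONSE))
    print(classify_sessions(SAMPLE_RESPONSE["body"]["resources"]))
```

`assess_queue_response` is the defensive check worth keeping: an empty result from a filter that can never match looks identical to an empty queue, which is exactly how the original problem hid for a while.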

@bk-cs bk-cs changed the title [ BUG ] <-QueueOffline $true failing to queue up offline hosts> [ BUG ] Get-FalconQueue no longer reporting queued sessions Mar 29, 2023
@PewlettHackard
Author

Hi all, can confirm this has given me visibility of the offline queue.

@bk-cs
Collaborator

bk-cs commented Mar 30, 2023

Leaving open for people to fix before release.

@bk-cs bk-cs reopened this Mar 30, 2023
@bk-cs bk-cs mentioned this issue Apr 28, 2023
@bk-cs
Collaborator

bk-cs commented May 1, 2023

2.2.5 release

@bk-cs bk-cs closed this as completed May 1, 2023