[ BUG ] Get-FalconAsset with -Include login_events does not add results for all assets #296

Closed
Tibap opened this issue Apr 4, 2023 · 5 comments
Tibap commented Apr 4, 2023

Describe the bug
The Get-FalconAsset commandlet with the "-include 'login_event'" parameter does not work as expected.

To Reproduce
1/ Run command to get login events for all falcon assets: `Get-FalconAsset -detailed -All -include 'login_event' -Filter "entity_type:'managed'" | select hostname, login_event`
Result: Most of the login_events returned are empty. In my environment, just one entry is populated. From the list returned, grab a hostname where there is no login_event for step 2.

2/ Run command with a filter on the specific hostname: `Get-FalconAsset -detailed -All -include 'login_event' -Filter "entity_type:'managed'+hostname:'XXX'" | select hostname, login_event`
Result: The login_event information is correctly populated.

Expected behavior
The command to get login events for all falcon assets should work.

Environment (please complete the following information):

  • OS: [Windows 10]
  • PowerShell: [5.1]
  • PSFalcon: [2.2.4]

Tibap added the bug label Apr 4, 2023

bk-cs (Collaborator) commented Apr 9, 2023

Thank you for the report. I'll investigate and update once I've had time to test.

bk-cs added a commit that referenced this issue Apr 11, 2023
Updated to ensure proper attachment of `login_event` results for each asset when using `-Include login_event`

bk-cs (Collaborator) commented Apr 11, 2023

I believe I have this fixed for the next release. Can you please test it on your end and verify whether or not it resolves the issue for you?

First, update your local copy of Public\discover.ps1 with the changes from the upcoming 2.2.5 release:

```powershell
(Invoke-WebRequest https://raw.githubusercontent.com/CrowdStrike/psfalcon/2.2.5/public/discover.ps1).content > $HOME\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.4\Public\discover.ps1
```

Then import PSFalcon with the modified file (removing the module first, if already loaded), request your token and run the command again:

```powershell
if (Get-Module PSFalcon) { Remove-Module PSFalcon }
Import-Module PSFalcon
Request-FalconToken <your API client parameters go here>
Get-FalconAsset -Detailed -All -Include 'login_event' -Filter "entity_type:'managed'" | Select-Object hostname,login_event
```
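
The bulk-versus-single-host comparison from the reproduction steps, as an added PowerShell example that is not part of the original comments or of PSFalcon. `Find-DroppedLoginEvent`, its `-Lookup` parameter and the sample objects are hypothetical and constructed for illustration; the `Get-FalconAsset` call is the one shown in the thread.

```powershell
# Added example (not PSFalcon code). Find-DroppedLoginEvent and -Lookup are hypothetical names.
function Find-DroppedLoginEvent {
    [CmdletBinding()]
    param(
        # Output of the bulk query (step 1 of the report)
        [Parameter(Mandatory)]
        [AllowEmptyCollection()]
        [object[]] $BulkResult,

        # Single-host query (step 2 of the report); replaceable for offline runs
        [scriptblock] $Lookup = {
            param($Name)
            Get-FalconAsset -Detailed -All -Include 'login_event' -Filter "entity_type:'managed'+hostname:'$Name'"
        }
    )
    # Only hosts whose login_event came back empty in the bulk result are re-queried
    foreach ($Asset in ($BulkResult | Where-Object { $_.hostname -and -not $_.login_event })) {
        $Single = & $Lookup $Asset.hostname | Select-Object -First 1
        [pscustomobject]@{
            hostname        = $Asset.hostname
            # True: the single-host query has data the bulk query lacked (the reported symptom)
            dropped_in_bulk = [bool]$Single.login_event
        }
    }
}

# Constructed sample objects; the login_event content is a placeholder, not the API's schema
$SampleEvent = [pscustomobject]@{ placeholder = 'constructed' }
$Bulk = @(
    [pscustomobject]@{ hostname = 'HOST-A'; login_event = @($SampleEvent) }
    [pscustomobject]@{ hostname = 'HOST-B'; login_event = $null }
    [pscustomobject]@{ hostname = 'HOST-C'; login_event = $null }
)
# Offline stand-in for the per-host API call: HOST-B has data, HOST-C has none
$PerHost = @{ 'HOST-B' = @($SampleEvent); 'HOST-C' = $null }
$Stub = { param($Name) [pscustomobject]@{ hostname = $Name; login_event = $PerHost[$Name] } }

# Lists hosts whose login_event was empty only in the bulk result
Find-DroppedLoginEvent -BulkResult $Bulk -Lookup $Stub |
    Where-Object dropped_in_bulk |
    Select-Object -ExpandProperty hostname
```

With a live token, omit `-Lookup` and pass the output of the bulk command; no hostnames returned means the bulk query did not lose `login_event` data for any host.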

Tibap (Author) commented Apr 13, 2023

Yes, I have login_event for all hosts now. Thanks for the quick fix!

Tibap closed this as completed Apr 13, 2023

bk-cs (Collaborator) commented Apr 13, 2023

Keeping open for people to utilize fix before release.

bk-cs reopened this Apr 13, 2023
bk-cs changed the title from "[ BUG ] Get-FalconAsset with include login_events does not work when querying multiple assets" to "[ BUG ] Get-FalconAsset with -Include login_events does not add results for all assets" Apr 13, 2023
bk-cs mentioned this issue Apr 28, 2023

bk-cs (Collaborator) commented May 1, 2023

2.2.5 release

bk-cs closed this as completed May 1, 2023