[ BUG ] Get-FalconRole and Get-FalconUser return incorrect roles #313

Closed
simonjTMCZ opened this issue May 12, 2023 · 8 comments

simonjTMCZ commented May 12, 2023

Describe the bug
Get-FalconRole and Get-FalconUser return incorrect roles assigned to a user.

I have 4 custom user roles created - ITOPS, SOCBASIC, SOCADM, CSADMIN - and I have assigned them to all users as needed. I am not using any of the built-in CS roles anymore.

When I use PSFalcon, I get something like this (I do not use these roles, they are not assigned to users):
falcon_console_guest,response_workflow_author,remote_responder_one,falconhost_analyst,scheduled_report_analyst...

When I use swagger (/user-management/combined/user-roles/v1), it gives me the correct answer:

  {
    "uuid": "d4****************************eb2",
    "cid": "3b****************************4",
    "role_id": "fac7c47add5242538f592946747a7191",
    "role_name": "CSADMIN",
    "grant_type": "direct"
  }

To Reproduce
Get-FalconUser -Include $INCL -Filter "assigned_cids:['150********************31']" -Detailed

or

Get-FalconRole -UserId <MYUSERID> -Cid '150********************31'

Expected behavior
Both PSFalcon commands must return the correct set of assigned roles.

Environment (please complete the following information):

  • OS: Windows 10
  • PowerShell: 5.1.19041.2673
  • PSFalcon: 2.2.4
@simonjTMCZ simonjTMCZ added the bug Something isn't working label May 12, 2023
@bk-cs bk-cs changed the title [ BUG ] Get-FalconRole and Get-FalconUser return incorrect roles [ BUG ] Get-FalconRole and Get-FalconUser return incorrect roles May 12, 2023
@bk-cs
Collaborator

bk-cs commented May 12, 2023

Can you clarify what you mean when you say "the roles aren't returned"? In my experience, custom roles are labelled by their identifier and not a "custom name". This is what is returned by the API.

When a new role is created, an identifier shows for the role when using Get-FalconRole with no parameters:

PS C:\> Get-FalconRole
VERBOSE: 09:10:42 [Get-FalconRole] /user-management/queries/roles/v1:get
VERBOSE: 09:10:42 [ApiClient.Invoke] GET https://api.crowdstrike.com/user-management/queries/roles/v1
VERBOSE: 09:10:42 [ApiClient.Invoke] Accept=application/json
VERBOSE: 09:10:42 [ApiClient.Invoke] 200: OK
VERBOSE: 09:10:42 [ApiClient.Invoke] Connection=keep-alive, Strict-Transport-Security=max-age=15724800;
includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-1,
X-Cs-Traceid=adc6bba3-cb74-4b34-b273-1d2a53e9fa8b, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5999, Date=Fri, 12 May
 2023 16:10:43 GMT, Server=nginx
VERBOSE: 09:10:42 [Write-Result] query_time=0.017971311, powered_by=cs.flightcontrolapi,
trace_id=adc6bba3-cb74-4b34-b273-1d2a53e9fa8b

6df995d6e7b54a208965e7f4811ae8e4

When checking by Cid and UserId, an identifier shows for the role:

PS C:\> Get-FalconRole -Cid $Cid -UserId $UserId
VERBOSE: 09:03:08 [Get-FalconRole] /user-management/queries/roles/v1:get
VERBOSE: 09:03:08 [ApiClient.Invoke] GET
https://api.crowdstrike.com/user-management/queries/roles/v1?user_uuid=REDACTED&cid=REDACTED
VERBOSE: 09:03:08 [ApiClient.Invoke] Accept=application/json
VERBOSE: 09:03:08 [ApiClient.Invoke] 200: OK
VERBOSE: 09:03:08 [ApiClient.Invoke] Connection=keep-alive, Strict-Transport-Security=max-age=15724800;
includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-1,
X-Cs-Traceid=885bb710-2eb3-454d-8286-0d43b8f69c6e, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5995, Date=Fri, 12 May
 2023 16:03:09 GMT, Server=nginx
VERBOSE: 09:03:08 [Write-Result] query_time=0.03713781, powered_by=cs.flightcontrolapi,
trace_id=885bb710-2eb3-454d-8286-0d43b8f69c6e

6df995d6e7b54a208965e7f4811ae8e4

The custom role identifier also displays when running your command above:

PS C:\> Get-FalconUser -Filter "assigned_cids:['$Cid']" -Detailed -Include roles
VERBOSE: [ApiClient.Invoke] GET
https://api.crowdstrike.com/user-management/queries/users/v1?filter=assigned_cids:['REDACTED']
VERBOSE: [ApiClient.Invoke] ContentType=application/json, Accept=application/json
VERBOSE: [ApiClient.Invoke] 200: OK
VERBOSE: [ApiClient.Invoke] Connection=keep-alive, Strict-Transport-Security=max-age=15724800; includeSubDomains,
max-age=31536000; includeSubDomains, X-Cs-Region=us-1, X-Cs-Traceid=a8be72cc-b636-4ff9-8bea-6573d224e920,
X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5997, Date=Fri, 12 May 2023 16:30:58 GMT, Server=nginx
VERBOSE: [Write-Result] meta.powered_by=cs.flightcontrolapi, meta.pagination.offset=0,
meta.trace_id=a8be72cc-b636-4ff9-8bea-6573d224e920, meta.pagination.total=1, meta.query_time=0.004978607,
meta.pagination.limit=100
VERBOSE: [ApiClient.Invoke] POST https://api.crowdstrike.com/user-management/entities/users/GET/v1
VERBOSE: [ApiClient.Invoke] ContentType=application/json, Accept=application/json
VERBOSE: [ApiClient.Invoke] {"ids":["REDACTED"]}
VERBOSE: [ApiClient.Invoke] 200: OK
VERBOSE: [ApiClient.Invoke] Connection=keep-alive, Strict-Transport-Security=max-age=15724800; includeSubDomains,
max-age=31536000; includeSubDomains, X-Cs-Region=us-1, X-Cs-Traceid=f2795a37-87bc-4f84-9c63-3392958ed298,
X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5996, Date=Fri, 12 May 2023 16:30:58 GMT, Server=nginx
VERBOSE: [Write-Result] meta.query_time=0.013687534, meta.trace_id=f2795a37-87bc-4f84-9c63-3392958ed298,
meta.powered_by=cs.flightcontrolapi
VERBOSE: [ApiClient.Invoke] GET
https://api.crowdstrike.com/user-management/queries/roles/v1?user_uuid=REDACTED
VERBOSE: [ApiClient.Invoke] Accept=application/json
VERBOSE: [ApiClient.Invoke] 200: OK
VERBOSE: [ApiClient.Invoke] Connection=keep-alive, Strict-Transport-Security=max-age=15724800; includeSubDomains,
max-age=31536000; includeSubDomains, X-Cs-Region=us-1, X-Cs-Traceid=4a13cac5-51e1-40f5-9d7e-f61651ecacba,
X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5995, Date=Fri, 12 May 2023 16:30:58 GMT, Server=nginx
VERBOSE: [Write-Result] meta.query_time=0.081751653, meta.trace_id=4a13cac5-51e1-40f5-9d7e-f61651ecacba,
meta.powered_by=cs.flightcontrolapi


uuid          : REDACTED
cid           : REDACTED
uid           : bk***@crowdstrike.com
first_name    : B***
last_name     : K***
last_login_at : 2023-05-12T15:58:07.473297Z
created_at    : 2022-08-15T19:54:17.376Z
roles         : {6df995d6e7b54a208965e7f4811ae8e4, falcon_console_guest, scheduled_report_admin,
                kubernetes_protection_analyst...}

@bk-cs
Collaborator

bk-cs commented May 12, 2023

I think I see the problem. All of these parameters are causing PSFalcon to hit GET /user-management/queries/roles/v1, but never GET /user-management/combined/roles/v1. This seems to be due to parameter positioning within PowerShell. I'm troubleshooting in v2.2.6 now.

bk-cs added a commit that referenced this issue May 12, 2023
Reorganized parameter positioning for `Get-FalconRole`.

Removed automatic redirection of `Id` values from `Get-FalconRole` when matching a `cid` (because it also matches custom role identifiers).

Removed `UserId` as a parameter for the `/user-management/queries/roles/v1:get` endpoint when using `Get-FalconRole` because the same data is returned by the `/combined/` endpoint and they have overlapping parameters.

Added `DirectOnly` parameter to `Get-FalconRole`.
@bk-cs
Collaborator

bk-cs commented May 12, 2023

Can you try replacing your local user-management.ps1 file with the changes I made and retry your tests?

Assuming you're using 2.2.4, use this command to update the file, then reload PowerShell and re-import PSFalcon:

(Invoke-WebRequest https://raw.githubusercontent.com/CrowdStrike/psfalcon/28b6cf77183505d7b254b5587864b83564ed66be/public/user-management.ps1).Content > $HOME\WindowsPowerShell\Modules\PSFalcon\2.2.4\public\user-management.ps1

If using the most current version (2.2.5), please change the destination path to reflect that.

@simonjTMCZ
Author

Your change works well - it returns the correct set of roles.
Although, the format of the result changed completely:

@{
uuid=d42;
cid=151;
role_id=fac
191;
role_name=PLATFORM_ADMINS;
grant_type=user_group;
cid_group_id=ab7
7e;
cid_group_name=Default;
user_group_id=bb
1b;
user_group_name=MSSP_Admins;
parent_cid=3b
********4;
}

But I think you are aware of that.
If it stays like this I can easily live with that as long as the data is correct :-)

J.
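
An added example, not part of the original thread or of PSFalcon: an offline access-review check over records shaped like the combined user-roles output above. The sample records, the catalogue list and the helper names `Find-UnexpectedGrant` and `Test-UnfilteredRoleList` are constructed for illustration; only the field names and the four custom role names come from this issue.

```powershell
# Constructed sample data: records shaped like the combined user-roles output in this thread.
$ExpectedRoles = 'ITOPS', 'SOCBASIC', 'SOCADM', 'CSADMIN'   # custom role names from the report
$Grants = @(
    [pscustomobject]@{ uuid = 'user-a'; role_id = 'id-0001'; role_name = 'CSADMIN'; grant_type = 'direct' }
    [pscustomobject]@{ uuid = 'user-a'; role_id = 'id-0002'; role_name = 'SOCADM'; grant_type = 'user_group' }
    [pscustomobject]@{ uuid = 'user-b'; role_id = 'falconhost_admin'; role_name = 'Falcon Administrator'; grant_type = 'direct' }
)
# Constructed tenant-wide catalogue and a per-user result that mirrors it (the symptom reported here).
$Catalogue = 'falcon_console_guest', 'response_workflow_author', 'remote_responder_one', 'falconhost_analyst'
$Suspect   = 'falconhost_analyst', 'falcon_console_guest', 'remote_responder_one', 'response_workflow_author'

function Find-UnexpectedGrant {
    # Hypothetical helper: emit every grant whose role name is outside the approved set.
    param([object[]]$Grant, [string[]]$Allowed)
    $Grant | Where-Object { $Allowed -notcontains $_.role_name } |
        Select-Object uuid, role_id, role_name, grant_type
}

function Test-UnfilteredRoleList {
    # Hypothetical helper: true when a per-user role list is identical to the whole catalogue,
    # which suggests the user filter was never applied to the query.
    param([string[]]$Returned, [string[]]$All)
    if (-not $Returned -or -not $All) { return $false }
    -not (Compare-Object -ReferenceObject $All -DifferenceObject $Returned)
}

# Grants that fall outside the approved custom roles (here: the built-in role on user-b).
$Unexpected = @(Find-UnexpectedGrant -Grant $Grants -Allowed $ExpectedRoles)
$Unexpected | Format-Table -AutoSize

# Per-user summary split by how the role was granted (direct vs. inherited through a group).
$Grants | Group-Object uuid | ForEach-Object {
    [pscustomobject]@{
        uuid      = $_.Name
        direct    = @($_.Group | Where-Object grant_type -eq 'direct').role_name -join ','
        inherited = @($_.Group | Where-Object grant_type -ne 'direct').role_name -join ','
    }
} | Format-Table -AutoSize

if (Test-UnfilteredRoleList -Returned $Suspect -All $Catalogue) {
    Write-Warning 'Per-user role list equals the full catalogue; treat it as unfiltered.'
}
```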

@simonjTMCZ
Author

Hello again. Any idea of when this fix could be available in production?
I need to give the company's CISO a timeplan. Right now the identity management project regarding CS is stopped because of the bug.
Thank you in advance.

J.

@bk-cs
Collaborator

bk-cs commented May 24, 2023

I have not yet determined the next release date. I typically issue a new release once a significant number of changes have happened with the CrowdStrike APIs, or a significant performance increase is added in the general PSFalcon code. This usually falls around every 30-60 days.

Were you able to apply the fix above? That should resolve the issue for you, and it can be applied after any PSFalcon installation.

@dkang-firmus

Hello! Leaving a note for our friends from parallel universes and intersecting timelines that have led them to this space.

My PowerShell module path is different, mine was:
C:\Users\REDACTED\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.5\public\user-management.ps1
Therefore, I used the following command:

(Invoke-WebRequest https://raw.githubusercontent.com/CrowdStrike/psfalcon/28b6cf77183505d7b254b5587864b83564ed66be/public/user-management.ps1).Content > C:\Users\REDACTED\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.5\public\user-management.ps1

Before applying the patch:

Get-FalconRole -Id REDACTED


help_desk
image_admin
security_lead
horizon_read_only_analyst
falconhost_read_only
response_workflow_author
event_viewer
firewall_manager
intel_admin
idp_policy_manager
desktop_support
remote_responder_one
discover_admin
horizon_admin
**and many more**

After applying the patch:

Get-FalconRole -Id REDACTED


uuid       : REDACTED
cid        : REDACTED
role_id    : falconhost_admin
role_name  : Falcon Administrator
grant_type : direct

uuid       : REDACTED
cid        : REDACTED
role_id    : remote_responder_three
role_name  : Real Time Responder - Administrator
grant_type : direct
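
An added example, not from the thread or the PSFalcon project: one way to apply the same commit-pinned file without hard-coding the module path, which differs between the two installs described above. The helper name `Update-ModuleFile` and its parameters are hypothetical; the URL is the one posted in this issue, and the script needs network access to fetch it.

```powershell
# URL is the commit-pinned file from this thread; everything else is illustrative.
$Url = 'https://raw.githubusercontent.com/CrowdStrike/psfalcon/28b6cf77183505d7b254b5587864b83564ed66be/public/user-management.ps1'

function Update-ModuleFile {
    # Hypothetical helper: replace one file of an installed module, keeping a backup.
    param([string]$ModuleName, [string]$RelativePath, [string]$SourceUrl)

    # Resolve the real install location instead of guessing between $HOME and Documents.
    $Module = Get-Module -ListAvailable -Name $ModuleName |
        Sort-Object Version -Descending | Select-Object -First 1
    if (-not $Module) { throw "$ModuleName is not installed for this user or machine." }
    $Target = Join-Path $Module.ModuleBase $RelativePath
    if (-not (Test-Path -LiteralPath $Target)) { throw "Expected file not found: $Target" }

    # Download to a temporary file first; -UseBasicParsing avoids the IE engine on PowerShell 5.1.
    $Temp = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName() + '.ps1')
    Invoke-WebRequest -Uri $SourceUrl -OutFile $Temp -UseBasicParsing

    # Refuse to install anything that does not parse as PowerShell (e.g. an HTML error page).
    $Tokens = $null; $Errors = $null
    [void][System.Management.Automation.Language.Parser]::ParseFile($Temp, [ref]$Tokens, [ref]$Errors)
    if ($Errors.Count -gt 0) {
        Remove-Item -LiteralPath $Temp
        throw "Downloaded file has $($Errors.Count) parse error(s); module left unchanged."
    }

    # Keep the shipped file so the change can be reverted, then swap in the new one.
    $Backup = "$Target.bak"
    Copy-Item -LiteralPath $Target -Destination $Backup -Force
    Copy-Item -LiteralPath $Temp -Destination $Target -Force
    Remove-Item -LiteralPath $Temp

    # Report what was changed, with a hash that can be recorded for later comparison.
    [pscustomobject]@{
        Version = $Module.Version
        Target  = $Target
        Backup  = $Backup
        SHA256  = (Get-FileHash -LiteralPath $Target -Algorithm SHA256).Hash
    }
}

Update-ModuleFile -ModuleName PSFalcon -RelativePath 'public\user-management.ps1' -SourceUrl $Url
```

As in the original instructions, reload PowerShell and re-import PSFalcon afterwards so the replaced file is loaded.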

@bk-cs bk-cs mentioned this issue Nov 22, 2023
5 tasks
@bk-cs
Collaborator

bk-cs commented Nov 22, 2023

Resolved in the 2.2.6 release, which has been published to GitHub and will be published on the PowerShell Gallery soon.

@bk-cs bk-cs closed this as completed Nov 22, 2023