2.2.6 #367
Merged
2.2.6 #367
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Added `IamRoleArn` parameter to `New-FalconDiscoverAwsAccount`
Modified timeout for `Invoke-FalconDeploy` to default to 600 when using `put` and use `$Timeout` for other commands
Rearranged how `ApiClient.Invoke()` downloads files to eliminate "index out of range" error.
Created new `format.json` file to contain endpoint body/formdata/query parameter info for easier updating when there are large number of changes to API endpoints.
Added function `Get-EndpointFormat` to read body/formdata/query parameters from `format.json`. Replaced tab of four spaces with two to reduce file size. Moved code that replaces the user input parameters with proper parameter names for body payloads from the `Invoke-Falcon` function into the `Build-Content` function.
Replaced tab of four spaces with two to reduce file size.
Renamed `Inputs` to `UserInput` in keeping with PowerShell style. Replaced tab of four spaces with two to reduce file sizes.
Renamed `$Inputs` to `$UserInput`
Replaced tab of four spaces with two to reduce file size. Added code to import `format\format.json` when creating `$Script:Falcon` variable during initial access token request.
Replaced tab of four spaces with two to reduce file size. Renamed `Inputs` to `UserInput` in keeping with PowerShell style.
Replaced tab of four spaces with two to reduce file size. Renamed `Inputs` to `UserInput` in keeping with PowerShell style. Added `TenantId` and `ObjectId` parameters to `Update-FalconDiscoverAzureAccount`. Added parameters `TenantId`, `Status`, `Limit`, `Offset`, `All` and `Total` to `Get-FalconDiscoverAzureAccount`. Added `YearsValid` parameter to `Get-FalconDiscoverAzureCertificate`. Added parameters `ClientId`, `YearsValid`, `AccountType`, and `DefaultSubscription` to `New-FalconDiscoverAzureAccount`.
Replaced tab of four spaces with two to reduce file size.
Bug fixes for parameters generating errors when using `Invoke-FalconHostAction` with `Build-Content`
Bugfixes for when `Build-Content` adds single string values (instead of an array) to `$Expected` when validating user input
Modified commands to use `format.json` for parameter definition
Restructured to have single path values with method under it, instead of `path:method`, as used by PSFalcon
Updated `Get-EndpointFormat` to match the way endpoint values are stored (method under path, instead of `path:method`)
Added `CustomUrl` to `Request-FalconToken` for internal troubleshooting
Bugfix for `Get-EndpointFormat` when an endpoint is provided that has no parameters
Fixed bug where a single returned 'Get-FalconAsset' result would not append 'login_event' history with 'Include'
Re-ordered file content related parameters and added descriptions
Updated how host_groups/rule_groups are assigned when creating/modifying FileVantagePolicy Still need to add functionality to remove assigned rule_groups/host_groups when they don't make the config archive being imported and analyze policy for settings/rule changes beyond groups/enablement status
A couple more changes for how rule_groups/host_groups are assigned to FileVantagePolicy to match existing structure
Updated Export-FalconConfig to add FileVantageRuleGroup when exporting FileVantagePolicy
Added validation of properties in `repeated` object and defined formatting for body payload so that `repeated` was properly submitted during a request when using `New-FalconFileVantageExclusion`
* Import-FalconConfig Suppressed output of verbose message when old identifier did not change to a new identifier. Added creation of `exclusions` when creating `FileVantagePolicy`. Compressed creation of `rule_groups` and `host_groups` for `FileVantagePolicy`.
Added validation and body format for `Edit-FalconFileVantageExclusion`
Updated `Set-Property` to avoid errors checking for existing properties under certain conditions when using `Import-FalconConfig`
Removed validation for `ScheduleStart` and `ScheduleEnd` for `New-FalconFileVantageExclusion` and `Edit-FalconFileVantageExclusion`
Added code to `Import-FalconConfig` to evaluate and modify exclusions assigned to `FileVantagePolicy`
Added `precedence` to `Edit-FalconFileVantageRule` and fixed typo in parameter description for `New-FalconFileVantageRule`
Added support for modification of `FileVantageRuleGroup`, `FileVantageRule` and corrected some bugs with `FileVantageExclusion` under `FileVantagePolicy`
Added code to compensate and still properly match when importing into a new cloud and the "latest" tagged build is renamed for a SensorUpdatePolicy. Added "Ignored" message when a `FileVantageRuleGroup` is ignored due to a lack of required changes.
Updated `Invoke-FalconAlertAction` to use new `/alerts/entities/alerts/v3:patch` endpoint.
Updated `Get-FalconHost -Login` to use `v2` endpoint and added appropriate limit.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
2.2.6
Updates for 2.2.6 release
Added features and functionality
Added Commands
cloud-connect-azure
configuration-assessment
falcon-complete-dashboards
filevantage
identity-protection
real-time-response
Removed Commands
cloud-connect-aws (deprecated)
cloud-connect-azure (deprecated)
cloud-connect-gcp (deprecated)
discover
settings-discover (deprecated)
Issues resolved
Get-FalconRoleandGet-FalconUserreturn incorrect roles #313: Reorganized parameters forGet-FalconRoleand removedUserIdfrom a specific ParameterSet toensure proper output.
Uninstall-FalconSensorfails on some 64-bit Windows machines and returns no status #315: Modified script used byUninstall-FalconSensortomatch 64instead ofequal 64-bitto correcterror caused when bit value is reported as
64 bitinstead of64-bit.Get-FalconContainerVulnerabilityvalidation ofPackagefails in PowerShell Core #316: Addedifcheck toConfirm-Parameterfor$Requiredand$Allowedto ensure that blank valuesdo not count when verifying objects under PowerShell Core.
Invoke-FalconDeploy#327: ModifiedInvoke-FalconDeployto properly change directories and execute scripts when working with.cmdand.batfiles. Thanks @MatthewCKelly!Invoke-FalconMalQuery,Get-FalconMalQueryandSearch-FalconMalQueryHashnot returning results #342: ModifiedInvoke-FalconMalQueryandGet-FalconMalQueryto select thereqid,reqtypeand/orstatusproperties in their final output, when present.Get-FalconAssetdoes not appendlogin_eventwhen usingIncludewith a single result #360: Fixed bug whereGet-FalconAssetwould not append results when using-Include login_eventwith asingle asset result.
criticalwithEdit-FalconHorizonPolicy#363: Addedcriticalas a severity forEdit-FalconHorizonPolicy.Other
General Changes
expire within 4 minutes instead of 1 minute. This should help reduce the number of expired authorization
tokens during long-running requests (like
Get-FalconVulnerability).Wait-RetryAfterfunction fromprivate\Private.ps1toclass\Class.ps1underApiClient.Invoke()function.
ApiClient.Invoke()underclass\Class.ps1in an effort to improve verbose logging andperformance.
Invoke-FalconandRequest-FalconTokento compensate for changes toApiClient.Invoke().Write-Resultto ensure each error will be individually produced when a single API call generatesmultiple errors.
ApiClient.Invoke()downloads files to eliminate "index out of range" error.format\format.jsonto contain API endpoint body/formdata/query parameters for easier updates when largenumbers of API endpoints are modified at once.
Get-EndpointFormattoprivate\Private.ps1to read body/formdata/query parameters fromformat.json.private
Invoke-Falconfunction into the privateBuild-Contentfunction.Inputsvariable (and accompanying parameter for theInvoke-Falconfunction, used by commands whenmaking a request) to
UserInputin keeping with PowerShell style.Compare-FalconPreventionPhase.Write-Resultto removemetafrom output whenmeta.pagination.totalequals 0 to account forsome
-Detailedresults returningmetainformation instead of an empty response (unlike a non-Detailedresult, which would return nothing, as expected).
Add-Includefunction to provide error messages when unable to pull results instead of a silentfailure with no output in the related
-Includeproperty.Compare-FalconPreventionPhase.Command Changes
Add-FalconSensorTag
nwas being split into separate tags due to an incorrect quote. Thanks @soggysec!CsSensorSettings.exe.scriptfolder.Edit-FalconHorizonAwsAccount
CloudTrailRegion.IamRoleArn,BehaviorAssessmentEnabled,SensorManagementEnabled,RemediationRegion, andRemediationTouAccepted.Edit-FalconHorizonPolicy
AccountIdto accept multiple identifiers.Edit-FalconReconNotification
IdpSendStatusandMessage.Edit-FalconFirewallLocationSetting
LocationPrecedence.Edit-FalconIoc
Arrayparameter for submitting many IOCs for modification, and set as the default parameter set whenutilizing the pipeline.
Array.Export-FalconConfig
FileVantagePolicy(includingFileVantageExclusion) andFileVantageRuleGroup(includingFileVantageRule). CrowdStrike-created policies and rule groups are excluded from the exportbecause they are auto-generated and can not be modified.
HostGroupwhen exportingFileVantagePolicyto evaluatehost_groups.FileVantageRuleGroupwhen exportingFileVantagePolicyto evaluaterule_groupsandassign them to policies.
Get-FalconAlert
Idparameter, due to new varying identifier types found in testing.Get-FalconBuild
Stage.Get-FalconContainerAccount
Locationto correctly submit aslocationsto the API endpoint.Get-FalconContainerAwsAccount
IsHorizonAcct.Get-FalconContainerCluster
Status.Get-FalconContainerVulnerability
applicationPackages.Get-FalconFimChange
v3endpoint, replacingOffsetwithAfter.Get-FalconFileVantageChange, but keptGet-FalconFimChangeas an alias.Get-FalconHorizonAwsAccount
IamRoleArnandMigrated.Get-FalconHorizonAzureAccount
TenantId.Get-FalconHorizonAzureCertificate
YearsValid.Get-FalconHorizonIoa
ResourceId,ResourceUuid, andSince.Get-FalconHost
Loginswitch to use newv2endpoint. The initial API is limited to 10idsvalues perrequest, which means that using
-Include login_historywill be substantially slower until the API limitis increased.
Get-FalconHostGroup
Includeto use a filteredGet-FalconHostsearch when addingmemberswhich avoids the 10kmaximum limit from the previously used
Get-FalconHostGroupMembercommand.Get-FalconRole
Idvalues when matching aCid(because it also matches custom roleidentifiers).
UserIdas a parameter for the/user-management/queries/roles/v1:getendpoint because the same datais returned by the
/combined/endpoint and they have overlapping parameters.DirectOnlyparameter toGet-FalconRole.Get-FalconScan
/ods/entities/scans/v2:getendpoint.Get-FalconSensorTag
scriptfolder.Get-FalconSession
CidandCommandInfo, which facilitate the display of all Real-time Response sessions within theauthorized CID.
Import-FalconConfig
by
Export-FalconConfig. Thanks @JFresh15 and @soggysec!idvalues forgroupsandrule_groupsobjects.buildvalues for Sensor Update policies.buildfor LinuxArm64policy variants.
FileVantagePolicyandFileVantageRuleGroupasModifyExistingoptions.Commentoutput to specify why certain items were ignored usingNoModifyDefaultandNoModifyExisting.renamed for a
SensorUpdatePolicy.Invoke-FalconAdminCommand
falconscriptas aCommandoption.Invoke-FalconAlertAction
Iddue to new varying identifier types found in testing.v3endpoint.Invoke-FalconContainerScan
scan-typetoscan_typeduring submission.Invoke-FalconDeploy
putstep.GroupIdto use a filteredGet-FalconHostsearch which avoids the 10k maximum limit from thepreviously used
Get-FalconHostGroupMembercommand.Invoke-FalconRtr
falconscriptas aCommandoption.GroupIdto use a filteredGet-FalconHostsearch which avoids the 10k maximum limit from thepreviously used
Get-FalconHostGroupMembercommand.New-FalconHorizonAwsAccount
CloudTrailRegion.AccountType,BehaviorAssessmentEnabled,IamRoleArn,IsMaster,SensorManagementEnabled, andUseExistingCloudtrail.New-FalconHorizonAzureAccount
ClientId,AccountType,DefaultSubscription, andYearsValid.New-FalconIoc
Array.New-FalconScheduledScan
ScanInclusion.Receive-FalconContainerYaml
IsSelfManagedCluster.Receive-FalconHorizonAwsScript
Id.Receive-FalconHorizonAzureScript
SubscriptionId,Template, andAccountType.Receive-FalconRule
IfNoneMatchandIfModifiedSince.Remove-FalconCidGroupMember
/mssp/entities/cid-group-members/v2:deleteendpoint.Remove-FalconHorizonAzureAccount
TenantIdandRetainTenant.Remove-FalconReconRule
DeleteNotification.Remove-FalconSample
Idto accept asha256value when passed through the pipeline.Remove-FalconSensorTag
CsSensorSettings.exe.scriptfolder.Send-FalconPutFile
Name.Send-FalconScript
Name.Start-FalconScan
ScanInclusion.Uninstall-FalconSensor
Windows host.
scriptfolder.