Releases: CrowdStrike/psfalcon
2.2.8
Removed Commands
ioa
- Get-FalconCloudIoaEvent
- Get-FalconCloudIoaUser
New Commands
billing-dashboards-usage
- Get-FalconHostAverage
device-content
- Get-FalconContentState
identity-protection
- Get-FalconIdentityRule
- New-FalconIdentityRule
- Remove-FalconIdentityRule
policy-content-update
- Edit-FalconContentPolicy
- Get-FalconContentPolicy
- Get-FalconContentPolicyMember
- Invoke-FalconContentPolicyAction
- New-FalconContentPolicy
- Remove-FalconContentPolicy
- Set-FalconContentPrecedence
quickscanpro
- Remove-FalconQuickScan
- Remove-FalconQuickScanFile
- Send-FalconQuickScanFile
snapshots
- Get-FalconSnapshotCredential
- New-FalconSnapshotAwsAccount
Issues Resolved
- Issue #421: Updated the internal function that evaluates FalconSensorTags and re-wrote the scripts for FalconSensorTag manipulation through Real-time Response to fix the inability to add/remove FalconSensorTags on Linux. This also fixed the same issue that was impacting MacOS hosts.
- Issue #424: Increased the `[System.Net.Http.HttpClient]` default timeout to 5 minutes from 1 minute. Updated `Invoke-FalconAdminCommand`, `Invoke-FalconCommand`, and `Invoke-FalconResponderCommand` to only attempt to append `batch_id` to results that have a `session_id`.
- Issue #426: Updated `Uninstall-FalconSensor` to properly select the bash uninstall script when targeting Linux hosts.
- Issue #427: Added `tar` to the valid `Command` list for `Invoke-FalconAdminCommand` and `Invoke-FalconResponderCommand`, and corrected `Invoke-FalconAdminCommand` to properly include the `Command` value `update query`.
- Issue #433: Modified `Edit-FalconFirewallGroup` to ensure that `null` values for `rule_ids` and `rule_versions` are converted into empty arrays, and that single values are forced into arrays.
- Issue #435: Updated the `uninstall_sensor.sh` script to use `systemd` to uninstall `falcon-sensor` on Linux hosts, incorporating some additional code from an existing uninstaller script. Thanks @carlosmmatos and @cs-APreston-ghAccount!
General Changes
- Fixed some error message output for `Request-FalconToken` and `Test-FalconToken`.
Command Changes
ConvertTo-FalconFirewallRule
- Added `protocol` as a required field for the `Map` table and rule creation.
Edit-FalconReconRule
- Added `MatchOnTsqResultType`.
Export-FalconConfig
- Added `ContentPolicy` as a value for the `Select` parameter.
Get-FalconChannelControl
- Renamed to `Get-FalconContentControl`. `Get-FalconChannelControl` has been kept as an alias.
Get-FalconHost
- Added `content_state` as an `Include` value.
Get-FalconIoaExclusion
- Added `ClRegex` and `IfnRegex`.
Get-FalconQuickScan
- Updated to use the new QuickScan Pro API.
Get-FalconVulnerability
- Updated to set `Limit` to `400` when using `All` without `Detailed` to prevent the `5000 is an invalid page size, must be between 1 and 400` error.
Import-FalconConfig
- Added support for Content Update policies.
- Added `ContentPolicy` as a value for the `ModifyExisting` and `ModifyDefault` parameters.
Invoke-FalconAdminCommand
- Added `tar` as a valid `Command` value.
Invoke-FalconResponderCommand
- Added `tar` as a valid `Command` value.
- Added `update query` as a valid `Command`, which was mistakenly removed in a previous release.
New-FalconCompleteCase
- Added `MalwareSubmissionId` and `ReconRuleType`.
New-FalconQuickScan
- Updated to use the new QuickScan Pro API, which is replacing the regular QuickScan API.
New-FalconReconRule
- Added `MatchOnTsqResultType`.
Receive-FalconCloudAwsScript
- Added `DspmEnabled`, `DspmRegion`, and `DspmRole`.
Receive-FalconScheduledReport
- Updated to use a combination of the `last_execution.id` and `report_params.format` fields to define a filename when `Path` is left undefined and a report is being passed via the pipeline. This ensures that "scheduled reports" (i.e. vulnerability reports) are successfully downloaded without providing a `Path`.
Set-FalconChannelControl
- Renamed to `Set-FalconContentControl`. `Set-FalconChannelControl` has been kept as an alias.
2.2.7
New Commands
cloud-connect-cspm-azure
- Get-FalconCloudAzureGroup
- New-FalconCloudAzureGroup
- Remove-FalconCloudAzureGroup
cloud-connect-cspm-gcp
- Get-FalconCloudGcpAccount
- Get-FalconCloudGcpServiceAccount
- Invoke-FalconCloudGcpHealthCheck
- Receive-FalconCloudGcpScript
- Remove-FalconCloudGcpAccount
configuration-assessment
- Get-FalconConfigAssessmentRule
container-security
- Edit-FalconContainerPolicy
- Edit-FalconContainerPolicyGroup
- Get-FalconContainer
- Get-FalconContainerAlert
- Get-FalconContainerAssessment
- Get-FalconContainerCluster
- Get-FalconContainerDetection
- Get-FalconContainerCount
- Get-FalconContainerDriftIndicator
- Get-FalconContainerImage
- Get-FalconContainerIom
- Get-FalconContainerNode
- Get-FalconContainerPackage
- Get-FalconContainerPod
- Get-FalconContainerPolicy
- Get-FalconContainerPolicyExclusion
- Get-FalconContainerPolicyGroup
- Get-FalconContainerVulnerability
- New-FalconContainerImage
- New-FalconContainerPolicy
- New-FalconContainerPolicyExclusion
- New-FalconContainerPolicyGroup
- Remove-FalconContainerPolicy
- Remove-FalconContainerPolicyGroup
- Set-FalconContainerPolicyPrecedence
delivery-settings
- Get-FalconChannelControl
- Set-FalconChannelControl
exclusions
- Edit-FalconCertificateExclusion
- Get-FalconCertificate
- Get-FalconCertificateExclusion
- New-FalconCertificateExclusion
- Remove-FalconCertificateExclusion
fem
- Edit-FalconAsset
filevantage
- Get-FalconFileVantageAction
- Get-FalconFileVantageContent
- Invoke-FalconFileVantageAction
- Invoke-FalconFileVantageWorkflow
host-migration
- Get-FalconMigration
- Get-FalconMigrationCid
- Get-FalconMigrationHost
- Invoke-FalconMigrationAction
- New-FalconMigration
- Start-FalconMigration
- Stop-FalconMigration
- Remove-FalconMigration
- Rename-FalconMigration
intel
- Get-FalconMalwareFamily
loggingapi
- Get-FalconFoundryRepository
- Get-FalconFoundrySearch
- Get-FalconFoundryView
plugins
- Get-FalconWorkflowIntegration
psf-sensors
- Set-FalconSensorTag (Thanks @LyleWB)
snapshots
- Get-FalconSnapshot
- Get-FalconSnapshotScan
- New-FalconSnapshotScan
threatgraph
- Get-FalconThreatGraphIndicator
- Get-FalconThreatGraphVertex
- Get-FalconThreatGraphEdge
workflows
- Export-FalconWorkflow
- Get-FalconWorkflow
- Get-FalconWorkflowAction
- Get-FalconWorkflowInput
- Get-FalconWorkflowTrigger
- Import-FalconWorkflow
- Invoke-FalconWorkflow
- Redo-FalconWorkflow
Issues Resolved
- Issue #310: Added a default timeout of one minute for all requests in an effort to help produce error messages when a file download does not complete.
- Issue #369: Corrected `Find-FalconHostname` so it outputs the entire list of results instead of stopping with the first 100.
- Issue #370: Changed all identifier parameter aliases from uppercase to lowercase to resolve matching issues when using Turkish as the default display language.
- Issue #375: Added a second delay for `Invoke-FalconDeploy` between commands when using the offline queue to ensure that the proper processing order is retained.
- Issue #380: Updated the `Compare-ImportData` function to analyze items by each individual `platform` (or `platform_name`) to resolve a bug where `FirewallGroup` items were being ignored.
- Issue #382: Removed output of successfully downloaded file information from the `Invoke-Falcon` private function and relocated it within the `Invoke()` class function to prevent an `Index out of range error` on successful download requests.
- Issue #385: Re-wrote the `Add-FalconSensorTag` and `Remove-FalconSensorTag` commands to properly append/remove tags across all OSes, and fixed an issue where tags weren't applied at all.
- Issue #391: Removed pattern validation for the `Id` parameter of `Get-FalconAsset` to prevent errors when unexpected (but legitimate) `Id` values are provided.
- Issue #393: Updated `Import-FalconConfig` to properly remove `rule_group_ids` that aren't tied to `FirewallGroup` items that are also created during import.
- Issue #396: Added a maximum count of 1000 identifiers when building body content during `Get-FalconAlert` requests.
- Issue #397: Added an `Action` parameter to define multiple actions to perform in a single request when using `Invoke-FalconAlertAction` or `Invoke-FalconIncidentAction`.
- Issue #399: Updated how `field_values` properties are selected to ensure that they're correctly passed as an array when using `New-FalconIoaRule`.
- Issue #401: Added the `Confirm-CidValue` private function to check `Cid` input for a checksum, remove it when present, and return the `Cid` value in lower case.
- Issue #411: Added `Include` with a value of `scan_file` to `Get-FalconScan`, and added `ScanId` to `Get-FalconScanFile` to support `Include` for `Get-FalconScan`.
- Issue #412: Added a `Limit` of `500` to `Get-FalconScan` and `Get-FalconScanFile` to ensure both `limit` and `offset` are passed during pagination.
General Changes
- Added a weekly check of the PSGallery for PSFalcon module updates if the PSFalcon module was originally installed via the PSGallery. Update status is kept in a file called `update_check.json` in the base PSFalcon module folder. If the connection to the PSGallery fails, the update check is disabled. Deleting `update_check.json` will re-attempt the connection the next time the module is loaded.
- Updated the internal `Build-Query` function to automatically URL encode provided values during submission instead of only encoding `+` as before.
- Updated the internal `Log()` method for `[ApiClient]` to support Falcon NGSIEM and the CrowdStrike Parsing Standard.
- Added a `UserAgent` value to the `[ApiClient]` object for use with the `Log()` method.
- Updated `Request-FalconToken` and `Show-FalconModule` to use the new `UserAgent` value under `[ApiClient]`.
- Removed filtering for unique values when supplying an array of identifiers to a command. This was originally added to prevent problems related to an array containing the same identifier twice, but it adds a lot of processing time when a large list of identifiers is provided. PSFalcon will now pass all given identifiers on to the relevant API, meaning that new error messages might appear if a user is not properly error checking their scripts and filtering out duplicate identifier values.
- Added the `Test-ActionParameter` private function to support the new `Action` parameter for `Invoke-FalconAlertAction` and `Invoke-FalconIncidentAction`.
- Added the `Select-CertificateProperty` private function to support the new `Edit-FalconCertificateExclusion` and `New-FalconCertificateExclusion` commands.
- Corrected verbose output for various commands to ensure that the relevant command name is displayed when `Invoke-Falcon` makes a request to the target API.
- Re-wrote the internal function `Confirm-Parameter` to reduce the parameters necessary when calling the function.
- Added the internal `Remove-EmptyValue` function to strip empty values before submission when necessary.
- Corrected a bug found when implementing the new v2 endpoint for `Get-FalconAsset -IoT` where `after` would not be added properly when paginating with `-All` without another criterion (i.e. `filter`, `sort`, etc.).
- Compressed the `SensorTag` commands into a reusable function to de-duplicate code.
- Renamed the `Array` parameter to `InputObject` to better match PowerShell style for the following commands: `Edit-FalconDeviceControlPolicy`, `Edit-FalconFirewallPolicy`, `Edit-FalconIoc`, `Edit-FalconPreventionPolicy`, `Edit-FalconReconNotification`, `Edit-FalconReconRule`, `Edit-FalconResponsePolicy`, `Edit-FalconSensorUpdatePolicy`, `Find-FalconHostname`, `New-FalconDeviceControlPolicy`, `New-FalconFirewallPolicy`, `New-FalconHostGroup`, `New-FalconIoc`, `New-FalconPreventionPolicy`, `New-FalconReconRule`, `New-FalconResponsePolicy`, and `New-FalconSensorUpdatePolicy`. `Array` has been kept as an alias to prevent issues with existing scripts.
- Changed the prefix from `Horizon` to `Cloud` for the following commands: `Edit-FalconHorizonAwsAccount`, `Edit-FalconHorizonAzureAccount`, `Edit-FalconHorizonPolicy`, `Edit-FalconHorizonSchedule`, `Get-FalconFimChange`, `Get-FalconHorizonAwsAccount`, `Get-FalconHorizonAwsLink`, `Get-FalconHorizonAzureAccount`, `Get-FalconHorizonAzureCertificate`, `Get-FalconHorizonAzureGroup`, `Get-FalconHorizonIoa`, `Get-FalconHorizonIoaEvent`, `Get-FalconHorizonIoaUser`, `Get-FalconHorizonIom`, `Get-FalconHorizonPolicy`, `Get-FalconHorizonSchedule`, `New-FalconHorizonAwsAccount`, `New-FalconHorizonAzureAccount`, `New-FalconHorizonAzureGroup`, `Receive-FalconHorizonAwsScript`, `Receive-FalconHorizonAzureScript`, `Remove-FalconHorizonAwsAccount`, `Remove-FalconHorizonAzureAccount`, and `Remove-FalconHorizonAzureGroup`. The original command names have been kept as aliases to prevent issues with existing scripts.
- Removed `Compare-FalconPreventionPhase` and the accompanying policy json files due to Falcon Prevention Policy UI changes that enabled policy comparison in the Falcon console.
Command Changes
Add-FalconSensorTag
- Re-written to properly evaluate and add tags across all OSes.
- Added support for passing an uninstallation token when adding tags on MacOS (and presumably Linux in the future).
- Added properties to output to increase transparency in the use of RTR and the status of tag additions.
Edit-FalconCloudAwsAccount
- Added `Environment`, `DspmEnabled`, `DspmRole` and `TargetOu`.
Edit-FalconIoaRule
- Updated to use the `/ioarules/entities/rules/v2:patch` endpoint.
Edit-FalconMlExclusion
- Added `DescendentProcess`.
Edit-FalconSvExclusion
- Added `DescendentProcess`.
Edit-FalconReconRule
- Added `BreachMonitorOnly`.
Edit-FalconFileVantageRule
...
2.2.6
New Commands
cloud-connect-azure
- Get-FalconDiscoverAzureTenant
configuration-assessment
- Get-FalconConfigAssessment
- Get-FalconConfigAssessmentLogic
falcon-complete-dashboards
- Get-FalconCompleteAlert
filevantage
- Add-FalconFileVantageHostGroup
- Add-FalconFileVantageRuleGroup
- Edit-FalconFileVantageExclusion
- Edit-FalconFileVantagePolicy
- Edit-FalconFileVantageRule
- Edit-FalconFileVantageRuleGroup
- Get-FalconFileVantageExclusion
- Get-FalconFileVantagePolicy
- Get-FalconFileVantageRule
- Get-FalconFileVantageRuleGroup
- New-FalconFileVantageExclusion
- New-FalconFileVantagePolicy
- New-FalconFileVantageRule
- New-FalconFileVantageRuleGroup
- Remove-FalconFileVantageExclusion
- Remove-FalconFileVantageHostGroup
- Remove-FalconFileVantagePolicy
- Remove-FalconFileVantageRule
- Remove-FalconFileVantageRuleGroup
- Set-FalconFileVantagePrecedence
- Set-FalconFileVantageRulePrecedence
- Set-FalconFileVantageRuleGroupPrecedence
identity-protection
- Get-FalconIdentityHost
real-time-response
- Get-FalconLibraryScript
Removed Commands
cloud-connect-aws (deprecated)
- Confirm-FalconDiscoverAwsAccess
- Edit-FalconDiscoverAwsAccount
- Get-FalconDiscoverAwsAccount
- Get-FalconDiscoverAwsLink
- Get-FalconDiscoverAwsSetting
- New-FalconDiscoverAwsAccount
- Receive-FalconDiscoverAwsScript
- Remove-FalconDiscoverAwsAccount
- Update-FalconDiscoverAwsSetting
cloud-connect-azure (deprecated)
- Get-FalconDiscoverAzureAccount
- Get-FalconDiscoverAzureCertificate
- Get-FalconDiscoverAzureTenant
- New-FalconDiscoverAzureAccount
- Receive-FalconDiscoverAzureScript
- Update-FalconDiscoverAzureAccount
cloud-connect-gcp (deprecated)
- Get-FalconDiscoverGcpAccount
- New-FalconDiscoverGcpAccount
- Receive-FalconDiscoverGcpScript
discover
- Get-FalconDiscoverNetwork
- Get-FalconDiscoverRule
- Get-FalconDiscoverScan
- Get-FalconDiscoverScanner
settings-discover (deprecated)
- Get-FalconDiscoverAwsScript
Issues Resolved
- Issue #313: Reorganized parameters for `Get-FalconRole` and removed `UserId` from a specific ParameterSet to ensure proper output.
- Issue #315: Modified the script used by `Uninstall-FalconSensor` to `match 64` instead of `equal 64-bit` to correct an error caused when the bit value is reported as `64 bit` instead of `64-bit`.
- Issue #316: Added an `if` check to `Confirm-Parameter` for `$Required` and `$Allowed` to ensure that blank values do not count when verifying objects under PowerShell Core.
- Issue #327: Modified `Invoke-FalconDeploy` to properly change directories and execute scripts when working with `.cmd` and `.bat` files. Thanks @MatthewCKelly!
- Issue #342: Modified `Invoke-FalconMalQuery` and `Get-FalconMalQuery` to select the `reqid`, `reqtype` and/or `status` properties in their final output, when present.
- Issue #360: Fixed a bug where `Get-FalconAsset` would not append results when using `-Include login_event` with a single asset result.
- Issue #363: Added `critical` as a severity for `Edit-FalconHorizonPolicy`.
General Changes
- Modified all authorization token validation checks to request a new token when the current token is due to expire within 4 minutes instead of 1 minute. This should help reduce the number of expired authorization tokens during long-running requests (like `Get-FalconVulnerability`).
- Migrated the `Wait-RetryAfter` function from `private\Private.ps1` to `class\Class.ps1` under the `ApiClient.Invoke()` function.
- Streamlined `ApiClient.Invoke()` under `class\Class.ps1` in an effort to improve verbose logging and performance.
- Modified the private functions `Invoke-Falcon` and `Request-FalconToken` to compensate for changes to `ApiClient.Invoke()`.
- Modified `Write-Result` to ensure each error will be individually produced when a single API call generates multiple errors.
- Rearranged how `ApiClient.Invoke()` downloads files to eliminate the "index out of range" error.
- Added `format\format.json` to contain API endpoint body/formdata/query parameters for easier updates when large numbers of API endpoints are modified at once.
- Added the function `Get-EndpointFormat` to `private\Private.ps1` to read body/formdata/query parameters from `format.json`.
- Replaced tabs of four spaces with two to reduce file sizes across the module.
- Moved the code that replaces user input parameters with proper parameter names for body payloads from the private `Invoke-Falcon` function into the private `Build-Content` function.
- Renamed the `Inputs` variable (and the accompanying parameter for the `Invoke-Falcon` function, used by commands when making a request) to `UserInput` in keeping with PowerShell style.
- Updated prevention policy settings for `Compare-FalconPreventionPhase`.
- Updated `Write-Result` to remove `meta` from output when `meta.pagination.total` equals 0, to account for some `-Detailed` results returning `meta` information instead of an empty response (unlike a non-`Detailed` result, which would return nothing, as expected).
- Updated the private `Add-Include` function to provide error messages when unable to pull results instead of a silent failure with no output in the related `-Include` property.
- Updated reference policies used by `Compare-FalconPreventionPhase`.
Command Changes
Add-FalconSensorTag
- Fixed a bug where `n` was being split into separate tags due to an incorrect quote. Thanks @soggysec!
- Removed support for pre-6.42 Windows sensors given that they are no longer supported and don't have `CsSensorSettings.exe`.
- Isolated the scripts being run to add sensor tags into new files contained under the `script` folder.
Edit-FalconHorizonAwsAccount
- Added autocomplete values for `CloudTrailRegion`.
- Added `IamRoleArn`, `BehaviorAssessmentEnabled`, `SensorManagementEnabled`, `RemediationRegion`, and `RemediationTouAccepted`.
Edit-FalconHorizonPolicy
- Updated `AccountId` to accept multiple identifiers.
Edit-FalconReconNotification
- Added `IdpSendStatus` and `Message`.
Edit-FalconFirewallLocationSetting
- Added `LocationPrecedence`.
Edit-FalconIoc
- Added the `Array` parameter for submitting many IOCs for modification, and set it as the default parameter set when utilizing the pipeline.
- Set a maximum of 2,000 IOCs per request when using `Array`.
Export-FalconConfig
- Added `FileVantagePolicy` (including `FileVantageExclusion`) and `FileVantageRuleGroup` (including `FileVantageRule`). CrowdStrike-created policies and rule groups are excluded from the export because they are auto-generated and can not be modified.
- Updated to force `HostGroup` when exporting `FileVantagePolicy` to evaluate `host_groups`.
- Updated to force `FileVantageRuleGroup` when exporting `FileVantagePolicy` to evaluate `rule_groups` and assign them to policies.
Get-FalconAlert
- Removed pattern validation for the `Id` parameter, due to new varying identifier types found in testing.
Get-FalconBuild
- Added `Stage`.
Get-FalconContainerAccount
- Updated `Location` to correctly submit as `locations` to the API endpoint.
Get-FalconContainerAwsAccount
- Added `IsHorizonAcct`.
Get-FalconContainerCluster
- Added `Status`.
Get-FalconContainerVulnerability
- Corrected an error that prevented the submission of `applicationPackages`.
Get-FalconFimChange
- Updated to use the new `v3` endpoint, replacing `Offset` with `After`.
- Renamed the command to `Get-FalconFileVantageChange`, but kept `Get-FalconFimChange` as an alias.
Get-FalconHorizonAwsAccount
- Added `IamRoleArn` and `Migrated`.
Get-FalconHorizonAzureAccount
- Added `TenantId`.
Get-FalconHorizonAzureCertificate
- Added `YearsValid`.
Get-FalconHorizonIoa
- Added `ResourceId`, `ResourceUuid`, and `Since`.
Get-FalconHost
- Updated the `Login` switch to use the new `v2` endpoint. The initial API is limited to 10 `ids` values per request, which means that using `-Include login_history` will be substantially slower until the API limit is increased.
Get-FalconHostGroup
- Updated `Include` to use a filtered `Get-FalconHost` search when adding `members`, which avoids the 10k maximum limit of the previously used `Get-FalconHostGroupMember` command.
Get-FalconRole
- Reorganized parameter positioning.
- Removed automatic redirection of `Id` values when matching a `Cid` (because it also matches custom role identifiers).
- Removed `UserId` as a parameter for the `/user-management/queries/roles/v1:get` endpoint because the same data is returned by the `/combined/` endpoint and they have overlapping parameters.
- Added the `DirectOnly` parameter to `Get-FalconRole`.
Get-FalconScan
- Updated to use the `/ods/entities/scans/v2:get` endpoint.
Get-FalconSensorTag
- Isolated the scripts being run to retrieve tags into new files contained under the `script` folder.
Get-FalconSession
- Added `Cid` and `CommandInfo`, which facilitate the display of all Real-time Response sessions within the authorized CID.
Import-FalconConfig
- Added an error message when filenames within the target archive do not correspond with files typically created by `Export-FalconConfig`. Thanks @JFresh15 and @soggysec!
- Added additional verbose output when the command updates `id` values for `groups` and `rule_groups` objects.
- Added additional verbose output when the command updates `build` values for Sensor Update policies.
- Fixed a bug where Linux Sensor Update policies would not be created due to a missing `build` for `LinuxArm64` policy variants.
- Added `FileVantagePolicy` and `FileVantageRuleGroup` as `ModifyExisting` options.
- Updated `Comment` output to specify why certain items were ignored using `NoModifyDefault` and `NoModifyExisting`.
- Added code to compensate and properly match when importing into a new cloud and the...
2.2.5
New Commands
container-security
- Edit-FalconContainerRegistry
- Get-FalconContainerRegistry
- New-FalconContainerRegistry
- Remove-FalconContainerRegistry
discover
falconx
fwmgr
- Edit-FalconFirewallLocation
- Edit-FalconFirewallLocationSetting
- Get-FalconFirewallLocation
- New-FalconFirewallLocation
- Remove-FalconFirewallLocation
- Set-FalconFirewallLocationPrecedence
kubernetes-protection
- Get-FalconContainerAccount
- Get-FalconContainerAzureScript
- Get-FalconContainerAzureTenant
- Get-FalconContainerScript
Issues Resolved
- Issue #283: Added `platform` during creation of `FirewallGroup` items when using `Import-FalconConfig`.
- Issue #294: Modified the FQL query being used by `Get-FalconQueue` to account for an API change that made the previous query stop working.
- Issue #295: Added code to the sub-function `Invoke-Loop` inside `Invoke-Falcon` to strip all query parameters when paginating `Get-FalconHorizonIom`.
- Issue #296: Updated `Get-FalconAsset` to ensure proper attachment of `login_event` results for each asset when using `-Include login_event`.
- Issue #283: Modified `New-FalconSensorUpdatePolicy` to remove `scheduler` under `settings` when set as disabled to prevent errors when creating policies.
General Changes
- Updated reference policies for `Compare-FalconPreventionPhase`.
- Switched from using `Write-Verbose` to `PSCmdlet.WriteVerbose()` to increase content when using `Verbose` with commands.
- Added additional verbose message output when commands send their requests to display the endpoint being used.
- Added a (local) timestamp at the beginning of verbose output messages through the creation of a `Verbose` function within `class\Class.ps1` and the private function `unnamed`.
- Added `Start-RtrUpdate` and `Stop-RtrUpdate` functions to manage PowerShell background jobs that refresh Real-time Response sessions when using `Invoke-FalconRtr` or `Invoke-FalconDeploy`.
- Changed the `Wait` parameter for `Invoke-FalconAdminCommand`, `Invoke-FalconBatchGet`, `Invoke-FalconCommand`, and `Invoke-FalconResponderCommand` to wait until completion instead of a maximum of 60 seconds.
- Added the `Wait-RtrCommand` and `Wait-RtrGet` private functions, used when `Wait` is specified with Real-time Response commands.
- Streamlined some of the code of `Write-Result` to increase performance.
- Updated the `Get-RtrResult` function (used by `Invoke-FalconRtr` and `Invoke-FalconDeploy`) to include properties that are blank in output. This will ensure that piping to CSV does not present problems when certain hosts respond with different properties (i.e. `stderr` on some results and not others).
- Ensured the `Test-FqlStatement` function was properly used with each command's `Filter` parameter.
- Slightly changed descriptions of commands to match how required permissions are labeled within the Falcon UI.
- Modified `PSFalcon.psd1` to remove a duplicate load of `class\Class.ps1`.
Command Changes
Confirm-FalconGetFile
- Corrected an invalid `ValidatePattern` value for the `Id` parameter.
Edit-FalconDetection
- Removed `ignored` as an option for `Status` to conform with an API change.
Edit-FalconDeviceControlPolicy
- Added parameters to allow modification of custom notifications for the default Windows policy.
Find-FalconDuplicate
- Added the `Platform` parameter to filter by a specific platform when retrieving hosts (instead of providing a list through the `Hosts` parameter).
Find-FalconHostname
- Raised filtered search group count from 20 to 100.
Get-FalconAsset
- Raised filtered search group count from 20 to 100 when using `-Include login_event`.
- Added the `Application` switch to search for applications inventoried by Falcon Discover.
- Added the `IoT` switch to search for IoT assets inventoried by Falcon Discover.
Get-FalconContainerVulnerability
- Added the `Application` parameter for filtering application packages.
Get-FalconDeviceControlPolicy
- Added parameters to allow retrieval of the default Windows policy with custom notifications.
Get-FalconHorizonIoa
- Added the `AccountId` parameter and removed `Region`.
- Set `CloudPlatform` as mandatory instead of generating an error when it was not included.
Get-FalconHorizonIom
- Updated to use the new endpoints `/detects/entities/iom/v2:get` and `/detects/queries/iom/v2:get`.
- The new parameter set includes typical parameters like `Filter` and `Sort`. Old parameters are no longer available, but similar functionality can be found using proper `Filter` statements.
Get-FalconHorizonPolicy
- Updated to use the new `/settings/entities/policy-details/v2:get` endpoint when supplying an `Id` value.
- Removed the `Detailed` switch because the base endpoint always returns detailed results.
Get-FalconHost
- Added `policy_names` as an option for `Include` to append `policy_name` under `device_policies` results (when possible).
Get-FalconRole
- Removed `Detailed` from the command because all results have detailed information in the related parameter set.
- Added `All` and `Total` to the relevant parameter set.
Get-FalconUser
- Raised filtered search group count from 20 to 100 when using `Username`.
Get-FalconQueue
- Added the `HostId` parameter to restrict the queued session search to specific host identifiers.
Get-FalconZta
- Added `Filter`, `Sort`, `Limit`, `After`, `Detailed`, `All`, and `Total` parameters in support of the new API endpoint `GET /zero-trust-assessment/queries/assessments/v1`.
Invoke-FalconDeploy
- Added `Set-Location` to force the location to the temporary directory when running an executable on target host(s).
- Removed pipeline support for `GroupId` so that `Invoke-FalconHostAction` results could be piped through the `HostId` parameter.
Invoke-FalconRtr
- Added additional verbose output.
- Increased the default `Timeout` for session creation and command requests to 600 seconds when not defined.
- Updated to set a `Timeout` of 2 seconds less than the defined `Timeout` for batch sessions (or 58 seconds if not defined) and 3600 seconds for single-host sessions when using `runscript` and not specifying `Timeout` inside `Argument`.
- Removed `Select-Object` code (which ensured all objects had the same final output) to greatly increase performance.
- Removed pipeline support for `GroupId` so that `Invoke-FalconHostAction` results can be piped through the `HostId` parameter.
- Added `Sort-Object` when generating the list of `Command` values to ensure it's provided in alphabetical order.
- Added single quotes when using auto-complete for `Command` values that have a space.
New-FalconCompleteCase
- Updated to use the new v2 API endpoint.
2.2.4
New Commands
archives
- Expand-FalconSampleArchive
- Get-FalconSampleArchive
- Get-FalconSampleExtraction
- Remove-FalconSampleArchive
- Send-FalconSampleArchive
cloud-connect-aws
- Get-FalconDiscoverAwsLink
- Receive-FalconDiscoverAwsScript
fwmgr
- Test-FalconFirewallPath
image-assessment
- Get-FalconContainerVulnerability
installation-tokens
- Edit-FalconInstallTokenSetting
intel
- Get-FalconAttck
- Get-FalconCve
iocs
- Get-FalconIocAction
- Get-FalconIocPlatform
- Get-FalconIocSeverity
- Get-FalconIocType
kubernetes-protection
- Edit-FalconContainerAzureAccount
- Get-FalconContainerAzureAccount
- New-FalconContainerAzureAccount
- Remove-FalconContainerAzureAccount
ods
- Get-FalconScan
- Get-FalconScanFile
- Get-FalconScanHost
- Get-FalconScheduledScan
- New-FalconScheduledScan
- Remove-FalconScheduledScan
- Start-FalconScan
- Stop-FalconScan
psf-fwmgr
- ConvertTo-FalconFirewallRule
recon
- Get-FalconReconExport
- Get-FalconReconRecord
- Invoke-FalconReconExport
- Receive-FalconReconExport
- Remove-FalconReconExport
settings-discover
- Get-FalconDiscoverAwsScript
Issues Resolved
- Issue #255: Added missing parameters and a maximum limit of 100 'ids' per 'detailed' request for `Get-FalconUser`.
- Issue #256: Removed the type definition when creating build tag variables. Added a filter to ensure that LinuxArm64 builds were only being checked when they were using tagged versions.
- Issue #260: @datorr2 fixed `ConvertTo-IoaExclusion` and `ConvertTo-MlExclusion` generating errors about missing properties when detection objects were not passed via the pipeline.
- Issue #263: Added an additional property check to `Import-FalconConfig` to prevent `sha256` IOCs from being ignored and marked as 'Exists' when they didn't actually exist in the target CID.
- Issue #266: Fixed a typo which prevented output of results for `Get-FalconContainerCluster`.
General Changes
- Renamed `mobile-enrollment.ps1` to `enrollments.ps1` to match the URL prefix.
- Renamed `psf-humio.ps1` to `psf-logscale.ps1` to match the product name change.
- Updated references of `Humio` to `Falcon LogScale`.
- Created the `Select-Property` private function for validating the presence of specific properties within [object[]] values. This function is used to output error messages when the proper sub-property values (or string values themselves) are not found in objects submitted via the pipeline.
- Created the [ApiClient]::StreamType() method to ensure that (a supported) 'type' is included when submitting a 'file' or 'upfile' formdata payload.
- Updated the internal `New-ShouldMessage` function to ensure that `Formdata` payloads are displayed when using the `-WhatIf` parameter (with some exceptions).
- Streamlined the `Confirm-Property` internal function for validating pipeline input.
- Added `BodyArray` to the `Invoke-Falcon` internal function to force body payloads into a Json array when required.
- Moved 'ShouldMessage' output during `Invoke-Falcon` so that the body payload is shown after Json conversion instead of before.
- Added warning messages to [ApiClient]::Invoke() when `X-Api-Deprecation` header responses are detected.
- Updated reference policy Json files for `Compare-FalconPreventionPhase`.
- Updated `Invoke-Falcon` to output `meta` content when no other results are available and no errors were produced, to prevent certain endpoints from outputting `errors` and `meta` together.
- Added various 'ShouldProcess' messages to support the testing of PSFalcon commands using dummy data, including a notification when a user will be prompted for their API client information because they do not have an active authorization token.
Command Changes
Updated to use their new respective v2 API endpoints:
- Edit-FalconFirewallSetting
- Get-FalconCidGroup
- Get-FalconCidGroupMember
- Get-FalconDiscoverAwsAccount
- Get-FalconMemberCid
- Get-FalconUserGroup
- Get-FalconUserGroupMember
- Remove-FalconDiscoverAwsAccount
Added 'HostTimeout' parameter, re-ordered positioning and updated 'Timeout' and 'HostTimeout' ranges from 30-600 to 1-600:
- Invoke-FalconAdminCommand
- Invoke-FalconBatchGet
- Invoke-FalconCommand
- Invoke-FalconResponderCommand
- Start-FalconSession
Added 'FromParent' parameter:
- Edit-FalconIoc
- Get-FalconIoc
- Remove-FalconIoc
Added 'ContentFormat' and 'TriggerMatchless' parameters:
- Edit-FalconReconAction
- New-FalconReconAction
Added 'BreachMonitoring' and 'SubstringMatching' parameters:
- Edit-FalconReconRule
- New-FalconReconRule
Added 'State' parameter:
- Get-FalconHorizonIoaEvent
- Get-FalconHorizonIoaUser
Modified to prevent an error message about client permissions when using '-WhatIf':
- Get-FalconMalQueryQuota
- Get-FalconQuickScanQuota
- Get-FalconSubmissionQuota
Added a forced 'HostTimeout' value to ensure that multi-host sessions are used:
- Invoke-FalconDeploy
- Invoke-FalconRtr
Updated 'DetectionId' and 'IncidentId' to submit as hashtables with an 'id' property, rather than an array of string values:
- Edit-FalconCompleteCase
- New-FalconCompleteCase
Modified how 'Filename' is submitted to prevent potential errors:
- Edit-FalconIoaExclusion
- New-FalconIoc
Add-FalconRole
- Removed deprecated endpoint '/user-roles/entities/user-roles/v1:post'. This command now uses the '/user-management/entities/user-role-actions/v1:post' endpoint exclusively (using 'action: grant').
- Changed parameter positions and removed pipeline support for 'Id'. 'Cid' is now a required parameter due to the endpoint change. 'Cid' is included in a 'Get-FalconUser -Detailed' result.
Edit-FalconFirewallGroup
- Added 'Validate' parameter to utilize new '/fwmgr/entities/rule-groups/validation/v1:patch' endpoint.
Edit-FalconHorizonPolicy
- Added 'Region', 'TagExcluded' and 'AccountId' parameters.
Edit-FalconHorizonSchedule
- Added 'NextScanTimestamp' parameter.
Edit-FalconIoaExclusion
- Added 'PatternId' and 'PatternName' parameters.
Find-FalconHostname
- Added 'Partial' switch to perform non-exact matches, an idea from Reddit user 'Runs_on_empty'!
- Added 'Include' parameter.
Get-FalconActor
- Added 'Include' parameter to allow the addition of 'tactic_and_technique' results from 'Get-FalconAttck'.
Get-FalconDiscoverAwsAccount
- Because the new v2 endpoint no longer includes them, 'Filter' and 'Sort' have been removed from available parameters, but 'Migrated', 'OrganizationId' and 'ScanType' have been added. 'Detailed' has been removed because a single call now includes details.
Get-FalconHorizonIoaEvent
- Renamed 'UserIds' parameter to 'UserId' but kept 'UserIds' as an alias.
Get-FalconHorizonSchedule
- Changed 'CloudPlatform' to mandatory, as the API no longer returns results without specifying a value.
Get-FalconIndicator
- Added 'IncludeRelation' parameter.
Get-FalconRole
- Added error message when a user attempts to pipeline a detailed 'Get-FalconUser' result to 'Get-FalconRole'.
- Added auto-complete for 'Id' using list of roles from authorized CID.
Get-FalconUser
- Added 'All' and 'Total' parameters. These were mistakenly missed in the 2.2.3 release.
- Added maximum of 100 user ids per 'detailed' request.
Import-FalconConfig
- Added loop to retry creation of 'Ioc' items after excluding failures and those that were successfully created.
- Updated to ensure that 'Created' results are not generated when creation of an 'Ioc' actually failed.
New-FalconDiscoverAwsAccount
- Updated to use new '/cloud-connect-aws/entities/account/v2:post' endpoint. Parameters have changed to match new endpoint.
New-FalconFirewallGroup
- Added 'Validate' parameter to utilize new '/fwmgr/entities/rule-groups/validation/v1:post' endpoint.
- Added 'Platform' parameter, with auto-complete using 'Get-FalconFirewallPlatform' for available values.
New-FalconIoaExclusion
- Added check to remove the value 'all' when submitted within 'GroupId'. While 'all' will allow the creation of globally applied Machine Learning and Sensor Visibility exclusions, IOA exclusions expect no 'groups' value. This also fixes 'Import-FalconConfig' failing to create 'IoaExclusion' items, because 'all' is an invalid Host Group identifier and produced errors.
New-FalconSubmission
- Repositioned parameters and added pipeline support for 'SubmitName' and 'Sha256'.
Remove-FalconRole
- Removed deprecated endpoint '/user-roles/entities/user-roles/v1:delete'. This command now uses the '/user-management/entities/user-role-actions/v1:post' endpoint exclusively (using 'action: revoke').
- Changed parameter positions and removed pipeline support for 'Id'. 'Cid' is now a required parameter due to the endpoint change. 'Cid' is included in a 'Get-FalconUser -Detailed' result.
Revoke-FalconToken
- Updated to suppress error message when command is used without a valid authorization token present.
Send-FalconCompleteAttachment
- Updated filename verification pattern and added check to ensure that filesize is less than 15MB.
Send-FalconSample
- Renamed parameter 'FileName' to 'Name' to match 'Send-FalconSampleArchive' when redirecting sample archives. 'FileName' was retained as an alias.
Start-FalconSession
- Added 'Timeout' parameter to 'Start-FalconSession' when working with single-host sessions. 'Timeout' would previously force a batch session to be created even if a single host was submitted. Now that 'Timeout' also works for single host sessions, 'HostTimeout' or 'ExistingBatchId' must be used to force creation of a batch session.
2.2.3
New Commands
psf-policies
- Compare-FalconPreventionPhase
ti
- Get-FalconTailoredEvent
- Get-FalconTailoredRule
Issues resolved
- Issue #241: Updated 'Confirm-Parameter' to eliminate "Cannot validate argument on parameter 'Array'. Key cannot be null. (Parameter 'key')" errors generated when using 'Import-FalconConfig'.
- Issue #242: Modified 'Edit-FalconDetection' to check whether a 'status' value is present with a 'comment' value during command execution rather than during parameter validation. This will prevent errors from occurring when parameters are specified in an unexpected order.
- Issue #246: Created 'Confirm-Property' function to properly filter 'Rule' content for both [hashtable] and [PSCustomObject] rules. This will eliminate errors caused by [hashtable] objects being improperly filtered in PowerShell 5.1.
- Issue #247: Updated 'Write-Warning' to use a PSCmdlet method in order to properly support 'WarningVariable'.
General Changes
- Created 'Confirm-Property' private function to filter [hashtable] and [PSCustomObject] into pre-defined properties containing values.
- Updated comment-based help to link directly to specific wiki pages for each command. Using 'Get-Help <command> -Online' will launch the appropriate wiki page. These pages will be updated with current examples present within existing wiki pages, and those pages will be re-organized.
- Modified 'Get-ParamSet' private function to look for 'ids' and 'samples' as potential body values to break into groups of 'Max' values, instead of only 'ids'.
- Updated Falcon X references to Falcon Intelligence due to product name change.
Command Changes
- Updated 'Invoke-FalconIdentityGraph' to no longer modify the GraphQL statement when attempting to use 'All' for pagination. Renamed 'Query' parameter to 'String' and made it work for both query and mutation statements but kept 'Query' as an alias. Now, when your statement includes a 'Cursor' variable definition and the required 'pageInfo { hasNextPage endCursor }' properties, 'All' will automatically paginate results. If either of those requirements is missing, a warning message will be displayed and pagination will not occur.
- Modified 'Get-FalconUser' to remove deprecated API when using 'Username' parameter. 'Username' now submits filtered searches for provided 'uid' values to the appropriate '/user-management/' API.
- Added 'Max' of 1,000 sha256 values for 'New-FalconQuickScan'.
- Added 'sha256' as a PipelineByPropertyName value for 'New-FalconQuickScan' to support pipeline input from 'Send-FalconSample'.
- Added pattern validation to 'Remove-FalconUser' for the 'Id' parameter.
- Modified 'Status' parameter for 'Edit-FalconDetection' to support ValueFromPipelineByPropertyName and changed parameter to position 3.
- Modified 'Edit-FalconSensorUpdatePolicy' and 'New-FalconSensorUpdatePolicy' to filter out properties with empty string values in order to prevent errors when creating and/or modifying Sensor Update policies.
- Modified 'Import-FalconConfig' to prevent an attempt to modify a policy when the policy was not successfully created earlier in the import process. Also ensured that the precedence warnings when existing policies were found would only be displayed once.
2.2.2
New Commands
cloud-connect-azure
- Get-FalconDiscoverAzureCertificate
cloud-connect-cspm-azure
- Get-FalconHorizonAzureCertificate
mobile-enrollment
- Invoke-FalconMobileAction
psf-devices
- Find-FalconHostname
user-management
- Invoke-FalconUserAction
General Changes
- Re-organized public functions into files named for their URL prefix rather than their respective Swagger collection (which sometimes would match the prefix and sometimes wouldn't). Because of the number of endpoints that fell under 'policy', it is segmented into specific files.
- The public 'users.ps1' and 'user-roles.ps1' files have been consolidated under 'user-management.ps1' and merged with new /user-management/ endpoints.
- Updated IPv4 regex used by 'Test-RegexValue' private function.
- Streamlined looping functionality (used with 'All' parameter). Updated all commands to output groups of results as they are retrieved instead of the entire result set at the end of a loop. Also verified that authorization tokens are properly refreshed during a long running loop.
Command Changes
- Modified 'Add-FalconSensorTag' and 'Remove-FalconSensorTag' to include the uninstall token of the target device when adding and removing sensor tags with 'CsSensorSettings.exe' on Windows sensor versions v6.42 and above.
- Modified 'Get-FalconSensorTag' to return the 'FalconSensorTags' values listed in a devices API response if the target device is Windows sensor version 6.42 or above. If 'CsSensorSettings.exe' is updated to include a method to 'get' sensor tags, 'Get-FalconSensorTag' will use that method in the future.
- Removed mandatory requirement for 'TenantId' parameter within the 'Get-FalconDiscoverAzureAccount' command.
- Updated 'Invoke-FalconAlertAction' to use the new v2 endpoint which includes formatting corrections.
- Based on code provided by @SleepySysadmin, 'Invoke-FalconIdentityGraph' now has an 'All' parameter when using 'Query'! When used with a query that includes 'pageInfo{endCursor hasNextPage}', results will be paginated automatically and only relevant data will be output (similar to the rest of the PSFalcon commands) instead of the entire object. 'All' will automatically be added if a query begins with '($after: Cursor)' and has 'after' in the query parameters, as it is assumed that all results are expected. If 'pageInfo' is not provided in the query and 'All' is specified, a warning message will be generated. A query without 'All' will produce the same results as earlier versions of the module.
- Added 'Mutation' parameter to 'Invoke-FalconIdentityGraph'.
- Updated 'Add-FalconRole', 'Edit-FalconUser', 'Get-FalconUser', 'New-FalconUser', 'Remove-FalconRole', and 'Remove-FalconUser' to use new '/user-management/' endpoints where appropriate. These commands behave as they did before, unless using additional parameters to signify that requests are being performed within a multi-CID environment.
- 'Get-FalconRole' has been updated to produce results from new '/user-management/' endpoints.
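The pagination requirements described in the 2.2.3 and 2.2.2 'Invoke-FalconIdentityGraph' entries above, as an added example that is not part of these release notes or of the PSFalcon module itself: one GraphQL statement that meets both conditions ('Cursor' variable definition plus 'pageInfo { hasNextPage endCursor }'), one that does not, and a small local pre-check. The 'entities' query and its field names are assumptions about the Identity Protection GraphQL schema, and 'Test-GraphPagination' is a hypothetical helper, not a PSFalcon command; an authorized PSFalcon session ('Request-FalconToken') is assumed.

```powershell
# Added example; not PSFalcon code. Assumes Request-FalconToken has already been run.
# The 'entities' query below and its fields are assumptions about the Identity
# Protection GraphQL schema, used only to show the shape -All expects.

# Statement that satisfies both requirements from the release notes:
#  1. a 'Cursor' variable definition ($after: Cursor)
#  2. the pageInfo { hasNextPage endCursor } selection
$Paged = @'
query ($after: Cursor) {
  entities(types: [USER], first: 100, after: $after) {
    nodes { primaryDisplayName }
    pageInfo { hasNextPage endCursor }
  }
}
'@

# Same query with neither requirement: using -All with it produces a warning and
# only the first page is returned.
$Unpaged = @'
query {
  entities(types: [USER], first: 100) {
    nodes { primaryDisplayName }
  }
}
'@

function Test-GraphPagination {
    <#
    .SYNOPSIS
    Hypothetical local pre-check mirroring the two conditions that
    Invoke-FalconIdentityGraph -All requires. Returns $true when both are present.
    #>
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$String)

    # A variable declared with the Cursor type, e.g. ($after: Cursor)
    $HasCursor = $String -match '\$\w+\s*:\s*Cursor'
    # pageInfo selection containing both hasNextPage and endCursor (either order)
    $HasPageInfo = ($String -match 'pageInfo\s*\{[^}]*hasNextPage[^}]*endCursor[^}]*\}') -or
        ($String -match 'pageInfo\s*\{[^}]*endCursor[^}]*hasNextPage[^}]*\}')

    if (-not $HasCursor) { Write-Verbose "No 'Cursor' variable definition; -All will not paginate." }
    if (-not $HasPageInfo) { Write-Verbose "No 'pageInfo { hasNextPage endCursor }' selection; -All will not paginate." }
    $HasCursor -and $HasPageInfo
}

# Decide per statement whether -All is worth passing (String was introduced in 2.2.3;
# Query remains an alias)
foreach ($Statement in $Paged, $Unpaged) {
    if (Test-GraphPagination -String $Statement -Verbose) {
        # PSFalcon follows endCursor until hasNextPage is false
        Invoke-FalconIdentityGraph -String $Statement -All
    } else {
        # Single page only; same behaviour as earlier module versions
        Invoke-FalconIdentityGraph -String $Statement
    }
}
```

The pre-check is deliberately conservative: it only confirms the two textual requirements the release notes name, so a statement that passes it can still fail server-side validation for schema reasons, which the API reports in the normal error output.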
Resolved Issues
- Issue 170: 'Invoke-Loop' changes should eliminate token failures during retrieval of large result sets.
- Issue 222: Updated comparison process to ensure an imported policy would be properly added to the list of items to be modified, whether or not it was going to be created. Removed existing copy policy operation from creation process.
- Issue 223: Removed extraneous 'Endpoint' definition that was generating an error.
- Issue 231: Corrected addition of 'FirewallRule' when using 'Export-FalconConfig -Item FirewallGroup'. This fix should also resolve issues when exporting 'HostGroup' and a singular 'exclusion' item.
- Issue 232: Re-added 'Outfile' designation for 'Path' parameter in 'Receive-FalconArtifact'. This should have been present and was accidentally removed in an earlier module version.
2.2.1
New Commands
- alerts.ps1
Get-FalconAlert
Invoke-FalconAlertAction
- container-upload.ps1
Get-FalconContainerAssessment
Remove-FalconContainerImage
- container-security.ps1
Get-FalconContainerSensor
Remove-FalconRegistryCredential
Request-FalconRegistryCredential
Show-FalconRegistryCredential
General Changes
- Enabled the use of '-WhatIf' and '-Confirm' by adding 'ShouldProcess' support across the module. This also
required the renaming of the existing '-Confirm' parameter to '-Wait' for 'Invoke-FalconAdminCommand',
'Invoke-FalconBatchGet', 'Invoke-FalconCommand' and 'Invoke-FalconResponderCommand'.
- Updated ApiClient.Invoke() to remove blank verbose output when 'Headers' are not specified during a request.
- Created 'Get-ContainerUrl' to convert cached Hostname value into a valid 'container-upload' URL value when using
'container-upload' commands.
- Created 'New-ShouldMessage' function to generate the output message when '-Confirm' or '-WhatIf' is used with
a command.
- Added 'HostUrl' parameter to 'Invoke-Falcon' to force the use of 'container-upload' base URL instead of the
cached Falcon API hostname.
- Updated 'Test-FqlStatement' private function to allow for the use of either single or double quotation marks.
- Updated RegEx patterns when validating input to look for a more restrictive list of characters to better match
expected values.
- Various comment-based help text updates and typo corrections.
- The online help files (accessed using 'Update-Help') for PSFalcon are no longer valid for this and future
releases as comment-based help has been included for individual commands. Using 'Get-Help -Online'
for any PSFalcon command will link you directly to the PSFalcon Wiki which includes command examples that were
previously provided through the online help.
- Renamed 'falcon-container.ps1' to 'container-security.ps1'. Removed 'container-upload.ps1' and moved commands
into 'container-security.ps1'.
- Modified private 'Get-ContainerUrl' function to include a 'Registry' switch to output the Falcon container
registry URL for related commands.
Command Changes
- Add-FalconRole, Remove-FalconRole
Updated to use 'Get-FalconRole' to determine valid 'Id' values for auto-completion.
- Add-FalconGroupingTag, Add-FalconSensorTag, Remove-FalconGroupingTag, Remove-FalconSensorTag
Renamed 'Tags' to 'Tag' while retaining 'Tags' as an alias.
- Edit-FalconIoc, New-FalconIoc
Added 'android' and 'ios' as valid 'Platform' values and 'MobileAction' parameter.
- Export-FalconConfig
Updated to include the export of 'platform_default' policies.
- Export-FalconReport
Updated to force the creation of the same columns for every result.
- Get-FalconContainerToken
Command has been removed and replaced with 'Request-FalconRegistryCredential' which combines requests for your
Falcon container registry password, username (modified CID value) and authorization token, which are cached
within the PSFalcon module, similar to 'Request-FalconToken'.
- Get-FalconFirewallRule
Updated to output rules in order of specified 'Id' values when using the 'Id' parameter. This solves an issue
where rules are provided in order of the 'id' property when they were retrieved using the 'family' property and
are returned out of order (in respect to the 'family' values).
- Get-FalconHost
Updated to use new 'POST /devices/entities/devices/v2' endpoint when requesting host details, which greatly
improves performance when using 'Get-FalconHost -Detailed'.
- Get-FalconKernel
Corrected maximum number for 'Limit' parameter (500).
- Get-FalconScript, Get-FalconPutFile
Updated to use new v2 endpoints which include workflow-related schema and information.
- Get-FalconUninstallToken
Added 'Include' parameter.
- Import-FalconConfig
Renamed 'Force' parameter to 'AssignExisting'. Retained 'Force' as an alias.
Added 'ModifyDefault' to modify 'platform_default' policies to match settings from import for specified values.
Added 'ModifyExisting' to modify existing items to match settings from import for specified values. Although
'FirewallGroup' is included, rules are not currently being modified. They will be included as part of a future
PSFalcon update.
- Invoke-FalconBatchGet
Added 'batch_get_cmd_req_id' to each individual host result.
- Invoke-FalconDeploy
Added 'tgz' as a supported 'Archive' format.
Added 'cmd' as a supported 'File' and 'Run' format using 'cmd.exe' in place of 'powershell.exe'.
Modified 'Run' to execute a custom script that launches a secondary process when provided with a script file.
This ensures that the process will execute and not wait for completion (similar to a regular executable when
being used with the 'run' Real-time Response command). Standard output and error streams are redirected to
'stdout.log' and 'stderr.log' within the temporary 'FalconDeploy' directory.
Added 'Include' parameter.
- Invoke-FalconIncidentAction
Added 'unassign' and 'update_assigned_to_v2' actions.
- Invoke-FalconRtr
Updated to create Real-time Response sessions in groups of 10,000.
- New-FalconHostGroup
Added type 'staticByID'.
- New-FalconSubmission
Added 'macOS_10.15' for parameter 'EnvironmentId'.
- Uninstall-FalconSensor
Added timeout value (120 seconds) to reduce the chance of no 'status' value being returned.
Added 'Include' parameter.
Resolved Issues
2.2.0
New Commands
* spotlight-vulnerabilities.ps1
Get-FalconVulnerabilityLogic
General Changes
* Re-added basic help information to each command. This will increase module size, but will eliminate the
need to 'Update-Help' to get descriptions for each command, its parameters and the required API
permission(s).
* Thanks to some knowledge shared by @kra-ts, PowerShell pipeline support is now cross-module and no longer
restricted to specific commands!
Before this release, PSFalcon supported pipeline input when a command accepted a single 'id'. With these
changes, PSFalcon collects multiple 'ids' passed through the pipeline, groups them and sends appropriately
sized API requests.
This change also required the re-positioning of many parameters, the addition of aliases, and the majority of
[array] parameters being converted into [string[]] or [int[]]. When it was logically possible, [array] values
were also converted into [object[]] to allow for the processing of both 'id' and 'detailed' values.
* Warning messages have been added when hosts are not included in a batch Real-time Response session
('Start-FalconSession') or when Real-time Response commands produce errors ('Invoke-FalconCommand',
'Invoke-FalconResponderCommand', 'Invoke-FalconAdminCommand', 'Invoke-FalconBatchGet') so it will be more
obvious what happened when hosts are missing from the final result that was passed through the pipeline.
* Renamed plural parameters ('Ids') to singular ('Id') to follow PowerShell best practices. Each updated
parameter maintains the plural version as an alias (or the original parameter name when switching to the
singular was not possible due to incompatibilities with PowerShell) to prevent errors with existing scripts.
* Modified commands to use the alias values for parameters instead of the 'Fields' variable that was used
to rename parameters to fit API submission structure. Removing 'Fields' also enabled the removal of the
private function 'Update-FieldName'.
* When applicable, the 'Id' parameter attributes were modified to ensure that 'Get-Help' properly displayed
that the parameter name needs to be explicitly included.
* Added case enforcement to all 'ValidateSet' values. This ensures that proper case is used with parameters
that have a pre-defined list of accepted values and prevents errors from the resulting API request.
* Added 'raw_array' as a field to be used when defining the format of a 'body' submission inside of a PSFalcon
command. Using it will instruct the module to create a 'body' object that has a base [array] value containing
the object properties to be converted to Json.
* Updated 'Build-Formdata' private function to attempt to gather file content for the 'content' field, or
supply the original value if that fails. This change was made to allow 'Send-FalconScript' to use a file
path or string-based script content.
* Created 'Add-Include' private function to append 'Include' content to command results.
* Created 'Assert-Extension' private function to validate a given file extension when using 'Receive' commands.
* Renamed 'Add-Property' private function to 'Set-Property' and updated it to add a property when it doesn't
exist, or update the value if it does exist.
* Updated 'Get-RtrCommand' private function to output available Real-time Response commands by permission,
or all available Real-time Response commands if permission is not defined.
* Created 'Test-OutFile' private function to validate the presence of an existing file and generate error
messages when using 'Receive' commands.
* Moved verbose output of 'body' and 'formdata' payloads from 'Build-Content' to ApiClient.Invoke() during a
request. This ensures that individual submissions are displayed, rather than the initial submission before it
has been broken up into groups.
* Moved verbose output of Header keys and values within an API response from 'Write-Result' to
ApiClient.Invoke(). 'Write-Result' continues to display the 'meta' Json values due to the addition of an
internal function called 'Write-Meta'.
* Added '-Force' parameter to the following commands to overwrite an existing file when present:
Export-FalconConfig
Receive-FalconHorizonAwsScript
Receive-FalconHorizonAzureScript
Receive-FalconDiscoverAzureScript
Receive-FalconDiscoverGcpScript
Receive-FalconIntel
Receive-FalconRule
Receive-FalconArtifact
Receive-FalconContainerYaml
Receive-FalconMalQuerySample
Receive-FalconCompleteAttachment
Receive-FalconGetFile
Receive-FalconSample
Receive-FalconScheduledReport
Receive-FalconInstaller
* Added '-Include' parameter to append 'members' to the following commands:
Get-FalconHostGroup
Get-FalconDeviceControlPolicy
Get-FalconFirewallPolicy
Get-FalconPreventionPolicy
Get-FalconResponsePolicy
Get-FalconSensorUpdatePolicy
* Updated commands that output to CSV ('Import-FalconConfig', 'Export-FalconReport', 'Get-FalconQueue',
'Invoke-FalconDeploy') to send their results to 'Write-Output' when unable to write to CSV.
* Removed position attribute from all pagination parameters ('After', 'Offset', 'NextToken').
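The cross-module pipeline behaviour described in the list above (collecting 'ids' passed through the pipeline, grouping them and sending appropriately sized requests, with [string[]] parameters that also accept 'detailed' objects by property name), as an added example that is not PSFalcon's own code: a minimal cmdlet pattern that accumulates pipeline input in 'process' and flushes it in groups of 'Max' in 'end'. 'Get-DemoDetail', 'Invoke-DemoRequest', the 'Max' value of 100 and the input values are all constructed for the illustration and are not PSFalcon commands or real API calls.

```powershell
# Added example; not PSFalcon code. Shows the accumulate-then-batch pipeline pattern
# the release notes describe. Invoke-DemoRequest is a hypothetical stand-in for an
# API call and simply echoes the batch it received.
function Invoke-DemoRequest {
    param([string[]]$Id)
    [pscustomobject]@{ count = $Id.Count; ids = $Id }
}

function Get-DemoDetail {
    [CmdletBinding()]
    param(
        # Accepts plain id strings from the pipeline, or objects carrying an 'id' /
        # 'device_id' property (the "detailed" case), via the aliases below
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('ids', 'device_id')]
        [string[]]$Id,

        # Maximum number of ids per request (constructed value for this demo)
        [ValidateRange(1, 5000)]
        [int]$Max = 100
    )
    begin {
        # Runs once before any pipeline input arrives: start an empty collection
        $List = [System.Collections.Generic.List[string]]::new()
    }
    process {
        # Runs once per pipeline item: accumulate instead of issuing one request each
        foreach ($i in $Id) {
            if (-not [string]::IsNullOrWhiteSpace($i)) { $List.Add($i) }
        }
    }
    end {
        # Runs once after all input has arrived: emit requests of at most $Max ids
        for ($Start = 0; $Start -lt $List.Count; $Start += $Max) {
            $Count = [Math]::Min($Max, $List.Count - $Start)
            Invoke-DemoRequest -Id $List.GetRange($Start, $Count)
        }
    }
}

# Constructed input: 250 id strings produce three requests (100, 100, 50)
1..250 | ForEach-Object { "id$_" } | Get-DemoDetail -Max 100

# Constructed "detailed" objects bind through the 'device_id' alias and yield one request of 5
1..5 | ForEach-Object { [pscustomobject]@{ device_id = "dev$_"; hostname = "host$_" } } | Get-DemoDetail
```

Because grouping happens in 'end', nothing is sent until the upstream command finishes; a long-running upstream therefore delays the first request, which is the trade-off behind the later change to emit result groups as they are retrieved.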
Command Changes
* Confirm-FalconGetFile, Remove-FalconGetFile
Updated to use v2 API endpoint that includes upload progress.
* ConvertTo-FalconMlExclusion, ConvertTo-FalconIoaExclusion
Commands have been corrected to properly produce individual exclusions for each relevant behavior within a
detection (rather than one exclusion with values from multiple behaviors).
* Edit-FalconFirewallSetting, Edit-FalconHorizonPolicy
Renamed '-PolicyId' to '-Id'.
* Export-FalconConfig
Now includes 'Script' (Real-time Response scripts) as an exportable item.
Output filename now contains a 'FileDateTime' timestamp instead of simply 'FileDate'. This was done to
match changes made to 'Import-FalconConfig'.
* Find-FalconDuplicate
Updated to accommodate multiple 'Filter' values.
* Get-FalconAsset
Added '-Account' and '-Login' switch parameters to toggle access of Falcon Discover user account assets
and user login events.
Added '-Include' to append login events to both the default hardware asset and user account output.
* Get-FalconDetection
Added valid 'Sort' values.
* Get-FalconFirewallPolicy
Re-added the 'policy_id' in the 'settings' sub-object that is created when using '-Include settings'. This
was originally removed for being redundant, but needed to be restored to be utilized by the
'Copy-FalconFirewallPolicy' command.
* Get-FalconHorizonIoa, Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser, Get-FalconHorizonIom
Removed 'Mandatory' status for '-CloudPlatform', instead populating it if 'AwsAccountId' (or 'AccountId',
in the case of 'Get-FalconHorizonIom'), 'AzureSubscriptionId', or 'AzureTenantId' are provided. Without one
of the four values, the command will produce an exception.
* Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser
Replaced '-AccountId' with '-AwsAccountId' and added '-AzureSubscriptionId' and '-AzureTenantId' to match
'Get-FalconHorizonIoa'.
* Get-FalconHorizonIom
Renamed parameter '-AwsAccountId' to '-AccountId', which accepts an AWS account ID or GCP Project Number
value. Also corrected the accepted '-Status' value 'recurring' to 'reoccurring'.
* Get-FalconHost
'-Detailed' output will no longer be forced when using '-Include group_names', and instead will include
'device_id' and 'groups'. Using '-Detailed' and '-Include group_names' maintains full output.
Added 'online_state' to '-Include' to retrieve detail from new 'online status' API.
Added '-State' switch to be used with '-Id' to retrieve detail from the new 'online status' API.
* Get-FalconQueue
Updated command to write progress to host stream instead of verbose stream.
* Get-FalconVulnerability
Added 'evaluation_logic' to the 'Facet' parameter.
* Import-FalconConfig
Completely re-written to utilize the pipeline; excluded items (with the reason they were excluded) are
now included within the resulting CSV output.
Now includes 'Script' (Real-time Response scripts) as an importable item.
Output filename now contains a 'FileDateTime' timestamp instead of simply 'FileDate'. This was done because
verbosity of the output was increased and appending to an existing file would cause output problems.
Removed warning message that was generated when no items were created because the CSV output now displays
both excluded and created items.
* Invoke-FalconBatchGet, Invoke-FalconCommand, Invoke-FalconAdminCommand, Invoke-FalconResponderCommand
Added a new '-Confirm' parameter to confirm and retrieve the output from both single-host commands and batch
'get' commands.
'Invoke-FalconAdminCommand' and 'Invoke-FalconResponderCommand' will now redirect to 'Invoke-FalconBatchGet'
when used to 'get' within a multi-host session.
Each of the commands now appends 'batch_id' to the output of commands issued within a batch session.
* Invoke-FalconCommand, Invoke-FalconAdminCommand, Invoke-FalconResponderCommand, Invoke-FalconRtr
Split the 'eventlog' command into 'eventlog backup', 'eventlog export', 'eventlog list', and 'eventlog view'.
* Invoke-FalconDeploy
Contribut...
2.1.9
General Changes
- Added 'Select-Object' to 'Get-ChildItem' output to force the display of FullName, Length and LastWriteTime
due to differences with how PowerShell displays Get-ChildItem on non-Windows devices.
Resolved Issues
- Issue #190: Modified Json conversion of 'stdout' when using 'runscript' with 'Invoke-FalconRtr' to reduce
the opportunity of null output.