Releases: CrowdStrike/psfalcon
2.1.8
New Commands
- sensor-update-policies.ps1
'Get-FalconKernel'
Command Changes
- Added 'cswindiag' command to 'Invoke-FalconRtr' and 'Invoke-FalconAdminCommand'.
- Changed 'Limit' maximum for 'Get-FalconVulnerability' to 400 to match API.
- Added support for local Humio instances within 'Register-FalconEventCollector' while maintaining
auto-complete for Humio Cloud. Thank you @kra-ts!
- Added 'No queued Real-time Response sessions available' error when using 'Get-FalconQueue' when there are
no queued sessions.
- Added automatic Json conversion of 'stdout' and 'stderr' output when using 'runscript' with
'Invoke-FalconRtr', simplifying the use of results from scripts that were designed for Falcon Workflows.
- Added 'iOS' and 'Android' as valid values for 'platform_name' for 'Edit-FalconPreventionPolicy' and
'New-FalconPreventionPolicy'.
- Added pipeline support for 'Remove-FalconPutFile' and 'Remove-FalconScript'.
- Added the undocumented 'detection_suppress' and 'detection_unsuppress' to 'Invoke-FalconHostAction'.
Resolved Issues
- Issue #187: Fixed typo which was causing array values to only show a single value (instead of all values)
when using 'Export-FalconReport'.
2.1.7
New Commands
* filevantage.ps1
'Get-FalconFimChange'
* message-center.ps1
'Add-FalconCompleteActivity'
'Edit-FalconCompleteCase'
'New-FalconCompleteCase'
'Get-FalconCompleteActivity'
'Get-FalconCompleteCase'
'Receive-FalconCompleteAttachment'
'Send-FalconCompleteAttachment'
* psf-humio.ps1
'Register-FalconEventCollector'
'Send-FalconEvent'
'Show-FalconEventCollector'
'Unregister-FalconEventCollector'
New Functionality
* Added the ability to send PSFalcon content to a Humio instance. A specific parser is not required because the
content sent by PSFalcon uses the documented Humio event structure.
* 'Register-FalconEventCollector' is used to define your Humio cloud, ingest token and the events to log,
'Show-FalconEventCollector' can be used for confirmation, and 'Remove-FalconEventCollector' can be used to
disable logging.
* The 'Enable' parameter for 'Register-FalconEventCollector' defines the data that will be sent to Humio. The
value 'requests' sends PSFalcon requests while 'responses' sends API responses.
* Added 'Send-FalconEvent' to generate Humio events using the output of a PSFalcon command. This allows
PSFalcon to work as a mechanism to ingest data from the CrowdStrike APIs directly into Humio and does not
require a specific 'Enable' value under 'Register-FalconEventCollector'.
Command Changes
* Added 'group_names' as an 'Include' option for 'Get-FalconHost'. Requires 'host-group:read' permission.
* Added Linux support to 'Uninstall-FalconSensor'.
* Added 'Collector' parameter to 'Request-FalconToken' to allow the addition of a Humio Event Collector during
initial authorization token request.
General Changes
* Changed format of request header verbose output to match result header verbose output.
* Modified 'Test-FqlStatement' to simply validate an FQL statement instead of the statement plus individual
properties. This was changed because of numerous reports of undocumented properties that were usable with
specific APIs but were being blocked by 'Test-FqlStatement'.
Resolved Issues
* Issue #153: Added 'instance_id' as a value for '-Sort' under 'Get-FalconHost'.
* Issue #154: Added check for 'SslProtocols' property before attempting to enforce TLS 1.2 in
'Request-FalconToken'. If not available, TLS 1.2 is set through [System.Net.ServicePointManager]
instead. Thank you for your contribution @Minty123!
* Issue #155: Added colon to correct RegEx pattern for 'New-FalconIoc' and 'Edit-FalconIoc'.
* Issue #158: Fixed typo in 'Get-FalconHost' which prevented the attachment of Zero Trust Assessment results
when using the 'Include' parameter.
* Issue #164: Modified the filter used to check for existing 'IoaGroup' items, so it no longer checks for
values that don't match 'name' and 'platform', and instead checks for values that don't match 'name' for each
'platform' (so new groups will only be created for the specific platform). Also updated 'Policy' items, as the
behavior was present there too.
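The TLS 1.2 fallback described under Issue #154, as an added PowerShell example (not PSFalcon's own code). The function name 'New-Tls12Handler' and the 'EnforcedBy' output property are hypothetical; only the .NET types and properties named in the release note are used, and no network request is made.

```powershell
# Added example, not PSFalcon source. 'New-Tls12Handler' is a hypothetical helper name.
# System.Net.Http is not loaded by default in Windows PowerShell 5.1.
Add-Type -AssemblyName System.Net.Http

function New-Tls12Handler {
    [CmdletBinding()]
    param()

    $Handler = [System.Net.Http.HttpClientHandler]::new()

    if ($Handler.PSObject.Properties.Name -contains 'SslProtocols') {
        # Preferred path: the restriction applies only to clients built on this handler.
        $Handler.SslProtocols = [System.Security.Authentication.SslProtocols]::Tls12
        $EnforcedBy = 'HttpClientHandler.SslProtocols'
    } else {
        # Older .NET Framework builds lack the property. This setting is process-wide,
        # so every other web request made from the same session is affected too.
        [System.Net.ServicePointManager]::SecurityProtocol =
            [System.Net.SecurityProtocolType]::Tls12
        $EnforcedBy = 'ServicePointManager.SecurityProtocol'
    }

    [PSCustomObject]@{
        Handler    = $Handler
        EnforcedBy = $EnforcedBy
    }
}

# Build the handler once and reuse a single HttpClient for all requests.
$Result = New-Tls12Handler
$Client = [System.Net.Http.HttpClient]::new($Result.Handler)

# Confirm which mechanism was applied and what value is now in effect.
$Effective = if ($Result.EnforcedBy -eq 'HttpClientHandler.SslProtocols') {
    $Result.Handler.SslProtocols
} else {
    [System.Net.ServicePointManager]::SecurityProtocol
}
'TLS enforced by {0}; effective value: {1}' -f $Result.EnforcedBy, $Effective
```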
2.1.6
New Commands
- cspm-registration.ps1
'Get-FalconHorizonIoa'
'Get-FalconHorizonIom'
- discover.ps1
'Get-FalconAsset'
- psf-policies.ps1
'Copy-FalconDeviceControlPolicy'
'Copy-FalconFirewallPolicy'
'Copy-FalconPreventionPolicy'
'Copy-FalconResponsePolicy'
'Copy-FalconSensorUpdatePolicy'
- scheduled-report.ps1
'Invoke-FalconScheduledReport'
'Redo-FalconScheduledReport'
Command Changes
- Added 'put-and-run' to 'Invoke-FalconAdminCommand' and 'Invoke-FalconRtr'.
- Changed 'Get-FalconMalQuery' parameter from '-Ids' to '-Id' to signify that the endpoint only accepts one
request at a time.
- Removed '-Detailed' from 'Invoke-FalconMalQuery' because it was not supposed to be there.
- Added '-Description' to 'New-FalconDeviceControlPolicy'. Whoops.
- Added '-Include' to 'Get-FalconFirewallPolicy' to include firewall settings with a policy result.
- Added '-LocalLogging' to 'Edit-FalconFirewallSetting' to support new Firewall Management policy setting.
- Added pipeline support for parameters in 'Edit-FalconFirewallSetting'. 'Copy-FalconFirewallPolicy' uses
the pipeline to supply settings during the duplication of an existing policy.
General Changes
- Updated 'Invoke-Loop' to account for new pagination token style used in 'Get-FalconHorizonIoa' and
'Get-FalconHorizonIom'.
- Re-wrote 'Write-Result' to reduce total code and improve handling of errors from the 'identity-protection'
API. As a result, errors produced by 'Write-Result' are now shown as compressed Json objects rather than a
string (which only expected 'code' and 'message'--typical with most Falcon APIs).
- Fixed an issue with 'Write-Result' that prevented the output of 'meta' properties in the verbose stream. An
earlier version of PSFalcon mistakenly hid this output.
- Re-wrote portions of 'Request-FalconToken' to eliminate 'call depth overflow' errors generated due to how the
'308: Permanent Redirection' response is handled in PowerShell 5.1. Redirection should now function properly.
GitHub Issues
- Issue #134: Modified RegEx pattern for 'Add-FalconGroupingTag' and 'Remove-FalconGroupingTag' to allow all
characters in the initial tag value, then updated the command to use the 'Test-RegexValue' to validate
that each value is a valid tag.
- Issue #135: Added check to validate both 'status' and 'comment' value are present when submitting 'comment'
with 'Edit-FalconDetection'. Also forced the input of lower case status values, as improperly-cased 'status'
values will cause a '400: Failed to validate resource' error.
- Issue #136: Corrected 'Invoke-FalconMalQuery' to submit 'options' as a hashtable rather than an array, which
was causing all requests to fail (including those made with 'Search-FalconMalQueryHash').
- Issue #138: Updated 'Test-FqlStatement' to account for multiple 'exact match' values, and used operator groups
to more efficiently check , and independently within an FQL 'filter' string.
- Issue #140: Updated the base [System.Net.Http.HttpClientHandler] to automatically decompress gzip files when
presented with them from an API.
- Issue #143: Updated 'Get-FalconScheduledReport -Execution' to work properly with the '-Detailed' parameter.
- Issue #144: Updated 'Test-FqlStatement' to allow colon characters in the value portion of an FQL statement.
- Issue #146: Updated 'Invoke-FalconRtr' to access the 'Initialize-Output' function when using both 'HostIds'
and 'GroupId', instead of just 'HostIds'.
2.1.5
New Commands
- ml-exclusions
'ConvertTo-FalconMlExclusion'
- self-service-ioa-exclusions
'ConvertTo-FalconIoaExclusion'
General Changes
- Updated module license to 'The Unlicense' to be in-line with similar projects (falconpy, gofalcon).
- Added an authorization token check earlier in the private function 'Invoke-Falcon'. This change is designed
to help prevent "An invalid request URI was provided. The request URI must either be an absolute URI or
BaseAddress must be set" errors from appearing when a command prompts for ClientId/ClientSecret because
an authorization token had not been previously requested.
- Added more explicit error messages to 'Request-FalconToken', 'Show-FalconModule' and 'Test-FalconToken' to
make it more obvious when errors are produced due to a failure during the loading of the module, or when
an authorization token has not been requested.
- Updated 'Invoke-Falcon' private function to allow the return of an un-formatted
[System.Net.Http.HttpResponseMessage] using the '-RawOutput' switch for commands that need 'meta' content.
This reduces the number of 'unique' commands that don't pass through 'Invoke-Falcon'.
- Added additional authorization token checks to commands that don't use 'Invoke-Falcon'.
- Modified 'foreach' method being used throughout module to increase performance (where applicable).
- Updated most commands to move the 'Param' definition into the process{} block. This change was made to match
the changes required for commands that have added 'pipeline' support.
- Moved commands from 'Public\psfalcon.ps1' into new, smaller files due to intermittent errors that may be
related to file size:
'Public\psf-config.ps1'
'Public\psf-devices.ps1'
'Public\psf-output.ps1'
'Public\psf-real-time-response.ps1'
'Public\psf-sensors.ps1'
- Updated the conversion of 'last X days/hours' for the '-Filter' parameter to work when last/days/hours is
properly capitalized, instead of only lower case.
- Added private function 'Test-FqlStatement' to validate the values provided to '-Filter' and provide the
opportunity to generate error messages before submission to the Falcon APIs.
- Renamed private function 'Confirm-String' to 'Test-RegexValue' to prevent any future overlap due to generic
naming.
Command Changes
- Added support for passing identifier values through the pipeline to the commands:
'Start-FalconSession', 'Update-FalconSession'
- Added email string RegEx validation to the commands:
'Edit-FalconReconAction', 'Get-FalconUser', 'New-FalconReconAction', 'New-FalconUser'
- Added '-Include' parameter (or additional values) to append data to the commands:
'Get-FalconQueue', 'Get-FalconUser', 'Get-FalconHost', 'Invoke-FalconHostAction'
- Added '-HostId' parameter to 'Invoke-FalconRtr' to allow for single-host sessions and the use of
'Invoke-FalconRtr' as the foundation of 'SensorTag' commands.
- Updated 'Add-FalconSensorTag', 'Get-FalconSensorTag', 'Remove-FalconSensorTag':
Added support for Linux and Mac hosts
Added '-Ids' parameter for multi-host support
Modified output to include 'cid', 'device_id', and 'tags'
- Updated 'Uninstall-FalconSensor':
Modified output to include 'cid', 'device_id' and 'status'
Added error message when command is used with Linux/Mac hosts until support is added in the future
- Updated 'Start-FalconSession' to a maximum of 10,000 identifiers to match API changes.
- Increased Real-time Response batch size from 500 to 1,000 for the commands:
'Invoke-FalconRtr', 'Invoke-FalconDeploy'
- Added support for new API to 'Get-FalconVulnerability' (including 'Facet' parameter, which is functionally
similar to what PSFalcon does with '-Include') and raised 'Limit' from 400 to 5,000.
GitHub Issues
- Issue #112: Updated 'Invoke-FalconHostGroupAction' to properly convert to Json and fixed an additional
formatting error.
- Issue #113: Updated 'Invoke-FalconDeploy' to check for 'complete = true' plus the lack of a 'stderr' output
to verify success when using 'put' instead of checking the 'stdout' value, which is different between OS
versions. Also changed the absolute path for the 'run' command to ensure it works with Linux and Mac, and
added a 'mod_file' step to make the file executable on Linux hosts.
- Issue #116: Updated 'Uninstall-FalconSensor' to request the maintenance mode token when appropriate.
- Issue #119: Re-organized how the private function 'Build-Content' adds 'query' input to requests, so that the
parameter will be passed in exactly as specified by the 'Format.Query' property when using 'Invoke-Falcon',
instead of forcing lower case values using the PowerShell parameter name.
- Issue #131: Updated 'Class.ps1' to change how header values were added/removed from the
[System.Net.Http.HttpClientHandler] object before/after running a 'Receive' command. This should resolve
'An error occurred while enumerating through a collection: Collection was modified' errors in PowerShell 5.1.
- Issue #132: Updated 'Add-FalconSensorTag', 'Get-FalconSensorTag' and 'Remove-FalconSensorTag' to change method
used to split 'GroupingTags' values when running on Windows hosts. Previous method was incorrectly splitting
on unexpected characters, causing tag values to not be gathered properly for display and manipulation.
2.1.4
New Commands
- identity-graphql
'Invoke-FalconIdentityGraph'
- psfalcon
'Add-FalconSensorTag'
'Get-FalconSensorTag'
'Remove-FalconSensorTag'
General Changes
- Added support for results from Identity Protection APIs to 'Write-Result'.
Command Changes
- Updated the 'Sort' values for the following commands:
'Get-FalconCidGroup', 'Get-FalconCidGroupMember', 'Get-FalconGroupRole', 'Get-FalconIoaGroup',
'Get-FalconIoaRole', 'Get-FalconIoc', 'Get-FalconMemberCid', 'Get-FalconScheduledReport',
'Get-FalconQuarantine', 'Get-FalconUserGroup', 'Get-FalconUserGroupMember'.
- Updated the 'Limit' values for the following commands:
'Get-FalconBehavior', 'Get-FalconIncident'.
- Updated the following commands to generate an error when the 'Path' parameter is given a directory:
'Edit-FalconScript', 'Send-FalconPutFile', 'Send-FalconSample', 'Send-FalconScript'.
- Add-FalconHostTag
Renamed to 'Add-FalconGroupingTag' to clarify purpose and prevent confusion with 'Add-FalconSensorTag'.
- Get-FalconHost
Added list of accepted 'Sort' values based on related 'Filter' values accepted by 'devices-scroll' API.
- Invoke-FalconDeploy
Added check for OS version and 'cd_temp' step to change to a default temporary directory (\Windows\Temp or
/tmp) before the 'put' and 'run' commands.
- Invoke-FalconRtr
Suppressed output of session init 'stdout' value so it doesn't display when the following command results in
an error.
- Remove-FalconHostTag
Renamed to 'Remove-FalconGroupingTag' to clarify purpose and prevent confusion with 'Remove-FalconSensorTag'.
- Request-FalconToken
Added 'Authorization token request failed' message when token request fails to ensure that an error is
produced when an HTTP 403 response is suppressed from the oauth2 API.
GitHub Issues
- Issue #79: Fixed bug with 'Invoke-FalconRtr' using the 'get' command that prevented completion of 'get'
requests and output of 'batch_get_cmd_req_id' value.
- Issue #82: Fixed typo causing relative 'Last X days/hours' value to not be properly calculated.
- Issue #84: Added break to abort requests when missing authorization token.
- Issue #85: Modified 'Update-FieldName' to ensure evaluation of [boolean] parameters.
2.1.3
New Commands
- psfalcon
'Uninstall-FalconSensor'
- quarantine
'Get-FalconQuarantine'
'Invoke-FalconQuarantineAction'
'Test-FalconQuarantineAction'
Command Changes
- Invoke-FalconRtr
Fixed typo which prevented 'host_group_id' from showing up on output when using '-GroupId'.
Added error message to prevent the use of a '-GroupId' with more than 10,000 members (as the API won't return
more than 10,000).
- Invoke-FalconDeploy
Added error message to prevent the use of a '-GroupId' with more than 10,000 members (as the API won't return
more than 10,000).
- New-FalconUser
Added password complexity check to '-Password' parameter.
GitHub Issues
2.1.2
New Commands
- container-security
'Get-FalconContainerToken'
- scheduled-report
'Get-FalconScheduledReport'
'Receive-FalconScheduledReport'
- self-service-ioa-exclusions
'New-FalconIoaExclusion'
Command Changes
- Export-FalconConfig
Added 'IoaExclusion' to '-Items'.
- Get-FalconHost
Added '-Network' parameter to retrieve network address history using host identifier(s).
Added '-Login' parameter to retrieve user login history using host identifier(s).
Added '-Include' parameter with values 'login_history' and 'network_history' to include data with regular
output.
- Get-FalconZta
Added '/zero-trust-assessment/entities/audit/v1:get' endpoint to 'Get-FalconZta' to provide summary-level
Zero Trust Assessment results for your entire CID.
- Import-FalconConfig
Added 'IoaExclusion' for import and assignment.
GitHub Issues
2.1.1
General Changes
- Changed class [Falcon] to [ApiClient]. [ApiClient] is generic and can work with other APIs, which helps enable
the use of [ApiClient] for other scripts or modules. It includes a '.Path()' method to convert relative to
absolute filepaths, and '.Invoke()' which accepts a hashtable of parameters ('Path', 'Method', 'Headers',
'Outfile', 'Formdata' and 'Body') and produces a [System.Net.Http.HttpResponseMessage].
- [ApiClient] now uses a single [System.Net.Http.HttpClient] and [System.Net.Http.HttpClientHandler] instead of
rebuilding during each request, which follows Microsoft's recommendations and greatly increases performance.
- PSFalcon no longer outputs to 'Write-Debug', meaning that the '-Debug' parameter will no longer provide
any additional information. Similar output is provided to 'Write-Verbose' instead. 'Write-Verbose' output has
been modified to include response header information that was not previously visible.
- Re-wrote and re-organized the module manifest (PSFalcon.psd1) and 'Private' functions (Private.ps1).
- Removed decimal second values from output when converting from relative time ('last 1 days') to RFC-3339.
- Added 'Confirm-String' to output 'type' based on RegEx matching. Used to validate values in commands like
'Show-FalconMap'. This will probably be worked in to validate relevant values in other commands in the future.
- The 'Invoke-Loop' function (which powers the '-All' parameter) now produces an error when a loop ends and there
are results remaining (API limit).
- Renamed 'Public' scripts to be organized by their permission (rather than URL path) and included some commands
that were previously in 'Public\scripts.ps1'. Renamed 'Public\scripts.ps1' to 'Public\psfalcon.ps1'.
- All 'Public' functions (commands that users type) have been re-written to use static parameters, which removed
the custom '-Help' parameter and supports the use of 'Get-Help'. The help content has also been moved online.
Use 'Update-Help -Module PSFalcon' to download extended help information, including examples previously
accessible through the GitHub-based PSFalcon Wiki.
- Added '.Roles' in-line comment to functions which allows users to 'Get-Help -Role <api_role>' and find
commands that are available based on required API permission. For instance, typing 'Get-Help -Role devices:read'
will display the 'Get-FalconHost' command, while 'Get-Help -Role devices:write' lists 'Add-FalconHostTag',
'Invoke-FalconHostAction' and 'Remove-FalconHostTag'. Wildcards (devices:*, *:write) are supported.
- Modified 'meta' output from commands. Previously, if the field 'writes' was present under 'meta', the command
result would output the sub-field 'resources_affected'. Now the command will output 'writes', leading to a
result of '@{ writes = @{ resources_affected = [int] }}' rather than '@{ resources_affected = [int] }'. This
will allow for the output of unexpected results, but may impact existing scripts.
- Updated the '-Array' parameter to validate objects within the array for required fields when submitting multiple
policies/groups/rules/notifications to create/edit in one request.
- Updated commands with an '-Id' parameter to accept 'Id' from the pipeline (property and value).
New Commands
- cspm-registration
'Edit-FalconHorizonAwsAccount'
'Get-FalconHorizonIoaEvent'
'Get-FalconHorizonIoaUser'
- d4c-registration
'Receive-FalconDiscoverAzureScript'
- iocs
'Get-FalconIocHost'
'Get-FalconIocProcess'
- kubernetes-protection
'Edit-FalconContainerAwsAccount'
'Get-FalconContainerAwsAccount'
'Get-FalconContainerCloud'
'Get-FalconContainerCluster'
'Invoke-FalconContainerScan'
'Edit-FalconDiscoverAzureAccount'
'New-FalconContainerAwsAccount'
'New-FalconContainerKey'
'Receive-FalconContainerYaml'
'Remove-FalconContainerAwsAccount'
- psfalcon
'Send-FalconWebhook'
- recon-monitoring-rules
'Edit-FalconReconNotification'
'Get-FalconReconRulePreview'
Command Changes
- Edit-FalconHorizonAzureAccount
Added parameters to utilize '/cloud-connect-cspm-azure/entities/default-subscription-id/v1'.
- Edit-FalconFirewallGroup
Updated to retrieve required values when not provided. Removed '-Tracking'.
- Edit-FalconFirewallSetting
Renamed '-PolicyId' to '-Id'.
Updated to retrieve required values when not provided. Removed '-Tracking'.
Removed '-IsDefaultPolicy' parameter as it doesn't seem to do anything.
- Edit-FalconIoaGroup
Updated to retrieve required values when not provided. Removed '-RulegroupVersion'.
- Edit-FalconIoaRule
Updated to retrieve required values when not provided. Removed '-RulegroupVersion'.
- Export-FalconConfig
Changed archive name to 'FalconConfig_.zip' from 'FalconConfig_.zip'.
- Export-FalconReport
Re-written to display results based on the object, rather than static 'properties' of a result, meaning it is
no longer 'hard-coded' to display results a certain way. See 'Get-Help Export-FalconReport' for more explanation.
Added '-WhatIf' support to show the resulting export rather than exporting to CSV.
- Find-FalconDuplicate
Updated command to retrieve Host results automatically when '-Hosts' is not provided.
Added '-Filter' parameter to use additional property to determine whether a device is a duplicate. See 'Get-Help
Find-FalconDuplicate' for more information.
Updated to exclude devices with empty values (both 'hostname' and any provided '-Filter').
Updated output to include 'cid' to avoid potential problems if 'Find-FalconDuplicate' is used within a
parent-level CID.
- Get-FalconDiscoverAwsSettings
Renamed to 'Get-FalconDiscoverAwsSetting'.
- Get-FalconFirewallRule
Added '-PolicyId' parameter to return rules (in precedence order) from a specific policy.
- Get-FalconInstallTokenSettings
Renamed to 'Get-FalconInstallTokenSetting'.
- Get-FalconIocHost
Added '-Total' to provide the functionality of the command 'Get-FalconIocTotal'.
- Get-FalconIocProcess
Added '-Ids' to provide the functionality of the command 'Get-FalconProcess'.
- Import-FalconConfig
Added warning when creating 'IoaGroup' to make it clear that Custom IOA Rule Groups are not assigned to
Prevention policies (due to a limitation in data from the related APIs).
Added '-Force' parameter to assign items to matching Host Groups (by 'name') that are present within the CID.
Added warning messages ('[missing_assignment]') when items are unable to be created due to missing Host Groups.
- Invoke-FalconCommand, Invoke-FalconResponderCommand, Invoke-FalconAdminCommand
Re-organized positioning to place '-SessionId' and '-BatchId' in front.
- Invoke-FalconBatchGet
Re-organized positioning to place '-BatchId' in front.
Changed output format so that, instead of returning the entire Json response, the result will have the properties
'batch_get_cmd_req_id' and 'hosts' (similar to how 'Start-FalconSession' displays a batch session result).
- Invoke-FalconDeploy
Added '-GroupId' to run the command against a Host Group. Parameter positioning has been re-organized to
compensate.
- Edit-FalconIoaGroup
Updated to retrieve required values from existing rule group when not provided.
- Edit-FalconIoaRule
Updated to retrieve required values from existing rule when not provided.
- Invoke-FalconRTR
Added '-GroupId' to run a Real-time Response command against a Host Group. Parameter positioning has been
re-organized to compensate.
Removed all 'single host' Real-time Response code. Now 'Invoke-FalconRTR' always uses batch sessions, which
should have minimal impact on the use of the command, but is easier to support.
- Remove-FalconGetFile
Renamed '-Ids' parameter to '-Id' to reflect single value requirement.
- Remove-FalconSession
Renamed '-SessionId' to '-Id'.
- Request-FalconToken
Added '-Hostname' parameter and set as default. '-Cloud' is still available, but needs to be specified with a
'us-1', 'us-2', 'eu-1' or 'us-gov-1' value.
Added support for redirection when requesting an OAuth2 access token. PSFalcon will use 'X-Cs-Region' from
response when provided 'Hostname' does not match.
Added TLS 1.2 enforcement and custom 'crowdstrike-psfalcon/' user-agent string.
Added 'ClientId', 'ClientSecret', 'Hostname', and 'Cloud' as named properties that can be passed through the
pipeline.
- Send-FalconSample
Added support for uploading archives.
- Update-FalconDiscoverAwsSettings
Renamed to 'Update-FalconDiscoverAwsSetting'.
GitHub Issues
- Issue #48: Updated 'Invoke-Loop' private function with a more explicit counting method to eliminate endless
loops in PowerShell 5.1.
- Issue #51: Switched 'Edit-FalconScript' and 'Send-FalconScript' to use the 'content' field rather than 'file'.
- Issue #53: 'Wait-RetryAfter' function was re-written to re-calculate the 'X-Cs-WaitRetryAfter' time.
- Issue #54: Updated 'Get-FalconHorizonPolicy' with additional '-Service' names.
- Issue #59: Updated 'New-Falcon...Policy' commands to use 'clone_id' values in the appropriate places.
- Issue #62: Added 'user-agent' to 'Request-FalconToken'.
- Issue #63: Modified the way the 'maximum URL length' is calculated to avoid unexpected 'URL too long' HTML
response errors from differences between cloud environments.
2.0.8
New Commands
* Added 'Get-FalconQuickScanQuota' to display QuickScan quota information
* Added commands for global 'overwatch-dashboards' APIs:
'Get-FalconOverWatchEvent'
'Get-FalconOverWatchDetection'
'Get-FalconOverWatchIncident'
* Added commands for 'falcon-complete-dashboards' APIs:
'Get-FalconCompleteAllowlist'
'Get-FalconCompleteBlocklist'
'Get-FalconCompleteCollection'
'Get-FalconCompleteDetection'
'Get-FalconCompleteEscalation'
'Get-FalconCompleteIncident'
'Get-FalconCompleteRemediation'
* Added commands for 'recon' APIs:
'Edit-FalconReconAction'
'Edit-FalconReconRule'
'Get-FalconReconAction'
'Get-FalconReconNotification'
'Get-FalconReconRule'
'New-FalconReconAction'
'New-FalconReconRule'
'Remove-FalconReconAction'
'Remove-FalconReconRule'
* Added command for 'zero-trust-assessment' API:
'Get-FalconZTA'
New Parameters
* Added 'Total' switch to each command that has 'offset' or 'after' values to provide the total result
count rather than the actual results
Changed Commands
* Updated custom indicator commands to match new 'iocs' APIs
'Edit-FalconIOC'
'Get-FalconIOC'
'New-FalconIOC'
'Remove-FalconIOC'
* Updated 'Invoke-FalconRTR' to fix various issues that would cause 'get' requests to fail with more
than one host
* Modified 'Confirm-FalconGetFile' to reduce the complexity of the output when checking the status
of a batch 'get' request -- the command now returns each result with the 'aid' value appended to it
rather than being sorted by 'aid' (which required additional object manipulation to access relevant
properties)
* Added a check before 'Receive' commands that will abort the command and output an error if the file
already exists
* Added custom indicators to 'Export-FalconConfig' and 'Import-FalconConfig'
Removed Commands
* Removed custom indicator commands that no longer have supported APIs
'Get-IOCHost'
'Get-IOCProcess'
'Get-IOCTotal'
Parameter Changes
* Removed '.zip' pattern from 'Receive-FalconMalQuerySample' as single file downloads were not zipped
GitHub Issues
* Issue #45: Updated 'Edit-FalconScript' to correctly convert relative to absolute file path