2.2.7 #420
bk-cs announced in Announcements
New Commands
cloud-connect-cspm-azure
cloud-connect-cspm-gcp
configuration-assessment
container-security
delivery-settings
exclusions
fem
filevantage
host-migration
intel
loggingapi
plugins
psf-sensors
snapshots
threatgraph
workflows
Issues Resolved
Receive-FalconInstaller fails due to timeout #310: Added default timeout of one minute for all requests in an effort to help produce error messages when a file download does not complete.
Find-FalconHostname returns maximum of 100 results #369: Corrected Find-FalconHostname so it outputs the entire list of results instead of stopping with the initial 100.
400: The ids parameter must be present... error when using Turkish display language #370: Changed all identifier parameter aliases from uppercase to lowercase to resolve matching issues when using Turkish as the default display language.
Invoke-FalconDeploy incorrect execution order when queued #375: Added a second delay for Invoke-FalconDeploy between commands when using the offline queue to ensure that the proper processing order is retained.
Import-FalconConfig ignores FirewallGroup #380: Updated Compare-ImportData function to analyze items by each individual platform (or platform_name) to resolve bug where FirewallGroup items were being ignored.
Receive commands generate index out of range errors even when successful #382: Removed output of successfully downloaded file information from Invoke-Falcon private function and relocated within the Invoke() class function to prevent Index out of range error on successful download requests.
Add-SensorTag and Remove-SensorTag don't append/remove tags even through reboot #385: Re-wrote Add-FalconSensorTag and Remove-FalconSensorTag commands to properly append/remove tags across all OSes, and fixed an issue where tags weren't applied at all.
Id does not match pattern when using Get-FalconAsset #391: Removed pattern validation for the Id parameter for Get-FalconAsset to prevent errors when unexpected (but legitimate) Id values are provided.
Import-FalconConfig improperly assigns non-existent rule_group_ids when creating FilewallPolicy #393: Updated Import-FalconConfig to properly remove rule_group_ids that aren't tied to FirewallGroup items that are also created during import.
Get-FalconAlert -All -Detailed returns 413 - Request Too Large #396: Added maximum count of 1000 identifiers when building body content during Get-FalconAlert requests.
Invoke-FalconAlertAction and Invoke-FalconIncidentAction to allow for multiple actions in one API query #397: Added Action parameter to define multiple actions to perform in a single request when using Invoke-FalconAlertAction or Invoke-FalconIncidentAction.
New-FalconIoaRule generates 400 error when following wiki example #399: Updated how field_values properties are selected to ensure that they're correctly passed as an array when using New-FalconIoaRule.
Cid parameter when using Add-FalconRole #401: Added Confirm-CidValue private function to check Cid input for checksum, remove it when present, and return the Cid value in lower case.
Get-FalconScanFile results to Include for Get-FalconScan #411: Added Include with value of scan_file to Get-FalconScan, and added ScanId to Get-FalconScanFile to support Include for Get-FalconScan.
Get-FalconScan and Get-FalconScanFile limited to 100 results #412: Added Limit of 500 to Get-FalconScan and Get-FalconScanFile to ensure both limit and offset are passed during pagination.
General Changes
Added a weekly check of the PSGallery for PSFalcon module updates if the PSFalcon module was originally installed via the PSGallery. Update status is kept in a file called update_check.json in the base PSFalcon module folder. If the connection to the PSGallery fails, the update check is disabled. Deleting update_check.json will re-attempt connection the next time the module is loaded.
Updated internal Build-Query function to automatically URL encode provided values during submission instead of only previously encoding +.
Updated internal Log() method for [ApiClient] to support Falcon NGSIEM and CrowdStrike Parsing Standard.
Added UserAgent value to [ApiClient] object for use with Log() method.
Updated Request-FalconToken and Show-FalconModule to use new UserAgent value under [ApiClient].
Removed filtering for unique values when supplying an array of identifiers to a command. This was originally added to prevent problems related to an array containing the same identifier twice, but it adds a lot of processing time when a large list of identifiers is provided. PSFalcon will now pass all given identifiers on to the relevant API, meaning that new error messages might appear if a user is not properly error checking their scripts and filtering out duplicate identifier values.
Added Test-ActionParameter private function to support new Action parameter for Invoke-FalconAlertAction and Invoke-FalconIncidentAction.
Added Select-CertificateProperty private function to support the new Edit-FalconCertificateExclusion and New-FalconCertificateExclusion commands.
Corrected verbose output for various commands to ensure that the relevant command name was displayed when Invoke-Falcon makes a request to the target API.
Re-wrote the internal function Confirm-Parameter to reduce necessary parameters when calling the function.
Added internal Remove-EmptyValue function to strip empty values before submission when necessary.
Corrected bug found when implementing new v2 endpoint for Get-FalconAsset -IoT where after would not be added properly when paginating without another criteria (i.e. filter, sort, etc.) using -All.
Compressed SensorTag commands into a reusable function to de-duplicate code.
Renamed the Array parameter to InputObject to better match PowerShell style for the following commands: Edit-FalconDeviceControlPolicy, Edit-FalconFirewallPolicy, Edit-FalconIoc, Edit-FalconPreventionPolicy, Edit-FalconReconNotification, Edit-FalconReconRule, Edit-FalconResponsePolicy, Edit-FalconSensorUpdatePolicy, Find-FalconHostname, New-FalconDeviceControlPolicy, New-FalconFirewallPolicy, New-FalconHostGroup, New-FalconIoc, New-FalconPreventionPolicy, New-FalconReconRule, New-FalconResponsePolicy, and New-FalconSensorUpdatePolicy. Array has been kept as an alias to prevent issues with existing scripts.
Changed the prefix from Horizon to Cloud for the following commands: Edit-FalconHorizonAwsAccount, Edit-FalconHorizonAzureAccount, Edit-FalconHorizonPolicy, Edit-FalconHorizonSchedule, Get-FalconFimChange, Get-FalconHorizonAwsAccount, Get-FalconHorizonAwsLink, Get-FalconHorizonAzureAccount, Get-FalconHorizonAzureCertificate, Get-FalconHorizonAzureGroup, Get-FalconHorizonIoa, Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser, Get-FalconHorizonIom, Get-FalconHorizonPolicy, Get-FalconHorizonSchedule, New-FalconHorizonAwsAccount, New-FalconHorizonAzureAccount, New-FalconHorizonAzureGroup, Receive-FalconHorizonAwsScript, Receive-FalconHorizonAzureScript, Remove-FalconHorizonAwsAccount, Remove-FalconHorizonAzureAccount, and Remove-FalconHorizonAzureGroup. The original command names have been kept as aliases to prevent issues with existing scripts.
Removed Compare-FalconPreventionPhase and accompanying policy json files due to Falcon Prevention Policy UI changes that enabled policy comparison in the Falcon console.
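Because the module no longer filters identifier arrays for unique values (see the General Changes entry above), scripts that feed large lists to PSFalcon commands need to do that filtering themselves. The following is an added example, not code from PSFalcon: Get-UniqueIdentifier is a hypothetical helper, the sample identifiers are constructed, and it assumes that values differing only in case or surrounding whitespace refer to the same object.

```powershell
# Added example; Get-UniqueIdentifier is a hypothetical helper, not a PSFalcon command.
function Get-UniqueIdentifier {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$InputObject
    )
    begin {
        # A hash set gives constant-time membership checks, so a list of many
        # thousands of identifiers is filtered in a single pass.
        # Assumption: identifiers are compared case-insensitively.
        $Seen = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
        $Duplicate = 0
    }
    process {
        foreach ($Value in $InputObject) {
            # Skip null or blank entries (for example, empty lines read from a file).
            if ([string]::IsNullOrWhiteSpace($Value)) { continue }
            $Id = $Value.Trim()
            # Add() returns $false when the value is already in the set.
            if ($Seen.Add($Id)) { $Id } else { $Duplicate++ }
        }
    }
    end {
        # Surface the count so a noisy input source is noticed rather than hidden.
        if ($Duplicate) { Write-Warning "Dropped $Duplicate duplicate identifier(s)." }
    }
}

# Constructed sample input: two of the five values repeat an earlier one.
$Sample = @(
    'a1b2c3d4e5f60718293a4b5c6d7e8f90'
    'A1B2C3D4E5F60718293A4B5C6D7E8F90'    # same identifier, different case
    '0f1e2d3c4b5a69788796a5b4c3d2e1f0'
    ' 0f1e2d3c4b5a69788796a5b4c3d2e1f0 '  # same identifier with stray whitespace
    'ffeeddccbbaa99887766554433221100'
)

# Input order is preserved; the first spelling of each identifier is kept.
$Unique = $Sample | Get-UniqueIdentifier
"{0} supplied, {1} unique" -f $Sample.Count, @($Unique).Count
```

Pass the filtered list, rather than the raw input, to the identifier parameter of the PSFalcon command being called.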
Command Changes
Add-FalconSensorTag

Edit-FalconCloudAwsAccount
Environment, DspmEnabled, DspmRole and TargetOu.

Edit-FalconIoaRule
/ioarules/entities/rules/v2:patch endpoint.

Edit-FalconMlExclusion
DescendentProcess.

Edit-FalconSvExclusion
DescendentProcess.

Edit-FalconReconRule
BreachMonitorOnly.

Edit-FalconFileVantageRule
ContentRegistryValues, HashCapture and RegKeyPermission.

Export-FalconConfig

Get-FalconAlert
/alerts/queries/alerts/v2:get endpoint.
IncludeHidden (used when submitting Id values).

Get-FalconAsset
/discover/queries/iot-hosts/v2:get endpoint with -IoT.
-External switch to search for external assets.
/discover/combined/hosts/v1:get endpoint when using -Detailed.
/discover/combined/applications/v1:get when using -Application and -Detailed.
facet property has been joined together with Include for the relevant new /combined/ API endpoints for consistency with earlier PSFalcon version.
Limit or facet values (as Include) are supplied for their respective API endpoint. Tab-completion for Include will first offer all available values, and the command will error if one of the supplied values is invalid based on the eventual API endpoint being targeted.
login_event when used with -Include for respective aid (when searching for Host) or account_id (when searching for Account) values.

Get-FalconCloudAwsAccount
CspmLite.
IsHorizonAcct parameter to IsFcsAccount. Kept IsHorizonAcct as an alias.

Get-FalconCloudAzureAccount
CspmLite.
IsHorizonAcct parameter to IsFcsAccount. Kept IsHorizonAcct as an alias.

Get-FalconContainerSensor
401: Unauthorized errors when a token is not present.

Get-FalconInstaller

Get-FalconIocHost
/iocs/aggregates/device-count/v1:get endpoint.

Get-FalconReconRule
SecondarySort.

Get-FalconRole
Detailed switch.

Get-FalconSensorTag

Get-FalconUninstallToken
device_id values together and make requests in appropriately sized groups, instead of individually when using Include. This should drastically increase performance when requesting large numbers of uninstall_token values with other device properties included.

Get-FalconVulnerability
Limit to a maximum of 5,000 for Detailed requests. If retrieving identifiers only, the command will force Limit to a maximum of 400.

Invoke-FalconAlertAction
Action for performing multiple actions on alerts in a single request. Thanks @datorr2!

Invoke-FalconIncidentAction
Action for performing multiple actions on incidents in a single request. Thanks @datorr2!
Value to ensure that it works when using unassign with Name parameter.

Invoke-FalconMobileAction
/enrollments/entities/details/v4:post endpoint.
EnrollmentType.

Import-FalconConfig
rule_group_ids are being assigned and/or the removal of non-existent values when FirewallPolicy items are being created and modified.
FirewallPolicy settings values to final CSV output.
SensorUpdatePolicy with unavailable sensor build versions. When an invalid build version is found, it is stripped. When a build is updated with a matching tagged version, sensor_version and stage are also updated. These changes also affect variants for LinuxArm64.
SensorUpdatePolicy from being evaluated for changes with ModifyExisting. Updated final output to properly record changes.

Invoke-FalconAlertAction
IncludeHidden.

Invoke-FalconRtr
prevent results from being lost when hosts that recently went offline (i.e. didn't meet the cutoff for the offline queue) delay the RTR session start long enough for the session itself to die before the eventual command is properly issued. This should help eliminate cases of Invoke-FalconRtr "not doing anything" because a host is unable to be added to the session and/or the results aren't returned quickly enough after the session begins.

New-FalconCloudGcpAccount
/cloud-connect-cspm-gcp/entities/account/v2:post endpoint.
ServiceAccountId, ClientId, ClientEmail, PrivateKey, PrivateKeyId, ProjectId, and ServiceAccountCondition.

New-FalconCloudAwsAccount
DspmEnabled and DspmRole.

New-FalconFileVantageRule
ContentRegistryValues, HashCapture and RegKeyPermission.

New-FalconSvExclusion
IsDescendentProcess.

New-FalconReconRule
BreachMonitorOnly.
OriginatingTemplateId.

New-FalconFileVantageRule
ContentRegistryValues.

Receive-FalconCloudAwsScript
OrganizationId, Template, Account, AccountType, AwsProfile, CustomRole, BehaviorAssessment, SensorManagement, and ExistingCloudtrail.

Receive-FalconCloudAzureScript
AzureManagementGroup.

Receive-FalconInstaller

Register-FalconEventCollector

Remove-FalconContainerImage
/container-security/entities/base-images/v1:delete endpoint.

Remove-FalconSensorTag

Request-FalconRegistryCredential
SensorType and added a prompt if it is not present.
token or expires_in is missing from a token request response.

Request-FalconToken
us-gov-2 as Cloud and Hostname option.

Send-FalconEvent

This discussion was created from the release 2.2.7.