CrowdStrike / falcon-scripts

Scripts to streamline the deployment and use of the CrowdStrike Falcon sensor
The Unlicense

NewMemberCid not being read/used for install during migrate script #158

Closed mikesch33r closed 1 year ago

mikesch33r commented 1 year ago

Passing the -NewMemberCid flag with a child CID value in a parent/child flight control environment does not actually install the new Falcon sensor into the requested child CID. Instead, the sensor is installed into the parent CID, which is not the desired behavior. A workaround is available where passing the -NewFalconCid value with the CID-checksum of the child CID actually does install the sensor in the correct child CID. However, the -NewFalconCid parameter should not be required as the code is written, especially if the -NewMemberCid flag is included in the request.

As written, if the $NewFalconCid parameter is NOT included, it calls /sensors/queries/installers/ccid/v1 to retrieve the CID-checksum value for the sensor install. However, in that request, the -MemberCid parameter (which would map to -NewMemberCid, if used) must not be getting passed. More specifically, the token for the /sensors/queries/installers/ccid/v1 request needs to have been retrieved with auth to the child CID via the -MemberCid value.
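
The token scoping described in the report above, as an added example that is not part of the original post and is not the project's own code: the OAuth2 token is requested with `member_cid` so that the `/sensors/queries/installers/ccid/v1` lookup answers for the child CID, and the returned CID-checksum is checked against the requested child before it is used for an install. The function name `Get-ChildCcid`, its parameters, the default base URL and the `resources` response field are assumptions made for this illustration.

```powershell
# Added illustration. Get-ChildCcid and its parameters are hypothetical names,
# not taken from the migrate script.
function Get-ChildCcid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret,
        [string] $MemberCid,                                # child CID; empty = parent scope
        [string] $BaseUrl = 'https://api.crowdstrike.com'   # assumed cloud; adjust per region
    )

    # Build the OAuth2 form body. Adding member_cid scopes the token to the child CID;
    # without it the token (and every later call) acts on the parent CID.
    $body = @{ client_id = $ClientId; client_secret = $ClientSecret }
    if ($MemberCid) { $body['member_cid'] = $MemberCid }

    $token = Invoke-RestMethod -Method Post -Uri "$BaseUrl/oauth2/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body

    # The CCID endpoint answers for whichever CID the bearer token is scoped to.
    $headers = @{ Authorization = "Bearer $($token.access_token)" }
    $resp = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$BaseUrl/sensors/queries/installers/ccid/v1"

    # Assumed response shape: a 'resources' array holding the CID-checksum string.
    $ccid = $resp.resources | Select-Object -First 1
    if (-not $ccid) { throw 'No CCID returned by the API.' }

    # Guard against the failure mode in this issue: a CCID that belongs to the
    # parent because the token was not scoped to the requested child.
    if ($MemberCid -and
        -not $ccid.StartsWith($MemberCid, [StringComparison]::OrdinalIgnoreCase)) {
        throw "Returned CCID does not match member CID $MemberCid; refusing to install."
    }

    return $ccid
}
```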

ffalor commented 1 year ago

Thank you for this detailed report on the issue.

carlosmmatos commented 1 year ago

Re-opening since we did more troubleshooting and found the existing PR does not address this issue. A new PR with the correct fix is on the way.