CrowdStrike / falcon-scripts

Scripts to streamline the deployment and use of the CrowdStrike Falcon sensor
The Unlicense

ToLower function on line 478 of falcon_windows_migrate.ps1 can cause issues #276

Closed cliffporterx closed 3 months ago

cliffporterx commented 3 months ago

For the attribute of $SensorUpdatePolicyName, line 478 of falcon_windows_migrate.ps1 can cause issues due to the ToLower function.

Current line:

```powershell
$filter = "platform_name:'Windows'+name.raw:'$($SensorUpdatePolicyName.ToLower())'"
```

The issue is that, per the FQL described on https://github.com/CrowdStrike/psfalcon/wiki/Filtering-Results, there may be case sensitivity. It appears that SensorUpdatePolicyName is case sensitive.

For example, a policy in the console named "N2-Windows" will not have a result, as the script will change this to "n2-windows". If I change the line of the script to:

```powershell
$filter = "platform_name:'Windows'+name.raw:'$($SensorUpdatePolicyName)'"
```

the attribute works when I use the proper name with case sensitivity. This line may need to remove the ToLower function, and the help note may need to note the case sensitivity when using this attribute.

carlosmmatos commented 3 months ago

@cliffporterx Thanks for bringing this to light. You are correct, this should be case sensitive.
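The failure mode discussed in this thread, as an added example that is not part of the issue or of the falcon-scripts code: it builds the filter without `ToLower()` and turns a casing-only miss into an actionable error. `Get-SensorUpdatePolicyFilter`, `Resolve-PolicyName` and the policy list are hypothetical; the local list stands in for the API's case-sensitive `name.raw` match so the block runs offline.

```powershell
# Constructed sample data: policy names as they would appear in the console.
$ConsolePolicies = @('N2-Windows', 'Lab-Windows', 'Prod-Servers')

function Get-SensorUpdatePolicyFilter {
    # Builds the FQL filter from the issue, keeping the caller's casing intact.
    param([Parameter(Mandatory)][string]$SensorUpdatePolicyName)
    "platform_name:'Windows'+name.raw:'$SensorUpdatePolicyName'"
}

function Resolve-PolicyName {
    # Hypothetical helper: emulates a case-sensitive exact match and
    # reports when the only difference from a known name is casing.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Known
    )
    # -ceq is PowerShell's case-sensitive equality operator.
    $exact = @($Known | Where-Object { $_ -ceq $Name })
    if ($exact.Count -eq 1) { return $exact[0] }

    # -ieq ignores case, so a hit here means the casing was the problem.
    $nearMiss = @($Known | Where-Object { $_ -ieq $Name })
    if ($nearMiss.Count -gt 0) {
        $suggest = $nearMiss -join ', '
        throw "No policy named '$Name'. Names are case sensitive; did you mean: $suggest?"
    }
    throw "No policy named '$Name'."
}

# Exact casing resolves and yields the filter proposed in the issue.
$name = Resolve-PolicyName -Name 'N2-Windows' -Known $ConsolePolicies
Get-SensorUpdatePolicyFilter -SensorUpdatePolicyName $name

# The lowercased form (what .ToLower() produced) fails with a clear message
# instead of silently returning no policy.
try {
    Resolve-PolicyName -Name ('N2-Windows'.ToLower()) -Known $ConsolePolicies
} catch {
    Write-Warning $_.Exception.Message
}
```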