CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense

[ BUG ] `Invoke-FalconScheduledReport` uses "next scheduled search" search window #320

Closed harrim4n closed 1 year ago

harrim4n commented 1 year ago

Describe the bug

When invoking a scheduled report, the report uses the schedule / search period of the next upcoming report. This means that if a report is to be run next in 6 days and has a period of 7 days, it will search 1 day in the past and 6 days in the future.

To Reproduce

  1. Create new scheduled search with schedule of, e.g., every 7 days
  2. Call Invoke-FalconScheduledReport for new report
  3. Investigate output of function call

Expected behavior

I would expect the scheduled report to run with an end time of "now" - at the time of invocation. Ideally, it would be possible to "manually" specify a start time / search window, but it should at least search the configured time period in the past - not (partially) in the future.

Environment (please complete the following information):

Transcript content

PS > Invoke-FalconScheduledReport -id REDACTED

id                  : REDACTED
customer_id         : REDACTED
user_uuid           : REDACTED
user_id             : REDACTED
type                : event_search
scheduled_report_id : REDACTED
execution_metadata  : @{subtype=splunk; unscheduled_execution_type=Manual; xdr_params=; xdr_data=; retry_performed=False; retry_report_execution_id=; retry_allowed=False}
result_metadata     : @{execution_start=; execution_duration=0; execution_delay=0; execution_finish=; queue_start=6/5/2023 8:37:22 AM; queue_duration=0; report_finish=; report_file_name=; result_count=0; result_id=; 
                      search_window_start=6/5/2023 9:00:00 AM; search_window_end=6/12/2023 9:00:00 AM}
status              : PENDING
status_display      : Execution queued
status_msg          : 
shared_with         : {}
created_on          : 2023-06-05T08:37:22.08421929Z
last_updated_on     : 2023-06-05T08:37:22.08421929Z
expiration_on       : 2023-07-05T08:37:22.08421929Z

PS > Get-Date

Monday, June 5, 2023 08:37:47 AM

bk-cs commented 1 year ago

A scheduled search is created within the Falcon console to run for a specific period of time (i.e. "allow search to run between these dates", designated by search_window_start to search_window_end). The search frequency defines how often the search executes within that range (every 7 days/24 hours/5 minutes etc.).

Invoke-FalconScheduledReport (which calls POST /reports/entities/scheduled-reports/execution/v1) runs the search using the corresponding identifier and the predefined search criteria--it doesn't decide the range of the search.

If I'm understanding correctly, you're saying that when a search is executed, it's run from now until X time, and you'd like it to be from X time until now?

harrim4n commented 1 year ago

Not quite, it's not run from now until X time, but instead it uses the search period of the search that would be executed next according to the preset schedule. That could (at worst, if the scheduled search just ran) be from now until X time and from X time until now (at best, if the scheduled search is just about to be started).

The problem with this is that on average 50% of the search window is in the future - where there obviously are no events to be found. And in the worst case, the entire search window is in the future.

Ideally, it would be possible to provide a custom search window when calling the API endpoint. To stick to your nomenclature, I would expect the invoked search to run from X time until now, where X is either supplied manually or at least defaults to the predefined search period.
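As an added illustration of the behaviour reported in this thread (this is not PSFalcon code and not part of the original issue), the following function takes the object returned by Invoke-FalconScheduledReport, reads result_metadata.search_window_start / search_window_end, and reports how much of the queued search window lies after the invocation time. The sample object at the bottom is constructed from the transcript's times, where the whole 7-day window starts after "now". The function name and the sample values are assumptions.

```powershell
# Added example, not part of PSFalcon: flag a queued scheduled-report execution
# whose search window lies partly or wholly in the future (no events possible yet).
function Test-FalconReportSearchWindow {
    [CmdletBinding()]
    param(
        # Object returned by Invoke-FalconScheduledReport, or a constructed stand-in
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Execution,
        # Reference time; defaults to now but can be pinned for a repeatable check
        [datetime]$Now = (Get-Date)
    )
    process {
        $meta  = $Execution.result_metadata
        $start = [datetime]$meta.search_window_start
        $end   = [datetime]$meta.search_window_end
        if ($end -le $start) { throw 'search_window_end must be after search_window_start' }

        $windowMinutes = ($end - $start).TotalMinutes
        # Minutes of the window later than $Now, clamped to [0, window length]
        $futureMinutes = [math]::Min([math]::Max(($end - $Now).TotalMinutes, 0), $windowMinutes)

        [pscustomobject]@{
            id                  = $Execution.id
            search_window_start = $start
            search_window_end   = $end
            # 0 = window entirely in the past, 1 = entirely in the future
            future_fraction     = [math]::Round($futureMinutes / $windowMinutes, 3)
            entirely_in_future  = ($start -gt $Now)
        }
    }
}

# Constructed sample mirroring the issue transcript; the id is a placeholder
$sample = [pscustomobject]@{
    id              = 'PLACEHOLDER-REPORT-EXECUTION-ID'
    result_metadata = [pscustomobject]@{
        search_window_start = '2023-06-05T09:00:00Z'
        search_window_end   = '2023-06-12T09:00:00Z'
    }
}
$sample | Test-FalconReportSearchWindow -Now ([datetime]'2023-06-05T08:37:47Z')
```

Against a live tenant, pipe the output of Invoke-FalconScheduledReport into the function instead of the constructed sample.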

bk-cs commented 1 year ago

Thanks for the clarification. It sounds like you want to create an IDEA (feature request) from within your Falcon console for this specific API to update the API request to include a search range when initiating it. I don't have control over these APIs personally, and ideas from customers can attract votes and get added more quickly.