Closed TomCullenMoon closed 9 months ago
Sorry, I think I dropped this one. SensorUpdatePolicy.json
can't have a blank array in it--there should only be one array containing all the sensor update policies within it. Are you still able to replicate this with the 2.2.6 release?
I think ...maybe... this was a chicken-and-egg error. Let me explain. We were tasked to move our stand-alone CrowdStrike environment into Flight Control as a child. 20K clients and years of CrowdStrike management and this was going to be a first. We wanted to try it out first before committing Production.
I asked for a Dev instance, and CrowdStrike assigned us a CID based on my existing email address domain. This meant the CID was sort-of attached to the Production CID (something unexpected for us). I tried using your FalconConfig commands to move items from Production to this new CID and started getting the errors above - and submitted this ticket.
Due to the "Dev CID attached to Production" and some other weirdness, we decided to start over with a new CID that was wholly disconnected from Production with an alternate email domain name. Again I tried to copy over Production information using FalconConfig, and I got the same errors. I had to do the work manually to build Dev...so I started with building some Sensor Update Policies...the console wouldn't let me until I built some Group Policies...which wouldn't let me until I added a client.....then it struck me....after adding a client and a group, would your tool work to copy over a Sensor Update Policy without error, and it was successful this time.
So, I'm thinking that your tool works fine. It was my ignorance to expect it to work in a brand new empty environment....it needs clients/groups/etc to bind Sensor Policies and Firewall Policies that it is copying over. Sorry for my long-winded explanation.
No worries, thank you for the clarification!
Describe the bug First Bug: Attempting to export the "SensorUpdatePolicy" (actually doesn't matter which "Select" is chosen). When the JSON is created, the Import-FalconConfig generates an error when it tries to import the JSON file. Examining the JSON file, about 900 lines down an 1800 line file shows the following JSON error:
I'm not a JSON expert, but VSCode shows this to be in error, and removing the [] and replacing with a "," creates a "good" JSON file.
Second Bug: Import-FalconConfig After fixing the JSON file above, the Import-FalconConfig still generates an error when attempting to use the exported JSON file. I am taking the export from our Production environment and attempting to import into a non-parent-child CID Development environment.
Environment (please complete the following information):