CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense

[ BUG ] `Import-FalconConfig` unable to ingest `SensorUpdatePolicy.json` #340

Closed TomCullenMoon closed 9 months ago

TomCullenMoon commented 1 year ago

Describe the bug First Bug: Attempting to export the "SensorUpdatePolicy" (actually doesn't matter which "Select" is chosen). When the JSON is created, the Import-FalconConfig generates an error when it tries to import the JSON file. Examining the JSON file, about 900 lines into an 1800-line file shows the following JSON error:

}]
[
{

I'm not a JSON expert, but VSCode shows this to be in error, and removing the [] and replacing with a "," creates a "good" JSON file.

Second Bug: Import-FalconConfig After fixing the JSON file above, the Import-FalconConfig still generates an error when attempting to use the exported JSON file. I am taking the export from our Production environment and attempting to import into a non-parent-child CID Development environment.

PS C:\TEMP> $Error[0] | Select *

writeErrorStream      : True
PSMessageDetails      : 
Exception             : System.Management.Automation.ParameterBindingValidationException: Cannot validate argument on parameter 'Id'. The argument "" does not match the "^[a-fA-F0-9]{32}$" pattern. Supply an argument that matches "^[a-fA-F0-9]{32}$" and try the command again. ---> System.Management.Automation.ValidationMetadataException: The argument "" does not match the "^[a-fA-F0-9]{32}$" pattern. Supply an argument that matches "^[a-fA-F0-9]{32}$" and try the command again.
                           at System.Management.Automation.ValidatePatternAttribute.ValidateElement(Object element)
                           at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal parameter, CompiledCommandParameter parameterMetadata, ParameterBindingFlags flags)
                           --- End of inner exception stack trace ---
                           at System.Management.Automation.CmdletParameterBinderController.BindValueFromPipelineByPropertyName(PSObject inputToOperateOn, MergedCompiledCommandParameter parameter, ParameterBindingFlags flags)
                           at System.Management.Automation.CmdletParameterBinderController.BindUnboundParametersForBindingStateInParameterSet(PSObject inputToOperateOn, CurrentlyBinding currentlyBinding, UInt32 validParameterSets)
                           at System.Management.Automation.CmdletParameterBinderController.BindUnboundParametersForBindingState(PSObject inputToOperateOn, CurrentlyBinding currentlyBinding, UInt32 validParameterSets)
                           at System.Management.Automation.CmdletParameterBinderController.BindPipelineParametersPrivate(PSObject inputToOperateOn)
                           at System.Management.Automation.CmdletParameterBinderController.BindPipelineParameters(PSObject inputToOperateOn)
                           at System.Management.Automation.CommandProcessor.Read()
TargetObject          : @{policy_id=; platform_id=1; default_inbound=DENY; default_outbound=ALLOW; enforce=False; test_mode=False; local_logging=False; rule_group_ids=System.Object[]; created_by=crowdstrike-release; created_on=2022-01-11T23:09:21.494401045Z; modified_by=crowdstrike-release; modified_on=2022-01-11T23:09:21.494401045Z; tracking=NjE1NzI6MjI=}
CategoryInfo          : InvalidData: (@{policy_id=; p...g=NjE1NzI6MjI=}:PSObject) [Edit-FalconFirewallSetting], ParameterBindingValidationException
FullyQualifiedErrorId : ParameterArgumentValidationError,Edit-FalconFirewallSetting
ErrorDetails          : 
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at Import-FalconConfig<Process>, C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.5\public\psf-config.ps1: line 763
                        at <ScriptBlock>, <No file>: line 18
PipelineIterationInfo : {}

Environment (please complete the following information):
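The two symptoms in this report (a `]` `[` pair glued between two arrays in the exported file, and a blank `policy_id` that trips the `^[a-fA-F0-9]{32}$` validation on the `-Id` parameter before any API call is made) can both be caught with a pre-flight check of the JSON before running `Import-FalconConfig`. The following is an added example written for this page; it is not PSFalcon code and not something the reporter or maintainer posted. It assumes the export is a single JSON array of policy objects and that each object carries its identifier in an `id` or `policy_id` property (an assumption, not confirmed by the page); the hex pattern is the one quoted in the error output above. The sample input is constructed to reproduce both symptoms.

```powershell
# Added example (not part of PSFalcon): pre-flight check of an Export-FalconConfig
# JSON file before Import-FalconConfig. Assumptions: the export is one JSON array
# of policy objects, and ids live in an 'id' or 'policy_id' property.
$IdPattern = '^[a-fA-F0-9]{32}$'   # pattern quoted in the issue's error output

function Test-FalconConfigExport {
    [CmdletBinding()]
    param(
        # Raw JSON text, e.g. (Get-Content .\SensorUpdatePolicy.json -Raw)
        [Parameter(Mandatory, ValueFromPipeline)][string]$Json
    )
    process {
        $Report = [pscustomobject]@{
            ParsedAsIs = $false   # file was valid JSON without any repair
            Repaired   = $false   # only parsed after collapsing '][' into ','
            Count      = 0        # number of policy objects found
            EmptyId    = @()      # indexes whose id/policy_id is blank
            BadId      = @()      # indexes whose id fails the 32-hex pattern
            Fixed      = $null    # repaired JSON text, when a repair was applied
        }
        # First bug from the issue: two arrays glued together ('}]' followed by '[{').
        # Try the text as-is; if that fails, join the arrays with a comma and retry.
        $Objects = $null
        try {
            $Objects = @(ConvertFrom-Json -InputObject $Json -ErrorAction Stop)
            $Report.ParsedAsIs = $true
        } catch {
            $Joined = $Json -replace '\]\s*\[', ','
            try {
                $Objects = @(ConvertFrom-Json -InputObject $Joined -ErrorAction Stop)
                $Report.Repaired = $true
                $Report.Fixed = $Joined
            } catch {
                Write-Warning "Export is not valid JSON even after joining arrays: $($_.Exception.Message)"
                return $Report
            }
        }
        $Report.Count = $Objects.Count
        # Second bug from the issue: each object is bound to an Edit-* cmdlet whose
        # -Id parameter is validated against the 32-hex pattern, so a blank policy_id
        # is rejected client-side. Flag blank and malformed ids per object index.
        for ($i = 0; $i -lt $Objects.Count; $i++) {
            $Obj = $Objects[$i]
            $Id = if ($Obj.PSObject.Properties['policy_id']) { $Obj.policy_id } else { $Obj.id }
            if ([string]::IsNullOrEmpty($Id)) {
                $Report.EmptyId += $i
            } elseif ($Id -notmatch $IdPattern) {
                $Report.BadId += $i
            }
        }
        $Report
    }
}

# Constructed sample reproducing both symptoms: a stray ']' '[' between two
# policies, and a second policy whose policy_id is blank.
$Sample = @'
[{"policy_id":"0123456789abcdef0123456789abcdef","platform_id":1,"created_by":"crowdstrike-release"}]
[{"policy_id":"","platform_id":1,"default_inbound":"DENY","created_by":"crowdstrike-release"}]
'@

$Check = Test-FalconConfigExport -Json $Sample
$Check | Format-List
# Expected for the sample: ParsedAsIs=False, Repaired=True, Count=2, EmptyId={1}, BadId={}

if ($Check.Repaired -and -not $Check.EmptyId -and -not $Check.BadId) {
    # Safe to write the joined text to a new file (never overwrite the export in place):
    # Set-Content -Path .\SensorUpdatePolicy.fixed.json -Value $Check.Fixed
    Write-Output 'Repaired JSON has no blank or malformed ids; write $Check.Fixed to a new file and import that.'
} elseif ($Check.EmptyId) {
    Write-Output "Objects at index $($Check.EmptyId -join ',') have no id; Import-FalconConfig will reject them."
}
```

The check only reports the blank-id case, it cannot fix it: as the follow-up in this thread explains, that symptom came from importing into a brand-new CID with no hosts or host groups for the policies to bind to, so the remedy is to populate the target CID first, not to edit the JSON.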

bk-cs commented 9 months ago

Sorry, I think I dropped this one. SensorUpdatePolicy.json can't have a blank array in it--there should only be one array containing all the sensor update policies within it. Are you still able to replicate this with the 2.2.6 release?

TomCullenMoon commented 9 months ago

I think ...maybe... this was a chicken-and-egg error. Let me explain. We were tasked to move our stand-alone CrowdStrike environment into Flight Control as a child. 20K clients and years of CrowdStrike management and this was going to be a first. We wanted to try it out first before committing Production.

I asked for a Dev instance, and CrowdStrike assigned us a CID based on my existing email address domain. This meant the CID was sort-of attached to the Production CID (something unexpected for us). I tried using your FalconConfig commands to move items from Production to this new CID and started getting the errors above - and submitted this ticket.

Due to the "Dev CID attached to Production" and some other weirdness, we decided to start over with a new CID that was wholly disconnected from Production with an alternate email domain name. Again I tried to copy over Production information using FalconConfig, and I got the same errors. I had to do the work manually to build Dev...so I started with building some Sensor Update Policies...the console wouldn't let me until I built some Group Policies...which wouldn't let me until I added a client.....then it struck me....after adding a client and a group, would your tool work to copy over a Sensor Update Policy without error, and it was successful this time.

So, I'm thinking that your tool works fine. It was my ignorance to expect it to work in a brand new empty environment....it needs clients/groups/etc to bind Sensor Policies and Firewall Policies that it is copying over. Sorry for my long-winded explanation.

bk-cs commented 9 months ago

No worries, thank you for the clarification!