CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense

[ BUG ] Get-FalconHost -Login does not work with -All #343

Closed brimur closed 1 year ago

brimur commented 1 year ago

Describe the bug The switch -Login that includes the user login history for a host does not work when the -All switch is used. This means to get that history I have to get ALL hosts then get the login history, which increases the number of API calls and delays the output significantly, making the same Get-FalconHost call for each device returned in the initial Get-FalconHost -All call.

To Reproduce Try to use Get-FalconHost -All -Login

Expected behavior I would expect the -All and -Login switches to work together to allow for a single API call rather than potentially thousands of individual lookups for user login history.

Environment (please complete the following information):

Additional context
Command: Get-FalconHost -all -Detailed -Filter {product_type_desc:"Workstation"} -login
Error: Get-FalconHost : Parameter set cannot be resolved using the specified named parameters.

Using the following command takes 7 minutes for 700 POC users. Our total user base will be 30K when deployed.

Get-FalconHost -all -Detailed -Filter {product_type_desc:"Workstation"+serial_number:!"*VMware*"}  | Select *,@{N="Username";E={((Get-FalconHost -id $_.device_id -login).recent_logins | ? {$_ -notlike "*$*" -and $_ -notlike "*AUTHORITY*" })[0].user_name}}

We are moving from SentinelOne which has a column called lastLoggedInUser in their table so is part of the main query by default and which we use to match users to computers.

bk-cs commented 1 year ago

This is not a bug, and this is correct. -Login is used with -Id to signify that the device_id should be sent to the login history API, instead of the device details API.

You can use the -Include function to request login_history with other device details. Also note that your -Filter parameter should not include curly braces:

Get-FalconHost -Filter "product_type_desc:'Workstation'+serial_number:!'*VMware*'" -Detailed -All -Include login_history

Your example takes 7 minutes because it's requesting each login history individually, instead of sending 100 at a time.
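Putting the corrected call to use for the original goal (a SentinelOne-style last-logged-in-user column), as an added example that is not code from this thread or from psfalcon itself. It assumes psfalcon is loaded and Request-FalconToken has already been run, and it assumes that -Include login_history attaches a login_history property to each host whose entries carry user_name and login_time, mirroring the recent_logins shape seen in the issue.

```powershell
# Added example, not from the thread or the psfalcon project.
# Assumes Request-FalconToken has already been run in this session.

# Filter syntax as bk-cs notes: quoted string, no curly braces.
$Filter = "product_type_desc:'Workstation'+serial_number:!'*VMware*'"

# One paged request set: device details and login history are fetched in
# batches of 100 ids instead of one Get-FalconHost -Id ... -Login per host.
$Hosts = Get-FalconHost -Filter $Filter -Detailed -All -Include login_history

# Logins to ignore when deriving the primary user: machine accounts (NAME$),
# NT AUTHORITY accounts, and the Window Manager / font driver host accounts.
$Exclude = @('*$*', '*AUTHORITY*', '*DWM-*', '*UMFD-*')

$Report = $Hosts | Select-Object hostname, device_id, last_seen, @{
    Name       = 'LastLoggedInUser'
    Expression = {
        # Assumption: login_history entries expose user_name and login_time.
        $_.login_history |
            Where-Object {
                $User = $_.user_name
                -not ($Exclude | Where-Object { $User -like $_ })
            } |
            Sort-Object login_time -Descending |
            Select-Object -First 1 -ExpandProperty user_name
    }
}

$Report | Export-Csv -Path .\falcon-hosts-last-user.csv -NoTypeInformation
```

Hosts with no qualifying login after the exclusions get an empty LastLoggedInUser value, which is worth flagging separately rather than treating as unowned.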