[ BUG ] Script execution failing for `Invoke-FalconRtr` `runscript` when using large number of host ids

[amd-arcpatel]

Describe the bug Using Invoke-FalconRtr command to run a powershell script on 200 hosts. When run the script on 3 hosts, it executes successfully, but when using larger number of hosts, there is no result. The RTR audit log shows an open session for each host with no action performed.

To Reproduce With 200+ hostids in $hosts, run the command: Invoke-FalconRtr -Command runscript -Argument "-CloudFile='NacTest.ps1'" -HostId $hosts -QueueOffline $true

Expected behavior Upon successful execution, Powershell prompt displays metadata and RTR audit logs show the commands used.

Environment (please complete the following information):

• OS: Windows 10
• PowerShell: 5.1
• PSFalcon: 2.2.5

Additional context I tested running this exact script with 3 hostids in $hosts and the execution was successful.

Transcript content

---

Transcript started, output file is C:\Users\<redacted>\OneDrive - <redacted>\Documents\PowerShell_transcript.AUS-LX-<redacted>.gT+nzmOC.20230913143422.txt
PS C:\Crowdstrike\NAC> Show-FalconModule

PSVersion      : Desktop [5.1.19041.3031]
ModuleVersion  : v2.2.5 {d893eb9f-f6bb-4a40-9caf-aaff0e42acd1}
ModulePath     : C:\Users\<redacted>\OneDrive - <redacted>\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.5
UserModulePath : C:\Users\<redacted>\OneDrive - <redacted>\Documents\WindowsPowerShell\Modules;C:\Program
                 Files\WindowsPowerShell\Modules;C:\windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files
                 (x86)\Microsoft Azure Information Protection\Powershell
UserHome       : C:\Users\<redacted>
UserAgent      : crowdstrike-psfalcon/2.2.5

PS C:\Crowdstrike\NAC> $hosts=(Import-Csv .\hosts.csv).'aid'

Invoke-FalconRtr -Command runscript -Argument "-CloudFile='NacTest.ps1'" -HostId $hosts -QueueOffline $true

VERBOSE: 14:36:20 [Start-FalconSession] /real-time-response/combined/batch-init-session/v1:post
VERBOSE: 14:36:20 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/real-time-response/combined/batch-init-session/v1?timeout=600
VERBOSE: 14:36:20 [ApiClient.Invoke] ContentType=application/json, Accept=application/json
VERBOSE: 14:36:20 [ApiClient.Invoke] {"queue_offline":true,"host_ids":["<redacted>"]}
PS C:\Crowdstrike\NAC> Stop-Transcript
**********************
Windows PowerShell transcript end
End time: 20230913143924
**********************

[bk-cs]

I suspect this is due to the default timeout value of 600 seconds during the creation of the RTR session. This is also the default length of a session, and if it waits 600 seconds to the devices to respond to the initialization request, the session dies before it's able to return the result.

For the 2.2.6 release, I modified the Invoke-FalconRtr function to use a 30 second timeout during the initialization request, and it seems to have fixed this. Can you try modifying your local copy of $HOME\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.5\public\psf-real-time-response.ps1 and modify this line from...

$Init = @{ Id = $Output.aid; Timeout = $Timeout; QueueOffline = $QueueOffline }

to...

$Init = @{ Id = $Output.aid; Timeout = 30; QueueOffline = $QueueOffline }

...and let me know if that resolves the issue for you? When you re-test, you will need to close and re-open PowerShell and re-import the module.

[amd-arcpatel]

Spot on.. That fixed the issue!! Will thank you in person next week :)

[bk-cs]

This issue will be fixed in the 2.2.6 release. If any other users would like to apply the fix to their local version, run this command:

(Invoke-WebRequest https://raw.githubusercontent.com/CrowdStrike/psfalcon/a8defcca7aedb52caeb198c4600430ecf10d0f58/public/psf-real-time-response.ps1).Content > $HOME\WindowsPowerShell\Modules\PSFalcon\2.2.5\public\psf-real-time-response.ps1

[bk-cs]

Resolved in 2.2.6 release which has been published to GitHub and will be published on the PowerShell Gallery soon.