CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense

Find-FalconHostName case sensitivity with error? #356

Closed PolarBearGod closed 11 months ago

PolarBearGod commented 11 months ago

Description of your question While using the network-contain-a-list-of-hostnames-from-a-csv-file.ps1 script, I found that the Find-FalconHostName does a console check for the hostname and matches it based on the sensitivity of the case as found in the CrowdStrike mothership. While I can do a Find-FalconHostname -Partial command to overcome the case sensitivity, the output in the PowerShell console shows as "No match found for '[ENDPOINTNAME]'."; however, below that error the actual scripted command works. Is this the expected behavior behind that command?

To Reproduce Update the following script to account for case insensitivity: network-contain-a-list-of-hostnames-from-a-csv-file.ps1 to use the following command Find-FalconHostname -Partial on line 22. In the hostname list, change the host names to mixed case, upper, and/or lower case.

Expected behavior If a hostname is actually found regardless of case, it should not show "No match" in the PowerShell console.


Additional context Example of the minor issue (screenshot).

Partial Solution or Thought The scripts that use Find-FalconHostname might be best to be updated with the -Partial switch by default as some names in the CS Console are mixed case depending on origin and someone might confuse a "no match" with the host not existing. Alternatively the function itself could account for case insensitivity by default?

bk-cs commented 11 months ago

I won't move to enabling -Partial by default, either in the script or in the function because the likelihood that someone will accidentally perform an action on a host is way too high (having hostname abc affect hosts abc, abcd, abcde, etc. -- case is not the only thing affected by the partial match).

PolarBearGod commented 11 months ago

How many hosts are in the CSV? The number of contained hosts doesn't match the number of errors in your screenshot.

20 unique machines were in the CSV (there were some duplicates). 2 were no longer valid assets, so action was taken against 18.

Were the contained hosts the same ones that generated errors?

The host names in the errors are the same AIDs below.

I won't move to enabling -Partial by default,

Ah I see why that might cause a problem; however, there is a larger problem in that Find-FalconHostName is case sensitive. Not sure about others but a host name might be gathered in many ways other than the CS console, so there are situations in which hostName1 will never match against Hostname1 even though they are the same machine.

bk-cs commented 11 months ago

20 unique machines were in the CSV (there was some duplicates). 2 were no longer valid assets, so action was taken against 18.

Something doesn't line up there. There are 25 warnings. Are 7 from duplicates? If they are duplicates and they were found, it shouldn't be producing a warning and is likely due to a bug that I should find and fix.

Ah I see why that might cause a problem; however, there is a larger problem in that Find-FalconHostName is case sensitive.

It's not that Find-FalconHostname is case sensitive -- the APIs themselves are case sensitive. The command is passing the values (in groups of 20) to Get-FalconHost and either using -Filter "hostname:'value'" (partial match, not case sensitive) or -Filter "hostname:['value']" (exact match, case sensitive).
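One way to get a case-insensitive exact match without the over-matching risk of -Partial, as an added example that is not part of the issue, the script, or psfalcon itself: query with the partial filter form described above, then keep only results whose hostname equals the requested name under PowerShell's case-insensitive -eq. It assumes psfalcon is loaded with a valid token and that the CSV has a hostname column; the hostname and device_id properties are those of the Falcon device record.

```powershell
# Added example, not psfalcon or repository code. Assumes Request-FalconToken has
# already been run and that the input CSV has a 'hostname' column.
function Find-FalconHostExactIgnoreCase {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Name)

    # Dedupe case-insensitively so 'ABC' and 'abc' are queried once and
    # duplicates in the CSV do not produce duplicate warnings
    $unique = $Name | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique
    foreach ($n in $unique) {
        # hostname:'value' is the partial, case-insensitive FQL form from the thread;
        # it also returns abcd, abcde, ... for 'abc', so it must be narrowed locally
        $candidates = @(Get-FalconHost -Filter "hostname:'$n'" -Detailed)

        # -eq is case-insensitive in PowerShell, so hostName1 matches Hostname1
        # but abcd never matches abc
        $exact = @($candidates | Where-Object { $_.hostname -eq $n })

        if ($exact.Count -eq 0) {
            Write-Warning "No match found for '$n'."
        } elseif ($exact.Count -gt 1) {
            # Same name, different case, on more than one record: do not guess
            Write-Warning "'$n' matched $($exact.Count) hosts; skipping as ambiguous."
        } else {
            [PSCustomObject]@{
                requested = $n
                hostname  = $exact[0].hostname
                device_id = $exact[0].device_id
            }
        }
    }
}

# Resolve the names, review the table, and only then act on the exact matches
$names   = Import-Csv .\hosts.csv | Select-Object -ExpandProperty hostname
$matched = @(Find-FalconHostExactIgnoreCase -Name $names)
$matched | Format-Table -AutoSize
# Invoke-FalconHostAction -Name contain -Id $matched.device_id
```

The containment call is left commented so the resolved list can be checked before any action is taken.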

PolarBearGod commented 11 months ago

It's not that Find-FalconHostname is case sensitive -- the APIs themselves are case sensitive.

Well that is just unfortunate. Is there any way to overcome that other than having a strong naming convention or ensuring all names are capitalized in the console?

bk-cs commented 11 months ago

As far as I'm aware, no. I think the underlying data is stored case sensitive, and I don't see that changing.

PolarBearGod commented 11 months ago

Thanks BK, appreciate your support on this.