Closed PolarBearGod closed 11 months ago
I won't move to enabling -Partial by default, either in the script or in the function because the likelihood that someone will accidentally perform an action on a host is way too high (having hostname abc affect hosts abc, abcd, abcde, etc. -- case is not the only thing affected by the partial match).
How many hosts are in the CSV? The number of contained hosts doesn't match the number of errors in your screenshot.
20 unique machines were in the CSV (there were some duplicates). 2 were no longer valid assets, so action was taken against 18.
Were the contained hosts the same ones that generated errors?
The host names in the errors are the same AIDs below.
I won't move to enabling -Partial by default,
Ah I see why that might cause a problem; however, there is a larger problem in that Find-FalconHostName is case sensitive. Not sure about others but a host name might be gathered in many ways other than the CS console, so there are situations in which hostName1 will never match against Hostname1 even though they are the same machine.
20 unique machines were in the CSV (there were some duplicates). 2 were no longer valid assets, so action was taken against 18.
Something doesn't line up there. There are 25 warnings. Are 7 from duplicates? If they are duplicates and they were found, it shouldn't be producing a warning and is likely due to a bug that I should find and fix.
Ah I see why that might cause a problem; however, there is a larger problem in that Find-FalconHostName is case sensitive.
It's not that Find-FalconHostname is case sensitive -- the APIs themselves are case sensitive. The command is passing the values (in groups of 20) to Get-FalconHost and either using -Filter "hostname:'value'" (partial match, not case sensitive) or -Filter "hostname:['value']" (exact match, case sensitive).
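An added example, not part of the original thread or PSFalcon's own code: the broad, case-insensitive lookup described above can be narrowed client-side to whole-name matches, so abc finds ABC but never abcd. The function name, the hostname/device_id property names and the sample records are assumptions constructed for illustration.

```powershell
# Added example. $Candidates stands in for the records that a partial,
# case-insensitive lookup (-Filter "hostname:'value'") would return.
# Property names hostname/device_id are assumed for illustration.
function Select-ExactHostMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        [Parameter(Mandatory)] [object[]] $Candidate
    )
    # Sort-Object -Unique is case-insensitive, so 'abc' and 'Abc' from the
    # CSV collapse into one lookup instead of producing two results.
    $Wanted = $Name | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
        Sort-Object -Unique

    foreach ($Item in $Wanted) {
        # -ieq compares the whole string, ignoring case:
        # 'abc' matches 'ABC' but not 'abcd' or 'ABCDE'.
        $Hit = @($Candidate | Where-Object { $_.hostname -ieq $Item })
        if ($Hit.Count -eq 0) {
            Write-Warning "No match found for '$Item'."
        } elseif ($Hit.Count -gt 1) {
            # Several device records share the name: report, do not guess.
            Write-Warning "Multiple devices named '$Item'; skipping: $($Hit.device_id -join ', ')"
        } else {
            $Hit[0]
        }
    }
}

# Constructed sample data (not real hosts or AIDs).
$Candidates = @(
    [pscustomobject]@{ hostname = 'ABC';       device_id = 'aid-0001' }
    [pscustomobject]@{ hostname = 'abcd';      device_id = 'aid-0002' }
    [pscustomobject]@{ hostname = 'ABCDE';     device_id = 'aid-0003' }
    [pscustomobject]@{ hostname = 'Hostname1'; device_id = 'aid-0004' }
)
$FromCsv = 'abc', 'Abc', 'hostName1', 'retired-host'

Select-ExactHostMatch -Name $FromCsv -Candidate $Candidates |
    Format-Table hostname, device_id
```

Only the records that pass this filter would be handed to a containment step; a warning is emitted once per name that has no whole-name match.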
It's not that Find-FalconHostname is case sensitive -- the APIs themselves are case sensitive.
Well that is just unfortunate. Is there any way to overcome that other than having a strong naming convention or ensuring all names are capitalized in the console?
As far as I'm aware, no. I think the underlying data is stored case sensitive, and I don't see that changing.
Thanks BK, appreciate your support on this.
Description of your question
While using the network-contain-a-list-of-hostnames-from-a-csv-file.ps1 script, I found that the Find-FalconHostName does a console check for the hostname and matches it based on the sensitivity of the case as found in the CrowdStrike mothership. While I can do a Find-FalconHostname -Partial command to overcome the case sensitivity, the output in the PowerShell console shows as "No match found for '[ENDPOINTNAME]'."; however, below that error the actual scripted command works. Is this the expected behavior behind that command?
To Reproduce
Update the following script to account for case insensitivity: network-contain-a-list-of-hostnames-from-a-csv-file.ps1 to use the following command Find-FalconHostname -Partial on line 22. In the hostname list, change the host names to mixed case, upper, and/or lower case.
Expected behavior
If a hostname is actually found regardless of case, it should not show "No match" in the PowerShell console.
Environment (please complete the following information):
Additional context
Example of the minor issue.
Partial Solution or Thought
The scripts that use Find-FalconHostname might be best to be updated with the -Partial switch by default as some names in the CS Console are mixed case depending on origin and someone might confuse a "no match" with the host not existing. Alternatively the function itself could account for case insensitivity by default?