Issue #313: Reorganized parameters for Get-FalconRole and removed UserId from a specific ParameterSet to
ensure proper output.
Issue #315: Modified script used by Uninstall-FalconSensor to match "64" instead of equal "64-bit" to correct
an error caused when the bit value is reported as "64 bit" instead of "64-bit".
Issue #316: Added if check to Confirm-Parameter for $Required and $Allowed to ensure that blank values
do not count when verifying objects under PowerShell Core.
Issue #327: Modified Invoke-FalconDeploy to properly change directories and execute scripts when working with
.cmd and .bat files. Thanks @MatthewCKelly!
Issue #342: Modified Invoke-FalconMalQuery and Get-FalconMalQuery to select the reqid,reqtype and/or
status properties in their final output, when present.
Issue #360: Fixed bug where Get-FalconAsset would not append results when using -Include login_event with a
single asset result.
Issue #363: Added critical as a severity for Edit-FalconHorizonPolicy.
Other
General Changes
Modified all authorization token validation checks to request a new token when the current token is due to
expire within 4 minutes instead of 1 minute. This should help reduce the number of expired authorization
tokens during long-running requests (like Get-FalconVulnerability).
Migrated Wait-RetryAfter function from private\Private.ps1 to class\Class.ps1 under ApiClient.Invoke()
function.
Streamlined ApiClient.Invoke() under class\Class.ps1 in an effort to improve verbose logging and
performance.
Modified private functions Invoke-Falcon and Request-FalconToken to compensate for changes to
ApiClient.Invoke().
Modified Write-Result to ensure each error will be individually produced when a single API call generates
multiple errors.
Rearranged how ApiClient.Invoke() downloads files to eliminate "index out of range" error.
Added format\format.json to contain API endpoint body/formdata/query parameters for easier updates when large
numbers of API endpoints are modified at once.
Added function Get-EndpointFormat to private\Private.ps1 to read body/formdata/query parameters from
format.json.
Replaced tab of four spaces with two to reduce file sizes across module.
Moved code that replaces the user input parameters with proper parameter names for body payloads from the
private Invoke-Falcon function into the private Build-Content function.
Renamed Inputs variable (and accompanying parameter for the Invoke-Falcon function, used by commands when
making a request) to UserInput in keeping with PowerShell style.
Updated prevention policy settings for Compare-FalconPreventionPhase.
Updated Write-Result to remove meta from output when meta.pagination.total equals 0 to account for
some -Detailed results returning meta information instead of an empty response (unlike a non -Detailed
result, which would return nothing, as expected).
Updated private Add-Include function to provide error messages when unable to pull results instead of a silent
failure with no output in the related -Include property.
Updated reference policies used by Compare-FalconPreventionPhase.
Command Changes
Add-FalconSensorTag
Fixed bug where n was being split into separate tags due to an incorrect quote. Thanks @soggysec!
Removed support for pre-6.42 Windows sensors given that they are no longer supported and don't have
CsSensorSettings.exe.
Isolated the scripts being run to add sensor tags into new files contained under the script folder.
Edit-FalconHorizonAwsAccount
Added autocomplete values for CloudTrailRegion.
Added IamRoleArn, BehaviorAssessmentEnabled, SensorManagementEnabled, RemediationRegion, and
RemediationTouAccepted.
Edit-FalconHorizonPolicy
Updated AccountId to accept multiple identifiers.
Edit-FalconReconNotification
Added IdpSendStatus and Message.
Edit-FalconFirewallLocationSetting
Added LocationPrecedence.
Edit-FalconIoc
Added Array parameter for submitting many IOCs for modification, and set as the default parameter set when
utilizing the pipeline.
Set maximum of 2,000 IOCs per request when using Array.
Export-FalconConfig
Added FileVantagePolicy (including FileVantageExclusion) and FileVantageRuleGroup (including
FileVantageRule). CrowdStrike-created policies and rule groups are excluded from the export
because they are auto-generated and cannot be modified.
Updated to force HostGroup when exporting FileVantagePolicy to evaluate host_groups.
Updated to force FileVantageRuleGroup when exporting FileVantagePolicy to evaluate rule_groups and
assign them to policies.
Get-FalconAlert
Removed pattern validation for Id parameter, due to new varying identifier types found in testing.
Get-FalconBuild
Added Stage.
Get-FalconContainerAccount
Updated Location to correctly submit as locations to the API endpoint.
Get-FalconContainerAwsAccount
Added IsHorizonAcct.
Get-FalconContainerCluster
Added Status.
Get-FalconContainerVulnerability
Corrected error that prevented the submission of applicationPackages.
Get-FalconFimChange
Updated to use new v3 endpoint, replacing Offset with After.
Renamed command to Get-FalconFileVantageChange, but kept Get-FalconFimChange as an alias.
Get-FalconHorizonAwsAccount
Added IamRoleArn and Migrated.
Get-FalconHorizonAzureAccount
Added TenantId.
Get-FalconHorizonAzureCertificate
Added YearsValid.
Get-FalconHorizonIoa
Added ResourceId, ResourceUuid, and Since.
Get-FalconHost
Updated the Login switch to use new v2 endpoint. The initial API is limited to 10 ids values per
request, which means that using -Include login_history will be substantially slower until the API limit
is increased.
Get-FalconHostGroup
Updated Include to use a filtered Get-FalconHost search when adding members which avoids the 10k
maximum limit from the previously used Get-FalconHostGroupMember command.
Get-FalconRole
Reorganized parameter positioning.
Removed automatic redirection of Id values when matching a Cid (because it also matches custom role
identifiers).
Removed UserId as a parameter for the /user-management/queries/roles/v1:get endpoint because the same data
is returned by the /combined/ endpoint and they have overlapping parameters.
Added DirectOnly parameter to Get-FalconRole.
Get-FalconScan
Updated to use /ods/entities/scans/v2:get endpoint.
Get-FalconSensorTag
Isolated the scripts being run to retrieve tags into new files contained under the script folder.
Get-FalconSession
Added Cid and CommandInfo, which facilitate the display of all Real-time Response sessions within the
authorized CID.
Import-FalconConfig
Added an error message when filenames within the target archive do not correspond with files typically created
by Export-FalconConfig. Thanks @JFresh15 and @soggysec!
Added additional verbose output when the command updates id values for groups and rule_groups objects.
Added additional verbose output when the command updates build values for Sensor Update policies.
Fixed a bug where Linux Sensor Update policies would not be created due to a missing build for LinuxArm64
policy variants.
Added FileVantagePolicy and FileVantageRuleGroup as ModifyExisting options.
Updated Comment output to specify why certain items were ignored using NoModifyDefault and
NoModifyExisting.
Added code to compensate and properly match when importing into a new cloud and the "latest" tagged build is
renamed for a SensorUpdatePolicy.
Invoke-FalconAdminCommand
Added falconscript as a Command option.
Invoke-FalconAlertAction
Removed pattern validation for Id due to new varying identifier types found in testing.
Updated to use new v3 endpoint.
Invoke-FalconContainerScan
Corrected scan-type to scan_type during submission.
Invoke-FalconDeploy
Modified to ensure that the timeout value was 600 seconds when on the put step.
Updated GroupId to use a filtered Get-FalconHost search which avoids the 10k maximum limit from the
previously used Get-FalconHostGroupMember command.
Invoke-FalconRtr
Added falconscript as a Command option.
Updated GroupId to use a filtered Get-FalconHost search which avoids the 10k maximum limit from the
previously used Get-FalconHostGroupMember command.
New-FalconHorizonAwsAccount
Added autocomplete values for CloudTrailRegion.
Added AccountType, BehaviorAssessmentEnabled, IamRoleArn, IsMaster, SensorManagementEnabled, and
UseExistingCloudtrail.
New-FalconHorizonAzureAccount
Added ClientId, AccountType, DefaultSubscription, and YearsValid.
New-FalconIoc
Set maximum of 2,000 IOCs per request when using Array.
New-FalconScheduledScan
Added ScanInclusion.
Receive-FalconContainerYaml
Added IsSelfManagedCluster.
Receive-FalconHorizonAwsScript
Added Id.
Receive-FalconHorizonAzureScript
Added SubscriptionId, Template, and AccountType.
Receive-FalconRule
Added IfNoneMatch and IfModifiedSince.
Remove-FalconCidGroupMember
Updated to use /mssp/entities/cid-group-members/v2:delete endpoint.
Remove-FalconHorizonAzureAccount
Added TenantId and RetainTenant.
Remove-FalconReconRule
Added DeleteNotification.
Remove-FalconSample
Updated Id to accept a sha256 value when passed through the pipeline.
Remove-FalconSensorTag
Removed support for pre-6.42 Windows sensors given that they are no longer supported and don't have
CsSensorSettings.exe.
Isolated the scripts being run to remove sensor tags into new files contained under the script folder.
Send-FalconPutFile
Added maximum character length for Name.
Send-FalconScript
Added maximum character length for Name.
Start-FalconScan
Added ScanInclusion.
Uninstall-FalconSensor
Added code to uninstall only the currently installed version of Falcon when multiple versions are detected on a
Windows host.
Isolated the scripts being run to uninstall Falcon into new files contained under the script folder.
2.2.6
Updates for 2.2.6 release
Added features and functionality
Added Commands
cloud-connect-azure
configuration-assessment
falcon-complete-dashboards
filevantage
identity-protection
real-time-response
Removed Commands
cloud-connect-aws (deprecated)
cloud-connect-azure (deprecated)
cloud-connect-gcp (deprecated)
discover
settings-discover (deprecated)