search

CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense
350 stars 66 forks source link

[ BUG ] `New-FalconReconRule` generating `Invalid Request` error with single rule #381

Open jashley92 opened 7 months ago

jashley92 commented 7 months ago

Describe the bug The documented examples for New-FalconReconRule generate an Invalid Request error

To Reproduce Attempt to create a rule with New-FalconReconRule

Environment (please complete the following information):

Additional context Tried multiple different devices, multiple api keys

Transcript content

**********************
Windows PowerShell transcript start
Start time: 20240212143113
Username: [Domain]\[Redacted]
RunAs User: [Domain]\[Redacted]
Configuration Name:
Machine: [Server] (Microsoft Windows NT 10.0.17763.0)
Host Application: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
Process ID: 8144
PSVersion: 5.1.17763.5202
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17763.5202
BuildVersion: 10.0.17763.5202
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\Users\[Redacted]\Documents\PowerShell_transcript.[Server].b_zQgO6w.20240212143113.txt
PS C:\Users\[Redacted]> Show-FalconModule

PSVersion      : Desktop [5.1.17763.5202]
ModuleVersion  : v2.2.6 {d893eb9f-f6bb-4a40-9caf-aaff0e42acd1}
ModulePath     : C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.6
UserModulePath : C:\Users\[Redacted]\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;D:\Program Files (x86)\Microsoft SQL
                 Server\150\Tools\PowerShell\Modules\
UserHome       : C:\Users\[Redacted]
UserAgent      : crowdstrike-psfalcon/2.2.6

PS C:\Users\[Redacted]> New-FalconReconRule -Name "psfalcon_example_1" -Topic "SA_VIP" -Filter "phrase:'psfalcon_example_phrase'" -Priority "low" -Permission public -verbose
VERBOSE: 14:31:33 [New-FalconReconRule] /recon/entities/rules/v1:post
VERBOSE: 14:31:33 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/recon/entities/rules/v1
VERBOSE: 14:31:33 [ApiClient.Invoke] ContentType=application/json, Accept=application/json
VERBOSE: 14:31:33 [ApiClient.Invoke] {"filter":"phrase:\u0027psfalcon_example_phrase\u0027","priority":"low","name":"psfalcon_example_1","permissions":"public","topic":"SA_VIP"}
VERBOSE: 14:31:33 [ApiClient.Invoke] 400: BadRequest
VERBOSE: 14:31:33 [ApiClient.Invoke] Connection=keep-alive, Pragma=no-cache, Strict-Transport-Security=max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=cc8e0f9f-d06a-4e29-a892-08ad1dc05c3a, X-Frame-Options=SAMEORIGIN, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5841, Cache-Control=no-store, must-revalidate, no-cache, Date=Mon, 12 Feb 2024 19:31:33 GMT, Server=nginx
VERBOSE: 14:31:33 [Write-Result] query_time=0.000437981, powered_by=recon, trace_id=cc8e0f9f-d06a-4e29-a892-08ad1dc05c3a
Write-Result : {"code":400,"message":"Invalid request","message_key":"INVALID_REQUEST"}
At C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.6\private\Private.ps1:663 char:9
+         Write-Result $Object
+         ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (@{resources=Sys...ystem.Object[]}:PSObject) [Write-Result], Exception
    + FullyQualifiedErrorId : Write-Result
Write-Result : {"code":400,"message":"Invalid request","message_key":"INVALID_REQUEST"}
At C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.6\private\Private.ps1:663 char:9
+         Write-Result $Object
+         ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (@{resources=Sys...ystem.Object[]}:PSObject) [Write-Result], Exception
    + FullyQualifiedErrorId : Write-Result

PS C:\Users\[Redacted]> Stop-Transcript
**********************
Windows PowerShell transcript end
End time: 20240212143141
**********************
jashley92 commented 7 months ago

Forgot to mention, API Key works when using API directly via Postman.

bk-cs commented 7 months ago

Forgot to mention, API Key works when using API directly via Postman.

Thanks for the added detail! Are you submitting the same fields when creating the rule using Postman?

bk-cs commented 7 months ago

It appears that PSFalcon is incorrectly sending your single rule as an individual object, instead of forcing it into an array (expected by the API). You can work around the problem by creating your rule using the example below until I fix it:

[PSCustomObject]@{ filter = "phrase:'psfalcon_example_phrase'"; priority = 'low'; name = 'psfalcon_example_1'; permissions = 'public'; topic = 'SA_VIP' } | New-FalconReconRule
jashley92 commented 6 months ago

Excellent! The workaround works perfect. Thank you so much!