CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense

[ ENHANCEMENT ] Add command to overwrite SensorTags instead of appending #389

Closed LyleWB closed 1 week ago

LyleWB commented 6 months ago

Hi, I wasn't sure if this was the correct place to post this as it's more of a feature request than a bug - apologies in advance if this should be posted elsewhere.

Describe the bug This is a feature request for an "Append" switch to be added to Add-FalconSensorTag. Currently, this command will take the existing tags and add additional tags, retaining the pre-existing ones. I would like a switch to enable/disable retaining the pre-existing tags.

To Reproduce Below is a function I created to replace a sensor grouping tag using the "Remove-FalconSensorTag" & "Add-FalconSensorTag" commands. If you run this function, you will notice that the 2nd RTR script is re-adding the previous tags, because the initial RTR script has not finished running.

function Replace-SensorTags {
    [CmdletBinding()]
    param (
        # Tag(s) to remove from every host
        [Parameter(Mandatory)]
        [string[]]$Before,
        # Tag(s) to add in their place
        [Parameter(Mandatory)]
        [string[]]$After
    )
    Write-Host "`nRetrieving Hosts"
    $Hosts = @(Get-FalconHost -Detailed -Limit 5000)
    Write-Host "Total of $($Hosts.Count) Devices"

    foreach ($ID in $Hosts) {
        Write-Host "Removing $Before tag from $($ID.hostname)"
        # Each call queues a separate RTR script; the Add below can run before this Remove has finished
        Remove-FalconSensorTag -Id $ID.device_id -Tag $Before -QueueOffline $true | Out-Null
        Write-Host "Adding $After tag to $($ID.hostname)`n"
        Add-FalconSensorTag -Id $ID.device_id -Tag $After -QueueOffline $true | Out-Null
    }
}

Expected behavior Effectively, I would like the below behaviour, with the default value of $true.

If the -append switch is true: previous tags + new tag. If the -append switch is false: new tag only.

Environment (please complete the following information):

Additional context We have Flight Control and tag devices within a CID with the services we offer. This allows our analysts to see services offered to each CID. It also allows us to assign Fusion workflows to all CIDs and filter by sensor tag (you can't assign workflows to CID groups).

We want to use Sensor tags over Grouping tags so that this can be added to deployment jobs and future devices are automatically tagged.

Transcript content Not possible.

bk-cs commented 6 months ago

I'm not sure that Add-FalconSensorTag is functioning properly at the moment. Otherwise, I expect that your script would do what you are trying to do.

I'd rather not change the command by adding the Append parameter, as my assumption would be that it would not be $true by default (leading to a change in the default behavior of the command, as boolean parameters are $false unless set by the user).

What about a Set-FalconSensorTag command? CsSensorSettings.exe (used to set the tags) does not ever append tags -- it only writes over the existing tags with whatever value you provide. PSFalcon adds the "keep what's there" behavior. Adding a new command would ensure no existing users are impacted but still lead to your desired outcome.

LyleWB commented 6 months ago

I think that would be a good workaround! This issue is similar to the one outlined in the other thread, but it doesn't seem to be an issue with the maintenance token, the tags just aren't passed properly to the "$V" variable in the RTR script. Might be related, might not be.

bk-cs commented 6 months ago

You can re-create the issue that Add-FalconSensorTag is having directly on a device using PowerShell. I've opened a CrowdStrike support ticket to determine if there was a change to CsSensorSettings.exe that can be reverted, since this breaks the ability to use CsSensorSettings.exe in Real-time Response when sensor uninstall protection is enabled.

If the device currently has no tags, this supposedly works (untested, but someone mentioned it to me), and if the device currently has tags, this does nothing:

echo "maintenance token" | & "C:\Program Files\CrowdStrike\CsSensorSettings.exe" set --grouping-tags "tag1,tag2"

It also seems to fail when trying to remove the tags. If you disable sensor uninstall protection, or run this command locally and copy/paste the token when prompted, it works:

"C:\Program Files\CrowdStrike\CsSensorSettings.exe" set --grouping-tags "tag1,tag2"

The problem is that you can't interact with the prompt using Real-time Response, so until echo is fixed, I can't do anything within PSFalcon to resolve it.

bk-cs commented 6 months ago

I added the Set-FalconSensorTag command which will be available in the next release. I'll leave this open until the next release is available.

Thanks for the idea!
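An added example (not from this issue or from PSFalcon itself) of replacing tags with a single write per host, so the Remove/Add ordering problem above never arises. It assumes PSFalcon 2.2.7 or later with Set-FalconSensorTag accepting -Id, -Tag and -QueueOffline, and that Get-FalconHost -Detailed exposes sensor tags in the .tags property prefixed with 'SensorGroupingTags/'; both are assumptions, not confirmed by this thread.

```powershell
# Added example, not part of the issue or of PSFalcon. Assumes Set-FalconSensorTag (-Id, -Tag,
# -QueueOffline) and 'SensorGroupingTags/<tag>' entries in the .tags property of host details.
function Set-ReplacedSensorTag {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)][string[]]$Before,   # tags to drop
        [Parameter(Mandatory)][string[]]$After,    # tags to add
        [string]$Filter = "platform_name:'Windows'" # FQL filter (assumed scope)
    )
    $Hosts = @(Get-FalconHost -Filter $Filter -Detailed -All)
    foreach ($Device in $Hosts) {
        # Current sensor tags with the assumed 'SensorGroupingTags/' prefix stripped
        $Current = @($Device.tags | Where-Object { $_ -like 'SensorGroupingTags/*' } |
            ForEach-Object { $_ -replace '^SensorGroupingTags/', '' })
        # Desired set: keep everything except $Before, add $After, remove duplicates
        $Desired = @(@($Current | Where-Object { $Before -notcontains $_ }) + $After |
            Select-Object -Unique)
        # Skip hosts that already match, so nothing is queued needlessly
        $Same = (($Current | Sort-Object) -join ',') -eq (($Desired | Sort-Object) -join ',')
        if ($Same) { continue }
        if ($PSCmdlet.ShouldProcess($Device.hostname, "set sensor tags to '$($Desired -join ',')'")) {
            # One overwrite per host: no Remove followed by Add, so no race between RTR scripts
            Set-FalconSensorTag -Id $Device.device_id -Tag $Desired -QueueOffline $true
        }
    }
}
```

Run with -WhatIf first to list the hosts and tag sets that would change before anything is queued.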

bk-cs commented 1 week ago

The 2.2.7 release is now available.