search

CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense
370 stars 71 forks source link

[ BUG ] `Get-FalconHost` error on hostname #390

Closed brushenas closed 8 months ago

brushenas commented 8 months ago

Describe the bug When I run the following command , it errors out on some hostnames. not on all hostnames but some. for others it returns the result.

Get-FalconHost -Filter "hostname:'A302120'" -Detailed

Here is the Error I am getting: 

Invoke-Falcon: C:\Users\XXXXXXX\Documents\PowerShell\Modules\PSFalcon\2.2.6\public\discover.ps1:132:7
Line |
 132 |        Invoke-Falcon @Param -UserInput $PSBoundParameters
     |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot validate argument on parameter 'Id'. The argument
     | "a3b5c66368d547e69420c4a71e7d16dc_ATBMGQujZiHyBu9OZhE1C9hoy6ubm1-VMDcG-ZgYjB5u1A" does not match the "^[a-fA-F0-9]{32}_\w+$"      
     | pattern. Supply an argument that matches "^[a-fA-F0-9]{32}_\w+$" and try the command again.

To Reproduce Just run the command Get-FalconHost on different host names

Expected behavior Should not error out. either return some objects or none.

Environment (please complete the following information):

Transcript content

Get-FalconHost -Filter "hostname:'A302120'" -Detailed

1. Set $VerbosePreference = 'Continue'
2. Run Import-Module, Request-FalconToken, Start-Transcript, Show-FalconModule, the affected PSFalcon commands or script, and Stop-Transcript
PS > $VerbosePreference = 'Continue'    
PS > Request-FalconToken
VERBOSE: 17:26:10 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/oauth2/token
VERBOSE: 17:26:10 [ApiClient.Invoke] Accept=application/json, ContentType=application/x-www-form-urlencoded
VERBOSE: 17:26:10 [ApiClient.Invoke] 201: Created
VERBOSE: 17:26:10 [ApiClient.Invoke] Server=nginx, Date=Sat, 02 Mar 2024 01:26:10 GMT, Connection=keep-alive, X-Cs-Region=us-2, X-Cs-Traceid=ac872b76-dea1-4508-9184-e4f41e7a2aac, X-Ratelimit-Limit=300, X-Ratelimit-Remaining=299, Strict-Transport-Security=max-age=31536000; includeSubDomains
VERBOSE: 17:26:10 [Request-FalconToken] Authorized until: 03/01/2024 17:56:09
PS >  Start-Transcript
Transcript started, output file is C:\Users\XXXXXXX\Documents\PowerShell_transcript.A309261.6+qnmjGW.20240301172631.txt
PS > Show-FalconModule

PSVersion      : Core [7.3.4]
ModuleVersion  : v2.2.6 {d893eb9f-f6bb-4a40-9caf-aaff0e42acd1}
ModulePath     : C:\Users\XXXXXXX\Documents\PowerShell\Modules\PSFalcon\2.2.6
UserModulePath : C:\Users\XXXXXXX\Documents\PowerShell\Modules;C:\Program Files\PowerShell\Modules;c:\program
                 files\powershell\7\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Module 
                 s;C:\Users\XXXXXXX\Documents\WindowsPowerShell\Modules;c:\Users\XXXXXXX\.vscode\extensions\ms-vscode.powershell-202 
                 4.0.0\modules
UserHome       : C:\Users\XXXXXXX
UserAgent      : crowdstrike-psfalcon/2.2.6

PS > Get-FalconAsset -Filter  "hostname:'A302120'"  -Detailed
VERBOSE: 17:27:19 [Get-FalconAsset] /discover/queries/hosts/v1:get
VERBOSE: 17:27:19 [ApiClient.Invoke] GET https://api.us-2.crowdstrike.com/discover/queries/hosts/v1?filter=hostname:'A302120'    
VERBOSE: 17:27:19 [ApiClient.Invoke] Accept=application/json
VERBOSE: 17:27:19 [ApiClient.Invoke] 200: OK
VERBOSE: 17:27:19 [ApiClient.Invoke] Server=nginx, Date=Sat, 02 Mar 2024 01:27:19 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=0e6e0ae3-8771-4af2-8a72-fc5df5762ff5, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5997
VERBOSE: 17:27:19 [Write-Result] query_time=0.207477324, pagination.offset=0, pagination.limit=100, pagination.total=2, powered_by=discover-api, trace_id=0e6e0ae3-8771-4af2-8a72-fc5df5762ff5
Invoke-Falcon: C:\Users\XXXXXXX\Documents\PowerShell\Modules\PSFalcon\2.2.6\public\discover.ps1:132:7
Line |
 132 |        Invoke-Falcon @Param -UserInput $PSBoundParameters
     |        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot validate argument on parameter 'Id'. The argument
     | "a3b5c66368d547e69420c4a71e7d16dc_ATBMGQujZiHyBu9OZhE1C9hoy6ubm1-VMDcG-ZgYjB5u1A" does not match the "^[a-fA-F0-9]{32}_\w+$"      
     | pattern. Supply an argument that matches "^[a-fA-F0-9]{32}_\w+$" and try the command again.
PS > Stop-Transcript
Transcript stopped, output file is C:\Users\XXXXXXX\Documents\PowerShell_transcript.A309261.6+qnmjGW.20240301172631.txt
bk-cs commented 8 months ago

You're saying your command is Get-FalconHost, but you're calling the API for Get-FalconAsset. Which one are you trying to use? If it's Get-FalconHost, can you try reinstalling the module? It should not be calling Discover APIs.

Uninstall-Module -Name PSFalcon -AllVersions
Install-Module -Name PSFalcon -Scope CurrentUser
Import-Module -Name PSFalcon
bk-cs commented 8 months ago

Is this still an issue? Did the steps above have any impact?

mcj323s commented 8 months ago

Is this still an issue? Did the steps above have any impact?

Disregard. I ran the Revoke-FalconToken command. The token is no longer failing. The request is processing.

brushenas commented 8 months ago

Sorry I was getting the error on 'Get-FalconAsset with the option "-Detailed" without the "-Detailed" option it was working and returning the Object ID but somehow when you want to have the details it fails randomly on some host objects.

I did uninstall and re-installed the PSFalcom module and it seems like it is working now. I am hoping that I don't get this error anymore because my script was working fine until last week and somehow if started erroring out.

Regarding the function 'Get-FalconHost', I was using that along with the 'Get-FalconAsset' to test and compare what was returned and why one is working and the other one is not. Sorry for the confusion.

I ll keep monitoring the script and will update this post if the error re-occurs.

Thank you very much for your feedback and support. Behruz

brushenas commented 8 months ago

Here you go again, the problem is coming back. Here is a screenshot of the 'Get-FalconAsset' command one without '-Detailed' parameter and the other one with this parameter.

PS C:\MGM\BT\BT API scripts> $filter hostname:'AL210682'

PS C:\MGM\BT\BT API scripts> Get-FalconAsset -Filter $filter a3b5c66368d547e69420c4a71e7d16dc_ATAjBFm4P6dFz7G1S1z73p_oB7-jvtTfevEVORgIOoVsPg PS C>

PS C> Get-FalconAsset -Filter $filter -Detailed

Invoke-Falcon: C:\Users\XXXXXXXXX\Documents\PowerShell\Modules\PSFalcon\2.2.6\public\discover.ps1:132:7 Line | 132 | Invoke-Falcon @Param -UserInput $PSBoundParameters | ~~~~~~~~~~ | Cannot validate argument on parameter 'Id'. The argument | "a3b5c66368d547e69420c4a71e7d16dc_ATAjBFm4P6dFz7G1S1z73poB7-jvtTfevEVORgIOoVsPg" does not match the "^[a-fA-F0-9]{32}\w+$" | pattern. Supply an argument that matches "^[a-fA-F0-9]{32}_\w+$" and try the command again.

PS C:>