CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense

[ BUG ] `Get-FalconAlert -All -Detailed` returns `413 - Request Too Large` #396

Closed datorr2 closed 2 months ago

datorr2 commented 7 months ago

Describe the bug: `Get-FalconAlert -All -Detailed` produces an HTTP error `413 - Request Too Large`.

To Reproduce: `Get-FalconAlert -All -Detailed`

Expected behavior: All Falcon alerts returned with details.

Environment (please complete the following information):

Additional context: Ran command with `-Verbose` flag and then copied the POST body to check the length. The length of the request was 1058849 bytes, which is over 1 MiB.

Transcript content

**********************
PowerShell transcript start
Start time: 20240325190440
Username: USERNAME
RunAs User: USERNAME
Configuration Name: 
Machine: HOSTNAME (Microsoft Windows NT 10.0.19045.0)
Host Application: C:\Program Files\PowerShell\7\pwsh.dll
Process ID: 14612
PSVersion: 7.4.1
PSEdition: Core
GitCommitId: 7.4.1
OS: Microsoft Windows 10.0.19045
Platform: Win32NT
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1, 6.0, 7.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
**********************
Transcript started, output file is .\bug.log
PS>Show-FalconModule

PSVersion      : Core [7.4.1]
ModuleVersion  : v2.2.6 {d893eb9f-f6bb-4a40-9caf-aaff0e42acd1}
ModulePath     : C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.6
UserModulePath : C:\Users\USERNAME\Documents\PowerShell\Modules;C:\Program Files\PowerShell\Modules;c:\program files\powershell\7\Modules;C:\Program
                 Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
UserHome       : C:\Users\USERNAME
UserAgent      : crowdstrike-psfalcon/2.2.6

PS>Get-FalconAlert -All -Detailed
VERBOSE: 19:04:46 [Get-FalconAlert] /alerts/queries/alerts/v1:get
VERBOSE: 19:04:46 [ApiClient.Invoke] GET https://api.laggar.gcw.crowdstrike.com/alerts/queries/alerts/v1?limit=10000
VERBOSE: 19:04:46 [ApiClient.Invoke] Accept=application/json
VERBOSE: 19:04:49 [ApiClient.Invoke] 200: OK
VERBOSE: 19:04:49 [ApiClient.Invoke] Server=nginx, Date=Mon, 25 Mar 2024 23:04:49 GMT, Transfer-Encoding=chunked, Connection=keep-alive, Strict-Transport-Security=max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-gov-1, X-Cs-Traceid=74c156d2-dbcd-4243-8def-572f4860a8e5, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5999
VERBOSE: 19:04:49 [Write-Result] query_time=0.704189434, pagination.offset=0, pagination.limit=10000, pagination.total=12735, writes=, powered_by=detectsapi, trace_id=74c156d2-dbcd-4243-8def-572f4860a8e5
VERBOSE: 19:04:55 [Get-FalconAlert] /alerts/entities/alerts/v2:post
VERBOSE: 19:04:55 [ApiClient.Invoke] POST https://api.laggar.gcw.crowdstrike.com/alerts/entities/alerts/v2
VERBOSE: 19:04:55 [ApiClient.Invoke] ContentType=application/json, Accept=application/json
VERBOSE: 19:04:55 [ApiClient.Invoke] {"composite_ids":[ <IDS REMOVED FOR BREVITY AND DUE TO SENSITIVITY> ]}
VERBOSE: 19:04:56 [ApiClient.Invoke] 413: RequestEntityTooLarge
VERBOSE: 19:04:56 [ApiClient.Invoke] Server=nginx, Date=Mon, 25 Mar 2024 23:04:56 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-gov-1, X-Cs-Traceid=79ed51c1-ab3d-459f-b8b9-1362f4156cfb, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5998
VERBOSE: 19:04:56 [Write-Result] query_time=0.018427306, writes=, powered_by=detectsapi, trace_id=79ed51c1-ab3d-459f-b8b9-1362f4156cfb
Write-Result: C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.6\private\Private.ps1:663
Line |
 663 |          Write-Result $Object
     |          ~~~~~~~~~~~~~~~~~~~~
     | {"code":413,"message":"request too large"}
Write-Result: C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.6\private\Private.ps1:663
Line |
 663 |          Write-Result $Object
     |          ~~~~~~~~~~~~~~~~~~~~
     | {"code":413,"message":"request too large"}

PS>Stop-Transcript
**********************
PowerShell transcript end
End time: 20240325190501
**********************

bk-cs commented 7 months ago

Thanks for the report!

It looks like GET /alerts/queries/alerts/v2 returns 10,000 ids, but POST /alerts/entities/alerts/v2 only accepts a maximum of 1,000. PSFalcon isn't breaking up the identifier list into groups of 1,000. Until I fix that, you can work around the problem by retrieving the available alerts like this:

Get-FalconAlert -Limit 1000 -Detailed -All

bk-cs commented 7 months ago

I've implemented a fix to ensure that only 1,000 ids are submitted per request when retrieving details of alerts. This fix will be included in the next PSFalcon release. If you'd like to resolve it for your local module before release, you can replace public\alerts.ps1 and private\Private.ps1 using the steps outlined below.

Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/a6a777a3a3e52462ee572d869990beb93b5bc838/public/alerts.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) alerts.ps1)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/a6a777a3a3e52462ee572d869990beb93b5bc838/private/Private.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath private) Private.ps1)

Once these steps have been completed, please close and re-open PowerShell and re-import PSFalcon to ensure that the issue is resolved. Leaving this open for others to apply the fix until the next release.
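
The batching described in the two comments above, as an added example that is not part of the thread or of PSFalcon's code: it splits an id list into groups of at most 1,000 and measures the JSON body each group would produce. `Split-IdBatch`, `Get-RequestBodySize` and the sample ids are hypothetical and constructed, and no request is sent.

```powershell
# Added example: batching logic only, no network calls. Function names are hypothetical.
function Split-IdBatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Id,
        # 1,000 is the per-request maximum quoted in the thread for the entities endpoint.
        [ValidateRange(1, 1000)] [int] $BatchSize = 1000
    )
    for ($i = 0; $i -lt $Id.Count; $i += $BatchSize) {
        $last = [Math]::Min($i + $BatchSize, $Id.Count) - 1
        # The cast keeps a final one-element slice as an array.
        [string[]] $batch = $Id[$i..$last]
        # Unary comma emits each batch as one pipeline object instead of unrolling it.
        , $batch
    }
}

function Get-RequestBodySize {
    param([Parameter(Mandatory)] [string[]] $Id)
    # Same body shape as the POST in the transcript: {"composite_ids":[...]}
    $json = @{ composite_ids = $Id } | ConvertTo-Json -Compress
    [System.Text.Encoding]::UTF8.GetByteCount($json)
}

# Constructed sample ids (not real alert ids), 102 characters each, so that
# 10,000 of them give a body of roughly the size the report measured.
$ids = 1..10000 | ForEach-Object { 'CONSTRUCTED-ID-{0:D6}-{1}' -f $_, ('x' * 80) }

# Size of the single unbatched body, compared with the 1 MiB figure from the report.
$single = Get-RequestBodySize -Id $ids
'{0} ids in one body: {1} bytes, over 1 MiB: {2}' -f $ids.Count, $single, ($single -gt 1MB)

# Size of each body once the list is split into groups of 1,000.
$n = 0
foreach ($batch in @(Split-IdBatch -Id $ids)) {
    $n++
    $bytes = Get-RequestBodySize -Id $batch
    'batch {0}: {1} ids, {2} bytes' -f $n, $batch.Count, $bytes
    # The POST for this batch would be sent here; sending is outside this sketch.
}
```
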

bk-cs commented 2 months ago

This fix is included in the 2.2.7 release.