Issues Resolved
Issue #310: Added default timeout of one minute for all requests in an effort to help produce error messages
when a file download does not complete.
Issue #369: Corrected Find-FalconHostname so it outputs the entire list of results instead of stopping after
the initial 100.
Issue #370: Changed all identifier parameter aliases from uppercase to lowercase to resolve matching issues
when using Turkish as the default display language.
Issue #375: Added a second delay for Invoke-FalconDeploy between commands when using the offline queue to
ensure that the proper processing order is retained.
Issue #380: Updated Compare-ImportData function to analyze items by each individual platform (or
platform_name) to resolve bug where FirewallGroup items were being ignored.
Issue #382: Removed output of successfully downloaded file information from Invoke-Falcon private function
and relocated within the Invoke() class function to prevent Index out of range error on successful download
requests.
Issue #385: Re-wrote Add-FalconSensorTag and Remove-FalconSensorTag so the commands properly append/remove tags
across all OSes, and fixed an issue where tags weren't applied at all.
Issue #391: Removed pattern validation for the Id parameter for Get-FalconAsset to prevent errors when
unexpected (but legitimate) Id values are provided.
Issue #393: Updated Import-FalconConfig to properly remove rule_group_ids that aren't tied to
FirewallGroup items that are also created during import.
Issue #396: Added maximum count of 1000 identifiers when building body content during Get-FalconAlert
requests.
Issue #397: Added Action parameter to define multiple actions to perform in a single request when using
Invoke-FalconAlertAction or Invoke-FalconIncidentAction.
Issue #399: Updated how field_values properties are selected to ensure that they're correctly passed as an
array when using New-FalconIoaRule.
Issue #401: Added Confirm-CidValue private function to check Cid input for checksum, remove it when present,
and return the Cid value in lower case.
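An illustrative PowerShell implementation of the normalization Issue #401 describes (validate the Cid, strip a trailing checksum when present, return lower case). This is an added example, not the module's private Confirm-CidValue function; it assumes the common CID format of 32 hex characters optionally followed by a hyphen and a two-character checksum.

```powershell
# Added example (not PSFalcon's own code): normalize a customer ID (CID) as Issue #401 describes.
# Assumed format: 32 hex characters, optionally followed by '-' and a two-character checksum.
function ConvertTo-NormalizedCid {
    [CmdletBinding()]
    [OutputType([string])]
    param([Parameter(Mandatory)][string]$Cid)

    $pattern = '^(?<cid>[A-Fa-f0-9]{32})(?:-(?<checksum>[A-Za-z0-9]{2}))?$'
    $match = [regex]::Match($Cid.Trim(), $pattern)
    if (-not $match.Success) {
        # Reject anything that is not a well-formed CID so a typo cannot reach the API
        throw "Invalid CID value '$Cid': expected 32 hex characters with an optional '-xx' checksum."
    }
    if ($match.Groups['checksum'].Success) {
        Write-Verbose "Stripping checksum '$($match.Groups['checksum'].Value)' from CID input"
    }
    # Return only the 32-character value, in lower case
    return $match.Groups['cid'].Value.ToLower()
}

# Constructed sample values (placeholders, not real customer IDs)
ConvertTo-NormalizedCid -Cid '0123456789ABCDEF0123456789ABCDEF-4A' -Verbose   # checksum present, stripped
ConvertTo-NormalizedCid -Cid '0123456789abcdef0123456789abcdef'               # no checksum, returned as-is
try { ConvertTo-NormalizedCid -Cid 'not-a-cid' } catch { $_.Exception.Message }  # malformed input is rejected
```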
Issue #411: Added Include with value of scan_file to Get-FalconScan, and added ScanId to
Get-FalconScanFile to support Include for Get-FalconScan.
Issue #412: Added Limit of 500 to Get-FalconScan and Get-FalconScanFile to ensure both limit and
offset are passed during pagination.
General Changes
Added a weekly check of the PSGallery for PSFalcon module updates if the PSFalcon module was originally
installed via the PSGallery. Update status is kept in a file called update_check.json in the base PSFalcon
module folder. If the connection to the PSGallery fails, the update check is disabled. Deleting update_check.json
will re-attempt connection the next time the module is loaded.
Updated internal Build-Query function to automatically URL encode all provided values during submission,
instead of only encoding + as before.
Updated internal Log() method for [ApiClient] to support Falcon NGSIEM and CrowdStrike Parsing Standard.
Added UserAgent value to [ApiClient] object for use with Log() method.
Updated Request-FalconToken and Show-FalconModule to use new UserAgent value under [ApiClient].
Removed filtering for unique values when supplying an array of identifiers to a command. This was originally
added to prevent problems related to an array containing the same identifier twice, but it adds a lot of
processing time when a large list of identifiers is provided. PSFalcon will now pass all given identifiers on
to the relevant API, meaning that new error messages might appear if a user is not properly error checking
their scripts and filtering out duplicate identifier values.
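Because PSFalcon no longer filters duplicate identifiers (above) and Get-FalconAlert now caps a request body at 1000 identifiers (Issue #396), scripts should de-duplicate and batch identifier lists before calling a command. The helper below is an added example and not part of PSFalcon; Split-FalconIdBatch is a hypothetical name, the identifiers are constructed placeholders, and the commented call assumes a PSFalcon command that accepts an -Id array.

```powershell
# Added example (not PSFalcon's own code): de-duplicate an identifier list case-insensitively
# and split it into batches no larger than the 1000-identifier limit noted for Get-FalconAlert.
function Split-FalconIdBatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Id,
        [ValidateRange(1, 1000)]
        [int]$BatchSize = 1000
    )
    begin {
        # A HashSet gives O(1) membership tests, so very large lists stay fast
        $seen = [System.Collections.Generic.HashSet[string]]::new(
            [System.StringComparer]::OrdinalIgnoreCase)
        $unique = [System.Collections.Generic.List[string]]::new()
    }
    process {
        foreach ($value in $Id) {
            if ([string]::IsNullOrWhiteSpace($value)) { continue }   # drop empty entries
            $trimmed = $value.Trim()
            if ($seen.Add($trimmed)) { $unique.Add($trimmed) }       # keep first occurrence only
        }
    }
    end {
        for ($i = 0; $i -lt $unique.Count; $i += $BatchSize) {
            $count = [Math]::Min($BatchSize, $unique.Count - $i)
            # Emit each batch as one array object (the unary comma prevents unrolling)
            ,[string[]]$unique.GetRange($i, $count).ToArray()
        }
    }
}

# Constructed sample input: 2,500 synthetic identifiers containing deliberate duplicates
$sample  = 1..2500 | ForEach-Object { 'alert-{0:d4}' -f ($_ % 1200) }
$batches = Split-FalconIdBatch -Id $sample -BatchSize 1000
$uniqueTotal = ($batches | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
"{0} input values -> {1} unique values in {2} batches" -f $sample.Count, $uniqueTotal, $batches.Count

# Each batch can then be passed to a PSFalcon command that takes -Id, for example:
# foreach ($batch in $batches) { Get-FalconAlert -Id $batch }
```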
Added Test-ActionParameter private function to support new Action parameter for Invoke-FalconAlertAction
and Invoke-FalconIncidentAction.
Added Select-CertificateProperty private function to support the new Edit-FalconCertificateExclusion and
New-FalconCertificateExclusion commands.
Corrected verbose output for various commands to ensure that the relevant command name was displayed when
Invoke-Falcon makes a request to the target API.
Re-wrote the internal function Confirm-Parameter to reduce necessary parameters when calling the function.
Added internal Remove-EmptyValue function to strip empty values before submission when necessary.
Corrected bug found when implementing new v2 endpoint for Get-FalconAsset -IoT where the after value would
not be added properly when paginating with -All and no other criteria (i.e. filter, sort, etc.).
Compressed SensorTag commands into a reusable function to de-duplicate code.
Renamed the Array parameter to InputObject to better match PowerShell style for the following commands:
Edit-FalconDeviceControlPolicy, Edit-FalconFirewallPolicy, Edit-FalconIoc, Edit-FalconPreventionPolicy,
Edit-FalconReconNotification, Edit-FalconReconRule, Edit-FalconResponsePolicy,
Edit-FalconSensorUpdatePolicy, Find-FalconHostname, New-FalconDeviceControlPolicy,
New-FalconFirewallPolicy, New-FalconHostGroup, New-FalconIoc, New-FalconPreventionPolicy,
New-FalconReconRule, New-FalconResponsePolicy, and New-FalconSensorUpdatePolicy.
Array has been kept as an alias to prevent issues with existing scripts.
Changed the prefix from Horizon to Cloud for the following commands:
Edit-FalconHorizonAwsAccount, Edit-FalconHorizonAzureAccount, Edit-FalconHorizonPolicy,
Edit-FalconHorizonSchedule, Get-FalconFimChange, Get-FalconHorizonAwsAccount, Get-FalconHorizonAwsLink,
Get-FalconHorizonAzureAccount, Get-FalconHorizonAzureCertificate, Get-FalconHorizonAzureGroup,
Get-FalconHorizonIoa, Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser, Get-FalconHorizonIom,
Get-FalconHorizonPolicy, Get-FalconHorizonSchedule, New-FalconHorizonAwsAccount,
New-FalconHorizonAzureAccount, New-FalconHorizonAzureGroup, Receive-FalconHorizonAwsScript,
Receive-FalconHorizonAzureScript, Remove-FalconHorizonAwsAccount, Remove-FalconHorizonAzureAccount, and
Remove-FalconHorizonAzureGroup.
The original command names have been kept as aliases to prevent issues with existing scripts.
Removed Compare-FalconPreventionPhase and accompanying policy json files due to Falcon Prevention Policy UI
changes that enabled policy comparison in the Falcon console.
Command Changes
Add-FalconSensorTag
Re-written to properly evaluate add tags across all OSes.
Added support for passing uninstallation token when adding tags on MacOS (and presumably Linux in the future).
Added properties to output to increase transparency in the use of RTR and the status of tag additions.
Edit-FalconCloudAwsAccount
Added Environment, DspmEnabled, DspmRole and TargetOu.
Edit-FalconIoaRule
Updated to use /ioarules/entities/rules/v2:patch endpoint.
Edit-FalconMlExclusion
Added DescendentProcess.
Edit-FalconSvExclusion
Added DescendentProcess.
Edit-FalconReconRule
Added BreachMonitorOnly.
Edit-FalconFileVantageRule
Added ContentRegistryValues, HashCapture and RegKeyPermission.
Export-FalconConfig
Added error message when unable to create export in current directory.
Get-FalconAlert
Updated to use /alerts/queries/alerts/v2:get endpoint.
Added IncludeHidden (used when submitting Id values).
Get-FalconAsset
Updated to use new /discover/queries/iot-hosts/v2:get endpoint with -IoT.
Added -External switch to search for external assets.
Updated to use new /discover/combined/hosts/v1:get endpoint when using -Detailed.
Updated to use new /discover/combined/applications/v1:get when using -Application and -Detailed.
The facet property has been joined together with Include for the relevant new /combined/ API
endpoints for consistency with earlier PSFalcon versions.
Added error messages when invalid Limit or facet values (as Include) are supplied for their
respective API endpoint. Tab-completion for Include will first offer all available values, and the
command will error if one of the supplied values is invalid based on the eventual API endpoint
being targeted.
Updated code to properly append login_event when used with -Include for respective aid (when
searching for Host) or account_id (when searching for Account) values.
Get-FalconCloudAwsAccount
Added CspmLite.
Renamed IsHorizonAcct parameter to IsFcsAccount. Kept IsHorizonAcct as an alias.
Get-FalconCloudAzureAccount
Added CspmLite.
Renamed IsHorizonAcct parameter to IsFcsAccount. Kept IsHorizonAcct as an alias.
Get-FalconContainerSensor
Added check to verify proper credentials are available to avoid 401: Unauthorized errors when a token is not
present.
Get-FalconInstaller
Updated to use new v2 endpoints.
Get-FalconIocHost
Updated to use /iocs/aggregates/device-count/v1:get endpoint.
Get-FalconReconRule
Added SecondarySort.
Get-FalconRole
Added Detailed switch.
Get-FalconSensorTag
Re-written to pull tags directly from devices API instead of using RTR on Linux and Mac.
Get-FalconUninstallToken
Re-wrote command to group all device_id values together and make requests in appropriately sized groups,
instead of individually when using Include. This should drastically increase performance when requesting
large numbers of uninstall_token values with other device properties included.
Get-FalconVulnerability
Updated Limit to a maximum of 5,000 for Detailed requests. If retrieving identifiers only, the command
will force Limit to a maximum of 400.
Invoke-FalconAlertAction
Added Action for performing multiple actions on alerts in a single request. Thanks @datorr2!
Invoke-FalconIncidentAction
Added Action for performing multiple actions on incidents in a single request. Thanks @datorr2!
Removed mandatory attribute from Value to ensure that it works when using unassign with Name parameter.
Invoke-FalconMobileAction
Updated to use /enrollments/entities/details/v4:post endpoint.
Added EnrollmentType.
Import-FalconConfig
Added additional verbose output during analysis of items to import to help with future troubleshooting.
Added additional verbose output to show when rule_group_ids are being assigned and/or the removal of
non-existent values when FirewallPolicy items are being created and modified.
Added FirewallPolicy settings values to final CSV output.
Added various improvements for handling SensorUpdatePolicy with unavailable sensor build versions. When
an invalid build version is found, it is stripped. When a build is updated with a matching tagged version,
sensor_version and stage are also updated. These changes also affect variants for LinuxArm64.
Fixed issues preventing SensorUpdatePolicy from being evaluated for changes with ModifyExisting. Updated
final output to properly record changes.
Various improvements related to policy analysis and changes for policy settings.
Invoke-FalconAlertAction
Added IncludeHidden.
Invoke-FalconRtr
Forced the private function that keeps the RTR session alive to run every 30 seconds by default, to help
prevent results from being lost when hosts that recently went offline (i.e. didn't meet the cutoff for
the offline queue) delay the RTR session start long enough for the session itself to die before the eventual
command is properly issued. This should help eliminate cases of Invoke-FalconRtr "not doing anything"
because a host is unable to be added to the session and/or the results aren't returned quickly enough after
the session begins.
New-FalconCloudGcpAccount
Updated to use new /cloud-connect-cspm-gcp/entities/account/v2:post endpoint.
Added ServiceAccountId, ClientId, ClientEmail, PrivateKey, PrivateKeyId, ProjectId, and
ServiceAccountCondition.
New-FalconCloudAwsAccount
Added DspmEnabled and DspmRole.
New-FalconFileVantageRule
Added ContentRegistryValues, HashCapture and RegKeyPermission.
New-FalconSvExclusion
Added IsDescendentProcess.
New-FalconReconRule
Added BreachMonitorOnly.
Added OriginatingTemplateId.
New-FalconFileVantageRule
Added ContentRegistryValues.
Receive-FalconCloudAwsScript
Added OrganizationId, Template, Account, AccountType, AwsProfile, CustomRole, BehaviorAssessment,
SensorManagement, and ExistingCloudtrail.
Receive-FalconCloudAzureScript
Added AzureManagementGroup.
Receive-FalconInstaller
Updated to use new v2 endpoint.
Register-FalconEventCollector
Updated to support Falcon NGSIEM HTTP Event Collector ingestion.
Remove-FalconContainerImage
Updated to use new /container-security/entities/base-images/v1:delete endpoint.
Remove-FalconSensorTag
Re-written to properly evaluate and remove specific tags across all OSes.
Added support for passing uninstallation token when removing tags on MacOS (and presumably Linux in the future).
Added properties to output to increase transparency in the use of RTR and the status of tag removal.
Request-FalconRegistryCredential
Removed mandatory requirement for SensorType and added a prompt if it is not present.
Added additional error messages to notify when token or expires_in is missing from a token request response.
Made various changes to ensure all token-related content was properly cached/retrieved from cache.
Request-FalconToken
Added us-gov-2 as Cloud and Hostname option.
Send-FalconEvent
Updated to support Falcon NGSIEM HTTP Event Collector ingestion.
New Commands
cloud-connect-cspm-azure
cloud-connect-cspm-gcp
configuration-assessment
container-security
delivery-settings
exclusions
fem
filevantage
host-migration
intel
loggingapi
plugins
psf-sensors
snapshots
threatgraph
workflows