2.2.6

[bk-cs]

New Commands

cloud-connect-azure

• Get-FalconDiscoverAzureTenant

configuration-assessment

• Get-FalconConfigAssessment
• Get-FalconConfigAssessmentLogic

falcon-complete-dashboards

• Get-FalconCompleteAlert

filevantage

• Add-FalconFileVantageHostGroup
• Add-FalconFileVantageRuleGroup
• Edit-FalconFileVantageExclusion
• Edit-FalconFileVantagePolicy
• Edit-FalconFileVantageRule
• Edit-FalconFileVantageRuleGroup
• Get-FalconFileVantageExclusion
• Get-FalconFileVantagePolicy
• Get-FalconFileVantageRule
• Get-FalconFileVantageRuleGroup
• New-FalconFileVantageExclusion
• New-FalconFileVantagePolicy
• New-FalconFileVantageRule
• New-FalconFileVantageRuleGroup
• Remove-FalconFileVantageExclusion
• Remove-FalconFileVantageHostGroup
• Remove-FalconFileVantagePolicy
• Remove-FalconFileVantageRule
• Remove-FalconFileVantageRuleGroup
• Set-FalconFileVantagePrecedence
• Set-FalconFileVantageRulePrecedence
• Set-FalconFileVantageRuleGroupPrecedence

identity-protection

• Get-FalconIdentityHost

real-time-response

• Get-FalconLibraryScript

Removed Commands

cloud-connect-aws (deprecated)

• Confirm-FalconDiscoverAwsAccess
• Edit-FalconDiscoverAwsAccount
• Get-FalconDiscoverAwsAccount
• Get-FalconDiscoverAwsLink
• Get-FalconDiscoverAwsSetting
• New-FalconDiscoverAwsAccount
• Receive-FalconDiscoverAwsScript
• Remove-FalconDiscoverAwsAccount
• Update-FalconDiscoverAwsSetting

cloud-connect-azure (deprecated)

• Get-FalconDiscoverAzureAccount
• Get-FalconDiscoverAzureCertificate
• Get-FalconDiscoverAzureTenant
• New-FalconDiscoverAzureAccount
• Receive-FalconDiscoverAzureScript
• Update-FalconDiscoverAzureAccount

cloud-connect-gcp (deprecated)

• Get-FalconDiscoverGcpAccount
• New-FalconDiscoverGcpAccount
• Receive-FalconDiscoverGcpScript

discover

• Get-FalconDiscoverNetwork
• Get-FalconDiscoverRule
• Get-FalconDiscoverScan
• Get-FalconDiscoverScanner

settings-discover (deprecated)

• Get-FalconDiscoverAwsScript

Issues Resolved

• Issue [ BUG ] Get-FalconRole and Get-FalconUser return incorrect roles #313: Reorganized parameters for Get-FalconRole and removed UserId from a specific ParameterSet to
  ensure proper output.
• Issue [ BUG ] Uninstall-FalconSensor fails on some 64-bit Windows machines and returns no status #315: Modified script used by Uninstall-FalconSensor to match 64 instead of equal 64-bit to correct
  error caused when bit value is reported as 64 bit instead of 64-bit.
• Issue [ BUG ] Get-FalconContainerVulnerability validation of Package fails in PowerShell Core #316: Added if check to Confirm-Parameter for $Required and $Allowed to ensure that blank values
  do not count when verifying objects under PowerShell Core.
• Issue [ BUG ] Mismatching execution languages in Invoke-FalconDeploy #327: Modified Invoke-FalconDeploy to properly change directories and execute scripts when working with
  .cmd and .bat files. Thanks @MatthewCKelly!
• Issue [ BUG ] Invoke-FalconMalQuery, Get-FalconMalQuery and Search-FalconMalQueryHash not returning results #342: Modified Invoke-FalconMalQuery and Get-FalconMalQuery to select the reqid,reqtype and/or
  status properties in their final output, when present.
• Issue [ BUG ] Get-FalconAsset does not append login_event when using Include with a single result #360: Fixed bug where Get-FalconAsset would not append results when using -Include login_event with a
  single asset result.
• Issue [ BUG ] Unable to use severity critical with Edit-FalconHorizonPolicy #363: Added critical as a severity for Edit-FalconHorizonPolicy.

General Changes

• Modified all authorization token validation checks to request a new token when the current token is due to
  expire within 4 minutes instead of 1 minute. This should help reduce the number of expired authorization
  tokens during long-running requests (like Get-FalconVulnerability).
• Migrated Wait-RetryAfter function from private\Private.ps1 to class\Class.ps1 under ApiClient.Invoke()
  function.
• Streamlined ApiClient.Invoke() under class\Class.ps1 in an effort to improve verbose logging and
  performance.
• Modified private functions Invoke-Falcon and Request-FalconToken to compensate for changes to
  ApiClient.Invoke().
• Modified Write-Result to ensure each error will be individually produced when a single API call generates
  multiple errors.
• Rearranged how ApiClient.Invoke() downloads files to eliminate "index out of range" error.
• Added format\format.json to contain API endpoint body/formdata/query parameters for easier updates when large
  numbers of API endpoints are modified at once.
• Added function Get-EndpointFormat to private\Private.ps1 to read body/formdata/query parameters from
  format.json.
• Replaced tab of four spaces with two to reduce file sizes across module.
• Moved code that replaces the user input parameters with proper parameter names for body payloads from the
  private Invoke-Falcon function into the private Build-Content function.
• Renamed Inputs variable (and accompanying parameter for the Invoke-Falcon function, used by commands when
  making a request) to UserInput in keeping with PowerShell style.
• Updated prevention policy settings for Compare-FalconPreventionPhase.
• Updated Write-Result to remove meta from output when meta.pagination.total equals 0 to account for
  some -Detailed results returning meta information instead of an empty response (unlike a non -Detailed
  result, which would return nothing, as expected).
• Updated private Add-Include function to provide error messages when unable to pull results instead of a silent
  failure with no output in the related -Include property.
• Updated reference policies used by Compare-FalconPreventionPhase.

Command Changes

Add-FalconSensorTag

• Fixed bug where n was being split into separate tags due to an incorrect quote. Thanks @soggysec!
• Removed support for pre-6.42 Windows sensors given that they are no longer supported and don't have
  CsSensorSettings.exe.
• Isolated the scripts being run to add sensor tags into new files contained under the script folder.

Edit-FalconHorizonAwsAccount

• Added autocomplete values for CloudTrailRegion.
• Added IamRoleArn, BehaviorAssessmentEnabled, SensorManagementEnabled, RemediationRegion, and
  RemediationTouAccepted.

Edit-FalconHorizonPolicy

• Updated AccountId to accept multiple identifiers.

Edit-FalconReconNotification

• Added IdpSendStatus and Message.

Edit-FalconFirewallLocationSetting

• Added LocationPrecedence.

Edit-FalconIoc

• Added Array parameter for submitting many IOCs for modification, and set as the default parameter set when
  utilizing the pipeline.
• Set maximum of 2,000 IOCs per request when using Array.

Export-FalconConfig

• Added FileVantagePolicy (including FileVantageExclusion) and FileVantageRuleGroup (including
  FileVantageRule). CrowdStrike-created policies and rule groups are excluded from the export
  because they are auto-generated and can not be modified.
• Updated to force HostGroup when exporting FileVantagePolicy to evaluate host_groups.
• Updated to force FileVantageRuleGroup when exporting FileVantagePolicy to evaluate rule_groups and
  assign them to policies.

Get-FalconAlert

• Removed pattern validation for Id parameter, due to new varying identifier types found in testing.

Get-FalconBuild

• Added Stage.

Get-FalconContainerAccount

• Updated Location to correctly submit as locations to the API endpoint.

Get-FalconContainerAwsAccount

• Added IsHorizonAcct.

Get-FalconContainerCluster

• Added Status.

Get-FalconContainerVulnerability

• Corrected error that prevented the submission of applicationPackages.

Get-FalconFimChange

• Updated to use new v3 endpoint, replacing Offset with After.
• Renamed command to Get-FalconFileVantageChange, but kept Get-FalconFimChange as an alias.

Get-FalconHorizonAwsAccount

• Added IamRoleArn and Migrated.

Get-FalconHorizonAzureAccount

• Added TenantId.

Get-FalconHorizonAzureCertificate

• Added YearsValid.

Get-FalconHorizonIoa

• Added ResourceId, ResourceUuid, and Since.

Get-FalconHost

• Updated the Login switch to use new v2 endpoint. The initial API is limited to 10 ids values per
  request, which means that using -Include login_history will be substantially slower until the API limit
  is increased.

Get-FalconHostGroup

• Updated Include to use a filtered Get-FalconHost search when adding members which avoids the 10k
  maximum limit from the previously used Get-FalconHostGroupMember command.

Get-FalconRole

• Reorganized parameter positioning.
• Removed automatic redirection of Id values when matching a Cid (because it also matches custom role
  identifiers).
• Removed UserId as a parameter for the /user-management/queries/roles/v1:get endpoint because the same data
  is returned by the /combined/ endpoint and they have overlapping parameters.
• Added DirectOnly parameter to Get-FalconRole.

Get-FalconScan

• Updated to use /ods/entities/scans/v2:get endpoint.

Get-FalconSensorTag

• Isolated the scripts being run to retrieve tags into new files contained under the script folder.

Get-FalconSession

• Added Cid and CommandInfo, which facilitate the display of all Real-time Response sessions within the
  authorized CID.

Import-FalconConfig

• Added an error message when filenames within the target archive do not correspond with files typically created
  by Export-FalconConfig. Thanks @JFresh15 and @soggysec!
• Added additional verbose output when the command updates id values for groups and rule_groups objects.
• Added additional verbose output when the command updates build values for Sensor Update policies.
• Fixed a bug where Linux Sensor Update policies would not be created due to a missing build for LinuxArm64
  policy variants.
• Added FileVantagePolicy and FileVantageRuleGroup as ModifyExisting options.
• Updated Comment output to specify why certain items were ignored using NoModifyDefault and
  NoModifyExisting.
• Added code to compensate and properly match when importing into a new cloud and the "latest" tagged build is
  renamed for a SensorUpdatePolicy.

Invoke-FalconAdminCommand

• Added falconscript as a Command option.

Invoke-FalconAlertAction

• Removed pattern validation for Id due to new varying identifier types found in testing.
• Updated to use new v3 endpoint.

Invoke-FalconContainerScan

• Corrected scan-type to scan_type during submission.

Invoke-FalconDeploy

• Modified to ensure that the timeout value was 600 seconds when on the put step.
• Updated GroupId to use a filtered Get-FalconHost search which avoids the 10k maximum limit from the
  previously used Get-FalconHostGroupMember command.

Invoke-FalconRtr

• Added falconscript as a Command option.
• Updated GroupId to use a filtered Get-FalconHost search which avoids the 10k maximum limit from the
  previously used Get-FalconHostGroupMember command.

New-FalconHorizonAwsAccount

• Added autocomplete values for CloudTrailRegion.
• Added AccountType, BehaviorAssessmentEnabled, IamRoleArn, IsMaster, SensorManagementEnabled, and
  UseExistingCloudtrail.

New-FalconHorizonAzureAccount

• Added ClientId, AccountType, DefaultSubscription, and YearsValid.

New-FalconIoc

• Set maximum of 2,000 IOCs per request when using Array.

New-FalconScheduledScan

• Added ScanInclusion.

Receive-FalconContainerYaml

• Added IsSelfManagedCluster.

Receive-FalconHorizonAwsScript

• Added Id.

Receive-FalconHorizonAzureScript

• Added SubscriptionId, Template, and AccountType.

Receive-FalconRule

• Added IfNoneMatch and IfModifiedSince.

Remove-FalconCidGroupMember

• Updated to use /mssp/entities/cid-group-members/v2:delete endpoint.

Remove-FalconHorizonAzureAccount

• Added TenantId and RetainTenant.

Remove-FalconReconRule

• Added DeleteNotification.

Remove-FalconSample

• Updated Id to accept a sha256 value when passed through the pipeline.

Remove-FalconSensorTag

• Removed support for pre-6.42 Windows sensors given that they are no longer supported and don't have
  CsSensorSettings.exe.
• Isolated the scripts being run to remove sensor tags into new files contained under the script folder.

Send-FalconPutFile

• Added maximum character length for Name.

Send-FalconScript

• Added maximum character length for Name.

Start-FalconScan

• Added ScanInclusion.

Uninstall-FalconSensor

• Added code to uninstall only the currently installed version of Falcon when multiple versions are detected on a
  Windows host.
• Isolated the scripts being run to uninstall Falcon into new files contained under the script folder.

---

This discussion was created from the release 2.2.6.