From 186b15a804515ce4e84ca83decf99aedc8c790c3 Mon Sep 17 00:00:00 2001
From: bk-cs <54042976+bk-cs@users.noreply.github.com>
Date: Fri, 27 Aug 2021 13:35:01 -0700
Subject: [PATCH] v2.1.2

---
 PSFalcon.psd1 | 950 ++++++++++--------------
 Private/Private.ps1 | 4 +-
 Public/custom-ioa.ps1 | 10 +-
 Public/device-control-policies.ps1 | 18 +-
 Public/devices.ps1 | 58 +-
 Public/falcon-container.ps1 | 7 +
 Public/falconx-reports.ps1 | 4 +-
 Public/falconx-rules.ps1 | 12 +-
 Public/falconx-sandbox.ps1 | 4 +-
 Public/firewall-management.ps1 | 28 +-
 Public/host-group.ps1 | 21 +-
 Public/ioc.ps1 | 10 +-
 Public/ml-exclusions.ps1 | 4 +-
 Public/mssp.ps1 | 28 +-
 Public/oauth2.ps1 | 9 +-
 Public/prevention-policies.ps1 | 19 +-
 Public/psfalcon.ps1 | 69 +-
 Public/real-time-response-admin.ps1 | 8 +-
 Public/real-time-response.ps1 | 8 +-
 Public/recon-monitoring-rules.ps1 | 18 +-
 Public/response-policies.ps1 | 18 +-
 Public/samplestore.ps1 | 6 +-
 Public/scheduled-report.ps1 | 102 +++
 Public/self-service-ioa-exclusions.ps1 | 62 +-
 Public/sensor-installers.ps1 | 4 +-
 Public/sensor-update-policies.ps1 | 24 +-
 Public/sensor-visibility-exclusions.ps1 | 4 +-
 Public/streaming.ps1 | 2 +-
 Public/usermgmt.ps1 | 8 +-
 Public/zero-trust-assessment.ps1 | 5 +-
 30 files changed, 795 insertions(+), 729 deletions(-)
 create mode 100644 Public/falcon-container.ps1
 create mode 100644 Public/scheduled-report.ps1

diff --git a/PSFalcon.psd1 b/PSFalcon.psd1
index 69179bc9..e1e7ad93 100644
--- a/PSFalcon.psd1
+++ b/PSFalcon.psd1
@@ -1,575 +1,407 @@ @{ - RootModule = 'PSFalcon.psm1' - ModuleVersion = '2.1.1' - CompatiblePSEditions = @('Desktop','Core') - GUID = 'd893eb9f-f6bb-4a40-9caf-aaff0e42acd1' - Author = 'Brendan Kremian' - CompanyName = 'CrowdStrike' - Copyright = '(c) CrowdStrike. All rights reserved.' - Description = 'PowerShell for the CrowdStrike Falcon OAuth2 APIs' - HelpInfoURI = 'https://bk-cs.github.io/help/psfalcon/en-US/' - PowerShellVersion = '5.1' - RequiredAssemblies = @('System.Net.Http') - ScriptsToProcess = @('Class/Class.ps1') - FunctionsToExport = @( - # cloud-connect-aws.ps1 - 'Confirm-FalconDiscoverAwsAccess', - 'Edit-FalconDiscoverAwsAccount', - 'Get-FalconDiscoverAwsAccount', - 'Get-FalconDiscoverAwsSetting', - 'New-FalconDiscoverAwsAccount', - 'Remove-FalconDiscoverAwsAccount', - 'Update-FalconDiscoverAwsSetting', - - # cspm-registration.ps1 - 'Edit-FalconHorizonAwsAccount', - 'Edit-FalconHorizonAzureAccount', - 'Edit-FalconHorizonPolicy', - 'Edit-FalconHorizonSchedule', - 'Get-FalconHorizonAwsAccount', - 'Get-FalconHorizonAwsLink', - 'Get-FalconHorizonAzureAccount', - 'Get-FalconHorizonIoaEvent', - 'Get-FalconHorizonIoaUser', - 'Get-FalconHorizonPolicy', - 'Get-FalconHorizonSchedule', - 'New-FalconHorizonAwsAccount', - 'New-FalconHorizonAzureAccount', - 'Receive-FalconHorizonAwsScript', - 'Receive-FalconHorizonAzureScript', - 'Remove-FalconHorizonAwsAccount', - 'Remove-FalconHorizonAzureAccount', - - # custom-ioa.ps1 - 'Edit-FalconIoaGroup', - 'Edit-FalconIoaRule', - 'Get-FalconIoaGroup', - 'Get-FalconIoaPlatform', - 'Get-FalconIoaRule', - 'Get-FalconIoaSeverity', - 'Get-FalconIoaType', - 'New-FalconIoaGroup', - 'New-FalconIoaRule', - 'Remove-FalconIoaGroup', - 'Remove-FalconIoaRule', - 'Test-FalconIoaRule', - - # d4c-registration.ps1 - 'Get-FalconDiscoverAzureAccount', - 'Get-FalconDiscoverGcpAccount', - 'New-FalconDiscoverAzureAccount', - 'New-FalconDiscoverGcpAccount', - 'Receive-FalconDiscoverAzureScript', - 'Receive-FalconDiscoverGcpScript', - 
'Update-FalconDiscoverAzureAccount', - - # detects.ps1 - 'Edit-FalconDetection', - 'Get-FalconDetection', - - # device-control-policies.ps1 - 'Edit-FalconDeviceControlPolicy', - 'Get-FalconDeviceControlPolicy', - 'Get-FalconDeviceControlPolicyMember', - 'Invoke-FalconDeviceControlPolicyAction', - 'New-FalconDeviceControlPolicy', - 'Remove-FalconDeviceControlPolicy', - 'Set-FalconDeviceControlPrecedence', - - # devices.ps1 - 'Add-FalconHostTag', - 'Get-FalconHost', - 'Invoke-FalconHostAction', - 'Remove-FalconHostTag', - - # falconcomplete-dashboard.ps1 - 'Get-FalconCompleteAllowlist', - 'Get-FalconCompleteBlocklist', - 'Get-FalconCompleteCollection', - 'Get-FalconCompleteDetection', - 'Get-FalconCompleteEscalation', - 'Get-FalconCompleteIncident', - 'Get-FalconCompleteRemediation', - - # falconx-actors.ps1 - 'Get-FalconActor', - - # falconx-indicators.ps1 - 'Get-FalconIndicator', - - # falconx-reports.ps1 - 'Get-FalconIntel', - 'Receive-FalconIntel', - - # falconx-rules.ps1 - 'Get-FalconRule', - 'Receive-FalconRule', - - # falconx-sandbox.ps1 - 'Get-FalconReport', - 'Get-FalconSubmission', - 'Get-FalconSubmissionQuota', - 'New-FalconSubmission', - 'Receive-FalconArtifact', - 'Remove-FalconReport', - - # firewall-management.ps1 - 'Edit-FalconFirewallGroup', - 'Edit-FalconFirewallPolicy', - 'Edit-FalconFirewallSetting', - 'Get-FalconFirewallEvent', - 'Get-FalconFirewallField', - 'Get-FalconFirewallGroup', - 'Get-FalconFirewallPlatform', - 'Get-FalconFirewallPolicy', - 'Get-FalconFirewallPolicyMember', - 'Get-FalconFirewallRule', - 'Get-FalconFirewallSetting', - 'Invoke-FalconFirewallPolicyAction', - 'New-FalconFirewallGroup', - 'New-FalconFirewallPolicy', - 'Remove-FalconFirewallGroup', - 'Remove-FalconFirewallPolicy', - 'Set-FalconFirewallPrecedence', - - # host-group.ps1 - 'Edit-FalconHostGroup', - 'Get-FalconHostGroup', - 'Get-FalconHostGroupMember', - 'Invoke-FalconHostGroupAction', - 'New-FalconHostGroup', - 'Remove-FalconHostGroup', - - # incidents.ps1 - 
'Get-FalconBehavior', - 'Get-FalconIncident', - 'Get-FalconScore', - 'Invoke-FalconIncidentAction', - - # installation-tokens.ps1 - 'Edit-FalconInstallToken', - 'Get-FalconInstallToken', - 'Get-FalconInstallTokenEvent', - 'Get-FalconInstallTokenSetting', - 'New-FalconInstallToken', - 'Remove-FalconInstallToken', - - # ioc.ps1 - 'Edit-FalconIoc', - 'Get-FalconIoc', - 'New-FalconIoc', - 'Remove-FalconIoc', - - # iocs.ps1 - 'Get-FalconIocHost', - 'Get-FalconIocProcess', - - # kubernetes-protection.ps1 - 'Edit-FalconContainerAwsAccount', - 'Get-FalconContainerAwsAccount', - 'Get-FalconContainerCloud', - 'Get-FalconContainerCluster', - 'Invoke-FalconContainerScan', - 'New-FalconContainerAwsAccount', - 'New-FalconContainerKey', - 'Receive-FalconContainerYaml', - 'Remove-FalconContainerAwsAccount', - - # malquery.ps1 - 'Get-FalconMalQuery', - 'Get-FalconMalQueryQuota', - 'Get-FalconMalQuerySample', - 'Group-FalconMalQuerySample', - 'Invoke-FalconMalQuery', - 'Receive-FalconMalQuerySample', - 'Search-FalconMalQueryHash', - - # ml-exclusions.ps1 - 'Edit-FalconMlExclusion', - 'Get-FalconMlExclusion', - 'New-FalconMlExclusion', - 'Remove-FalconMlExclusion', - - # mssp.ps1 - 'Add-FalconCidGroupMember', - 'Add-FalconGroupRole', - 'Add-FalconUserGroupMember', - 'Edit-FalconCidGroup', - 'Edit-FalconUserGroup', - 'Get-FalconCidGroup', - 'Get-FalconCidGroupMember', - 'Get-FalconGroupRole', - 'Get-FalconMemberCid', - 'Get-FalconUserGroup', - 'Get-FalconUserGroupMember', - 'New-FalconCidGroup', - 'New-FalconUserGroup', - 'Remove-FalconCidGroup', - 'Remove-FalconCidGroupMember', - 'Remove-FalconGroupRole', - 'Remove-FalconUserGroup', - 'Remove-FalconUserGroupMember', - - # oauth2.ps1 - 'Request-FalconToken', - 'Revoke-FalconToken', - 'Test-FalconToken', - - # overwatch-dashboard.ps1 - 'Get-FalconOverWatchEvent', - 'Get-FalconOverWatchDetection', - 'Get-FalconOverWatchIncident', - - # prevention-policies.ps1 - 'Edit-FalconPreventionPolicy', - 'Get-FalconPreventionPolicy', - 
'Get-FalconPreventionPolicyMember', - 'Invoke-FalconPreventionPolicyAction', - 'New-FalconPreventionPolicy', - 'Remove-FalconPreventionPolicy', - 'Set-FalconPreventionPrecedence', - - # psfalcon.psd1 - 'Export-FalconConfig', - 'Export-FalconReport', - 'Find-FalconDuplicate', - 'Get-FalconQueue', - 'Import-FalconConfig', - 'Invoke-FalconDeploy', - 'Invoke-FalconRtr', - 'Send-FalconWebhook', - 'Show-FalconMap', - 'Show-FalconModule', - - # quick-scan.ps1 - 'Get-FalconQuickScan', - 'Get-FalconQuickScanQuota', - 'New-FalconQuickScan', - - # real-time-response-admin.ps1 - 'Confirm-FalconAdminCommand', - 'Edit-FalconScript', - 'Get-FalconPutFile', - 'Get-FalconScript', - 'Invoke-FalconAdminCommand', - 'Remove-FalconPutFile', - 'Remove-FalconScript', - 'Send-FalconPutFile', - 'Send-FalconScript', - - # real-time-response.ps1 - 'Confirm-FalconCommand', - 'Confirm-FalconGetFile', - 'Confirm-FalconResponderCommand', - 'Get-FalconSession', - 'Invoke-FalconBatchGet', - 'Invoke-FalconCommand', - 'Invoke-FalconResponderCommand', - 'Receive-FalconGetFile', - 'Remove-FalconCommand', - 'Remove-FalconGetFile', - 'Remove-FalconSession', - 'Start-FalconSession', - 'Update-FalconSession', - - # recon-monitoring-rules.ps1 - 'Edit-FalconReconAction', - 'Edit-FalconReconNotification', - 'Edit-FalconReconRule', - 'Get-FalconReconAction', - 'Get-FalconReconNotification', - 'Get-FalconReconRule', - 'Get-FalconReconRulePreview', - 'New-FalconReconAction', - 'New-FalconReconRule', - 'Remove-FalconReconAction', - 'Remove-FalconReconRule', - 'Remove-FalconReconNotification', - - # response-policies.ps1 - 'Edit-FalconResponsePolicy', - 'Get-FalconResponsePolicy', - 'Get-FalconResponsePolicyMember' - 'Invoke-FalconResponsePolicyAction', - 'New-FalconResponsePolicy', - 'Remove-FalconResponsePolicy', - 'Set-FalconResponsePrecedence', - - # samplestore.ps1 - 'Get-FalconSample', - 'Send-FalconSample', - 'Receive-FalconSample', - 'Remove-FalconSample', - - # self-service-ioa-exclusions.ps1 - 
'Edit-FalconIoaExclusion', - 'Get-FalconIoaExclusion', - 'Remove-FalconIoaExclusion', - - # sensor-installers.ps1 - 'Get-FalconCcid', - 'Get-FalconInstaller', - 'Receive-FalconInstaller', - - # sensor-update-policies.ps1 - 'Edit-FalconSensorUpdatePolicy', - 'Get-FalconBuild', - 'Get-FalconSensorUpdatePolicy', - 'Get-FalconSensorUpdatePolicyMember', - 'Get-FalconUninstallToken', - 'Invoke-FalconSensorUpdatePolicyAction', - 'New-FalconSensorUpdatePolicy', - 'Remove-FalconSensorUpdatePolicy', - 'Set-FalconSensorUpdatePrecedence', - - # sensor-visibility-exclusions.ps1 - 'Edit-FalconSvExclusion', - 'Get-FalconSvExclusion', - 'New-FalconSvExclusion', - 'Remove-FalconSvExclusion', - - # spotlight-vulnerabilities.ps1 - 'Get-FalconRemediation', - 'Get-FalconVulnerability', - - # streaming.ps1 - 'Get-FalconStream', - 'Update-FalconStream', - - # usermgmt.ps1 - 'Add-FalconRole', - 'Edit-FalconUser', - 'Get-FalconRole', - 'Get-FalconUser', - 'New-FalconUser', - 'Remove-FalconRole', - 'Remove-FalconUser', - - # zero-trust-assessment.ps1 - 'Get-FalconZta' - ) - CmdletsToExport = @() - VariablesToExport = '*' - AliasesToExport = @() - PrivateData = @{ - PSData = @{ - Tags = @('CrowdStrike','Falcon','OAuth2','REST','API','PSEdition_Desktop','PSEdition_Core', - 'Windows','Linux','MacOS') - LicenseUri = 'https://raw.githubusercontent.com/CrowdStrike/psfalcon/master/LICENSE' - ProjectUri = 'https://github.com/crowdstrike/psfalcon' - IconUri = 'https://raw.githubusercontent.com/CrowdStrike/psfalcon/master/icon.png' - ReleaseNotes = @" -General Changes - -* Changed class [Falcon] to [ApiClient]. [ApiClient] is generic and can work with other APIs, which helps enable - the use of [ApiClient] for other scripts or modules. It includes a '.Path()' method to convert relative to - absolute filepaths, and '.Invoke()' which accepts a hashtable of parameters ('Path', 'Method', 'Headers', - 'Outfile', 'Formdata' and 'Body') and produces a [System.Net.Http.HttpResponseMessage]. 
- -* [ApiClient] now uses a single [System.Net.Http.HttpClient] and [System.Net.Http.HttpClientHandler] instead of - rebuilding during each request, which follows Microsoft's recommendations and _greatly_ increases performance. - -* PSFalcon no longer outputs to 'Write-Debug', meaning that the '-Debug' parameter will no longer provide - any additional information. Similar output is provided to 'Write-Verbose' instead. 'Write-Verbose' output has - been modified to include response header information that was not previously visible. - -* Re-wrote and re-organized the module manifest (PSFalcon.psd1) and 'Private' functions (Private.ps1). - -* Removed decimal second values from output when converting from relative time ('last 1 days') to RFC-3339. - -* Added 'Confirm-String' to output 'type' based on RegEx matching. Used to validate values in commands like - 'Show-FalconMap'. This will probably be worked in to validate relevant values in other commands in the future. - -* The 'Invoke-Loop' function (which powers the '-All' parameter) now produces an error when a loop ends and there - are results remaining (API limit). - -* Renamed 'Public' scripts to be organized by their permission (rather than URL path) and included some commands - that were previously in 'Public\scripts.ps1'. Renamed 'Public\scripts.ps1' to 'Public\psfalcon.ps1'. - -* All 'Public' functions (commands that users type) have been re-written to use static parameters, which removed - the custom '-Help' parameter and supports the use of 'Get-Help'. The help content has also been moved online. - Use 'Update-Help -Module PSFalcon' to download extended help information, including examples previously - accessible through the GitHub-based PSFalcon Wiki. - -* Added '.Roles' in-line comment to functions which allows users to 'Get-Help -Role ' and find - commands that are available based on required API permission. 
For instance, typing 'Get-Help -Role devices:read' - will display the 'Get-FalconHost' command, while 'Get-Help -Role devices:write' lists 'Add-FalconHostTag', - 'Invoke-FalconHostAction' and 'Remove-FalconHostTag'. Wildcards (devices:*, *:write) are supported. - -* Modified 'meta' output from commands. Previously, if the field 'writes' was present under 'meta', the command - result would output the sub-field 'resources_affected'. Now the command will output 'writes', leading to a - result of '@{ writes = @{ resources_affected = [int] }}' rather than '@{ resources_affected = [int] }'. This - will allow for the output of unexpected results, but may impact existing scripts. - -* Updated the '-Array' parameter to validate objects within the array for required fields when submitting multiple - policies/groups/rules/notifications to create/edit in one request. - -* Updated commands with an '-Id' parameter to accept 'Id' from the pipeline (property and value). - + RootModule = 'PSFalcon.psm1' + ModuleVersion = '2.1.2' + CompatiblePSEditions = @('Desktop','Core') + GUID = 'd893eb9f-f6bb-4a40-9caf-aaff0e42acd1' + Author = 'Brendan Kremian' + CompanyName = 'CrowdStrike' + Copyright = '(c) CrowdStrike. All rights reserved.' 
+ Description = 'PowerShell for the CrowdStrike Falcon OAuth2 APIs' + HelpInfoURI = 'https://bk-cs.github.io/help/psfalcon/en-US' + PowerShellVersion = '5.1' + RequiredAssemblies = @('System.Net.Http') + ScriptsToProcess = @('Class/Class.ps1') + FunctionsToExport = @( + # cloud-connect-aws.ps1 + 'Confirm-FalconDiscoverAwsAccess', + 'Edit-FalconDiscoverAwsAccount', + 'Get-FalconDiscoverAwsAccount', + 'Get-FalconDiscoverAwsSetting', + 'New-FalconDiscoverAwsAccount', + 'Remove-FalconDiscoverAwsAccount', + 'Update-FalconDiscoverAwsSetting', + + # cspm-registration.ps1 + 'Edit-FalconHorizonAwsAccount', + 'Edit-FalconHorizonAzureAccount', + 'Edit-FalconHorizonPolicy', + 'Edit-FalconHorizonSchedule', + 'Get-FalconHorizonAwsAccount', + 'Get-FalconHorizonAwsLink', + 'Get-FalconHorizonAzureAccount', + 'Get-FalconHorizonIoaEvent', + 'Get-FalconHorizonIoaUser', + 'Get-FalconHorizonPolicy', + 'Get-FalconHorizonSchedule', + 'New-FalconHorizonAwsAccount', + 'New-FalconHorizonAzureAccount', + 'Receive-FalconHorizonAwsScript', + 'Receive-FalconHorizonAzureScript', + 'Remove-FalconHorizonAwsAccount', + 'Remove-FalconHorizonAzureAccount', + + # custom-ioa.ps1 + 'Edit-FalconIoaGroup', + 'Edit-FalconIoaRule', + 'Get-FalconIoaGroup', + 'Get-FalconIoaPlatform', + 'Get-FalconIoaRule', + 'Get-FalconIoaSeverity', + 'Get-FalconIoaType', + 'New-FalconIoaGroup', + 'New-FalconIoaRule', + 'Remove-FalconIoaGroup', + 'Remove-FalconIoaRule', + 'Test-FalconIoaRule', + + # d4c-registration.ps1 + 'Get-FalconDiscoverAzureAccount', + 'Get-FalconDiscoverGcpAccount', + 'New-FalconDiscoverAzureAccount', + 'New-FalconDiscoverGcpAccount', + 'Receive-FalconDiscoverAzureScript', + 'Receive-FalconDiscoverGcpScript', + 'Update-FalconDiscoverAzureAccount', + + # detects.ps1 + 'Edit-FalconDetection', + 'Get-FalconDetection', + + # device-control-policies.ps1 + 'Edit-FalconDeviceControlPolicy', + 'Get-FalconDeviceControlPolicy', + 'Get-FalconDeviceControlPolicyMember', + 'Invoke-FalconDeviceControlPolicyAction', + 
'New-FalconDeviceControlPolicy', + 'Remove-FalconDeviceControlPolicy', + 'Set-FalconDeviceControlPrecedence', + + # devices.ps1 + 'Add-FalconHostTag', + 'Get-FalconHost', + 'Invoke-FalconHostAction', + 'Remove-FalconHostTag', + + # falcon-container.ps1 + 'Get-FalconContainerToken', + + # falconcomplete-dashboard.ps1 + 'Get-FalconCompleteAllowlist', + 'Get-FalconCompleteBlocklist', + 'Get-FalconCompleteCollection', + 'Get-FalconCompleteDetection', + 'Get-FalconCompleteEscalation', + 'Get-FalconCompleteIncident', + 'Get-FalconCompleteRemediation', + + # falconx-actors.ps1 + 'Get-FalconActor', + + # falconx-indicators.ps1 + 'Get-FalconIndicator', + + # falconx-reports.ps1 + 'Get-FalconIntel', + 'Receive-FalconIntel', + + # falconx-rules.ps1 + 'Get-FalconRule', + 'Receive-FalconRule', + + # falconx-sandbox.ps1 + 'Get-FalconReport', + 'Get-FalconSubmission', + 'Get-FalconSubmissionQuota', + 'New-FalconSubmission', + 'Receive-FalconArtifact', + 'Remove-FalconReport', + + # firewall-management.ps1 + 'Edit-FalconFirewallGroup', + 'Edit-FalconFirewallPolicy', + 'Edit-FalconFirewallSetting', + 'Get-FalconFirewallEvent', + 'Get-FalconFirewallField', + 'Get-FalconFirewallGroup', + 'Get-FalconFirewallPlatform', + 'Get-FalconFirewallPolicy', + 'Get-FalconFirewallPolicyMember', + 'Get-FalconFirewallRule', + 'Get-FalconFirewallSetting', + 'Invoke-FalconFirewallPolicyAction', + 'New-FalconFirewallGroup', + 'New-FalconFirewallPolicy', + 'Remove-FalconFirewallGroup', + 'Remove-FalconFirewallPolicy', + 'Set-FalconFirewallPrecedence', + + # host-group.ps1 + 'Edit-FalconHostGroup', + 'Get-FalconHostGroup', + 'Get-FalconHostGroupMember', + 'Invoke-FalconHostGroupAction', + 'New-FalconHostGroup', + 'Remove-FalconHostGroup', + + # incidents.ps1 + 'Get-FalconBehavior', + 'Get-FalconIncident', + 'Get-FalconScore', + 'Invoke-FalconIncidentAction', + + # installation-tokens.ps1 + 'Edit-FalconInstallToken', + 'Get-FalconInstallToken', + 'Get-FalconInstallTokenEvent', + 
'Get-FalconInstallTokenSetting', + 'New-FalconInstallToken', + 'Remove-FalconInstallToken', + + # ioc.ps1 + 'Edit-FalconIoc', + 'Get-FalconIoc', + 'New-FalconIoc', + 'Remove-FalconIoc', + + # iocs.ps1 + 'Get-FalconIocHost', + 'Get-FalconIocProcess', + + # kubernetes-protection.ps1 + 'Edit-FalconContainerAwsAccount', + 'Get-FalconContainerAwsAccount', + 'Get-FalconContainerCloud', + 'Get-FalconContainerCluster', + 'Invoke-FalconContainerScan', + 'New-FalconContainerAwsAccount', + 'New-FalconContainerKey', + 'Receive-FalconContainerYaml', + 'Remove-FalconContainerAwsAccount', + + # malquery.ps1 + 'Get-FalconMalQuery', + 'Get-FalconMalQueryQuota', + 'Get-FalconMalQuerySample', + 'Group-FalconMalQuerySample', + 'Invoke-FalconMalQuery', + 'Receive-FalconMalQuerySample', + 'Search-FalconMalQueryHash', + + # ml-exclusions.ps1 + 'Edit-FalconMlExclusion', + 'Get-FalconMlExclusion', + 'New-FalconMlExclusion', + 'Remove-FalconMlExclusion', + + # mssp.ps1 + 'Add-FalconCidGroupMember', + 'Add-FalconGroupRole', + 'Add-FalconUserGroupMember', + 'Edit-FalconCidGroup', + 'Edit-FalconUserGroup', + 'Get-FalconCidGroup', + 'Get-FalconCidGroupMember', + 'Get-FalconGroupRole', + 'Get-FalconMemberCid', + 'Get-FalconUserGroup', + 'Get-FalconUserGroupMember', + 'New-FalconCidGroup', + 'New-FalconUserGroup', + 'Remove-FalconCidGroup', + 'Remove-FalconCidGroupMember', + 'Remove-FalconGroupRole', + 'Remove-FalconUserGroup', + 'Remove-FalconUserGroupMember', + + # oauth2.ps1 + 'Request-FalconToken', + 'Revoke-FalconToken', + 'Test-FalconToken', + + # overwatch-dashboard.ps1 + 'Get-FalconOverWatchEvent', + 'Get-FalconOverWatchDetection', + 'Get-FalconOverWatchIncident', + + # prevention-policies.ps1 + 'Edit-FalconPreventionPolicy', + 'Get-FalconPreventionPolicy', + 'Get-FalconPreventionPolicyMember', + 'Invoke-FalconPreventionPolicyAction', + 'New-FalconPreventionPolicy', + 'Remove-FalconPreventionPolicy', + 'Set-FalconPreventionPrecedence', + + # psfalcon.psd1 + 'Export-FalconConfig', + 
'Export-FalconReport', + 'Find-FalconDuplicate', + 'Get-FalconQueue', + 'Import-FalconConfig', + 'Invoke-FalconDeploy', + 'Invoke-FalconRtr', + 'Send-FalconWebhook', + 'Show-FalconMap', + 'Show-FalconModule', + + # quick-scan.ps1 + 'Get-FalconQuickScan', + 'Get-FalconQuickScanQuota', + 'New-FalconQuickScan', + + # real-time-response-admin.ps1 + 'Confirm-FalconAdminCommand', + 'Edit-FalconScript', + 'Get-FalconPutFile', + 'Get-FalconScript', + 'Invoke-FalconAdminCommand', + 'Remove-FalconPutFile', + 'Remove-FalconScript', + 'Send-FalconPutFile', + 'Send-FalconScript', + + # real-time-response.ps1 + 'Confirm-FalconCommand', + 'Confirm-FalconGetFile', + 'Confirm-FalconResponderCommand', + 'Get-FalconSession', + 'Invoke-FalconBatchGet', + 'Invoke-FalconCommand', + 'Invoke-FalconResponderCommand', + 'Receive-FalconGetFile', + 'Remove-FalconCommand', + 'Remove-FalconGetFile', + 'Remove-FalconSession', + 'Start-FalconSession', + 'Update-FalconSession', + + # recon-monitoring-rules.ps1 + 'Edit-FalconReconAction', + 'Edit-FalconReconNotification', + 'Edit-FalconReconRule', + 'Get-FalconReconAction', + 'Get-FalconReconNotification', + 'Get-FalconReconRule', + 'Get-FalconReconRulePreview', + 'New-FalconReconAction', + 'New-FalconReconRule', + 'Remove-FalconReconAction', + 'Remove-FalconReconRule', + 'Remove-FalconReconNotification', + + # response-policies.ps1 + 'Edit-FalconResponsePolicy', + 'Get-FalconResponsePolicy', + 'Get-FalconResponsePolicyMember' + 'Invoke-FalconResponsePolicyAction', + 'New-FalconResponsePolicy', + 'Remove-FalconResponsePolicy', + 'Set-FalconResponsePrecedence', + + # samplestore.ps1 + 'Get-FalconSample', + 'Send-FalconSample', + 'Receive-FalconSample', + 'Remove-FalconSample', + + # self-service-ioa-exclusions.ps1 + 'Edit-FalconIoaExclusion', + 'Get-FalconIoaExclusion', + 'New-FalconIoaExclusion', + 'Remove-FalconIoaExclusion', + + # sensor-installers.ps1 + 'Get-FalconCcid', + 'Get-FalconInstaller', + 'Receive-FalconInstaller', + + # 
sensor-update-policies.ps1 + 'Edit-FalconSensorUpdatePolicy', + 'Get-FalconBuild', + 'Get-FalconSensorUpdatePolicy', + 'Get-FalconSensorUpdatePolicyMember', + 'Get-FalconUninstallToken', + 'Invoke-FalconSensorUpdatePolicyAction', + 'New-FalconSensorUpdatePolicy', + 'Remove-FalconSensorUpdatePolicy', + 'Set-FalconSensorUpdatePrecedence', + + # sensor-visibility-exclusions.ps1 + 'Edit-FalconSvExclusion', + 'Get-FalconSvExclusion', + 'New-FalconSvExclusion', + 'Remove-FalconSvExclusion', + + # scheduled-report.ps1 + 'Get-FalconScheduledReport', + 'Receive-FalconScheduledReport', + + # spotlight-vulnerabilities.ps1 + 'Get-FalconRemediation', + 'Get-FalconVulnerability', + + # streaming.ps1 + 'Get-FalconStream', + 'Update-FalconStream', + + # usermgmt.ps1 + 'Add-FalconRole', + 'Edit-FalconUser', + 'Get-FalconRole', + 'Get-FalconUser', + 'New-FalconUser', + 'Remove-FalconRole', + 'Remove-FalconUser', + + # zero-trust-assessment.ps1 + 'Get-FalconZta' + ) + CmdletsToExport = @() + VariablesToExport = '*' + AliasesToExport = @() + PrivateData = @{ + PSData = @{ + Tags = @('CrowdStrike','Falcon','OAuth2','REST','API','PSEdition_Desktop','PSEdition_Core', + 'Windows','Linux','MacOS') + LicenseUri = 'https://raw.githubusercontent.com/CrowdStrike/psfalcon/master/LICENSE' + ProjectUri = 'https://github.com/crowdstrike/psfalcon' + IconUri = 'https://raw.githubusercontent.com/CrowdStrike/psfalcon/master/icon.png' + ReleaseNotes = @" New Commands +* container-security + 'Get-FalconContainerToken' -* cspm-registration - 'Edit-FalconHorizonAwsAccount' - 'Get-FalconHorizonIoaEvent' - 'Get-FalconHorizonIoaUser' - -* d4c-registration - 'Receive-FalconDiscoverAzureScript' - -* iocs - 'Get-FalconIocHost' - 'Get-FalconIocProcess' - -* kubernetes-protection - 'Edit-FalconContainerAwsAccount' - 'Get-FalconContainerAwsAccount' - 'Get-FalconContainerCloud' - 'Get-FalconContainerCluster' - 'Invoke-FalconContainerScan' - 'Edit-FalconDiscoverAzureAccount' - 'New-FalconContainerAwsAccount' - 
'New-FalconContainerKey' - 'Receive-FalconContainerYaml' - 'Remove-FalconContainerAwsAccount' - -* psfalcon - 'Send-FalconWebhook' - -* recon-monitoring-rules - 'Edit-FalconReconNotification' - 'Get-FalconReconRulePreview' - -Command Changes -* Edit-FalconHorizonAzureAccount - Added parameters to utilize '/cloud-connect-cspm-azure/entities/default-subscription-id/v1'. - -* Edit-FalconFirewallGroup - Updated to retrieve required values when not provided. Removed '-Tracking'. - -* Edit-FalconFirewallSetting - Renamed '-PolicyId' to '-Id'. - - Updated to retrieve required required values when not provided. Removed '-Tracking'. +* scheduled-report + 'Get-FalconScheduledReport' + 'Receive-FalconScheduledReport' - Removed '-IsDefaultPolicy' parameter as it doesn't seem to do anything. - -* Edit-FalconIoaGroup - Updated to retrieve required required values when not provided. Removed '-RulegroupVersion'. - -* Edit-FalconIoaRule - Updated to retrieve required required values when not provided. Removed '-RulegroupVersion'. +* self-service-ioa-exclusions + 'New-FalconIoaExclusion' +Command Changes * Export-FalconConfig - Changed archive name to 'FalconConfig_.zip' from 'FalconConfig_.zip'. - -* Export-FalconReport - Re-written to display results based on the object, rather than static 'properties' of a result, meaning it is - no longer 'hard-coded' to display results a certain way. See 'Get-Help Export-FalconReport' for more explanation. - - Added '-WhatIf' support to show the resulting export rather than exporting to CSV. + Added 'IoaExclusion' to '-Items'. -* Find-FalconDuplicate - Updated command to retrieve Host results automatically when '-Hosts' is not provided. +* Get-FalconHost + Added '-Network' parameter to retrieve network address history using host identifier(s). - Added '-Filter' parameter to use additional property to determine whether a device is a duplicate. See 'Get-Help - Find-FalconDuplicate' for more information. 
+ Added '-Login' parameter to retrieve user login history using host identifier(s). - Updated to exclude devices with empty values (both 'hostname' and any provided '-Filter'). + Added '-Include' parameter with values 'login_history' and 'network_history' to include data with regular + output. - Updated output to include 'cid' to avoid potential problems if 'Find-FalconDuplicate' is used within a - parent-level CID. - -* Get-FalconDiscoverAwsSettings - Renamed to 'Get-FalconDiscoverAwsSetting'. - -* Get-FalconFirewallRule - Added '-PolicyId' parameter to return rules (in precedence order) from a specific policy. - -* Get-FalconInstallTokenSettings - Renamed to 'Get-FalconInstallTokenSetting'. - -* Get-FalconIocHost - Added '-Total' to provide the functionality of the command 'Get-FalconIocTotal'. - -* Get-FalconIocProcess - Added '-Ids' to provide the functionality of the command 'Get-FalconProcess'. +* Get-FalconZta + Added '/zero-trust-assessment/entities/audit/v1:get' endpoint to 'Get-FalconZta' to provide summary-level + Zero Trust Assessment results for your entire CID. * Import-FalconConfig - Added warning when creating 'IoaGroup' to make it clear that Custom IOA Rule Groups are not assigned to - Prevention policies (due to a limitation in data from the related APIs). - - Added '-Force' parameter to assign items to matching Host Groups (by 'name') that are present within the CID. - - Added warning messages ('[missing_assignment]') when items are unable to be created due to missing Host Groups. - -* Invoke-FalconCommand, Invoke-FalconResponderCommand, Invoke-FalconAdminCommand - Re-organized positioning to place '-SessionId' and '-BatchId' in front. - -* Invoke-FalconBatchGet - Re-organized positioning to place '-BatchId' in front. - - Changed output format so that, nstead of returning the entire Json response, the result will have the properties - 'batch_get_cmd_req_id' and 'hosts' (similar to how 'Start-FalconSession' displays a batch session result). 
- -* Invoke-FalconDeploy - Added '-GroupId' to run the command against a Host Group. Parameter positioning has been re-organized to - compensate. - -* Edit-FalconIoaGroup - Updated to retrieve required values from existing rule group when not provided. - -* Edit-FalconIoaRule - Updated to retrieve required values from existing rule when not provided. - -* Invoke-FalconRTR - Added '-GroupId' to run a Real-time Response command against a Host Group. Parameter positioning has been - re-organized to compensate. - - Removed all 'single host' Real-time Response code. Now 'Invoke-FalconRTR' always uses batch sessions, which - should have minimal impact on the use of the command, but is easier to support. - -* Remove-FalconGetFile - Renamed '-Ids' parameter to '-Id' to reflect single value requirement. - -* Remove-FalconSession - Renamed '-SessionId' to '-Id'. - -* Request-FalconToken - Added '-Hostname' parameter and set as default. '-Cloud' is still available, but needs to be specified with a - 'us-1', 'us-2', 'eu-1' or 'us-gov-1' value. - - Added support for redirection when requesting an OAuth2 access token. PSFalcon will use 'X-Cs-Region' from - response when provided 'Hostname' does not match. - - Added TLS 1.2 enforcement and custom 'crowdstrike-psfalcon/' user-agent string. - - Added 'ClientId', 'ClientSecret', 'Hostname', and 'Cloud' as named properties that can be passed through the - pipeline. - -* Send-FalconSample - Added support for uploading archives. - -* Update-FalconDiscoverAwsSettings - Renamed to 'Update-FalconDiscoverAwsSetting'. + Added 'IoaExclusion' for import and assignment. GitHub Issues - -* Issue #48: Updated 'Invoke-Loop' private function with a more explicit counting method to eliminate endless - loops in PowerShell 5.1. - -* Issue #51: Switched 'Edit-FalconScript' and 'Send-FalconScript' to use the 'content' field rather than 'file'. - -* Issue #53: 'Wait-RetryAfter' function was re-written to re-calculate the 'X-Cs-WaitRetryAfter' time. 
- -* Issue #54: Updated 'Get-FalconHorizonPolicy' with additional '-Service' names. - -* Issue #59: Updated 'New-Falcon...Policy' commands to use 'clone_id' values in the appropriate places. - -* Issue #62: Added 'user-agent' to 'Request-FalconToken'. - -* Issue #63: Modified the way the 'maximum URL length' is calculated to avoid unexpected 'URL too long' HTML - response errors from differences between cloud environments. +* Issue #67: Solved. Apparently you can't use a trailing slash for 'HelpInfoUri'... +* Issue #68: Fixed typo which prevented 'Remove-FalconReconNotification' from being available +* Issue #69: Moved code from 'begin{}' block to 'process{}' block for relevant commands. "@ - } - } + } + } } \ No newline at end of file diff --git a/Private/Private.ps1 b/Private/Private.ps1 index d4c4a124..00e81c91 100644 --- a/Private/Private.ps1 +++ b/Private/Private.ps1 @@ -772,11 +772,11 @@ function Update-FieldName { [object] $Inputs ) process { + # Update user input field names for API submission if ($Fields.Keys -and $Inputs.Keys) { - # Update user input field names for API submission ($Fields.Keys).foreach{ if ($Inputs.$_) { - $Inputs.Add($Fields.$_, $Inputs.$_) + $Inputs["$($Fields.$_)"] = $Inputs.$_ [void] $Inputs.Remove($_) } } diff --git a/Public/custom-ioa.ps1 b/Public/custom-ioa.ps1 index aa40773f..024e1b1e 100644 --- a/Public/custom-ioa.ps1 +++ b/Public/custom-ioa.ps1 @@ -18,11 +18,11 @@ function Edit-FalconIoaGroup { [Parameter(ParameterSetName = '/ioarules/entities/rule-groups/v1:patch', Position = 5)] [string] $Comment ) - begin { + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName - Inputs = Update-FieldName -Fields $Fields -Inputs $PSBoundParameters + Inputs = $PSBoundParameters Format = @{ Body = @{ root = @('description', 'rulegroup_version', 'name', 'enabled', 'id', 'comment') 
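Review bot: `'Get-FalconResponsePolicyMember'` in the rewritten response-policies section of FunctionsToExport still carries no trailing comma; inside `@( … )` a line break separates statements so the array is still produced, but it is inconsistent with every other entry and easy to break when the next name is added — change it to `'Get-FalconResponsePolicyMember',`. The section header above `'Export-FalconConfig'` reads `# psfalcon.psd1` while the diffstat and the release notes call that script `Public/psfalcon.ps1`, so the comment should be `# psfalcon.ps1`. `VariablesToExport = '*'` also survives the rewrite; unless a module variable is intentionally public, `VariablesToExport = @()` keeps the module surface explicit (PSScriptAnalyzer flags wildcard export fields in manifests).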
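Review bot: `if ($Inputs.$_)` in Update-FieldName skips any bound parameter whose value is falsy, so a caller passing `-Enabled $false` (or 0, or an empty string) never has its key renamed to the API field name and the value presumably never reaches the request body; the new indexer assignment does not change that. Since the `.Keys`/`.Remove` calls imply `$Inputs` is a dictionary, test for presence instead: `if ($Inputs.ContainsKey($_)) {`. Note also that replacing `$Inputs.Add(...)` with `$Inputs["$($Fields.$_)"] = $Inputs.$_` turns a duplicate-key exception into a silent overwrite, so if both the PowerShell name and the API name are ever bound the API-named value is clobbered without warning. Update-FieldName's signature starts outside the hunk.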
@@ -41,12 +41,10 @@ function Edit-FalconIoaGroup { } else { $Existing.$_ } - $PSBoundParameters.Add($_,$Value) + $PSBoundParameters[$_] = $Value } } } - } - process { Invoke-Falcon @Param } } @@ -102,7 +100,7 @@ function Edit-FalconIoaRule { } else { $Existing.$_ } - $PSBoundParameters.Add($_,$Value) + $PSBoundParameters[$_] = $Value } } } diff --git a/Public/device-control-policies.ps1 b/Public/device-control-policies.ps1 index 7cc9f6dd..ab9110b0 100644 --- a/Public/device-control-policies.ps1 +++ b/Public/device-control-policies.ps1 @@ -34,6 +34,8 @@ function Edit-FalconDeviceControlPolicy { $Fields = @{ Array = 'resources' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = '/policy/entities/device-control/v1:patch' @@ -45,8 +47,6 @@ function Edit-FalconDeviceControlPolicy { } } } - } - process { Invoke-Falcon @Param } } @@ -139,7 +139,7 @@ function Get-FalconDeviceControlPolicyMember { [Parameter(ParameterSetName = '/policy/queries/device-control-members/v1:get')] [switch] $Total ) - begin { + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -148,8 +148,6 @@ function Get-FalconDeviceControlPolicyMember { Query = @('sort', 'offset', 'filter', 'id', 'limit') } } - } - process { Invoke-Falcon @Param } } @@ -174,15 +172,17 @@ function Invoke-FalconDeviceControlPolicyAction { $Fields = @{ name = 'action_name' } - $PSBoundParameters.Add('Ids', @( $PSBoundParameters.Id )) + } + process { + $PSBoundParameters['Ids'] = @( $PSBoundParameters.Id ) [void] $PSBoundParameters.Remove('Id') if ($PSBoundParameters.GroupId) { - $PSBoundParameters.Add('action_parameters', @( + $PSBoundParameters['action_parameters'] = @( @{ name = 'group_id' value = $PSBoundParameters.GroupId } - )) + ) [void] $PSBoundParameters.Remove('GroupId') } $Param = @{ @@ -196,8 +196,6 @@ function Invoke-FalconDeviceControlPolicyAction { } } } - } - process { Invoke-Falcon @Param } } 
diff --git a/Public/devices.ps1 b/Public/devices.ps1 index 3b4196e6..69cfe1f4 100644 --- a/Public/devices.ps1 +++ b/Public/devices.ps1 @@ -13,7 +13,7 @@ function Add-FalconHostTag { $Fields = @{ Ids = 'device_ids' } - $PSBoundParameters.Add('action', 'add') + $PSBoundParameters['action'] = 'add' $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -33,6 +33,10 @@ function Get-FalconHost { [CmdletBinding(DefaultParameterSetName = '/devices/queries/devices-scroll/v1:get')] param( [Parameter(ParameterSetName = '/devices/entities/devices/v1:get', Mandatory = $true, Position = 1)] + [Parameter(ParameterSetName = '/devices/combined/devices/login-history/v1:post', Mandatory = $true, + Position = 1)] + [Parameter(ParameterSetName = '/devices/combined/devices/network-address-history/v1:post', + Mandatory = $true, Position = 1)] [ValidatePattern('^\w{32}$')] [array] $Ids, @@ -53,8 +57,20 @@ function Get-FalconHost { [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get', Position = 4)] [string] $Offset, + [Parameter(ParameterSetName = '/devices/queries/devices-scroll/v1:get', Position = 5)] + [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get', Position = 5)] + [ValidateSet('login_history', 'network_history')] + [array] $Include, + [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get', Mandatory = $true)] [switch] $Hidden, + + [Parameter(ParameterSetName = '/devices/combined/devices/login-history/v1:post', Mandatory = $true)] + [switch] $Login, + + [Parameter(ParameterSetName = '/devices/combined/devices/network-address-history/v1:post', + Mandatory = $true)] + [switch] $Network, [Parameter(ParameterSetName = '/devices/queries/devices-scroll/v1:get')] [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get')] 
@@ -73,13 +89,43 @@ function Get-FalconHost { Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Inputs = $PSBoundParameters - Format = @{ - Query = @('ids', 'filter', 'sort', 'limit', 'offset') - } } } process { - Invoke-Falcon @Param + $Param['Format'] = if ($Param.Endpoint -match 'post$') { + @{ Body = @{ root = @('ids') }} + } else { + @{ Query = @('ids', 'filter', 'sort', 'limit', 'offset') } + } + $Request = Invoke-Falcon @Param + if ($PSBoundParameters.Include) { + if (!$Request.device_id) { + $Request = ($Request).foreach{ + ,[PSCustomObject] @{ device_id = $_ } + } + } + if ($PSBoundParameters.Include -contains 'login_history') { + foreach ($Object in (& $MyInvocation.MyCommand.Name -Ids $Request.device_id -Login)) { + $AddParam = @{ + Object = $Request | Where-Object { $_.device_id -eq $Object.device_id } + Name = 'login_history' + Value = $Object.recent_logins + } + Add-Property @AddParam + } + } + if ($PSBoundParameters.Include -contains 'network_history') { + foreach ($Object in (& $MyInvocation.MyCommand.Name -Ids $Request.device_id -Network)) { + $AddParam = @{ + Object = $Request | Where-Object { $_.device_id -eq $Object.device_id } + Name = 'network_history' + Value = $Object.history + } + Add-Property @AddParam + } + } + } + $Request } } function Invoke-FalconHostAction { @@ -135,7 +181,7 @@ function Remove-FalconHostTag { $Fields = @{ Ids = 'device_ids' } - $PSBoundParameters.Add('action', 'remove') + $PSBoundParameters['action'] = 'remove' $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName diff --git a/Public/falcon-container.ps1 b/Public/falcon-container.ps1 new file mode 100644 index 00000000..67554872 --- /dev/null +++ b/Public/falcon-container.ps1 
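Review bot: In Get-FalconHost's new `process {}` block, an empty query result combined with `-Include` passes `$Request.device_id` (null) as the mandatory `-Ids` of the recursive `& $MyInvocation.MyCommand.Name` calls, so parameter binding fails instead of the command returning nothing; guarding the enrichment with `if ($Request -and $PSBoundParameters.Include) {` avoids that. The `$Request | Where-Object { $_.device_id -eq $Object.device_id }` lookup inside each `foreach` rescans the whole result set per history record, which a hashtable keyed by `device_id` built once per Include value would avoid. If the login-history and network-address-history endpoints cap the number of ids per request, `-Ids $Request.device_id` should also be chunked, which cannot be verified from the hunk. The `begin {}` block that builds `$Param` starts before the hunk.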
@@ -0,0 +1,7 @@ +function Get-FalconContainerToken { + [CmdletBinding(DefaultParameterSetName = '/container-security/entities/image-registry-credentials/v1:get')] + param() + process { + Invoke-Falcon -Endpoint $PSCmdlet.ParameterSetName + } +} \ No newline at end of file diff --git a/Public/falconx-reports.ps1 b/Public/falconx-reports.ps1 index c202d546..e79daa1f 100644 --- a/Public/falconx-reports.ps1 +++ b/Public/falconx-reports.ps1 @@ -78,7 +78,7 @@ function Receive-FalconIntel { })] [string] $Path ) - begin { + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -91,8 +91,6 @@ function Receive-FalconIntel { Outfile = 'path' } } - } - process { Invoke-Falcon @Param } } \ No newline at end of file diff --git a/Public/falconx-rules.ps1 b/Public/falconx-rules.ps1 index 087da323..1230606f 100644 --- a/Public/falconx-rules.ps1 +++ b/Public/falconx-rules.ps1 @@ -93,12 +93,12 @@ function Receive-FalconRule { })] [string] $Path ) - begin { - if ($PSBoundParameters.Path -match '\.(gz|gzip)$') { - $PSBoundParameters.Add('format', 'gzip') - $Accept = 'application/gzip' + process { + $Accept = if ($PSBoundParameters.Path -match '\.(gz|gzip)$') { + $PSBoundParameters['format'] = 'gzip' + 'application/gzip' } else { - $Accept = 'application/zip' + 'application/zip' } $Param = @{ Command = $MyInvocation.MyCommand.Name @@ -112,8 +112,6 @@ function Receive-FalconRule { Outfile = 'path' } } - } - process { Invoke-Falcon @Param } } \ No newline at end of file diff --git a/Public/falconx-sandbox.ps1 b/Public/falconx-sandbox.ps1 index 4b173720..3e247870 100644 --- a/Public/falconx-sandbox.ps1 +++ b/Public/falconx-sandbox.ps1 @@ -215,7 +215,7 @@ function Receive-FalconArtifact { })] [string] $Path ) - begin { + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -227,8 +227,6 @@ function Receive-FalconArtifact { Query = @('name', 'id') } } - } - process { Invoke-Falcon @Param } } 
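Review bot: Get-FalconContainerToken calls `Invoke-Falcon -Endpoint $PSCmdlet.ParameterSetName` without the `Command = $MyInvocation.MyCommand.Name` that every other public function in this commit passes, so if Invoke-Falcon uses `Command` for logging, paging or error text (not visible here) this new command will behave differently from its siblings. `Invoke-Falcon -Command $MyInvocation.MyCommand.Name -Endpoint $PSCmdlet.ParameterSetName` keeps the call uniform. A short comment-based help block stating what the returned object holds would also help callers, since the endpoint path suggests registry credentials rather than query results.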
diff --git a/Public/firewall-management.ps1 b/Public/firewall-management.ps1 index 90525172..6d86e389 100644 --- a/Public/firewall-management.ps1 +++ b/Public/firewall-management.ps1 @@ -36,12 +36,14 @@ function Edit-FalconFirewallGroup { [string] $Comment ) begin { - $PSBoundParameters.Add('diff_type', 'application/json-patch+json') $Fields = @{ DiffOperations = 'diff_operations' RuleIds = 'rule_ids' RuleVersions = 'rule_versions' } + } + process { + $PSBoundParameters['diff_type'] = 'application/json-patch+json' $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -73,12 +75,10 @@ function Edit-FalconFirewallGroup { } else { $Group.$_ } - $PSBoundParameters.Add($_,$Value) + $PSBoundParameters[$_] = $Value } } } - } - process { if ($PSBoundParameters.Tracking) { Invoke-Falcon @Param } else { @@ -119,6 +119,8 @@ function Edit-FalconFirewallPolicy { $Fields = @{ Array = 'resources' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = '/policy/entities/firewall/v1:patch' @@ -130,8 +132,6 @@ function Edit-FalconFirewallPolicy { } } } - } - process { Invoke-Falcon @Param } } @@ -192,7 +192,7 @@ function Edit-FalconFirewallSetting { 'SilentlyContinue') } if ($Existing) { - $PSBoundParameters.Add($_,($Existing.$_)) + $PSBoundParameters[$_] = $Existing.$_ } } } @@ -471,7 +471,7 @@ function Get-FalconFirewallPolicyMember { [switch] $Total ) - begin { + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -480,8 +480,6 @@ function Get-FalconFirewallPolicyMember { Query = @('sort', 'offset', 'filter', 'id', 'limit') } } - } - process { Invoke-Falcon @Param } } 
@@ -596,15 +594,17 @@ function Invoke-FalconFirewallPolicyAction { $Fields = @{ name = 'action_name' } - $PSBoundParameters.Add('Ids', @( $PSBoundParameters.Id )) + } + process { + $PSBoundParameters['Ids'] = @( $PSBoundParameters.Id ) [void] $PSBoundParameters.Remove('Id') if ($PSBoundParameters.GroupId) { - $PSBoundParameters.Add('action_parameters', @( + $PSBoundParameters['action_parameters'] = @( @{ name = 'group_id' value = $PSBoundParameters.GroupId } - )) + ) [void] $PSBoundParameters.Remove('GroupId') } $Param = @{ @@ -618,8 +618,6 @@ function Invoke-FalconFirewallPolicyAction { } } } - } - process { Invoke-Falcon @Param } } diff --git a/Public/host-group.ps1 b/Public/host-group.ps1 index 394e614c..43b63827 100644 --- a/Public/host-group.ps1 +++ b/Public/host-group.ps1 @@ -19,6 +19,8 @@ function Edit-FalconHostGroup { $Fields = @{ AssignmentRule = 'assignment_rule' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -29,8 +31,6 @@ function Edit-FalconHostGroup { } } } - } - process { Invoke-Falcon @Param } } @@ -122,7 +122,7 @@ function Get-FalconHostGroupMember { [Parameter(ParameterSetName = '/devices/queries/host-group-members/v1:get')] [switch] $Total ) - begin { + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -131,8 +131,6 @@ function Get-FalconHostGroupMember { Query = @('id', 'filter', 'sort', 'limit', 'offset') } } - } - process { Invoke-Falcon @Param } } @@ -154,10 +152,10 @@ function Invoke-FalconHostGroupAction { [ValidatePattern('^\w{32}$')] [array] $HostIds ) - begin { + process { $Param = @{ - Path = ("$($Script:Falcon.Hostname)/devices/entities/host-group-actions/v1?" + - "action_name=$($PSBoundParameters.Name)") + Path = "$($Script:Falcon.Hostname)/devices/entities/host-group-actions/v1?action_name=$( + $PSBoundParameters.Name)" Method = 'post' Headers = @{ Accept = 'application/json' 
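Review bot: The rewritten `Path` in Invoke-FalconHostGroupAction still interpolates `$PSBoundParameters.Name` directly into the query string, so any value that is not URL-safe changes the request; unless `-Name` is restricted by a `[ValidateSet]` above this hunk (not visible), build it as `action_name=$([System.Uri]::EscapeDataString($PSBoundParameters.Name))`. Breaking the string inside `$( )` across two lines also reads as a continuation of the sub-expression, and the previous two-string concatenation was clearer. The function's `param()` block starts before the hunk.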
@@ -171,13 +169,10 @@ function Invoke-FalconHostGroupAction { } ids = @( $PSBoundParameters.Id ) } - $Max = 500 - } - process { - for ($i = 0; $i -lt ($PSBoundParameters.HostIds | Measure-Object).Count; $i += $Max) { + for ($i = 0; $i -lt ($PSBoundParameters.HostIds | Measure-Object).Count; $i += 500) { $Clone = $Param.Clone() $Clone.Add('Body', $Body.Clone()) - $IdString = ($PSBoundParameters.HostIds[$i..($i + ($Max - 1))] | ForEach-Object { + $IdString = ($PSBoundParameters.HostIds[$i..($i + 499)] | ForEach-Object { "'$_'" }) -join ',' $Clone.Body.action_parameters.value = "(device_id:[$IdString])" diff --git a/Public/ioc.ps1 b/Public/ioc.ps1 index 84129a33..9482afb0 100644 --- a/Public/ioc.ps1 +++ b/Public/ioc.ps1 @@ -58,6 +58,11 @@ function Edit-FalconIoc { HostGroups = 'host_groups' IgnoreWarnings = 'ignore_warnings' } + } + process { + if (!$PSBoundParameters.HostGroups -and !$PSBoundParameters.AppliedGlobally) { + throw "'HostGroups' or 'AppliedGlobally' must be provided." + } $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -71,11 +76,6 @@ function Edit-FalconIoc { } } } - } - process { - if (!$PSBoundParameters.HostGroups -and !$PSBoundParameters.AppliedGlobally) { - throw "'HostGroups' or 'AppliedGlobally' must be provided." - } Invoke-Falcon @Param } } diff --git a/Public/ml-exclusions.ps1 b/Public/ml-exclusions.ps1 index 22d7378e..02b920ba 100644 --- a/Public/ml-exclusions.ps1 +++ b/Public/ml-exclusions.ps1 @@ -20,6 +20,8 @@ function Edit-FalconMlExclusion { $Fields = @{ GroupIds = 'groups' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -30,8 +32,6 @@ function Edit-FalconMlExclusion { } } } - } - process { Invoke-Falcon @Param } } diff --git a/Public/mssp.ps1 b/Public/mssp.ps1 index 771de45c..f1555c1f 100644 --- a/Public/mssp.ps1 +++ b/Public/mssp.ps1 
@@ -14,6 +14,8 @@ function Add-FalconCidGroupMember { $Fields = @{ Id = 'cid_group_id' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -24,8 +26,6 @@ function Add-FalconCidGroupMember { } } } - } - process { Invoke-Falcon @Param } } @@ -82,6 +82,8 @@ function Add-FalconUserGroupMember { Id = 'user_group_id' UserIds = 'user_uuids' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -92,8 +94,6 @@ function Add-FalconUserGroupMember { } } } - } - process { Invoke-Falcon @Param } } @@ -115,6 +115,8 @@ function Edit-FalconCidGroup { $Fields = @{ Id = 'cid_group_id' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -125,8 +127,6 @@ function Edit-FalconCidGroup { } } } - } - process { Invoke-Falcon @Param } } @@ -148,6 +148,8 @@ function Edit-FalconUserGroup { $Fields = @{ Id = 'user_group_id' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -158,8 +160,6 @@ function Edit-FalconUserGroup { } } } - } - process { Invoke-Falcon @Param } } @@ -247,6 +247,8 @@ function Get-FalconCidGroupMember { CID = 'cid' Ids = 'cid_group_ids' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -255,8 +257,6 @@ function Get-FalconCidGroupMember { Query = @('cid_group_ids', 'offset', 'limit', 'sort', 'cid') } } - } - process { Invoke-Falcon @Param } } @@ -545,6 +545,8 @@ function Remove-FalconCidGroupMember { $Fields = @{ Id = 'cid_group_id' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -555,8 +557,6 @@ function Remove-FalconCidGroupMember { } } } - } - process { Invoke-Falcon @Param } } 
@@ -637,6 +637,8 @@ function Remove-FalconUserGroupMember { Id = 'user_group_id' UserIds = 'user_uuids' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -647,8 +649,6 @@ function Remove-FalconUserGroupMember { } } } - } - process { Invoke-Falcon @Param } } \ No newline at end of file diff --git a/Public/oauth2.ps1 b/Public/oauth2.ps1 index de27b0af..3907d7b9 100644 --- a/Public/oauth2.ps1 +++ b/Public/oauth2.ps1 @@ -60,6 +60,8 @@ function Request-FalconToken { } return $Output } + } + process { if ($PSBoundParameters.Cloud) { # Convert 'Cloud' to 'Hostname' $Value = switch ($PSBoundParameters.Cloud) { @@ -68,7 +70,7 @@ function Request-FalconToken { 'us-1' { 'https://api.crowdstrike.com' } 'us-2' { 'https://api.us-2.crowdstrike.com' } } - $PSBoundParameters.Add('Hostname', $Value) + $PSBoundParameters['Hostname'] = $Value [void] $PSBoundParameters.Remove('Cloud') } if (!$Script:Falcon) { @@ -76,7 +78,8 @@ function Request-FalconToken { $Script:Falcon = Get-ApiCredential $PSBoundParameters $Script:Falcon.Add('Api', [ApiClient]::New()) $Script:Falcon.Api.Handler.SslProtocols = 'Tls12' - $Script:Falcon.Api.Client.DefaultRequestHeaders.UserAgent.ParseAdd("crowdstrike-psfalcon/2.1.1") + $Version = (Show-FalconModule).ModuleVersion.Split(' {')[0] -replace 'v', $null + $Script:Falcon.Api.Client.DefaultRequestHeaders.UserAgent.ParseAdd("crowdstrike-psfalcon/$Version") } else { (Get-ApiCredential $PSBoundParameters).GetEnumerator().foreach{ if ($Script:Falcon.($_.Key) -ne $_.Value) { @@ -85,8 +88,6 @@ function Request-FalconToken { } } } - } - process { if ($Script:Falcon.ClientId -and $Script:Falcon.ClientSecret) { $Param = @{ Path = "$($Script:Falcon.Hostname)/oauth2/token" diff --git a/Public/prevention-policies.ps1 b/Public/prevention-policies.ps1 index eb5c9ca6..0ec00bde 100644 --- a/Public/prevention-policies.ps1 +++ b/Public/prevention-policies.ps1 
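Review bot: `$Version = (Show-FalconModule).ModuleVersion.Split(' {')[0] -replace 'v', $null` in Request-FalconToken strips every `v`/`V` anywhere in the string (`-replace` is a case-insensitive regex) and `.Split(' {')` splits on the two characters space and `{` rather than on the sequence `" {"`; both happen to work for a value like `v2.1.2` but break on any other ModuleVersion text. Anchoring the replacement and splitting on the intended separator, `$Version = ((Show-FalconModule).ModuleVersion -split ' \{')[0] -replace '^v'`, keeps the user-agent stable. Show-FalconModule's output format is not visible here, so confirm the field really carries a leading `v`.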
@@ -34,6 +34,9 @@ function Edit-FalconPreventionPolicy { $Fields = @{ Array = 'resources' } + } + process { + $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = '/policy/entities/prevention/v1:patch' @@ -45,8 +48,6 @@ function Edit-FalconPreventionPolicy { } } } - } - process { Invoke-Falcon @Param } } @@ -139,7 +140,7 @@ function Get-FalconPreventionPolicyMember { [Parameter(ParameterSetName = '/policy/queries/prevention-members/v1:get')] [switch] $Total ) - begin { + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -148,8 +149,6 @@ function Get-FalconPreventionPolicyMember { Query = @('sort', 'offset', 'filter', 'id', 'limit') } } - } - process { Invoke-Falcon @Param } } @@ -175,10 +174,12 @@ function Invoke-FalconPreventionPolicyAction { $Fields = @{ name = 'action_name' } - $PSBoundParameters.Add('Ids', @( $PSBoundParameters.Id )) + } + process { + $PSBoundParameters['Ids'] = @( $PSBoundParameters.Id ) [void] $PSBoundParameters.Remove('Id') if ($PSBoundParameters.GroupId) { - $PSBoundParameters.Add('action_parameters', @( + $PSBoundParameters['action_parameters'] = @( @{ name = if ($PSBoundParameters.Name -match 'rule-group$') { 'rule_group_id' @@ -187,7 +188,7 @@ function Invoke-FalconPreventionPolicyAction { } value = $PSBoundParameters.GroupId } - )) + ) [void] $PSBoundParameters.Remove('GroupId') } $Param = @{ @@ -201,8 +202,6 @@ function Invoke-FalconPreventionPolicyAction { } } } - } - process { Invoke-Falcon @Param } } diff --git a/Public/psfalcon.ps1 b/Public/psfalcon.ps1 index e0701491..177436b1 100644 --- a/Public/psfalcon.ps1 +++ b/Public/psfalcon.ps1 @@ -16,9 +16,6 @@ function Export-FalconReport { [object] $Object ) begin { - if ($PSBoundParameters.Path) { - $OutputPath = $Script:Falcon.Api.Path($PSBoundParameters.Path) - } function Get-Array ($Array, $Output, $Name) { foreach ($Item in $Array) { if ($Item.PSObject.TypeNames -contains 'System.Management.Automation.PSCustomObject') { 
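Review bot: Edit-FalconPreventionPolicy gains an empty line directly after the new `process {` (this hunk adds three lines where the matching hunks for Edit-FalconResponsePolicy and Edit-FalconDeviceControlPolicy in this commit add two), making it the only function in the series with that gap. Dropping the blank line keeps the `begin {}`/`process {}` layout identical across the policy files.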
@@ -91,9 +88,7 @@ function Export-FalconReport { } } } - # Create output object $Output = [PSCustomObject] @{} - } process { foreach ($Item in $PSBoundParameters.Object) { @@ -110,17 +105,23 @@ function Export-FalconReport { Add-Property @AddParam } } - if ($OutputPath) { + if ($PSBoundParameters.Path) { # Output to CSV - $Output | Export-Csv -Path $OutputPath -NoTypeInformation -Append + $ExportParam = @{ + InputObject = $Output + Path = $Script:Falcon.Api.Path($PSBoundParameters.Path) + NoTypeInformation = $true + Append = $true + } + Export-Csv @ExportParam } else { # Output to console $Output } } end { - if ($OutputPath -and (Test-Path $OutputPath)) { - Get-ChildItem $OutputPath + if ($ExportParam -and (Test-Path $ExportParam.Path)) { + Get-ChildItem $ExportParam.Path } } } @@ -384,7 +385,7 @@ function Import-FalconConfig { } IoaExclusion = @{ Import = @('id', 'cl_regex', 'ifn_regex', 'name', 'pattern_id', 'pattern_name', 'groups', - 'comment', 'description') + 'comment', 'description', 'applied_globally') } IoaGroup = @{ Import = @('id', 'platform', 'name', 'description', 'rules', 'enabled', 'version') @@ -690,7 +691,7 @@ function Import-FalconConfig { } } } - foreach ($Pair in $ConfigData.GetEnumerator().Where({ $_.Key -match '^(Ioc|(Ml|Sv)Exclusion)$' -and + foreach ($Pair in $ConfigData.GetEnumerator().Where({ $_.Key -match '^(Ioc|(Ioa|Ml|Sv)Exclusion)$' -and $_.Value.Import })) { # Create IOCs and exclusions if assigned to 'all' or can be assigned to Host Groups if ($Pair.Key -eq 'Ioc') { 
@@ -700,8 +701,54 @@ function Import-FalconConfig { Write-Host "Created $($Pair.Key) '$($Item.type):$($Item.value)'." } } + } elseif ($Pair.Key -eq 'IoaExclusion') { + $ConfigData.($Pair.Key)['Created'] = foreach ($Import in $Pair.Value.Import) { + # Create Ioa exclusions + $Content = @{ + Name = $Import.name + PatternId = $Import.pattern_id + PatternName = $Import.pattern_name + ClRegex = $Import.cl_regex + IfnRegex = $Import.ifn_regex + } + @('description', 'comment').foreach{ + if ($Import.$_) { + $Content[$_] = $Import.$_ + } + } + if ($Import.groups) { + $Content['GroupIds'] = foreach ($Name in $Import.groups.name) { + # Get Host Group identifier + $Param = @{ + Item = 'HostGroup' + Type = 'Created' + FilterScript = { $_.name -eq $Name } + } + $CreatedId = (Get-ConfigItem @Param).id + if ($CreatedId) { + ,$CreatedId + } elseif ($ForceEnabled -eq $true) { + ,(Get-ConfigItem @Param -Type 'Cid').id + } + } + } + if ($Import.applied_globally -eq $true -or $Content.GroupIds) { + $Param = @{ + Command = "New-Falcon$($Pair.Key)" + Content = $Content + } + $Created = Invoke-ConfigItem @Param + if ($Created) { + Write-Host "Created $($Pair.Key) '$($Created.name)'." + } + $Created + } else { + Write-Warning "Unable to create '$($Content.name)' [missing_assignment]" + } + } } else { $ConfigData.($Pair.Key)['Created'] = foreach ($Import in $Pair.Value.Import) { + # Create Ml/Sv exclusions $Content = @{ Value = $Import.value } diff --git a/Public/real-time-response-admin.ps1 b/Public/real-time-response-admin.ps1 index 81896b44..a567076a 100644 --- a/Public/real-time-response-admin.ps1 +++ b/Public/real-time-response-admin.ps1 @@ -11,7 +11,7 @@ function Confirm-FalconAdminCommand { ) begin { if (!$PSBoundParameters.SequenceId) { - $PSBoundParameters.Add('sequence_id', 0) + $PSBoundParameters['sequence_id'] = 0 } $Fields = @{ CloudRequestId = 'cloud_request_id' 
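Review bot: In the new IoaExclusion branch of Import-FalconConfig, `applied_globally` only gates creation (`if ($Import.applied_globally -eq $true -or $Content.GroupIds)`) and is never placed in `$Content`, so an exclusion exported as global reaches `New-FalconIoaExclusion` with neither groups nor the global flag; the same gap exists in the New-FalconIoaExclusion hunk in self-service-ioa-exclusions.ps1, whose parameter list and body `root` have no `applied_globally` entry. If the API does not treat a missing `groups` value as global (not verifiable here), such imports will fail or produce an unassigned exclusion. The `$ForceEnabled` fallback to `(Get-ConfigItem @Param -Type 'Cid').id` also deserves a why-comment, since it appears to bind the exclusion to a pre-existing group of the same name rather than to one created by this import, e.g. `# -Force: reuse an existing group with a matching name when none was created by this import`.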
@@ -73,6 +73,8 @@ function Edit-FalconScript { Path = 'content' PermissionType = 'permission_type' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -85,8 +87,6 @@ function Edit-FalconScript { 'content') } } - } - process { Invoke-Falcon @Param } } @@ -221,7 +221,7 @@ function Invoke-FalconAdminCommand { } else { $PSBoundParameters.Command } - $PSBoundParameters.Add('command_string', $CommandString) + $PSBoundParameters['command_string'] = $CommandString $Fields = @{ BatchId = 'batch_id' Command = 'base_command' diff --git a/Public/real-time-response.ps1 b/Public/real-time-response.ps1 index c3c2c21d..fb028017 100644 --- a/Public/real-time-response.ps1 +++ b/Public/real-time-response.ps1 @@ -11,7 +11,7 @@ function Confirm-FalconCommand { ) begin { if (!$PSBoundParameters.SequenceId) { - $PSBoundParameters.Add('sequence_id', 0) + $PSBoundParameters['sequence_id'] = 0 } $Fields = @{ CloudRequestId = 'cloud_request_id' @@ -87,7 +87,7 @@ function Confirm-FalconResponderCommand { ) begin { if (!$PSBoundParameters.SequenceId) { - $PSBoundParameters.Add('sequence_id', 0) + $PSBoundParameters['sequence_id'] = 0 } $Fields = @{ CloudRequestId = 'cloud_request_id' @@ -250,7 +250,7 @@ function Invoke-FalconCommand { } else { $PSBoundParameters.Command } - $PSBoundParameters.Add('command_string', $CommandString) + $PSBoundParameters['command_string'] = $CommandString $Fields = @{ BatchId = 'batch_id' Command = 'base_command' @@ -320,7 +320,7 @@ function Invoke-FalconResponderCommand { } else { $PSBoundParameters.Command } - $PSBoundParameters.Add('command_string', $CommandString) + $PSBoundParameters['command_string'] = $CommandString $Fields = @{ BatchId = 'batch_id' Command = 'base_command' diff --git a/Public/recon-monitoring-rules.ps1 b/Public/recon-monitoring-rules.ps1 index 9dadc768..65d5f2a2 100644 --- a/Public/recon-monitoring-rules.ps1 +++ b/Public/recon-monitoring-rules.ps1 
@@ -19,7 +19,7 @@ function Edit-FalconReconAction { [string] $Status ) - begin { + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -30,8 +30,6 @@ function Edit-FalconReconAction { } } } - } - process { Invoke-Falcon @Param } } @@ -68,6 +66,11 @@ function Edit-FalconReconNotification { [Parameter(ParameterSetName = '/recon/entities/notifications/v1:patch', Mandatory = $true, Position = 3)] [string] $Status ) + begin { + $Fields = @{ + AssignedToUuid = 'assigned_to_uuid' + } + } process { if ($PSBoundParameters.Array) { # Edit notifications in batches of 500 @@ -84,9 +87,6 @@ function Edit-FalconReconNotification { Write-Result ($Script:Falcon.Api.Invoke($Param)) } } else { - $Fields = @{ - AssignedToUuid = 'assigned_to_uuid' - } $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -474,7 +474,7 @@ function Remove-FalconReconAction { [ValidatePattern('^\w{8}-\w{4}-\w{4}-\w{4}-\w{12}$')] [string] $Id ) - begin { + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -483,8 +483,6 @@ function Remove-FalconReconAction { Query = @('id') } } - } - process { Invoke-Falcon @Param } } @@ -509,7 +507,7 @@ function Remove-FalconReconRule { Invoke-Falcon @Param } } -function Remove-FalconNotification { +function Remove-FalconReconNotification { [CmdletBinding(DefaultParameterSetName = '/recon/entities/notifications/v1:delete')] param( [Parameter(ParameterSetName = '/recon/entities/notifications/v1:delete', Mandatory = $true, Position = 1)] diff --git a/Public/response-policies.ps1 b/Public/response-policies.ps1 index 1da1fd26..5b5d48aa 100644 --- a/Public/response-policies.ps1 +++ b/Public/response-policies.ps1 @@ -34,6 +34,8 @@ function Edit-FalconResponsePolicy { $Fields = @{ Array = 'resources' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = '/policy/entities/response/v1:patch' 
@@ -45,8 +47,6 @@ function Edit-FalconResponsePolicy { } } } - } - process { Invoke-Falcon @Param } } @@ -139,7 +139,7 @@ function Get-FalconResponsePolicyMember { [Parameter(ParameterSetName = '/policy/queries/response-members/v1:get')] [switch] $Total ) - begin { + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -148,8 +148,6 @@ function Get-FalconResponsePolicyMember { Query = @('sort', 'offset', 'filter', 'id', 'limit') } } - } - process { Invoke-Falcon @Param } } @@ -174,15 +172,17 @@ function Invoke-FalconResponsePolicyAction { $Fields = @{ name = 'action_name' } - $PSBoundParameters.Add('Ids', @( $PSBoundParameters.Id )) + } + process { + $PSBoundParameters['Ids'] = @( $PSBoundParameters.Id ) [void] $PSBoundParameters.Remove('Id') if ($PSBoundParameters.GroupId) { - $PSBoundParameters.Add('action_parameters', @( + $PSBoundParameters['action_parameters'] = @( @{ name = 'group_id' value = $PSBoundParameters.GroupId } - )) + ) } $Param = @{ Command = $MyInvocation.MyCommand.Name @@ -195,8 +195,6 @@ function Invoke-FalconResponsePolicyAction { } } } - } - process { Invoke-Falcon @Param } } diff --git a/Public/samplestore.ps1 b/Public/samplestore.ps1 index b89acafd..d948f8e5 100644 --- a/Public/samplestore.ps1 +++ b/Public/samplestore.ps1 @@ -50,6 +50,8 @@ function Receive-FalconSample { Id = 'ids' PasswordProtected = 'password_protected' } + } + process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName @@ -62,8 +64,6 @@ function Receive-FalconSample { Outfile = 'path' } } - } - process { Invoke-Falcon @Param } } @@ -115,7 +115,7 @@ function Send-FalconSample { ) begin { if (!$PSBoundParameters.FileName) { - $PSBoundParameters.Add('FileName',([System.IO.Path]::GetFileName($PSBoundParameters.Path))) + $PSBoundParameters['FileName'] = [System.IO.Path]::GetFileName($PSBoundParameters.Path) } $Fields = @{ FileName = if ($PSBoundParameters.Path -match '\.zip$') { 
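Review bot: Invoke-FalconResponsePolicyAction builds `action_parameters` from `GroupId` but, unlike the same hunk in device-control-policies.ps1, firewall-management.ps1 and prevention-policies.ps1, never runs `[void] $PSBoundParameters.Remove('GroupId')` afterwards, so `GroupId` stays in `Inputs` next to the converted value. Whether Invoke-Falcon's `Format` filtering discards the stray key is not visible here; adding the Remove call after the closing `)` makes the four policy-action functions behave identically.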
diff --git a/Public/scheduled-report.ps1 b/Public/scheduled-report.ps1
new file mode 100644
index 00000000..48dd5956
--- /dev/null
+++ b/Public/scheduled-report.ps1
@@ -0,0 +1,102 @@
+function Get-FalconScheduledReport {
+ [CmdletBinding(DefaultParameterSetName = '/reports/queries/scheduled-reports/v1:get')]
+ param(
+ [Parameter(ParameterSetName = '/reports/entities/scheduled-reports/v1:get', Mandatory = $true,
+ Position = 1)]
+ [Parameter(ParameterSetName = '/reports/entities/report-executions/v1:get', Mandatory = $true,
+ Position = 1)]
+ [array] $Ids,
+
+ [Parameter(ParameterSetName = '/reports/queries/scheduled-reports/v1:get', Position = 1)]
+ [Parameter(ParameterSetName = '/reports/queries/report-executions/v1:get', Position = 1)]
+ [string] $Filter,
+
+ [Parameter(ParameterSetName = '/reports/queries/scheduled-reports/v1:get', Position = 2)]
+ [Parameter(ParameterSetName = '/reports/queries/report-executions/v1:get', Position = 2)]
+ [string] $Query,
+
+ [Parameter(ParameterSetName = '/reports/queries/scheduled-reports/v1:get', Position = 3)]
+ [Parameter(ParameterSetName = '/reports/queries/report-executions/v1:get', Position = 3)]
+ [ValidateSet('created_on', 'last_updated_on', 'last_execution_on', 'next_execution_on')]
+ [string] $Sort,
+
+ [Parameter(ParameterSetName = '/reports/queries/scheduled-reports/v1:get', Position = 4)]
+ [Parameter(ParameterSetName = '/reports/queries/report-executions/v1:get', Position = 4)]
+ [ValidateRange(1,5000)]
+ [int] $Limit,
+
+ [Parameter(ParameterSetName = '/reports/queries/scheduled-reports/v1:get', Position = 5)]
+ [Parameter(ParameterSetName = '/reports/queries/report-executions/v1:get', Position = 5)]
+ [int] $Offset,
+
+ [Parameter(ParameterSetName = '/reports/queries/report-executions/v1:get', Mandatory = $true)]
+ [Parameter(ParameterSetName = '/reports/entities/report-executions/v1:get', Mandatory = $true)]
+ [switch] $Execution,
+
+ [Parameter(ParameterSetName = '/reports/queries/scheduled-reports/v1:get')]
+ [Parameter(ParameterSetName = '/reports/queries/report-executions/v1:get')]
+ [switch] $Detailed,
+
+ [Parameter(ParameterSetName = '/reports/queries/scheduled-reports/v1:get')]
+ [Parameter(ParameterSetName = '/reports/queries/report-executions/v1:get')]
+ [switch] $All,
+
+ [Parameter(ParameterSetName = '/reports/queries/scheduled-reports/v1:get')]
+ [Parameter(ParameterSetName = '/reports/queries/report-executions/v1:get')]
+ [switch] $Total
+ )
+ begin {
+ $Fields = @{
+ Query = 'q'
+ }
+ $Param = @{
+ Command = $MyInvocation.MyCommand.Name
+ Endpoint = $PSCmdlet.ParameterSetName
+ Inputs = Update-FieldName -Fields $Fields -Inputs $PSBoundParameters
+ Format = @{
+ Query = @('sort', 'limit', 'ids', 'filter', 'offset', 'q')
+ }
+ }
+ }
+ process {
+ Invoke-Falcon @Param
+ }
+}
+function Receive-FalconScheduledReport {
+ [CmdletBinding(DefaultParameterSetName = '/reports/entities/report-executions-download/v1:get')]
+ param(
+ [Parameter(ParameterSetName = '/reports/entities/report-executions-download/v1:get', Mandatory = $true,
+ ValueFromPipelineByPropertyName = $true, ValueFromPipeline = $true, Position = 1)]
+ #[ValidatePattern('^\d{2,}$')]
+ [string] $Id,
+
+ [Parameter(ParameterSetName = '/reports/entities/report-executions-download/v1:get', Mandatory = $true,
+ Position = 2)]
+ [ValidatePattern('\.(csv|json)$')]
+ [ValidateScript({
+ if (Test-Path $_) {
+ throw "An item with the specified name $_ already exists."
+ } else {
+ $true
+ }
+ })]
+ [string] $Path
+ )
+ process {
+ $PSBoundParameters['ids'] = @( $PSBoundParameters.Id )
+ [void] $PSBoundParameters.Remove('id')
+ $Param = @{
+ Command = $MyInvocation.MyCommand.Name
+ Endpoint = $PSCmdlet.ParameterSetName
+ Inputs = $PSBoundParameters
+ Headers = @{
+ Accept = 'application/octet-stream'
+ }
+ Format = @{
+ Query = @('ids')
+ Outfile = 'path'
+ }
+ }
+ Invoke-Falcon @Param
+ }
+}
\ No newline at end of file
diff --git a/Public/self-service-ioa-exclusions.ps1 b/Public/self-service-ioa-exclusions.ps1
index aab91748..080391fc 100644
--- a/Public/self-service-ioa-exclusions.ps1
+++ b/Public/self-service-ioa-exclusions.ps1
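Review bot: Get-FalconScheduledReport builds `$Param`, including `Inputs = Update-FieldName -Fields $Fields -Inputs $PSBoundParameters`, in `begin {}`, which is the pattern this commit moves into `process {}` everywhere else (Issue #69 in the release notes) and which Receive-FalconScheduledReport in the same file already follows; move the `$Param` assignment under `process {` so pipeline input is rebound per item. The commented-out `#[ValidatePattern('^\d{2,}$')]` on `$Id` in Receive-FalconScheduledReport should be restored or deleted, since a disabled validator documents nothing and `$Id` goes straight into the `ids` query value. `[void] $PSBoundParameters.Remove('id')` also relies on the bound-parameter dictionary matching `Id` case-insensitively; using the declared casing, `[void] $PSBoundParameters.Remove('Id')`, removes that dependency.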
@@ -31,6 +31,8 @@ function Edit-FalconIoaExclusion {
 GroupIds = 'groups'
 IfnRegex = 'ifn_regex'
 }
+ }
+ process {
 $Param = @{
 Command = $MyInvocation.MyCommand.Name
 Endpoint = $PSCmdlet.ParameterSetName
@@ -41,8 +43,6 @@ function Edit-FalconIoaExclusion {
 }
 }
 }
- }
- process {
 Invoke-Falcon @Param
 }
 }
@@ -93,6 +93,64 @@ function Get-FalconIoaExclusion {
 Invoke-Falcon @Param
 }
 }
+function New-FalconIoaExclusion {
+ [CmdletBinding(DefaultParameterSetName = '/policy/entities/ioa-exclusions/v1:post')]
+ param(
+ [Parameter(ParameterSetName = '/policy/entities/ioa-exclusions/v1:post', Mandatory = $true,
+ Position = 1)]
+ [string] $Name,
+
+ [Parameter(ParameterSetName = '/policy/entities/ioa-exclusions/v1:post', Mandatory = $true,
+ Position = 2)]
+ [ValidatePattern('^\d+$')]
+ [string] $PatternId,
+
+ [Parameter(ParameterSetName = '/policy/entities/ioa-exclusions/v1:post', Mandatory = $true,
+ Position = 3)]
+ [string] $PatternName,
+
+ [Parameter(ParameterSetName = '/policy/entities/ioa-exclusions/v1:post', Mandatory = $true,
+ Position = 4)]
+ [string] $ClRegex,
+
+ [Parameter(ParameterSetName = '/policy/entities/ioa-exclusions/v1:post', Mandatory = $true,
+ Position = 5)]
+ [string] $IfnRegex,
+
+ [Parameter(ParameterSetName = '/policy/entities/ioa-exclusions/v1:post', Position = 7)]
+ [ValidatePattern('^\w{32}$')]
+ [array] $GroupIds,
+
+ [Parameter(ParameterSetName = '/policy/entities/ioa-exclusions/v1:post', Position = 8)]
+ [string] $Description,
+
+ [Parameter(ParameterSetName = '/policy/entities/ioa-exclusions/v1:post', Position = 9)]
+ [string] $Comment
+ )
+ begin {
+ $Fields = @{
+ ClRegex = 'cl_regex'
+ GroupIds = 'groups'
+ IfnRegex = 'ifn_regex'
+ PatternId = 'pattern_id'
+ PatternName = 'pattern_name'
+ }
+ }
+ process {
+ $Param = @{
+ Command = $MyInvocation.MyCommand.Name
+ Endpoint = $PSCmdlet.ParameterSetName
+ Inputs = Update-FieldName -Fields $Fields -Inputs $PSBoundParameters
+ Format = @{
+ Body = @{
+ root = @('cl_regex', 'ifn_regex', 'groups', 'name', 'pattern_id', 'pattern_name',
+ 'description', 'comment')
+ }
+ }
+ }
+ Invoke-Falcon @Param
+ }
+}
 function Remove-FalconIoaExclusion {
 [CmdletBinding(DefaultParameterSetName = '/policy/entities/ioa-exclusions/v1:delete')]
 param(
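Review bot: In `New-FalconIoaExclusion` the positional indices jump from 5 (`$IfnRegex`) to 7 (`$GroupIds`); no parameter holds Position 6, so a caller passing arguments positionally gets `$GroupIds` only as the seventh argument. Renumber `$GroupIds`/`$Description`/`$Comment` to `Position = 6`, `7`, `8`, or leave a comment naming the parameter the gap is reserved for. The function also ships without any help text, while `$ClRegex` and `$IfnRegex` are mandatory free-form strings that presumably become the exclusion's command-line and image-file-name patterns; a `.PARAMETER` note on the regex dialect and on the effect of an over-broad pattern (detections suppressed for every matching process) would help, or confirm the externally maintained help has an entry for this command.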
diff --git a/Public/sensor-installers.ps1 b/Public/sensor-installers.ps1
index 0ffaefdd..83452db4 100644
--- a/Public/sensor-installers.ps1
+++ b/Public/sensor-installers.ps1
@@ -72,7 +72,7 @@ function Receive-FalconInstaller {
 })]
 [string] $Path
 )
- begin {
+ process {
 $Param = @{
 Command = $MyInvocation.MyCommand.Name
 Endpoint = $PSCmdlet.ParameterSetName
@@ -85,8 +85,6 @@ function Receive-FalconInstaller {
 Outfile = 'path'
 }
 }
- }
- process {
 Invoke-Falcon @Param
 }
 }
\ No newline at end of file
diff --git a/Public/sensor-update-policies.ps1 b/Public/sensor-update-policies.ps1
index dd3a7f39..2242e395 100644
--- a/Public/sensor-update-policies.ps1
+++ b/Public/sensor-update-policies.ps1
@@ -34,6 +34,8 @@ function Edit-FalconSensorUpdatePolicy {
 $Fields = @{
 Array = 'resources'
 }
+ }
+ process {
 $Param = @{
 Command = $MyInvocation.MyCommand.Name
 Endpoint = '/policy/entities/sensor-update/v2:patch'
@@ -45,8 +47,6 @@ function Edit-FalconSensorUpdatePolicy {
 }
 }
 }
- }
- process {
 Invoke-Falcon @Param
 }
 }
@@ -160,7 +160,7 @@ function Get-FalconSensorUpdatePolicyMember {
 [Parameter(ParameterSetName = '/policy/queries/sensor-update-members/v1:get')]
 [switch] $Total
 )
- begin {
+ process {
 $Param = @{
 Command = $MyInvocation.MyCommand.Name
 Endpoint = $PSCmdlet.ParameterSetName
@@ -169,8 +169,6 @@ function Get-FalconSensorUpdatePolicyMember {
 Query = @('sort', 'offset', 'filter', 'id', 'limit')
 }
 }
- }
- process {
 Invoke-Falcon @Param
 }
 }
@@ -178,7 +176,7 @@ function Get-FalconUninstallToken {
 [CmdletBinding(DefaultParameterSetName = '/policy/combined/reveal-uninstall-token/v1:post')]
 param(
 [Parameter(ParameterSetName = '/policy/combined/reveal-uninstall-token/v1:post', Mandatory = $true,
- Position = 1)]
+ ValueFromPipeline = $true, Position = 1)]
 [ValidatePattern('^(\w{32}|MAINTENANCE)$')]
 [string] $DeviceId,
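Review bot: `$DeviceId` in `Get-FalconUninstallToken` now binds from the pipeline, but at the end of this hunk the function's request-building code that reads `$PSBoundParameters` is still inside `begin`; the move to `process` is only in the following hunk, so the two hunks work solely as a pair and should not be cherry-picked apart. Because this endpoint reveals uninstall tokens, pipeline binding lets one command iterate a whole host list and issue one reveal request per piped object (the same `AuditMessage`, presumably, attached to each); a `.PARAMETER DeviceId` help entry stating that each piped value triggers its own request would make that visible to operators. The remainder of `Get-FalconUninstallToken` is outside this hunk.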
@@ -190,6 +188,8 @@ function Get-FalconUninstallToken {
 DeviceId = 'device_id'
 AuditMessage = 'audit_message'
 }
+ }
+ process {
 $Param = @{
 Command = $MyInvocation.MyCommand.Name
 Endpoint = $PSCmdlet.ParameterSetName
@@ -200,8 +200,6 @@ function Get-FalconUninstallToken {
 }
 }
 }
- }
- process {
 Invoke-Falcon @Param
 }
 }
@@ -226,15 +224,17 @@ function Invoke-FalconSensorUpdatePolicyAction {
 $Fields = @{
 name = 'action_name'
 }
- $PSBoundParameters.Add('Ids', @( $PSBoundParameters.Id ))
+ }
+ process {
+ $PSBoundParameters['Ids'] = @( $PSBoundParameters.Id )
 [void] $PSBoundParameters.Remove('Id')
 if ($PSBoundParameters.GroupId) {
- $PSBoundParameters.Add('action_parameters', @(
+ $PSBoundParameters['action_parameters'] = @(
 @{
 name = 'group_id'
 value = $PSBoundParameters.GroupId
 }
- ))
+ )
 [void] $PSBoundParameters.Remove('GroupId')
 }
 $Param = @{
@@ -248,8 +248,6 @@ function Invoke-FalconSensorUpdatePolicyAction {
 }
 }
 }
- }
- process {
 Invoke-Falcon @Param
 }
 }
diff --git a/Public/sensor-visibility-exclusions.ps1 b/Public/sensor-visibility-exclusions.ps1
index b0101077..22b4fd22 100644
--- a/Public/sensor-visibility-exclusions.ps1
+++ b/Public/sensor-visibility-exclusions.ps1
@@ -20,6 +20,8 @@ function Edit-FalconSvExclusion {
 $Fields = @{
 GroupIds = 'groups'
 }
+ }
+ process {
 $Param = @{
 Command = $MyInvocation.MyCommand.Name
 Endpoint = $PSCmdlet.ParameterSetName
@@ -30,8 +32,6 @@ function Edit-FalconSvExclusion {
 }
 }
 }
- }
- process {
 Invoke-Falcon @Param
 }
 }
diff --git a/Public/streaming.ps1 b/Public/streaming.ps1
index caf2e4ae..8f0befa7 100644
--- a/Public/streaming.ps1
+++ b/Public/streaming.ps1
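Review bot: In `Invoke-FalconSensorUpdatePolicyAction` the `process` block now mutates `$PSBoundParameters` on every pipeline object — it rewrites `Ids`, removes `Id`, and removes `GroupId` after folding it into `action_parameters` — so its correctness for a second piped object depends on whether PowerShell rebuilds that dictionary per object or carries the mutated one forward; if it is carried forward, the second object sees no `GroupId` and keeps the `action_parameters` entry set for the first, which only works because the value is unchanged. Reading the parameter variables instead of the dictionary removes that dependency: `if ($GroupId) { $PSBoundParameters['action_parameters'] = @(@{ name = 'group_id'; value = $GroupId }) }`. The switch from `.Add()` to indexer assignment is what makes repeated `process` runs survive at all, so a comment such as `# indexer, not Add(): process runs once per piped object` would explain the choice to the next reader. The same pattern appears in `Receive-FalconScheduledReport` earlier in this patch; the function's opening lines are outside this hunk.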
@@ -37,7 +37,7 @@ function Update-FalconStream {
 begin {
 $Endpoint = $PSCmdlet.ParameterSetName -replace '{partition}', $PSBoundParameters.Partition
 [void] $PSBoundParameters.Remove('Partition')
- $PSBoundParameters.Add('action_name', 'refresh_active_stream_session')
+ $PSBoundParameters['action_name'] = 'refresh_active_stream_session'
 $Param = @{
 Command = $MyInvocation.MyCommand.Name
 Endpoint = $Endpoint
diff --git a/Public/usermgmt.ps1 b/Public/usermgmt.ps1
index 8c447676..6ffe09ca 100644
--- a/Public/usermgmt.ps1
+++ b/Public/usermgmt.ps1
@@ -47,6 +47,8 @@ function Edit-FalconUser {
 $Fields = @{
 Id = 'user_uuid'
 }
+ }
+ process {
 $Param = @{
 Command = $MyInvocation.MyCommand.Name
 Endpoint = $PSCmdlet.ParameterSetName
@@ -58,8 +60,6 @@ function Edit-FalconUser {
 }
 }
 }
- }
- process {
 Invoke-Falcon @Param
 }
 }
@@ -82,6 +82,8 @@ function Get-FalconRole {
 $Fields = @{
 UserId = 'user_uuid'
 }
+ }
+ process {
 $Param = @{
 Command = $MyInvocation.MyCommand.Name
 Endpoint = $PSCmdlet.ParameterSetName
@@ -90,8 +92,6 @@ function Get-FalconRole {
 Query = @('ids', 'user_uuid')
 }
 }
- }
- process {
 Invoke-Falcon @Param
 }
 }
diff --git a/Public/zero-trust-assessment.ps1 b/Public/zero-trust-assessment.ps1
index 2eb5d67e..0a35b14a 100644
--- a/Public/zero-trust-assessment.ps1
+++ b/Public/zero-trust-assessment.ps1
@@ -1,8 +1,7 @@
 function Get-FalconZta {
- [CmdletBinding(DefaultParameterSetName = '/zero-trust-assessment/entities/assessments/v1:get')]
+ [CmdletBinding(DefaultParameterSetName = '/zero-trust-assessment/entities/audit/v1:get')]
 param(
- [Parameter(ParameterSetName = '/zero-trust-assessment/entities/assessments/v1:get', Mandatory = $true,
- Position = 1)]
+ [Parameter(ParameterSetName = '/zero-trust-assessment/entities/assessments/v1:get', Position = 1)]
 [ValidatePattern('^\w{32}$')]
 [array] $Ids
 )
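Review bot: With `Mandatory` dropped from `$Ids` in `Get-FalconZta`, nothing in the `assessments` parameter set is required any more, so `Get-FalconZta -Ids @()` still selects that set and sends the request with an empty id list, because `[ValidatePattern]` has no elements to reject; adding `[ValidateNotNullOrEmpty()]` next to the existing `[ValidatePattern('^\w{32}$')]` keeps the previous guarantee for callers who do pass `-Ids`. The new default set `/zero-trust-assessment/entities/audit/v1:get` declares no parameters at all, so a one-line comment above `param(` saying that calling with no arguments hits the audit endpoint would spare readers a trip to the body, which is outside this hunk along with whatever it does with `ids` for the audit set.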