v2.1.4

CrowdStrike · Sep 23, 2021 · 266b69a · 266b69a
1 parent 096a740
commit 266b69a
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 29 deletions.
diff --git a/Private/Private.ps1 b/Private/Private.ps1
@@ -745,34 +745,17 @@ function Write-Result {
             # Output response header and 'meta' or 'extensions' content
             Write-Verbose "[Write-Result] $($Verbose -join ', ')"
             if ($Json) {
-                ($Json.PSObject.Properties).Where({ $_.Name -eq 'errors' -and $_.Value }).foreach{
-                    ($_.Value).foreach{
-                        # Output errors
-                        $PSCmdlet.WriteError(
-                            [System.Management.Automation.ErrorRecord]::New(
-                                [Exception]::New("$($_.code): $($_.message)"),
-                                $Json.meta.trace_id,
-                                [System.Management.Automation.ErrorCategory]::NotSpecified,
-                                $Request
-                            )
-                        )
-                    }
-                }
                 $ResultFields = ($Json.PSObject.Properties).Where({
                     $_.Name -notmatch '^(errors|extensions|meta)$' -and $_.Value
                 }).foreach{
-                    # Gather field names from result, not including 'errors', 'extensions', or 'meta'
+                    # Gather field names from result and exclude 'errors', 'extensions', and 'meta'
                     $_.Name
                 }
                 if ($ResultFields -and ($ResultFields | Measure-Object).Count -eq 1) {
-                    if ($ResultFields[0] -eq 'combined' -and $Json.$ResultFields[0].resources) {
+                    if ($ResultFields[0] -eq 'combined' -and $Json.($ResultFields[0]).resources) {
                         # Output 'combined.resources'
-                        ($Json.($ResultFields[0]).resources).PSObject.Properties.Value
-                    } elseif ($ResultFields[0] -eq 'data') {
-                        # Output 'data.entities'
-                        $Json.($ResultFields[0]).PSObject.Properties.Value
+                        $Json.($ResultFields[0]).resources.PSObject.Properties.Value
                     } else {
-                        # Output single field
                         $Json.($ResultFields[0])
                     }
                 } elseif ($ResultFields) {
@@ -789,6 +772,19 @@ function Write-Result {
                         $Json.meta | Select-Object $MetaFields
                     }
                 }
+                ($Json.PSObject.Properties).Where({ $_.Name -eq 'errors' -and $_.Value }).foreach{
+                    ($_.Value).foreach{
+                        # Output errors from Json response
+                        $PSCmdlet.WriteError(
+                            [System.Management.Automation.ErrorRecord]::New(
+                                [Exception]::New("$($_.code): $($_.message)"),
+                                $Json.meta.trace_id,
+                                [System.Management.Automation.ErrorCategory]::NotSpecified,
+                                $Request
+                            )
+                        )
+                    }
+                }
             } else {
                 # Output Result.Content as [string]
                 ($Request.Result.Content).ReadAsStringAsync().Result

diff --git a/Public/identity-graphql.ps1 b/Public/identity-graphql.ps1
@@ -0,0 +1,44 @@
+function Invoke-FalconIdentityGraph {
+<#
+.Synopsis
+Interact with Falcon Identity using GraphQL
+.Description
+Requires 'identity-graphql:write'.
+.Parameter Query
+GraphQL query statement
+.Example
+PS>Invoke-FalconIdentityGraph -Query 'entities(roles:[BuiltinAdministratorRole] sortKey:PRIMARY_DISPLAY_NAME
+sortOrder:ASCENDING first:5) {nodes{primaryDisplayName secondaryDisplayName}}'
+
+Query the primary and secondary display names for the first 5 Administrator accounts, sorted in ascending order
+by primary display name.
+.Example
+PS>Invoke-FalconIdentityGraph -Query 'entities(types:[USER] minRiskScoreSeverity:MEDIUM sortKey:
+RISK_SCORE sortOrder:DESCENDING first:10) {nodes{primaryDisplayName secondaryDisplayName isHuman:hasRole(
+type:HumanUserAccountRole) isProgrammatic:hasRole(type:ProgrammaticUserAccountRole) ... on UserEntity{
+emailAddresses} riskScore riskScoreSeverity riskFactors {type severity}}}'
+
+Query the top 10 users with the highest risk score and display basic information about their accounts and
+the risk factors contributing to their score.
+#>
+    [CmdletBinding(DefaultParameterSetName = '/identity-protection/combined/graphql/v1:post')]
+    param(
+        [Parameter(ParameterSetName = '/identity-protection/combined/graphql/v1:post', Mandatory = $true,
+            Position = 1)]
+        [string] $Query
+    )
+    begin {
+        $Param = @{
+            Path    = "$($Script:Falcon.Hostname)/identity-protection/combined/graphql/v1"
+            Method  = 'post'
+            Headers = @{
+                Accept      = 'application/json'
+                ContentType = 'application/json'
+            }
+            Body = ConvertTo-Json -InputObject @{ query = "{$($PSBoundParameters.Query)}" } -Compress 
+        }
+    }
+    process {
+        Write-Result ($Script:Falcon.Api.Invoke($Param))
+    }
+}
diff --git a/Public/psfalcon.ps1 b/Public/psfalcon.ps1
@@ -1645,32 +1645,31 @@ function Invoke-FalconRtr {
                         $_['Timeout'] = $PSBoundParameters.Timeout
                     }
                 }
-                # Request session and capture initialization result
+                # Start session
                 $InitRequest = Start-FalconSession @InitParam
-                $InitResult = Get-RtrResult -Object $InitRequest.hosts -Output $Group
                 if ($InitRequest.batch_id) {
+                    # Capture session initialization result
+                    $InitResult = Get-RtrResult -Object $InitRequest.hosts -Output $Group
                     $InitResult | Where-Object { $_.session_id } | ForEach-Object {
-                        # Add batch_id to initialized sessions and clear 'stdout' result
+                        # Add batch_id and clear 'stdout'
                         $_.batch_id = $InitRequest.batch_id
                         $_.stdout = $null
                     }
-                    # Perform command request and capture result
+                    # Perform command request
                     $CmdRequest = & $InvokeCmd @CmdParam -BatchId $InitRequest.batch_id
-                    $CmdResult = if ($InvokeCmd -eq 'Invoke-FalconBatchGet') {
+                    if ($InvokeCmd -eq 'Invoke-FalconBatchGet') {
                         # Capture 'hosts' for 'Invoke-FalconBatchGet'
                         $CmdContent = Get-RtrResult -Object $CmdRequest.hosts -Output $InitResult
                         $CmdContent | Where-Object { $_.session_id -and $_.complete -eq $true } | ForEach-Object {
-                            # Update 'batch_get_cmd_req_id'
+                            # Add 'batch_get_cmd_req_id' to output
                             Add-Property -Object $_ -Name 'batch_get_cmd_req_id' -Value (
                                 $CmdRequest.batch_get_cmd_req_id)
                         }
                         $CmdContent
                     } else {
+                        # Output result
                         Get-RtrResult -Object $CmdRequest -Output $InitResult
                     }
-                    $CmdResult
-                } else {
-                    $InitResult
                 }
             }
         } catch {