v2.1.7
Removed 'Library' commands, due to the release of support for 'Custom Scripts' in Falcon Fusion workflows.

The existing library scripts are going to be re-formatted to be compatible with workflows, so that saving the scripts in your local Falcon instance will be used as the delivery mechanism, instead of requiring PSFalcon for it to work.
bk-cs committed Jan 28, 2022
1 parent d76d9d2 commit d5f93ac
Showing 4 changed files with 14 additions and 295 deletions.
41 changes: 13 additions & 28 deletions PSFalcon.psd1
Original file line number Diff line number Diff line change
@@ -270,10 +270,6 @@
'Show-FalconEventCollector',
'Unregister-FalconEventCollector',

# psf-library.ps1
'Get-FalconLibrary',
'Invoke-FalconLibrary',

# psf-output.ps1
'Export-FalconReport',
'Send-FalconWebhook',
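Review bot: removing 'Get-FalconLibrary' and 'Invoke-FalconLibrary' from the export list is a breaking change for any script that calls them, and the v2.1.7 tag on this commit is only a patch-level bump; the release notes further down in this file should carry an explicit "Removed" entry that points users to Falcon Fusion custom scripts rather than letting the two commands disappear silently. The hunk does not reach the ModuleVersion line, so confirm it was raised to 2.1.7 to match the tag.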
@@ -442,31 +438,20 @@
'Show-FalconEventCollector'
'Unregister-FalconEventCollector'
* psf-library.ps1
'Get-FalconLibrary'
'Invoke-FalconLibrary'
New Functionality
* Created a GitHub-based Real-time Response library (https://github.com/bk-cs/rtr). The list of available
scripts can be retrieved using 'Get-FalconLibrary'. Including a specific script name will output basic help
information about the script. Scripts can be run on one or more devices using 'Invoke-FalconLibrary'.
* Added the ability to cache a Humio Event Collector (using the relevant 'humio-structured' endpoint) to send
PSFalcon content to a Humio instance. A specific parser is not required because the content sent by PSFalcon
uses the documented Humio event structure.
* 'Register-FalconEventCollector' is used to define your Humio Event Collector, ingest token and the events
to log, 'Show-FalconEventCollector' can be used for confirmation, and 'Remove-FalconEventCollector' can
be used to disable logging.
* The 'Enable' parameter for 'Register-FalconEventCollector' defines the data that will be sent to Humio. Using
'requests' sends the full content of PSFalcon requests, 'responses' sends API responses, and 'library' sends
results from a Real-time Response library script directly from the host(s) to Humio, with #cid, #aid, #host
and #script tags appended.
* Added 'Send-FalconEvent' to use the results of a PSFalcon command to create Humio events. This allows
PSFalcon to work as a mechanism to ingest data from the CrowdStrike APIs directly into Humio on demand and does
not require a specific 'Enable' value under 'Register-FalconEventCollector'.
* Added the ability to PSFalcon content to a Humio instance. A specific parser is not required because the
content sent by PSFalcon uses the documented Humio event structure.
* 'Register-FalconEventCollector' is used to define your Humio cloud, ingest token and the events to log,
'Show-FalconEventCollector' can be used for confirmation, and 'Remove-FalconEventCollector' can be used to
disable logging.
* The 'Enable' parameter for 'Register-FalconEventCollector' defines the data that will be sent to Humio. The
value 'requests' sends PSFalcon requests while 'responses' sends API responses.
* Added 'Send-FalconEvent' to generate Humio events using the output of a PSFalcon command. This allows
PSFalcon to work as a mechanism to ingest data from the CrowdStrike APIs directly into Humio and does not
require a specific 'Enable' value under 'Register-FalconEventCollector'.
Command Changes
* Added 'group_names' as an 'Include' option for 'Get-FalconHost'. Requires 'host-group:read' permission.
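Review bot: the new release-note line "Added the ability to PSFalcon content to a Humio instance" is missing its verb and should read "Added the ability to send PSFalcon content to a Humio instance". The rewritten notes also still name 'Remove-FalconEventCollector' while the export list a few lines above lists 'Unregister-FalconEventCollector'; use the exported name (or mention the alias) so the notes match the commands users actually receive. Finally, neither "New Functionality" nor "Command Changes" records that the library commands and the 'library' Enable value were removed, which is the substance of this commit.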
90 changes: 0 additions & 90 deletions Private/Private.ps1
@@ -301,96 +301,6 @@ function Convert-Rfc3339 {
(Get-Date).AddHours($Hours),[Xml.XmlDateTimeSerializationMode]::Utc) -replace '\.\d+Z$','Z')"
}
}
function Get-LibraryScript {
[CmdletBinding()]
[OutputType([string])]
param(
[Parameter(Mandatory = $true, Position = 1)]
[string] $Name,

[Parameter(Mandatory = $true, Position = 2)]
[string] $Platform
)
begin {
$Authorization = if ($Script:Falcon.Api.Client.DefaultRequestHeaders.Authorization) {
# Capture current bearer token, then remove it before request to library
$Script:Falcon.Api.Client.DefaultRequestHeaders.Authorization.ToString()
[void] $Script:Falcon.Api.Client.DefaultRequestHeaders.Remove('Authorization')
}
$SHumio = @{
# 'shumio' function for sending data to Humio
Linux = $null
Mac = $null
Windows = 'function shumio($O,$C,$A){$B=$O|%{$I=@{};$_.PSObject.Properties|%{$I[$_.Name]=$_.Value};@' +
'{timestamp=(Get-Date -Format o);attributes=$I}};$Req=@{Uri=null;Method="post";Headers=@{Authori' +
'zation=null;ContentType="application/json"};Body=ConvertTo-Json @(@{tags=@{cid=$C;aid=$A;script' +
'=null};events=@($B)}) -Depth 8 -Compress};[void](iwr @Req -UseBasicParsing)}'
}
$Handling = @{
# Content for handling output after script
Linux = $null
Mac = $null
Windows = 'function anp($O,$N,$V){$O|%{$_.PSObject.Properties.Add((New-Object PSNoteProperty($N,$V))' +
')}}if(!$Obj){$Obj=@{error=null}};$R="HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-' +
'9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default";if(Test-Path "REGISTRY::\$R"' +
'){$K=reg query "$R";$C=(($K -match "CU") -split "REG_BINARY")[-1].Trim().ToLower();$A=(($K -mat' +
'ch "AG") -split "REG_BINARY")[-1].Trim().ToLower()};if (gcm shumio -EA 0){shumio $Obj $C $A};@(' +
'@("cid",$C),@("aid",$A)).foreach{anp $Obj $_[0] $_[1]};$Obj|ConvertTo-Json -Compress'
}
}
process {
if ($PSBoundParameters.Name -notmatch '\.(sh|ps1)$') {
# Set file extension, when not provided
$Extension = switch -Regex ($PSBoundParameters.Platform) {
'^(Linux|Mac)$' { 'sh' }
'^Windows$' { 'ps1' }
}
$PSBoundParameters.Name = @($PSBoundParameters.Name, $Extension) -join '.'
}
$FileString = "$(@($PSBoundParameters.Platform, $PSBoundParameters.Name) -join '/')"
if ($FileString) {
try {
# Make request and output result
$Request = $Script:Falcon.Api.Invoke(@{
Path = "https://raw.githubusercontent.com/bk-cs/library/main/$FileString"
Method = 'get'
Headers = @{ Accept = 'text/plain' }
})
if ($Request.Result.EnsureSuccessStatusCode() -and $Request.Result.Content) {
$Result = Write-Result -Request $Request
if ($Result -and $PSBoundParameters.Platform -eq 'Windows') {
$Output = if ($Result -match '\$Obj\s?=\s?Start-Process') {
'$Obj|ConvertTo-Json -Compress'
} else {
$Handling.($PSBoundParameters.Platform).Replace('error=null',
('error="no_' + (($PSBoundParameters.Name).Split('_',2)[-1] -replace '\.ps1',
$null) + '"')) | ForEach-Object {
if ($Script:Falcon.Api.Collector -and
$Script:Falcon.Api.Collector.Enable -contains 'library') {
@($SHumio.($PSBoundParameters.Platform).Replace('Uri=null',"Uri=`"$(
$Script:Falcon.Api.Collector.Uri)`"").Replace('Authorization=null',
"Authorization=`"Bearer $($Script:Falcon.Api.Collector.Token)`"").Replace(
'script=null',"script=`"$($PSBoundParameters.Name)`""),$_) -join ';'
} else {
$_
}
}
}
@($Result,$Output) -join "`n"
} else {
$Result
}
}
} catch {}
}
}
end {
if ($Authorization) {
# Re-add existing bearer token
$Script:Falcon.Api.Client.DefaultRequestHeaders.Add('Authorization',$Authorization)
}
}
}
function Get-ParamSet {
[CmdletBinding()]
param(
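Review bot: the removed Get-LibraryScript also retires the code path (`.Replace('Authorization=null', "Authorization=`"Bearer $($Script:Falcon.Api.Collector.Token)`"")`) that placed the Humio ingest token in clear text inside the script body delivered to every target host, and the bare `catch {}` that silently discarded any failure while fetching script content from raw.githubusercontent.com; the commit message only cites the Falcon Fusion release, so it is worth recording that the removal also stops distributing that token to endpoints. Please also check the remaining private helpers for `$Script:Falcon.Api.Collector.Enable -contains 'library'`, since that check lived here and any sibling copy is now dead code.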
2 changes: 1 addition & 1 deletion Public/psf-humio.ps1
@@ -11,7 +11,7 @@ function Register-FalconEventCollector {
[string] $Token,

[Parameter(ValueFromPipeLineByPropertyName = $true, Position = 3)]
[ValidateSet('library','responses','requests')]
[ValidateSet('responses','requests')]
[array] $Enable
)
process {
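Review bot: dropping 'library' from the ValidateSet is the right change, but the hunk stops before the process block and the function's comment-based help, so confirm neither still describes or branches on a 'library' value. Two cosmetic points on the untouched context: `[array] $Enable` would read more clearly as `[string[]] $Enable` given the ValidateSet, and `ValueFromPipeLineByPropertyName` is conventionally written `ValueFromPipelineByPropertyName` (attribute names are case-insensitive, so behaviour is unaffected).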
176 changes: 0 additions & 176 deletions Public/psf-library.ps1

This file was deleted.
