From fef9f2cc29f68c7a4f7b336edcdaeb8b46a71b5b Mon Sep 17 00:00:00 2001
From: bk-cs <54042976+bk-cs@users.noreply.github.com>
Date: Fri, 14 May 2021 13:19:42 -0700
Subject: [PATCH] v2.0.8

Changed Commands
* Added custom indicators to 'Export-FalconConfig' and 'Import-FalconConfig'
---
 PSFalcon.psd1 | 2 ++
 Public/config.ps1 | 63 +++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/PSFalcon.psd1 b/PSFalcon.psd1
index 083eea80..6d432124 100644
--- a/PSFalcon.psd1
+++ b/PSFalcon.psd1
@@ -419,6 +419,7 @@ PrivateData = @{
 # ReleaseNotes of this module.
 ReleaseNotes = "v2.0.8
+ New Commands
 * Added 'Get-FalconQuickScanQuota' to display QuickScan quota information
 * Added commands for global 'overwatch-dashboards' APIs:
@@ -464,6 +465,7 @@ PrivateData = @{
 properties)
 * Added a check before 'Receive' commands that will abort the command and output an error if the file already exists
+ * Added custom indicators to 'Export-FalconConfig' and 'Import-FalconConfig'
 Removed Commands
 * Removed custom indicator commands that no longer have supported APIs
diff --git a/Public/config.ps1 b/Public/config.ps1
index 6704d8d5..813bc2f9 100644
--- a/Public/config.ps1
+++ b/Public/config.ps1
@@ -30,7 +30,8 @@ function Export-Config {
 [Parameter(Position = 1, ParameterSetName = 'config:Export')]
 [ValidateSet('HostGroup', 'IOAGroup', 'FirewallGroup', 'DeviceControlPolicy', 'FirewallPolicy',
- 'PreventionPolicy', 'ResponsePolicy', 'SensorUpdatePolicy', 'IOAExclusion', 'MLExclusion', 'SVExclusion')]
+ 'PreventionPolicy', 'ResponsePolicy', 'SensorUpdatePolicy', 'IOC', 'IOAExclusion', 'MLExclusion',
+ 'SVExclusion')]
 [array] $Items
 )
 DynamicParam {
@@ -87,7 +88,7 @@ function Export-Config {
 'config:Export' }).Parameters.Where({ $_.Name -eq 'Items' }).Attributes.ValidValues
 }
 [array] $Export += switch ($Export) {
- { $_ -match '^(IOA|ML|SV)Exclusion$' -and $Export -notcontains 'HostGroup' } {
+ { $_ -match '^((IOA|ML|SV)Exclusion|IOC)$' -and $Export -notcontains 'HostGroup' } {
 'HostGroup'
 }
 { $_ -contains 'FirewallGroup' } {
@@ -195,6 +196,13 @@ function Import-Config {
 'description', 'comment', 'enabled')
 Export = @('instance_id', 'name')
 }
+ IOC = @{
+ Import = @('id', 'type', 'value')
+ Create = @('type', 'value', 'action', 'platforms', 'source', 'severity', 'description', 'tags',
+ 'applied_globally', 'host_groups', 'expiration')
+ Compare = @('type', 'value')
+ Export = @('id', 'value')
+ }
 MLExclusion = @{
 Import = @('id', 'value', 'excluded_from', 'groups', 'applied_globally')
 Compare = @('value')
@@ -285,6 +293,10 @@ function Import-Config {
 # Output IOA groups from import using 'platform' and 'name' match
 { $_.platform -eq $Result.platform -and $_.name -eq $Result.name }
 }
+ { $_ -eq 'IOC' } {
+ # Output IOCs from import using 'type' and 'value' match
+ { $_.type -eq $Result.type -and $_.value -eq $Result.value }
+ }
 { $_ -like '*Exclusion' } {
 # Output exclusions from import using 'value' match
 { $_.value -eq $Result.value }
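Review bot: The `IOC` entry's `Import` list, `Import = @('id', 'type', 'value')`, omits `applied_globally` and `host_groups`, yet the per-item logic added later in this patch reads exactly those properties from each imported object (via `$Import.$Value` over the `Create` list) to decide whether an indicator is global or group-scoped; the sibling `MLExclusion` entry lists `groups` and `applied_globally` in its own `Import`. If `Get-ImportData`, which is outside this hunk, restricts imported objects to the `Import` fields, every IOC would arrive without either property and be dropped as neither global nor group-scoped. If that reading is right, the fix is `Import = @('id', 'type', 'value', 'applied_globally', 'host_groups')`. The enclosing `Import-Config` starts and ends outside the hunk.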
@@ -361,8 +373,46 @@ function Import-Config {
 $ImportData = Get-ImportData -Item $Item
 if ($ImportData) {
 $Content = if ($Item -match '^.*Policy$') {
+ # Filter to required fields for creating policies
 $ImportData | Select-Object platform_name, name, description
+ } elseif ($Item -match '^IOC$') {
+ foreach ($Import in $ImportData) {
+ $Fields = foreach ($Value in $ConfigFields.$Item.Create) {
+ # Filter to required fields for 'IOC'
+ if ($Import.$Value) {
+ $Value
+ }
+ }
+ $IOC = $Import | Select-Object $Fields
+ if ($IOC.applied_globally -eq $true) {
+ # Output 'IOC' for creation if 'applied_globally' is true
+ $IOC
+ } elseif ($ConfigData.HostGroup.Created.id -and $IOC.host_groups) {
+ $Groups = @( $IOC.host_groups ) | ForEach-Object {
+ # Get group names from 'HostGroup' import
+ $OldId = $_
+ $Param = @{
+ Item = 'HostGroup'
+ Type = 'Import'
+ FilterScript = { $_.id -eq $OldId }
+ }
+ $Name = (Get-ConfigItem @Param).name
+ # Match name with created 'HostGroup'
+ if ($Name) {
+ $Param.Type = 'Created'
+ $Param.FilterScript = { $_.name -eq $Name }
+ (Get-ConfigItem @Param).id
+ }
+ }
+ if ($Groups) {
+ # Update 'host_groups' with newly created 'HostGroup' ids
+ $IOC.host_groups = @( $Groups )
+ $IOC
+ }
+ }
+ }
 } else {
+ # Select fields for 'HostGroup'
 $ImportData | Select-Object name, group_type, description, assignment_rule | ForEach-Object {
 if ($_.group_type -eq 'static') {
 $_.PSObject.Properties.Remove('assignment_rule')
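Review bot: An IOC that is neither `applied_globally` nor resolvable to a created host group produces no output and no message: the `elseif` branch only emits `$IOC` inside `if ($Groups)`, and neither conditional has an `else`, so such indicators vanish from the import with nothing on the console and nothing in the later "Created" summary. A group that already existed on the target (present in the `Import` data but not in `$ConfigData.HostGroup.Created`) takes the same silent path, since only `Created` ids are consulted; that appears to mirror how exclusions are treated, so it may be intentional, but a warning would at least make the loss visible. The `if ($Import.$Value)` filter also strips any field whose value is `$false`, `0` or empty, which is what makes the later `applied_globally -eq $true` test work but is easy to misread; a comment such as `# Truthiness check: absent, false or empty fields are dropped, so a false 'applied_globally' is removed here` would help. The enclosing `Import-Config` starts and ends outside the hunk.
```powershell
# … unchanged: $Fields / $IOC selection, applied_globally branch, $Groups lookup …
                            if ($Groups) {
                                # … unchanged: update 'host_groups' and output $IOC …
                            } else {
                                Write-Warning "Skipped $Item '$($IOC.type):$($IOC.value)': no created 'HostGroup' matched its host_groups."
                            }
                        } else {
                            # Neither global nor mapped to a created group: report instead of dropping silently
                            Write-Warning "Skipped $Item '$($IOC.type):$($IOC.value)': not 'applied_globally' and no created 'HostGroup' to assign."
                        }
```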
@@ -612,6 +662,15 @@ function Import-Config {
 }
 }
 }
+ foreach ($Pair in $ConfigData.GetEnumerator().Where({ $_.Key -match '^IOC$' })) {
+ # Create IOCs if corresponding Host Groups were created, or assigned to 'all'
+ $ConfigData.($Pair.Key)['Created'] = Invoke-ConfigArray -Item $Pair.Key
+ if ($ConfigData.($Pair.Key).Created) {
+ foreach ($Item in $ConfigData.($Pair.Key).Created) {
+ Write-Host "Created $($Pair.Key) '$($Item.type):$($Item.value)'."
+ }
+ }
+ }
 foreach ($Pair in $ConfigData.GetEnumerator().Where({ $_.Key -match '^(ML|SV)Exclusion$' })) {
 # Create exclusions if corresponding Host Groups were created, or assigned to 'all'
 $ImportData = Get-ImportData -Item $Pair.Key
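Review bot: `.Where({ $_.Key -match '^IOC$' })` uses an anchored regex to match one literal key; `$_.Key -eq 'IOC'` says the same thing directly, and this patch already uses the `-eq 'IOC'` form in the `Import-Config` match table while using `-match '^IOC$'` again in the content-building hunk, so the three sites should agree on one form. The regex shape presumably follows the existing `'^(ML|SV)Exclusion$'` loop just below, where an alternation genuinely needs it; keeping the regex only there and using `-eq` for the single key keeps the intent clear. Placing this loop before the exclusion loop appears to rely on host groups having been created earlier in the function, which this hunk cannot show; the enclosing `Import-Config` starts and ends outside it.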