2.2.4

[bk-cs]

New Commands

archives

• Expand-FalconSampleArchive
• Get-FalconSampleArchive
• Get-FalconSampleExtraction
• Remove-FalconSampleArchive
• Send-FalconSampleArchive

cloud-connect-aws

• Get-FalconDiscoverAwsLink
• Receive-FalconDiscoverAwsScript

fwmgr

• Test-FalconFirewallPath

image-assessment

• Get-FalconContainerVulnerability

installation-tokens

• Edit-FalconInstallTokenSetting

intel

• Get-FalconAttck
• Get-FalconCve

iocs

• Get-FalconIocAction
• Get-FalconIocPlatform
• Get-FalconIocSeverity
• Get-FalconIocType

kubernetes-protection

• Edit-FalconContainerAzureAccount
• Get-FalconContainerAzureAccount
• New-FalconContainerAzureAccount
• Remove-FalconContainerAzureAccount

ods

• Get-FalconScan
• Get-FalconScanFile
• Get-FalconScanHost
• Get-FalconScheduledScan
• New-FalconScheduledScan
• Remove-FalconScheduledScan
• Start-FalconScan
• Stop-FalconScan

psf-fwmgr

• ConvertTo-FalconFirewallRule

recon

• Get-FalconReconExport
• Get-FalconReconRecord
• Invoke-FalconReconExport
• Receive-FalconReconExport
• Remove-FalconReconExport

settings-discover

• Get-FalconDiscoverAwsScript

Issues Resolved

• Issue [ BUG ] Get-FalconUser does not include All and Total parameters #255: Added missing parameters and maximum limit of 100 'ids' per 'detailed' request for Get-FalconUser.
• Issue [ BUG ] Import-FalconConfig: Cannot overwrite variable ... error #256: Removed type definition when creating build tag variables. Added filter to ensure that LinuxArm64 builds were only being checked when they were using tagged versions.
• Issue [ BUG ] ConvertTo-FalconIoaExclusion throws an error stating behaviors property is missing when it isn't. #260: @datorr2 fixed ConvertTo-IoaExclusion and ConvertTo-MlExclusion generating errors about missing properties when detection objects were not passed via the pipeline.
• Issue [ BUG ] Import-FalconConfig not creating sha256 Ioc #263: Added additional property check to Import-FalconConfig to prevent sha256 IOCs from being ignored and marked as 'Exists' when they didn't actually exist in the target CID.
• Issue [ BUG ] Get-FalconContainerCluster doesn't return any results #266: Fixed typo which prevented output of results for Get-FalconContainerCluster.

General Changes

• Renamed mobile-enrollment.ps1 to enrollments.ps1 to match URL prefix.
• Renamed psf-humio.ps1 to psf-logscale.ps1 to match product name change.
• Updated references of Humio to Falcon LogScale.
• Created Select-Property private function for validating the presence of specific properties within [object[]] values. This function is used to output error messages when the proper sub-property values (or string values themselves) are not found in objects submitted via the pipeline.
• Created [ApiClient]::StreamType() method to ensure that (a supported) 'type' is included when submitting a 'file' or 'upfile' formdata payload.
• Updated internal New-ShouldMessage function to ensure that Formdata payloads are displayed when using -WhatIf parameter (with some exceptions).
• Streamlined Confirm-Property internal function for validating pipeline input.
• Added BodyArray to Invoke-Falcon internal function to force body payloads into a Json array when required.
• Moved 'ShouldMessage' output during Invoke-Falcon so that the body payload is shown after Json conversion instead of before.
• Added warning messages to [ApiClient]::Invoke() when X-Api-Deprecation header responses are detected.
• Updated reference policy Json files for Compare-FalconPreventionPhase.
• Updated Invoke-Falcon to output meta content when no other results are available and no errors were produced, to prevent certain endpoints from outputting errors and meta together.
• Added various 'ShouldProcess' messages to support the testing of PSFalcon commands using dummy data, including a notification when a user will be prompted for their API client information because they do not have an active authorization token.

Command Changes

Updated to use their new respective v2 API endpoints:

• Edit-FalconFirewallSetting
• Get-FalconCidGroup
• Get-FalconCidGroupMember
• Get-FalconDiscoverAwsAccount
• Get-FalconMemberCid
• Get-FalconUserGroup
• Get-FalconUserGroupMember
• Remove-FalconDiscoverAwsAccount

Added HostTimeout parameter, re-ordered positioning and updated Timeout and HostTimeout ranges from 30-600 to 1-600:

• Invoke-FalconAdminCommand
• Invoke-FalconBatchGet
• Invoke-FalconCommand
• Invoke-FalconResponderCommand
• Start-FalconSession

Added FromParent parameter:

• Edit-FalconIoc
• Get-FalconIoc
• Remove-FalconIoc

Added ContentFormat and TriggerMatchless parameters:

• Edit-FalconReconAction
• New-FalconReconAction

Added BreachMonitoring and SubstringMatching parameters:

• Edit-FalconReconRule
• New-FalconReconRule

Added State parameter:

• Get-FalconHorizonIoaEvent
• Get-FalconHorizonIoaUser

Modified to prevent an error message about client permissions when using -WhatIf:

• Get-FalconMalQueryQuota
• Get-FalconQuickScanQuota
• Get-FalconSubmissionQuota

Added a forced HostTimeout value to ensure that multi-host sessions are used

• Invoke-FalconDeploy
• Invoke-FalconRtr

Updated DetectionId and IncidentId to submit as hashtables with id property, rather than an array of string values:

• Edit-FalconCompleteCase
• New-FalconCompleteCase

Modified how Filename is submitted to prevent potential errors:

• Edit-FalconIoaExclusion
• New-FalconIoc

Add-FalconRole

• Removed deprecated endpoint /user-roles/entities/user-roles/v1:post. This command now uses the /user-management/entities/user-role-actions/v1:post endpoint exclusively (using action: grant).
• Changed parameter positions and removed pipeline support for Id.
• Cid is now a required parameter due to the endpoint change. Cid is included in a Get-FalconUser -Detailed result.

Edit-FalconFirewallGroup

• Added Validate parameter to utilize new /fwmgr/entities/rule-groups/validation/v1:patch endpoint.

Edit-FalconHorizonPolicy

• Added Region, TagExcluded and AccountId parameters.

Edit-FalconHorizonSchedule

• Added NextScanTimestamp parameter.

Edit-FalconIoaExclusion

• Added PatternId and PatternName parameters.

Find-FalconHostname

• Added Partial switch to perform non-exact matches, an idea from Reddit user 'Runs_on_empty'!
• Added Include parameter.

Get-FalconActor

• Added Include parameter to allow the addition of tactic_and_technique results from Get-FalconAttck.

Get-FalconDiscoverAwsAccount

• Because the new v2 endpoint no longer includes them, Filter and Sort have been removed from available parameters, but Migrated, OrganizationId and ScanType have been added.
• Detailed has been removed because a single call now includes details.

Get-FalconHorizonIoaEvent

• Renamed UserIds parameter to UserId but kept UserIds as an alias.

Get-FalconHorizonSchedule

• Changed CloudPlatform to mandatory, as the API no longer returns results without specifying a value.

Get-FalconIndicator

• Added IncludeRelation parameter.

Get-FalconRole

• Added error message when a user attempts to pipeline a detailed Get-FalconUser result to Get-FalconRole.
• Added auto-complete for Id using list of roles from authorized CID.

Get-FalconUser

• Added All and Total parameters. These were mistakenly missed in the 2.2.3 release.
• Added maximum of 100 user ids per 'detailed' request.

Import-FalconConfig

• Added loop to retry creation of Ioc items after excluding failures and those that were successfully created.
• Updated to ensure that 'Created' results are not generated when creation of an Ioc actually failed.

New-FalconDiscoverAwsAccount

• Updated to use new /cloud-connect-aws/entities/account/v2:post endpoint. Parameters have changed to match new endpoint.

New-FalconFirewallGroup

• Added Validate parameter to utilize new /fwmgr/entities/rule-groups/validation/v1:post endpoint.
• Added Platform parameter, with auto-complete using Get-FalconFirewallPlatform for available values.

New-FalconIoaExclusion

• Added check to remove the value all when submitted within GroupId. While all will allow the creation of globally applied Machine Learning and Sensor Visibility exclusions, IOA exclusions expect no groups value. This also fixes Import-FalconConfig failing to create IoaExclusion because all being an invalid Host Group identifier errors.

New-FalconSubmission

• Repositioned parameters and added pipeline support for SubmitName and Sha256.

Remove-FalconRole

• Removed deprecated endpoint /user-roles/entities/user-roles/v1:delete. This command now uses the /user-management/entities/user-role-actions/v1:post endpoint exclusively (using action: revoke).
• Changed parameter positions and removed pipeline support for Id.
• Cid is now a required parameter due to the endpoint change. Cid is included in a Get-FalconUser -Detailed result.

Revoke-FalconToken

• Updated to suppress error message when command is used without a valid authorization token present.

Send-FalconCompleteAttachment

• Updated filename verification pattern and added check to ensure that filesize is less than 15MB.

Send-FalconSample

• Renamed parameter FileName to Name to match Send-FalconSampleArchive when redirecting sample archives. FileName was retained as an alias.

Start-FalconSession

• Added Timeout parameter to Start-FalconSession when working with single-host sessions. Timeout would previously force a batch session to be created even if a single host was submitted. Now that Timeout also works for single host sessions, HostTimeout or ExistingBatchId must be used to force creation of a batch session.

---

This discussion was created from the release 2.2.4.