2.2.7

New Commands

cloud-connect-cspm-azure

• Get-FalconCloudAzureGroup
• New-FalconCloudAzureGroup
• Remove-FalconCloudAzureGroup

cloud-connect-cspm-gcp

• Get-FalconCloudGcpAccount
• Get-FalconCloudGcpServiceAccount
• Invoke-FalconCloudGcpHealthCheck
• Receive-FalconCloudGcpScript
• Remove-FalconCloudGcpAccount

configuration-assessment

• Get-FalconConfigAssessmentRule

container-security

• Edit-FalconContainerPolicy
• Edit-FalconContainerPolicyGroup
• Get-FalconContainer
• Get-FalconContainerAlert
• Get-FalconContainerAssessment
• Get-FalconContainerCluster
• Get-FalconContainerDetection
• Get-FalconContainerCount
• Get-FalconContainerDriftIndicator
• Get-FalconContainerImage
• Get-FalconContainerIom
• Get-FalconContainerNode
• Get-FalconContainerPackage
• Get-FalconContainerPod
• Get-FalconContainerPolicy
• Get-FalconContainerPolicyExclusion
• Get-FalconContainerPolicyGroup
• Get-FalconContainerVulnerability
• New-FalconContainerImage
• New-FalconContainerPolicy
• New-FalconContainerPolicyExclusion
• New-FalconContainerPolicyGroup
• Remove-FalconContainerPolicy
• Remove-FalconContainerPolicyGroup
• Set-FalconContainerPolicyPrecedence

delivery-settings

• Get-FalconChannelControl
• Set-FalconChannelControl

exclusions

• Edit-FalconCertificateExclusion
• Get-FalconCertificate
• Get-FalconCertificateExclusion
• New-FalconCertificateExclusion
• Remove-FalconCertificateExclusion

fem

• Edit-FalconAsset

filevantage

• Get-FalconFileVantageAction
• Get-FalconFileVantageContent
• Invoke-FalconFileVantageAction
• Invoke-FalconFileVantageWorkflow

host-migration

• Get-FalconMigration
• Get-FalconMigrationCid
• Get-FalconMigrationHost
• Invoke-FalconMigrationAction
• New-FalconMigration
• Start-FalconMigration
• Stop-FalconMigration
• Remove-FalconMigration
• Rename-FalconMigration

intel

• Get-FalconMalwareFamily

loggingapi

• Get-FalconFoundryRepository
• Get-FalconFoundrySearch
• Get-FalconFoundryView

plugins

• Get-FalconWorkflowIntegration

psf-sensors

• Set-FalconSensorTag (Thanks @LyleWB)

snapshots

• Get-FalconSnapshot
• Get-FalconSnapshotScan
• New-FalconSnapshotScan

threatgraph

• Get-FalconThreatGraphIndicator
• Get-FalconThreatGraphVertex
• Get-FalconThreatGraphEdge

workflows

• Export-FalconWorkflow
• Get-FalconWorkflow
• Get-FalconWorkflowAction
• Get-FalconWorkflowInput
• Get-FalconWorkflowTrigger
• Import-FalconWorkflow
• Invoke-FalconWorkflow
• Redo-FalconWorkflow

Issues Resolved

• Issue #310: Added default timeout of one minute for all requests in an effort to help produce error messages
  when a file download does not complete.
• Issue #369: Corrected Find-FalconHostname so it outputs the entire list of results instead of stopping with
  the first initial 100.
• Issue #370: Changed all identifier parameter aliases from uppercase to lowercase to resolve matching issues
  when using Turkish as the default display language.
• Issue #375: Added a second delay for Invoke-FalconDeploy between commands when using the offline queue to
  ensure that the proper processing order is retained.
• Issue #380: Updated Compare-ImportData function to analyze items by each individual platform (or
  platform_name) to resolve bug where FirewallGroup items were being ignored.
• Issue #382: Removed output of successfully downloaded file information from Invoke-Falcon private function
  and relocated within the Invoke() class function to prevent Index out of range error on successful download
  requests.
• Issue #385: Re-wrote Add-FalconSensorTag and Remove-FalconSensorTag commands properly append/remove tags
  across all OSes, and fix issue where tags weren't applied at all.
• Issue #391: Removed pattern validation for the Id parameter for Get-FalconAsset to prevent errors when
  unexpected (but legitimate) Id values are provided.
• Issue #393: Updated Import-FalconConfig to properly remove rule_group_ids that aren't tied to
  FirewallGroup items that are also created during import.
• Issue #396: Added maximum count of 1000 identifiers when building body content during Get-FalconAlert
  requests.
• Issue #397: Added Action parameter to define multiple actions to perform in a single request when using
  Invoke-FalconAlertAction or Invoke-FalconIncidentAction.
• Issue #399: Updated how field_values properties are selected to ensure that they're correctly passed as an
  array when using New-FalconIoaRule.
• Issue #401: Added Confirm-CidValue private function to check Cid input for checksum, remove it when present,
  and return the Cid value in lower case.
• Issue #411: Added Include with value of scan_file to Get-FalconScan, and added ScanId to
  Get-FalconScanFile to support Include for Get-FalconScan.
• Issue #412: Added Limit of 500 to Get-FalconScan and Get-FalconScanFile to ensure both limit and
  offset are passed during pagination.

General Changes

• Added a weekly check of the PSGallery for PSFalcon module updates if the PSFalcon module was originally
  installed via the PSGallery. Update status is kept in a file called update_check.json in the base PSFalcon
  module folder. If the connection to the PSGallery fails, the update check is disabled. Deleting update_check.json
  will re-attempt connection the next time the module is loaded.

• Updated internal Build-Query function to automatically URL encode provided values during submission instead
  of only previously encoding +.

• Updated internal Log() method for [ApiClient] to support Falcon NGSIEM and CrowdStrike Parsing Standard.

• Added UserAgent value to [ApiClient] object for use with Log() method.

• Updated Request-FalconToken and Show-FalconModule to use new UserAgent value under [ApiClient].

• Removed filtering for unique values when supplying an array of identifiers to a command. This was originally
  added to prevent problems related to an array containing the same identifier twice, but it adds a lot of
  processing time when a large list of identifiers is provided. PSFalcon will now pass all given identifiers on
  to the relevant API, meaning that new error messages might appear if a user is not properly error checking
  their scripts and filtering out duplicate identifier values.

• Added Test-ActionParameter private function to support new Action parameter for Invoke-FalconAlertAction
  and Invoke-FalconIncidentAction.

• Added Select-CertificateProperty private function to support the new Edit-FalconCertificateExclusion and
  New-FalconCertificateExclusion commands.

• Corrected verbose output for various commands to ensure that the relevant command name was displayed when
  Invoke-Falcon makes a request to the target API.

• Re-wrote the internal function Confirm-Parameter to reduce necessary parameters when calling the function.

• Added internal Remove-EmptyValue function to strip empty values before submission when necessary.

• Corrected bug found when implementing new v2 endpoint for Get-FalconAsset -IoT where after would not
  be added properly when paginating without another criteria (i.e. filter, sort, etc.) using -All.

• Compressed SensorTag commands into a reusable function to de-duplicate code.

• Renamed the Array parameter to InputObject to better match PowerShell style for the following commands:
  Edit-FalconDeviceControlPolicy, Edit-FalconFirewallPolicy, Edit-FalconIoc, Edit-FalconPreventionPolicy,
  Edit-FalconReconNotification, Edit-FalconReconRule, Edit-FalconResponsePolicy,
  Edit-FalconSensorUpdatePolicy, Find-FalconHostname, New-FalconDeviceControlPolicy,
  New-FalconFirewallPolicy, New-FalconHostGroup, New-FalconIoc, New-FalconPreventionPolicy,
  New-FalconReconRule, New-FalconResponsePolicy, and New-FalconSensorUpdatePolicy.

  Array has been kept as an alias to prevent issues with existing scripts.

• Changed the prefix from Horizon to Cloud for the following commands:
  Edit-FalconHorizonAwsAccount, Edit-FalconHorizonAzureAccount, Edit-FalconHorizonPolicy,
  Edit-FalconHorizonSchedule, Get-FalconFimChange, Get-FalconHorizonAwsAccount, Get-FalconHorizonAwsLink,
  Get-FalconHorizonAzureAccount, Get-FalconHorizonAzureCertificate, Get-FalconHorizonAzureGroup,
  Get-FalconHorizonIoa, Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser, Get-FalconHorizonIom,
  Get-FalconHorizonPolicy, Get-FalconHorizonSchedule, New-FalconHorizonAwsAccount,
  New-FalconHorizonAzureAccount, New-FalconHorizonAzureGroup, Receive-FalconHorizonAwsScript,
  Receive-FalconHorizonAzureScript, Remove-FalconHorizonAwsAccount, Remove-FalconHorizonAzureAccount, and
  Remove-FalconHorizonAzureGroup.

  The original command names have been kept as aliases to prevent issues with existing scripts.

• Removed Compare-FalconPreventionPhase and accompanying policy json files due to Falcon Prevention Policy UI
  changes that enabled policy comparison in the Falcon console.

Command Changes

Add-FalconSensorTag

• Re-written to properly evaluate add tags across all OSes.
• Added support for passing uninstallation token when adding tags on MacOS (and presumably Linux in the future).
• Added properties to output to increase transparency in the use of RTR and the status of tag additions.

Edit-FalconCloudAwsAccount

• Added Environment, DspmEnabled, DspmRole and TargetOu.

Edit-FalconIoaRule

• Updated to use /ioarules/entities/rules/v2:patch endpoint.

Edit-FalconMlExclusion

• Added DescendentProcess.

Edit-FalconSvExclusion

• Added DescendentProcess.

Edit-FalconReconRule

• Added BreachMonitorOnly.

Edit-FalconFileVantageRule

...

2.2.6

New Commands

cloud-connect-azure

• Get-FalconDiscoverAzureTenant

configuration-assessment

• Get-FalconConfigAssessment
• Get-FalconConfigAssessmentLogic

falcon-complete-dashboards

• Get-FalconCompleteAlert

filevantage

• Add-FalconFileVantageHostGroup
• Add-FalconFileVantageRuleGroup
• Edit-FalconFileVantageExclusion
• Edit-FalconFileVantagePolicy
• Edit-FalconFileVantageRule
• Edit-FalconFileVantageRuleGroup
• Get-FalconFileVantageExclusion
• Get-FalconFileVantagePolicy
• Get-FalconFileVantageRule
• Get-FalconFileVantageRuleGroup
• New-FalconFileVantageExclusion
• New-FalconFileVantagePolicy
• New-FalconFileVantageRule
• New-FalconFileVantageRuleGroup
• Remove-FalconFileVantageExclusion
• Remove-FalconFileVantageHostGroup
• Remove-FalconFileVantagePolicy
• Remove-FalconFileVantageRule
• Remove-FalconFileVantageRuleGroup
• Set-FalconFileVantagePrecedence
• Set-FalconFileVantageRulePrecedence
• Set-FalconFileVantageRuleGroupPrecedence

identity-protection

• Get-FalconIdentityHost

real-time-response

• Get-FalconLibraryScript

Removed Commands

cloud-connect-aws (deprecated)

• Confirm-FalconDiscoverAwsAccess
• Edit-FalconDiscoverAwsAccount
• Get-FalconDiscoverAwsAccount
• Get-FalconDiscoverAwsLink
• Get-FalconDiscoverAwsSetting
• New-FalconDiscoverAwsAccount
• Receive-FalconDiscoverAwsScript
• Remove-FalconDiscoverAwsAccount
• Update-FalconDiscoverAwsSetting

cloud-connect-azure (deprecated)

• Get-FalconDiscoverAzureAccount
• Get-FalconDiscoverAzureCertificate
• Get-FalconDiscoverAzureTenant
• New-FalconDiscoverAzureAccount
• Receive-FalconDiscoverAzureScript
• Update-FalconDiscoverAzureAccount

cloud-connect-gcp (deprecated)

• Get-FalconDiscoverGcpAccount
• New-FalconDiscoverGcpAccount
• Receive-FalconDiscoverGcpScript

discover

• Get-FalconDiscoverNetwork
• Get-FalconDiscoverRule
• Get-FalconDiscoverScan
• Get-FalconDiscoverScanner

settings-discover (deprecated)

• Get-FalconDiscoverAwsScript

Issues Resolved

• Issue #313: Reorganized parameters for Get-FalconRole and removed UserId from a specific ParameterSet to
  ensure proper output.
• Issue #315: Modified script used by Uninstall-FalconSensor to match 64 instead of equal 64-bit to correct
  error caused when bit value is reported as 64 bit instead of 64-bit.
• Issue #316: Added if check to Confirm-Parameter for $Required and $Allowed to ensure that blank values
  do not count when verifying objects under PowerShell Core.
• Issue #327: Modified Invoke-FalconDeploy to properly change directories and execute scripts when working with
  .cmd and .bat files. Thanks @MatthewCKelly!
• Issue #342: Modified Invoke-FalconMalQuery and Get-FalconMalQuery to select the reqid,reqtype and/or
  status properties in their final output, when present.
• Issue #360: Fixed bug where Get-FalconAsset would not append results when using -Include login_event with a
  single asset result.
• Issue #363: Added critical as a severity for Edit-FalconHorizonPolicy.

General Changes

• Modified all authorization token validation checks to request a new token when the current token is due to
  expire within 4 minutes instead of 1 minute. This should help reduce the number of expired authorization
  tokens during long-running requests (like Get-FalconVulnerability).
• Migrated Wait-RetryAfter function from private\Private.ps1 to class\Class.ps1 under ApiClient.Invoke()
  function.
• Streamlined ApiClient.Invoke() under class\Class.ps1 in an effort to improve verbose logging and
  performance.
• Modified private functions Invoke-Falcon and Request-FalconToken to compensate for changes to
  ApiClient.Invoke().
• Modified Write-Result to ensure each error will be individually produced when a single API call generates
  multiple errors.
• Rearranged how ApiClient.Invoke() downloads files to eliminate "index out of range" error.
• Added format\format.json to contain API endpoint body/formdata/query parameters for easier updates when large
  numbers of API endpoints are modified at once.
• Added function Get-EndpointFormat to private\Private.ps1 to read body/formdata/query parameters from
  format.json.
• Replaced tab of four spaces with two to reduce file sizes across module.
• Moved code that replaces the user input parameters with proper parameter names for body payloads from the
  private Invoke-Falcon function into the private Build-Content function.
• Renamed Inputs variable (and accompanying parameter for the Invoke-Falcon function, used by commands when
  making a request) to UserInput in keeping with PowerShell style.
• Updated prevention policy settings for Compare-FalconPreventionPhase.
• Updated Write-Result to remove meta from output when meta.pagination.total equals 0 to account for
  some -Detailed results returning meta information instead of an empty response (unlike a non -Detailed
  result, which would return nothing, as expected).
• Updated private Add-Include function to provide error messages when unable to pull results instead of a silent
  failure with no output in the related -Include property.
• Updated reference policies used by Compare-FalconPreventionPhase.

Command Changes

Add-FalconSensorTag

• Fixed bug where n was being split into separate tags due to an incorrect quote. Thanks @soggysec!
• Removed support for pre-6.42 Windows sensors given that they are no longer supported and don't have
  CsSensorSettings.exe.
• Isolated the scripts being run to add sensor tags into new files contained under the script folder.

Edit-FalconHorizonAwsAccount

• Added autocomplete values for CloudTrailRegion.
• Added IamRoleArn, BehaviorAssessmentEnabled, SensorManagementEnabled, RemediationRegion, and
  RemediationTouAccepted.

Edit-FalconHorizonPolicy

• Updated AccountId to accept multiple identifiers.

Edit-FalconReconNotification

• Added IdpSendStatus and Message.

Edit-FalconFirewallLocationSetting

• Added LocationPrecedence.

Edit-FalconIoc

• Added Array parameter for submitting many IOCs for modification, and set as the default parameter set when
  utilizing the pipeline.
• Set maximum of 2,000 IOCs per request when using Array.

Export-FalconConfig

• Added FileVantagePolicy (including FileVantageExclusion) and FileVantageRuleGroup (including
  FileVantageRule). CrowdStrike-created policies and rule groups are excluded from the export
  because they are auto-generated and can not be modified.
• Updated to force HostGroup when exporting FileVantagePolicy to evaluate host_groups.
• Updated to force FileVantageRuleGroup when exporting FileVantagePolicy to evaluate rule_groups and
  assign them to policies.

Get-FalconAlert

• Removed pattern validation for Id parameter, due to new varying identifier types found in testing.

Get-FalconBuild

• Added Stage.

Get-FalconContainerAccount

• Updated Location to correctly submit as locations to the API endpoint.

Get-FalconContainerAwsAccount

• Added IsHorizonAcct.

Get-FalconContainerCluster

• Added Status.

Get-FalconContainerVulnerability

• Corrected error that prevented the submission of applicationPackages.

Get-FalconFimChange

• Updated to use new v3 endpoint, replacing Offset with After.
• Renamed command to Get-FalconFileVantageChange, but kept Get-FalconFimChange as an alias.

Get-FalconHorizonAwsAccount

• Added IamRoleArn and Migrated.

Get-FalconHorizonAzureAccount

• Added TenantId.

Get-FalconHorizonAzureCertificate

• Added YearsValid.

Get-FalconHorizonIoa

• Added ResourceId, ResourceUuid, and Since.

Get-FalconHost

• Updated the Login switch to use new v2 endpoint. The initial API is limited to 10 ids values per
  request, which means that using -Include login_history will be substantially slower until the API limit
  is increased.

Get-FalconHostGroup

• Updated Include to use a filtered Get-FalconHost search when adding members which avoids the 10k
  maximum limit from the previously used Get-FalconHostGroupMember command.

Get-FalconRole

• Reorganized parameter positioning.
• Removed automatic redirection of Id values when matching a Cid (because it also matches custom role
  identifiers).
• Removed UserId as a parameter for the /user-management/queries/roles/v1:get endpoint because the same data
  is returned by the /combined/ endpoint and they have overlapping parameters.
• Added DirectOnly parameter to Get-FalconRole.

Get-FalconScan

• Updated to use /ods/entities/scans/v2:get endpoint.

Get-FalconSensorTag

• Isolated the scripts being run to retrieve tags into new files contained under the script folder.

Get-FalconSession

• Added Cid and CommandInfo, which facilitate the display of all Real-time Response sessions within the
  authorized CID.

Import-FalconConfig

• Added an error message when filenames within the target archive do not correspond with files typically created
  by Export-FalconConfig. Thanks @JFresh15 and @soggysec!
• Added additional verbose output when the command updates id values for groups and rule_groups objects.
• Added additional verbose output when the command updates build values for Sensor Update policies.
• Fixed a bug where Linux Sensor Update policies would not be created due to a missing build for LinuxArm64
  policy variants.
• Added FileVantagePolicy and FileVantageRuleGroup as ModifyExisting options.
• Updated Comment output to specify why certain items were ignored using NoModifyDefault and
  NoModifyExisting.
• Added code to compensate and properly match when importing into a new cloud and the...

2.2.5

New Commands

container-security

• Edit-FalconContainerRegistry
• Get-FalconContainerRegistry
• New-FalconContainerRegistry
• Remove-FalconContainerRegistry

discover

• Get-FalconDiscoverNetwork
• Get-FalconDiscoverRule
• Get-FalconDiscoverScan
• Get-FalconDiscoverScanner

falconx

• Receive-FalconMemoryDump

fwmgr

• Edit-FalconFirewallLocation
• Edit-FalconFirewallLocationSetting
• Get-FalconFirewallLocation
• New-FalconFirewallLocation
• Remove-FalconFirewallLocation
• Set-FalconFirewallLocationPrecedence

kubernetes-protection

• Get-FalconContainerAccount
• Get-FalconContainerAzureScript
• Get-FalconContainerAzureTenant
• Get-FalconContainerScript

Issues Resolved

• Issue #283: Added platform during creation of FirewallGroup items when using Import-FalconConfig.
• Issue #294: Modified the FQL query being used by Get-FalconQueue to account for an API change that made the
  previous query stop working.
• Issue #295: Added code to the sub-function Invoke-Loop inside Invoke-Falcon to strip all query parameters
  when paginating Get-FalconHorizonIom.
• Issue #296: Updated Get-FalconAsset to ensure proper attachment of login_event results for each asset when
  using -Include login_event.
• Issue #283: Modified New-FalconSensorUpdatePolicy to remove scheduler under settings when set as
  disabled to prevent errors when creating policies.

General Changes

• Updated reference policies for Compare-FalconPreventionPhase.
• Switched from using Write-Verbose to PSCmdlet.WriteVerbose() to increase content when using Verbose
  with commands.
• Added additional verbose message output when commands send their requests to display the endpoint being used.
• Added (local) timestamp at the beginning of verbose output messages through the creation of a Verbose function
  within class\Class.ps1 and the private function unnamed.
• Added Start-RtrUpdate and Stop-RtrUpdate functions to manage PowerShell background jobs to refresh
  Real-time Response sessions when using Invoke-FalconRtr or Invoke-FalconDeploy.
• Changed the Wait parameter for Invoke-FalconAdminCommand, Invoke-FalconBatchGet,
  Invoke-FalconCommand, and Invoke-FalconResponderCommand to wait until completion instead of a maximum of
  60 seconds.
• Added Wait-RtrCommand and Wait-RtrGet private functions when using Wait with Real-time Response
  commands.
• Streamlined some of the code of Write-Result to increase performance.
• Updated Get-RtrResult function (used by Invoke-FalconRtr and Invoke-FalconDeploy) to include properties
  that are blank in output. This will ensure that piping to CSV does not present problems when certain hosts
  respond with different properties (i.e. stderr on some results and not others).
• Ensured the Test-FqlStatement function was properly used with each command's Filter parameter.
• Slightly changed descriptions of commands to match how required permissions are labeled within the Falcon UI.
• Modified PSFalcon.psd1 to remove duplicate load of class\Class.ps1.

Command Changes

Confirm-FalconGetFile

• Corrected invalid ValidatePattern value for Id parameter.

Edit-FalconDetection

• Removed ignored as an option for Status to conform with API change.

Edit-FalconDeviceControlPolicy

• Added parameters to allow modification of custom notifications for the default Windows policy

Find-FalconDuplicate

• Added Platform parameter to filter by a specific platform when retrieving hosts (instead of providing a
  lists through the Hosts parameter).

Find-FalconHostname

• Raised filtered search group count from 20 to 100.

Get-FalconAsset

• Raised filtered search groups count from 20 to 100 when using -Include login_event.
• Added Application switch to search for applications inventoried by Falcon Discover.
• Added IoT switch to search for IoT assets inventoried by Falcon Discover.

Get-FalconContainerVulnerability

• Added Application parameter for filtering application packages.

Get-FalconDeviceControlPolicy

• Added parameters to allow retrieval of the default Windows policy with custom notifications

Get-FalconHorizonIoa

• Added parameter AccountId and removed Region.
• Set CloudPlatform as mandatory instead of generating an error when it was not included.

Get-FalconHorizonIom

• Updated to use new endpoints /detects/entities/iom/v2:get and /detects/queries/iom/v2:get.
• New parameter set includes typical parameters like Filter and Sort. Old parameters are no longer
  available, but similar functionality can be found using proper Filter statements.

Get-FalconHorizonPolicy

• Updated to use new /settings/entities/policy-details/v2:get endpoint when supplying an Id value.
• Removed Detailed switch because the base endpoint always returns detailed results.

Get-FalconHost

• Added policy_names as an option for Include to append policy_name under device_policies
  results (when possible).

Get-FalconRole

• Removed Detailed from command because all results have detailed information in the related parameter set.
• Added All and Total to relevant parameter set.

Get-FalconUser

• Raised filtered search groups count from 20 to 100 when using Username.

Get-FalconQueue

• Added HostId parameter to restrict queued session search to specific host identifiers.

Get-FalconZta

• Added Filter, Sort, Limit, After, Detailed, All, and Total parameters in support of new API
  endpoint GET /zero-trust-assessment/queries/assessments/v1.

Invoke-FalconDeploy

• Added Set-Location to force location to temporary directory when running executable on target host(s).
• Removed pipeline support for GroupId so that Invoke-FalconHostAction results could be piped through the
  HostId parameter.

Invoke-FalconRtr

• Added additional verbose output.
• Increased the default Timeout for session creation and command requests to 600 seconds when not defined.
• Updated to set a Timeout of 2 seconds less than defined Timeout for batch sessions (or 58 seconds if not
  defined) and 3600 seconds for single-host sessions when using runscript and not specifying Timeout inside
  Argument.
• Removed Select-Object code (which ensured all objects had the same final output) to greatly increase
  performance.
• Removed pipeline support for GroupId so that Invoke-FalconHostAction results can be piped through the
  HostId parameter.
• Added Sort-Object when generating list of Command values to ensure it's provided in alphabetical order.
• Added single quotes when using auto-complete for Command values that have a space.

New-FalconCompleteCase

• Updated to use new v2 API endpoint.

2.2.4

New Commands

archives

• Expand-FalconSampleArchive
• Get-FalconSampleArchive
• Get-FalconSampleExtraction
• Remove-FalconSampleArchive
• Send-FalconSampleArchive

cloud-connect-aws

• Get-FalconDiscoverAwsLink
• Receive-FalconDiscoverAwsScript

fwmgr

• Test-FalconFirewallPath

image-assessment

• Get-FalconContainerVulnerability

installation-tokens

• Edit-FalconInstallTokenSetting

intel

• Get-FalconAttck
• Get-FalconCve

iocs

• Get-FalconIocAction
• Get-FalconIocPlatform
• Get-FalconIocSeverity
• Get-FalconIocType

kubernetes-protection

• Edit-FalconContainerAzureAccount
• Get-FalconContainerAzureAccount
• New-FalconContainerAzureAccount
• Remove-FalconContainerAzureAccount

ods

• Get-FalconScan
• Get-FalconScanFile
• Get-FalconScanHost
• Get-FalconScheduledScan
• New-FalconScheduledScan
• Remove-FalconScheduledScan
• Start-FalconScan
• Stop-FalconScan

psf-fwmgr

• ConvertTo-FalconFirewallRule

recon

• Get-FalconReconExport
• Get-FalconReconRecord
• Invoke-FalconReconExport
• Receive-FalconReconExport
• Remove-FalconReconExport

settings-discover

• Get-FalconDiscoverAwsScript

Issues Resolved

• Issue #255: Added missing parameters and maximum limit of 100 'ids' per 'detailed' request for Get-FalconUser.
• Issue #256: Removed type definition when creating build tag variables. Added filter to ensure that LinuxArm64 builds were only being checked when they were using tagged versions.
• Issue #260: @datorr2 fixed ConvertTo-IoaExclusion and ConvertTo-MlExclusion generating errors about missing properties when detection objects were not passed via the pipeline.
• Issue #263: Added additional property check to Import-FalconConfig to prevent sha256 IOCs from being ignored and marked as 'Exists' when they didn't actually exist in the target CID.
• Issue #266: Fixed typo which prevented output of results for Get-FalconContainerCluster.

General Changes

• Renamed mobile-enrollment.ps1 to enrollments.ps1 to match URL prefix.
• Renamed psf-humio.ps1 to psf-logscale.ps1 to match product name change.
• Updated references of Humio to Falcon LogScale.
• Created Select-Property private function for validating the presence of specific properties within [object[]] values. This function is used to output error messages when the proper sub-property values (or string values themselves) are not found in objects submitted via the pipeline.
• Created [ApiClient]::StreamType() method to ensure that (a supported) 'type' is included when submitting a 'file' or 'upfile' formdata payload.
• Updated internal New-ShouldMessage function to ensure that Formdata payloads are displayed when using -WhatIf parameter (with some exceptions).
• Streamlined Confirm-Property internal function for validating pipeline input.
• Added BodyArray to Invoke-Falcon internal function to force body payloads into a Json array when required.
• Moved 'ShouldMessage' output during Invoke-Falcon so that the body payload is shown after Json conversion instead of before.
• Added warning messages to [ApiClient]::Invoke() when X-Api-Deprecation header responses are detected.
• Updated reference policy Json files for Compare-FalconPreventionPhase.
• Updated Invoke-Falcon to output meta content when no other results are available and no errors were produced, to prevent certain endpoints from outputting errors and meta together.
• Added various 'ShouldProcess' messages to support the testing of PSFalcon commands using dummy data, including a notification when a user will be prompted for their API client information because they do not have an active authorization token.

Command Changes

Updated to use their new respective v2 API endpoints:

• Edit-FalconFirewallSetting
• Get-FalconCidGroup
• Get-FalconCidGroupMember
• Get-FalconDiscoverAwsAccount
• Get-FalconMemberCid
• Get-FalconUserGroup
• Get-FalconUserGroupMember
• Remove-FalconDiscoverAwsAccount

Added HostTimeout parameter, re-ordered positioning and updated Timeout and HostTimeout ranges from 30-600 to 1-600:

• Invoke-FalconAdminCommand
• Invoke-FalconBatchGet
• Invoke-FalconCommand
• Invoke-FalconResponderCommand
• Start-FalconSession

Added FromParent parameter:

• Edit-FalconIoc
• Get-FalconIoc
• Remove-FalconIoc

Added ContentFormat and TriggerMatchless parameters:

• Edit-FalconReconAction
• New-FalconReconAction

Added BreachMonitoring and SubstringMatching parameters:

• Edit-FalconReconRule
• New-FalconReconRule

Added State parameter:

• Get-FalconHorizonIoaEvent
• Get-FalconHorizonIoaUser

Modified to prevent an error message about client permissions when using -WhatIf:

• Get-FalconMalQueryQuota
• Get-FalconQuickScanQuota
• Get-FalconSubmissionQuota

Added a forced HostTimeout value to ensure that multi-host sessions are used

• Invoke-FalconDeploy
• Invoke-FalconRtr

Updated DetectionId and IncidentId to submit as hashtables with id property, rather than an array of string values:

• Edit-FalconCompleteCase
• New-FalconCompleteCase

Modified how Filename is submitted to prevent potential errors:

• Edit-FalconIoaExclusion
• New-FalconIoc

Add-FalconRole

• Removed deprecated endpoint /user-roles/entities/user-roles/v1:post. This command now uses the /user-management/entities/user-role-actions/v1:post endpoint exclusively (using action: grant).
• Changed parameter positions and removed pipeline support for Id.
• Cid is now a required parameter due to the endpoint change. Cid is included in a Get-FalconUser -Detailed result.

Edit-FalconFirewallGroup

• Added Validate parameter to utilize new /fwmgr/entities/rule-groups/validation/v1:patch endpoint.

Edit-FalconHorizonPolicy

• Added Region, TagExcluded and AccountId parameters.

Edit-FalconHorizonSchedule

• Added NextScanTimestamp parameter.

Edit-FalconIoaExclusion

• Added PatternId and PatternName parameters.

Find-FalconHostname

• Added Partial switch to perform non-exact matches, an idea from Reddit user 'Runs_on_empty'!
• Added Include parameter.

Get-FalconActor

• Added Include parameter to allow the addition of tactic_and_technique results from Get-FalconAttck.

Get-FalconDiscoverAwsAccount

• Because the new v2 endpoint no longer includes them, Filter and Sort have been removed from available parameters, but Migrated, OrganizationId and ScanType have been added.
• Detailed has been removed because a single call now includes details.

Get-FalconHorizonIoaEvent

• Renamed UserIds parameter to UserId but kept UserIds as an alias.

Get-FalconHorizonSchedule

• Changed CloudPlatform to mandatory, as the API no longer returns results without specifying a value.

Get-FalconIndicator

• Added IncludeRelation parameter.

Get-FalconRole

• Added error message when a user attempts to pipeline a detailed Get-FalconUser result to Get-FalconRole.
• Added auto-complete for Id using list of roles from authorized CID.

Get-FalconUser

• Added All and Total parameters. These were mistakenly missed in the 2.2.3 release.
• Added maximum of 100 user ids per 'detailed' request.

Import-FalconConfig

• Added loop to retry creation of Ioc items after excluding failures and those that were successfully created.
• Updated to ensure that 'Created' results are not generated when creation of an Ioc actually failed.

New-FalconDiscoverAwsAccount

• Updated to use new /cloud-connect-aws/entities/account/v2:post endpoint. Parameters have changed to match new endpoint.

New-FalconFirewallGroup

• Added Validate parameter to utilize new /fwmgr/entities/rule-groups/validation/v1:post endpoint.
• Added Platform parameter, with auto-complete using Get-FalconFirewallPlatform for available values.

New-FalconIoaExclusion

• Added check to remove the value all when submitted within GroupId. While all will allow the creation of globally applied Machine Learning and Sensor Visibility exclusions, IOA exclusions expect no groups value. This also fixes Import-FalconConfig failing to create IoaExclusion because all being an invalid Host Group identifier errors.

New-FalconSubmission

• Repositioned parameters and added pipeline support for SubmitName and Sha256.

Remove-FalconRole

• Removed deprecated endpoint /user-roles/entities/user-roles/v1:delete. This command now uses the /user-management/entities/user-role-actions/v1:post endpoint exclusively (using action: revoke).
• Changed parameter positions and removed pipeline support for Id.
• Cid is now a required parameter due to the endpoint change. Cid is included in a Get-FalconUser -Detailed result.

Revoke-FalconToken

• Updated to suppress error message when command is used without a valid authorization token present.

Send-FalconCompleteAttachment

• Updated filename verification pattern and added check to ensure that filesize is less than 15MB.

Send-FalconSample

• Renamed parameter FileName to Name to match Send-FalconSampleArchive when redirecting sample archives. FileName was retained as an alias.

Start-FalconSession

• Added Timeout parameter to Start-FalconSession when working with single-host sessions. Timeout would previously force a batch session to be created even if a single host was submitted. Now that Timeout also works for single host sessions, HostTimeout or ExistingBatchId must be used to force creation of a batch session.

2.2.3

New Commands

psf-policies

• Compare-FalconPreventionPhase

ti

• Get-FalconTailoredEvent
• Get-FalconTailoredRule

Issues resolved

• Issue #241
  Updated Confirm-Parameter to eliminate Cannot validate argument on parameter 'Array'. Key cannot be null. (Parameter 'key') errors generated when using Import-FalconConfig.

• Issue #242
  Modified Edit-FalconDetection to check whether a status value is present with a comment value during command execution rather than during parameter validation. This will prevent errors from occurring when parameters are specified in an unexpected order.

• Issue #246
  Created Confirm-Property function to properly filter Rule content for both [hashtable] and [PSCustomObject] rules. This will eliminate errors caused by [hashtable] objects being improperly filtered in PowerShell 5.1.

• Issue #247
  Updated Write-Warning to use a PSCmdlet method in order to properly support WarningVariable.

General Changes

• Created Confirm-Property private function to filter [hashtable] and [PSCustomObject] into pre-defined properties containing values.

• Updated comment-based help to link directly to specific wiki pages for each command. Using Get-Help <command> -Online will launch the appropriate wiki page. These pages will be updated with current examples present within existing wiki pages, and those pages will be re-organized.

• Modified Get-ParamSet private function to look for ids and samples as potential body values to break into groups of Max values, instead of only ids.

• Updated Falcon X references to Falcon Intelligence due to product name change.

Command Changes

• Updated Invoke-FalconIdentityGraph to no longer modify the GraphQL statement when attempting to use All for pagination. Renamed Query parameter to String and made it work for both query and mutation statements but kept Query as an alias. Now, when your statement includes a 'Cursor' variable definition and the required pageInfo { hasNextPage endCursor } properties, All will automatically paginate results. If either of those requirements are missing, a warning message will be displayed and pagination will not occur.

• Modified Get-FalconUser to remove deprecated API when using Username parameter. Username now submits filtered searches for provided uid values to the appropriate /user-management/ API.

• Added Max of 1,000 sha256 values for New-FalconQuickScan.

• Added sha256 as a PipelineByPropertyName value for New-FalconQuickScan to support pipeline input from Send-FalconSample.

• Added pattern validation to Remove-FalconUser for the Id parameter.

• Modified Status parameter for Edit-FalconDetection to support ValueFromPipelineByPropertyName and changed
  parameter to position 3.

• Modified Edit-FalconSensorUpdatePolicy and New-FalconSensorUpdatePolicy to filter out properties with empty string values in order to prevent errors when creating and/or modifying Sensor Update policies.

• Modified Import-FalconConfig to prevent an attempt to modify a policy when the policy was not successfully created earlier in the import process. Also ensured that the precedence warnings when existing policies were found would only be displayed once.

2.2.2

New Commands

cloud-connect-azure

• Get-FalconDiscoverAzureCertificate

cloud-connect-cspm-azure

• Get-FalconHorizonAzureCertificate

mobile-enrollment

• Invoke-FalconMobileAction

psf-devices

• Find-FalconHostname

user-management

• Invoke-FalconUserAction

General Changes

• Re-organized public functions into files named for their URL prefix rather than their respective Swagger
  collection (which sometimes would match the prefix and sometimes wouldn't). Because of the number of endpoints
  that fell under 'policy', it is segmented into specific files.

• The public users.ps1 and user-roles.ps1 files have been consolidated under user-management.ps1 and merged
  with new /user-management/ endpoints.

• Updated IPv4 regex used by Test-RegexValue private function.

• Streamlined looping functionality (used with All parameter). Updated all commands to output groups of
  results as they are retrieved instead of the entire result set at the end of a loop. Also verified that
  authorization tokens are properly refreshed during a long running loop.

Command Changes

• Modified Add-FalconSensorTag and Remove-FalconSensorTag to include the uninstall token of the target device
  and while adding and removing sensor tags with CsSensorSettings.exe on Windows sensor versions v6.42 and above.

• Modified Get-FalconSensorTag to return the FalconSensorTags values listed in a devices API response if the
  target device is Windows sensor version 6.42 or above. If CsSensorSettings.exe is updated to include a method
  to get sensor tags, Get-FalconSensorTag will use that method in the future.

• Removed mandatory requirement for TenantId parameter within the Get-FalconDiscoverAzureAccount command.

• Updated Invoke-FalconAlertAction to use the new v2 endpoint which includes formatting corrections.

• Based on code provided by @SleepySysadmin, Invoke-FalconIdentityGraph now has an All parameter when using
  Query!

  When used with a query that includes pageInfo{endCursor hasNextPage}, results will be paginated automatically
  and only relevant data will be output (similar to the rest of the PSFalcon commands) instead of the entire
  object.

  All will automatically be added if a query begins with ($after: Cursor) and has after in the query
  parameters, as it is assumed that all results are expected.

  If pageInfo is not provided in the query and All is specified, a warning message will be generated.

  A query without All will produce the same results as earlier versions of the module.

• Added Mutation parameter to Invoke-FalconIdentityGraph.

• Updated Add-FalconRole, Edit-FalconUser, Get-FalconUser, New-FalconUser, Remove-FalconRole, and
  Remove-FalconUser, to use new /user-management/ endpoints where appropriate. These commands behave as they
  did before, unless using additional parameters to signify that requests are being performed within a
  multi-CID environment.

• Get-FalconRole has been updated to produce results from new /user-management/ endpoints.

Resolved Issues

• Issue 170: Invoke-Loop changes should eliminate token failures during retrieval of large result sets.

• Issue 222: Updated comparison process to ensure an imported policy would be properly added to the list of
  items to be modified, whether or not it was going to be created. Removed existing copy policy operation from
  creation process.

• Issue 223: Removed extraneous 'Endpoint' definition that was generating an error.

• Issue 231: Corrected addition of FirewallRule when using Export-FalconConfig -Item FirewallGroup. This fix
  should also resolve issues when exporting HostGroup and a singular 'exclusion' item.

• Issue 232: Re-added 'Outfile' designation for Path parameter in Receive-FalconArtifact. This should have
  been present and was accidentally removed in an earlier module version.

2.2.1

New Commands

• alerts.ps1
  Get-FalconAlert
  Invoke-FalconAlertAction

• container-upload.ps1
  Get-FalconContainerAssessment
  Remove-FalconContainerImage

• container-security.ps1
  Get-FalconContainerSensor
  Remove-FalconRegistryCredential
  Request-FalconRegistryCredential
  Show-FalconRegistryCredential

General Changes

• Enabled the use of '-WhatIf' and '-Confirm' by adding 'ShouldProcess' support across the module. This also
  required the renaming of the existing '-Confirm' parameter to '-Wait' for 'Invoke-FalconAdminCommand',
  'Invoke-FalconBatchGet', 'Invoke-FalconCommand' and 'Invoke-FalconResponderCommand'.

• Updated ApiClient.Invoke() to remove blank verbose output when 'Headers' are not specified during a request.

• Created 'Get-ContainerUrl' to convert cached Hostname value into a valid 'container-upload' URL value when using
  'container-upload' commands.

• Created 'New-ShouldMessage' function to generate the output message when '-Confirm' or '-WhatIf' is used with
  a command.

• Added 'HostUrl' parameter to 'Invoke-Falcon' to force the use of 'container-upload' base URL instead of the
  cached Falcon API hostname.

• Updated 'Test-FqlStatement' private function to allow for the use of either single or double quotation marks.

• Updated RegEx patterns when validating input to look for a more restrictive list of characters to better match
  expected values.

• Various comment-based help text updates and typo corrections.

• The online help files (accessed using 'Update-Help') for PSFalcon are no longer valid for this and future
  releases as comment-based help has been included for individual commands. Using 'Get-Help -Online'
  for any PSFalcon command will link you directly to the PSFalcon Wiki which includes command examples that were
  previously provided through the online help.

• Renamed 'falcon-container.ps1' to 'container-security.ps1'. Removed 'container-upload.ps1' and moved commands
  into 'container-security.ps1'.

• Modified private 'Get-ContainerUrl' function to include a 'Registry' switch to output the Falcon container
  registry URL for related commands.

Command Changes

• Add-FalconRole, Remove-FalconRole
  Updated to use 'Get-FalconRole' to determine valid 'Id' values for auto-completion.

• Add-FalconGroupingTag, Add-FalconSensorTag, Remove-FalconGroupingTag, Remove-FalconSensorTag
  Renamed 'Tags' to 'Tag' while retaining 'Tags' as an alias.

• Edit-FalconIoc, New-FalconIoc
  Added 'android' and 'ios' as valid 'Platform' values and 'MobileAction' parameter.

• Export-FalconConfig
  Updated to include the export of 'platform_default' policies.

• Export-FalconReport
  Updated to force the creation of the same columns for every result.

• Get-FalconContainerToken
  Command has been removed and replaced with 'Request-FalconRegistryCredential' which combines requests for your
  Falcon container registry password, username (modified CID value) and authorization token, which are cached
  within the PSFalcon module, similar to 'Request-FalconToken'.

• Get-FalconFirewallRule
  Updated to output rules in order of specified 'Id' values when using the 'Id' parameter. This solves an issue
  where rules are provided in order of the 'id' property when they were retrieved using the 'family' property and
  are returned out of order (in respect to the 'family' values).

• Get-FalconHost
  Updated to use new 'POST /devices/entities/devices/v2' endpoint when requesting host details, which greatly
  improves performance when using 'Get-FalconHost -Detailed'.

• Get-FalconKernel
  Corrected maximum number for 'Limit' parameter (500).

• Get-FalconScript, Get-FalconPutFile
  Updated to use new v2 endpoints which include workflow-related schema and information.

• Get-FalconUninstallToken
  Added 'Include' parameter.

• Import-FalconConfig
  Renamed 'Force' parameter to 'AssignExisting'. Retained 'Force' as an alias.

  Added 'ModifyDefault' to modify 'platform_default' policies to match settings from import for specified values.

  Added 'ModifyExisting' to modify existing items to match settings from import for specified values. Although
  'FirewallGroup' is included, rules are not currently being modified. They will be included as part of a future
  PSFalcon update.

• Invoke-FalconBatchGet
  Added 'batch_get_cmd_req_id' to each individual host result.

• Invoke-FalconDeploy
  Added 'tgz' as a supported 'Archive' format.

  Added 'cmd' as a supported 'File' and 'Run' format using 'cmd.exe' in place of 'powershell.exe'.

  Modified 'Run' to execute a custom script that launches a secondary process when provided with a script file.
  This ensures that the process will execute and not wait for completion (similar to a regular executable when
  being used with the 'run' Real-time Response command). Standard output and error streams are redirected to
  'stdout.log' and 'stderr.log' within the temporary 'FalconDeploy' directory.

  Added 'Include' parameter.

• Invoke-FalconIncidentAction
  Added 'unassign' and 'update_assigned_to_v2' actions.

• Invoke-FalconRtr
  Updated to create Real-time Response sessions in groups of 10,000.

• New-FalconHostGroup
  Added type 'staticByID'.

• New-FalconSubmission
  Added 'macOS_10.15' for parameter 'EnvironmentId'.

• Uninstall-FalconSensor
  Added timeout value (120 seconds) to reduce the chance of no 'status' value being returned.

  Added 'Include' parameter.

Resolved Issues

• Issue #211: Added try/catch to 'Get-FalconHost' when using '-Include group_names' to suppress errors when
  hosts have no groups.

• Issue #212: Added actions to 'Invoke-FalconIncidentAction'.

• Issue #219: Indirectly fixed issue with changes that were already made to 'Invoke-FalconDeploy'.

2.2.0

New Commands

* spotlight-vulnerabilities.ps1
  Get-FalconVulnerabilityLogic

General Changes

* Re-added basic help information to each command. This will increase module size, but will eliminate the
  need to 'Update-Help' to get descriptions for each command, its parameters and the required API
  permission(s).

* Thanks to some knowledge shared by @kra-ts, PowerShell pipeline support is now cross-module and no longer
  restricted to specific commands!

  Before this release, PSFalcon supported pipeline input when a command accepted a single 'id'. With these
  changes, PSFalcon collects multiple 'ids' passed through the pipeline, groups them and sends appropriately
  sized API requests.

  This change also required the re-positioning of many parameters, the addition of aliases, and the majority of
  [array] parameters being converted into [string[]] or [int[]]. When it was logically possible, [array] values
  were also converted into [object[]] to allow for the processing of both 'id' and 'detailed' values.

* Warning messages have been added when hosts are not included in a batch Real-time Response session
  ('Start-FalconSession') or when Real-time Response commands produce errors ('Invoke-FalconCommand',
  'Invoke-FalconResponderCommand', 'Invoke-FalconAdminCommand', 'Invoke-FalconBatchGet') so it will be more
  obvious what happened when hosts are missing from the final result that was passed through the pipeline.

* Renamed plural parameters ('Ids') to singular ('Id') to follow PowerShell best practices. Each updated
  parameter kept maintains the plural version as an alias (or the original parameter name when switching to the
  singular was not possible due to incompatibilities with PowerShell) to prevent errors with existing scripts.

* Modified commands to use the alias values for parameters instead of the 'Fields' variable that was used to
  to rename parameters to fit API submission structure. Removing 'Fields' also enabled the removal of the
  private function 'Update-FieldName'.

* When applicable, the 'Id' parameter attributes were modified to ensure that 'Get-Help' properly displayed
  that the parameter name needs to be explicitly included.

* Added case enforcement to all 'ValidateSet' values. This ensures that proper case is used with parameters
  that have a pre-defined list of accepted values and preventing errors from the resulting API.

* Added 'raw_array' as a field to be used when defining the format of a 'body' submission inside of a PSFalcon
  command. Using it will instruct the module to create a 'body' object that has a base [array] value containing
  the object properties to be converted to Json.

* Updated 'Build-Formdata' private function to attempt to gather file content for the 'content' field, or
  supply the original value if that fails. This change was made to allow 'Send-FalconScript' to use a file
  path or string-based script content.

* Created 'Add-Include' private function to append 'Include' content to command results.

* Created 'Assert-Extension' private function to validate a given file extension when using 'Receive' commands.

* Renamed 'Add-Property' private function to 'Set-Property' and updated it to add a property when it doesn't
  exist, or update the value if it does exist.

* Updated 'Get-RtrCommand' private function to output available Real-time Response commands by permission,
  or all available Real-time Response commands if permission is not defined.

* Created 'Test-OutFile' private function to validate the presence of an existing file and generate error
  messages when using 'Receive' commands.

* Moved verbose output of 'body' and 'formdata' payloads from 'Build-Content' to ApiClient.Invoke() during a
  request. This ensures that individual submissions are displayed, rather than the initial submission before it
  has been broken up into groups.

* Moved verbose output of Header keys and values within an API response from 'Write-Result' to
  ApiClient.Invoke(). 'Write-Result' continues to display the 'meta' Json values due to the addition of an
  internal function called 'Write-Meta'.

* Added '-Force' parameter to the following commands to overwrite an existing file when present:
  Export-FalconConfig
  Receive-FalconHorizonAwsScript
  Receive-FalconHorizonAzureScript
  Receive-FalconDiscoverAzureScript
  Receive-FalconDiscoverGcpScript
  Receive-FalconIntel
  Receive-FalconRule
  Receive-FalconArtifact
  Receive-FalconContainerYaml
  Receive-FalconMalQuerySample
  Receive-FalconCompleteAttachment
  Receive-FalconGetFile
  Receive-FalconSample
  Receive-FalconScheduledReport
  Receive-FalconInstaller

* Added '-Include' parameter to append 'members' to the following commands:
  Get-FalconHostGroup
  Get-FalconDeviceControlPolicy
  Get-FalconFirewallPolicy
  Get-FalconPreventionPolicy
  Get-FalconResponsePolicy
  Get-FalconSensorUpdatePolicy

* Updated commands that output to CSV ('Import-FalconConfig', 'Export-FalconReport', 'Get-FalconQueue',
'Invoke-FalconDeploy') to send their results to 'Write-Output' when unable to write to CSV.

* Removed position attribute from all pagination parameters ('After', 'Offset', 'NextToken').

Command Changes

* Confirm-FalconGetFile, Remove-FalconGetFile
  Updated to use v2 API endpoint that includes upload progress.

* ConvertTo-FalconMlExclusion, ConvertTo-FalconIoaExclusion
  Commands have been corrected to properly produce individual exclusions for each relevant behavior within a
  detection (rather than one exclusion with values from multiple behaviors).

* Edit-FalconFirewallSetting, Edit-FalconHorizonPolicy
  Renamed '-PolicyId' to '-Id'.

* Export-FalconConfig
  Now includes 'Script' (Real-time Response scripts) as an exportable item.

  Output filename now contains a 'FileDateTime' timestamp instead of simply 'FileDate'. This was done to
  match changes made to 'Import-FalconConfig'.

* Find-FalconDuplicate
  Updated to accommodate multiple 'Filter' values.

* Get-FalconAsset
  Added '-Account' and '-Login' switch parameters to toggle access of Falcon Discover user account assets
  and user login events.

  Added '-Include' to append login events both the default hardware asset and user account output.

* Get-FalconDetection
  Added valid 'Sort' values.

* Get-FalconFirewallPolicy
  Re-added the 'policy_id' in the 'settings' sub-object that is created when using '-Include settings'. This
  was originally removed for being redundant, but needed to be restored to be utilized by the 
  'Copy-FalconFirewallPolicy' command.

* Get-FalconHorizonIoa, Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser, Get-FalconHorizonIom
  Removed 'Mandatory' status for '-CloudPlatform', instead populating it if 'AwsAccountId' (or 'AccountId',
  in the case of 'Get-FalconHorizonIom'), 'AzureSubscriptionId', or 'AzureTenantId' are provided. Without one
  of the four values, the command will produce an exception.

* Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser
  Replaced '-AccountId' with '-AwsAccountId' and added '-AzureSubscriptionId' and '-AzureTenantId' to match
  'Get-FalconHorizonIoa'.

* Get-FalconHorizonIom
  Renamed parameter '-AwsAccountId' to '-AccountId', which accepts an AWS account ID or GCP Project Number
  value. Also corrected the accepted '-Status' value 'recurring' to 'reoccurring'.

* Get-FalconHost
  '-Detailed' output will no longer be forced when using '-Include group_names', and instead will include
  'device_id' and 'groups'. Using '-Detailed' and '-Include group_names' maintains full output.

  Added 'online_state' to '-Include' to retrieve detail from new 'online status' API.

  Added '-State' switch to be used with '-Id' to retrieve detail from the new 'online status' API.

* Get-FalconQueue
  Updated command to write progress to host stream instead of verbose stream.

* Get-FalconVulnerability
  Added 'evaluation_logic' to the 'Facet' parameter.

* Import-FalconConfig
  Completely re-written to utilize the pipeline and excluded items (with the reason they were excluded) are
  now included within the resulting CSV output.

  Now includes 'Script' (Real-time Response scripts) as an importable item.

  Output filename now contains a 'FileDateTime' timestamp instead of simply 'FileDate'. This was done because
  verbosity of the output was increased and appending to an existing file would cause output problems.

  Removed warning message that was generated when no items were created because the CSV output now displays
  both excluded and created items.

* Invoke-FalconBatchGet, Invoke-FalconCommand, Invoke-FalconAdminCommand, Invoke-FalconResponderCommand
  Added a new '-Confirm' parameter to confirm and retrieve the output from both single-host commands and batch
  'get' commands.

  'Invoke-FalconAdminCommand' and 'Invoke-FalconResponderCommand' will now redirect to 'Invoke-FalconBatchGet'
  when used to 'get' within a multi-host session.

  Each of the commands now appends 'batch_id' to the output of commands issued within a batch session.

* Invoke-FalconCommand, Invoke-FalconAdminCommand, Invoke-FalconResponderCommand, Invoke-FalconRtr
  Split the 'eventlog' command into 'eventlog backup', 'eventlog export', 'eventlog list', and 'eventlog view'.

* Invoke-FalconDeploy
  Contribut...

2.1.9

General Changes

• Added 'Select-Object' to 'Get-ChildItem' output to force the display of FullName, Length and LastWriteTime
  due to differences with how PowerShell displays Get-ChildItem on non-Windows devices.

Resolved Issues

• Issue #190: Modified Json conversion of 'stdout' when using 'runscript' with 'Invoke-FalconRtr' to reduce
  the opportunity of null output.

2.1.8

New Commands

• sensor-update-policies.ps1
  'Get-FalconKernel'

Command Changes

• Added 'cswindiag' command to 'Invoke-FalconRtr' and 'Invoke-FalconAdminCommand'.

• Changed 'Limit' maximum for 'Get-FalconVulnerability' to 400 to match API.

• Added support for local Humio instances within 'Register-FalconEventCollector' while maintaining auto-
  complete for Humio Cloud. Thank you @kra-ts!

• Added 'No queued Real-time Response sessions available' error when using 'Get-FalconQueue' when there are
  no queued sessions.

• Added automatic Json conversion of 'stdout' and 'stderr' output when using 'runscript' with
  'Invoke-FalconRtr', simplifying the use of results from scripts that were designed for Falcon Workflows.

• Added 'iOS' and 'Android' as valid values for 'platform_name' for 'Edit-FalconPreventionPolicy' and
  'New-FalconPreventionPolicy'.

• Added pipeline support for 'Remove-FalconPutFile' and 'Remove-FalconScript'.

• Added the undocumented 'detection_suppress' and 'detection_unsuppress' to 'Invoke-FalconHostAction'.

Resolved Issues

• Issue #187: Fixed typo which was causing array values to only show a single value (instead of all values)
  when using 'Export-FalconReport'.