2.2.7 (Latest)

@bk-cs released this 03 Sep 19:45
c87f096

New Commands

cloud-connect-cspm-azure

  • Get-FalconCloudAzureGroup
  • New-FalconCloudAzureGroup
  • Remove-FalconCloudAzureGroup

cloud-connect-cspm-gcp

  • Get-FalconCloudGcpAccount
  • Get-FalconCloudGcpServiceAccount
  • Invoke-FalconCloudGcpHealthCheck
  • Receive-FalconCloudGcpScript
  • Remove-FalconCloudGcpAccount

configuration-assessment

  • Get-FalconConfigAssessmentRule

container-security

  • Edit-FalconContainerPolicy
  • Edit-FalconContainerPolicyGroup
  • Get-FalconContainer
  • Get-FalconContainerAlert
  • Get-FalconContainerAssessment
  • Get-FalconContainerCluster
  • Get-FalconContainerDetection
  • Get-FalconContainerCount
  • Get-FalconContainerDriftIndicator
  • Get-FalconContainerImage
  • Get-FalconContainerIom
  • Get-FalconContainerNode
  • Get-FalconContainerPackage
  • Get-FalconContainerPod
  • Get-FalconContainerPolicy
  • Get-FalconContainerPolicyExclusion
  • Get-FalconContainerPolicyGroup
  • Get-FalconContainerVulnerability
  • New-FalconContainerImage
  • New-FalconContainerPolicy
  • New-FalconContainerPolicyExclusion
  • New-FalconContainerPolicyGroup
  • Remove-FalconContainerPolicy
  • Remove-FalconContainerPolicyGroup
  • Set-FalconContainerPolicyPrecedence

delivery-settings

  • Get-FalconChannelControl
  • Set-FalconChannelControl

exclusions

  • Edit-FalconCertificateExclusion
  • Get-FalconCertificate
  • Get-FalconCertificateExclusion
  • New-FalconCertificateExclusion
  • Remove-FalconCertificateExclusion

fem

  • Edit-FalconAsset

filevantage

  • Get-FalconFileVantageAction
  • Get-FalconFileVantageContent
  • Invoke-FalconFileVantageAction
  • Invoke-FalconFileVantageWorkflow

host-migration

  • Get-FalconMigration
  • Get-FalconMigrationCid
  • Get-FalconMigrationHost
  • Invoke-FalconMigrationAction
  • New-FalconMigration
  • Start-FalconMigration
  • Stop-FalconMigration
  • Remove-FalconMigration
  • Rename-FalconMigration

intel

  • Get-FalconMalwareFamily

loggingapi

  • Get-FalconFoundryRepository
  • Get-FalconFoundrySearch
  • Get-FalconFoundryView

plugins

  • Get-FalconWorkflowIntegration

psf-sensors

  • Set-FalconSensorTag (Thanks @LyleWB)

snapshots

  • Get-FalconSnapshot
  • Get-FalconSnapshotScan
  • New-FalconSnapshotScan

threatgraph

  • Get-FalconThreatGraphIndicator
  • Get-FalconThreatGraphVertex
  • Get-FalconThreatGraphEdge

workflows

  • Export-FalconWorkflow
  • Get-FalconWorkflow
  • Get-FalconWorkflowAction
  • Get-FalconWorkflowInput
  • Get-FalconWorkflowTrigger
  • Import-FalconWorkflow
  • Invoke-FalconWorkflow
  • Redo-FalconWorkflow

Issues Resolved

  • Issue #310: Added default timeout of one minute for all requests in an effort to help produce error messages
    when a file download does not complete.
  • Issue #369: Corrected Find-FalconHostname so it outputs the entire list of results instead of stopping after
    the initial 100.
  • Issue #370: Changed all identifier parameter aliases from uppercase to lowercase to resolve matching issues
    when using Turkish as the default display language.
  • Issue #375: Added a second delay for Invoke-FalconDeploy between commands when using the offline queue to
    ensure that the proper processing order is retained.
  • Issue #380: Updated Compare-ImportData function to analyze items by each individual platform (or
    platform_name) to resolve a bug where FirewallGroup items were being ignored.
  • Issue #382: Removed output of successfully downloaded file information from the Invoke-Falcon private function
    and relocated it into the Invoke() class function to prevent an "Index out of range" error on successful
    download requests.
  • Issue #385: Re-wrote the Add-FalconSensorTag and Remove-FalconSensorTag commands so they properly
    append/remove tags across all OSes, and fixed an issue where tags weren't applied at all.
  • Issue #391: Removed pattern validation for the Id parameter for Get-FalconAsset to prevent errors when
    unexpected (but legitimate) Id values are provided.
  • Issue #393: Updated Import-FalconConfig to properly remove rule_group_ids that aren't tied to
    FirewallGroup items that are also created during import.
  • Issue #396: Added maximum count of 1000 identifiers when building body content during Get-FalconAlert
    requests.
  • Issue #397: Added Action parameter to define multiple actions to perform in a single request when using
    Invoke-FalconAlertAction or Invoke-FalconIncidentAction.
  • Issue #399: Updated how field_values properties are selected to ensure that they're correctly passed as an
    array when using New-FalconIoaRule.
  • Issue #401: Added Confirm-CidValue private function to check Cid input for checksum, remove it when present,
    and return the Cid value in lower case.
  • Issue #411: Added Include with value of scan_file to Get-FalconScan, and added ScanId to
    Get-FalconScanFile to support Include for Get-FalconScan.
  • Issue #412: Added Limit of 500 to Get-FalconScan and Get-FalconScanFile to ensure both limit and
    offset are passed during pagination.

General Changes

  • Added a weekly check of the PSGallery for PSFalcon module updates if the PSFalcon module was originally
    installed via the PSGallery. Update status is kept in a file called update_check.json in the base PSFalcon
    module folder. If the connection to the PSGallery fails, the update check is disabled. Deleting update_check.json
    causes the connection to be re-attempted the next time the module is loaded.

  • Updated internal Build-Query function to automatically URL encode provided values during submission instead
    of only encoding + as it did previously.

  • Updated internal Log() method for [ApiClient] to support Falcon NGSIEM and CrowdStrike Parsing Standard.

  • Added UserAgent value to [ApiClient] object for use with Log() method.

  • Updated Request-FalconToken and Show-FalconModule to use new UserAgent value under [ApiClient].

  • Removed filtering for unique values when supplying an array of identifiers to a command. This was originally
    added to prevent problems related to an array containing the same identifier twice, but it adds a lot of
    processing time when a large list of identifiers is provided. PSFalcon will now pass all given identifiers on
    to the relevant API, meaning that new error messages might appear if a user is not properly error checking
    their scripts and filtering out duplicate identifier values.

  • Added Test-ActionParameter private function to support new Action parameter for Invoke-FalconAlertAction
    and Invoke-FalconIncidentAction.

  • Added Select-CertificateProperty private function to support the new Edit-FalconCertificateExclusion and
    New-FalconCertificateExclusion commands.

  • Corrected verbose output for various commands to ensure that the relevant command name was displayed when
    Invoke-Falcon makes a request to the target API.

  • Re-wrote the internal function Confirm-Parameter to reduce necessary parameters when calling the function.

  • Added internal Remove-EmptyValue function to strip empty values before submission when necessary.

  • Corrected a bug found when implementing the new v2 endpoint for Get-FalconAsset -IoT, where the after value
    would not be added properly when paginating with -All without another criterion (i.e. filter, sort, etc.).

  • Compressed SensorTag commands into a reusable function to de-duplicate code.

  • Renamed the Array parameter to InputObject to better match PowerShell style for the following commands:
    Edit-FalconDeviceControlPolicy, Edit-FalconFirewallPolicy, Edit-FalconIoc, Edit-FalconPreventionPolicy,
    Edit-FalconReconNotification, Edit-FalconReconRule, Edit-FalconResponsePolicy,
    Edit-FalconSensorUpdatePolicy, Find-FalconHostname, New-FalconDeviceControlPolicy,
    New-FalconFirewallPolicy, New-FalconHostGroup, New-FalconIoc, New-FalconPreventionPolicy,
    New-FalconReconRule, New-FalconResponsePolicy, and New-FalconSensorUpdatePolicy.

    Array has been kept as an alias to prevent issues with existing scripts.

  • Changed the prefix from Horizon to Cloud for the following commands:
    Edit-FalconHorizonAwsAccount, Edit-FalconHorizonAzureAccount, Edit-FalconHorizonPolicy,
    Edit-FalconHorizonSchedule, Get-FalconFimChange, Get-FalconHorizonAwsAccount, Get-FalconHorizonAwsLink,
    Get-FalconHorizonAzureAccount, Get-FalconHorizonAzureCertificate, Get-FalconHorizonAzureGroup,
    Get-FalconHorizonIoa, Get-FalconHorizonIoaEvent, Get-FalconHorizonIoaUser, Get-FalconHorizonIom,
    Get-FalconHorizonPolicy, Get-FalconHorizonSchedule, New-FalconHorizonAwsAccount,
    New-FalconHorizonAzureAccount, New-FalconHorizonAzureGroup, Receive-FalconHorizonAwsScript,
    Receive-FalconHorizonAzureScript, Remove-FalconHorizonAwsAccount, Remove-FalconHorizonAzureAccount, and
    Remove-FalconHorizonAzureGroup.

    The original command names have been kept as aliases to prevent issues with existing scripts.

  • Removed Compare-FalconPreventionPhase and accompanying policy json files due to Falcon Prevention Policy UI
    changes that enabled policy comparison in the Falcon console.
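Because filtering of duplicate identifiers is now the caller's responsibility (see the General Changes entry above), the following added example, which is not PSFalcon's own code, shows one way to trim, validate, de-duplicate and batch identifiers before handing them to a PSFalcon command. The 32-character hexadecimal pattern for a device identifier (aid), the constructed sample values and the Get-FalconHost -Id call are assumptions.

```powershell
# Added example, not PSFalcon code: clean an identifier list before submitting it.
function Get-CleanIdList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string[]]$InputObject,
        # Assumed format of a device identifier (aid): 32 hexadecimal characters
        [string]$Pattern = '^[a-f0-9]{32}$'
    )
    begin {
        $seen = [System.Collections.Generic.HashSet[string]]::new()
        $out = [System.Collections.Generic.List[string]]::new()
    }
    process {
        foreach ($raw in $InputObject) {
            # ToLowerInvariant avoids the culture-dependent casing problem behind issue #370
            $id = ([string]$raw).Trim().ToLowerInvariant()
            if (-not $id) { continue }
            if ($id -notmatch $Pattern) { Write-Warning "Skipping invalid identifier '$raw'"; continue }
            # HashSet.Add returns $false when the value was already present
            if ($seen.Add($id)) { $out.Add($id) } else { Write-Verbose "Dropped duplicate '$id'" }
        }
    }
    end { ,$out.ToArray() }
}

# Constructed sample input: padding, a case-variant duplicate and an invalid value
$rawIds = @(
    '0123456789abcdef0123456789abcdef',
    ' 0123456789ABCDEF0123456789ABCDEF ',
    'not-a-valid-aid',
    'fedcba9876543210fedcba9876543210'
)
$ids = $rawIds | Get-CleanIdList -Verbose   # yields the two unique identifiers

# Submit in fixed-size batches so a failing batch surfaces as its own error instead of
# aborting the whole run. Get-FalconHost -Id (assumed parameter name) receives the identifiers.
$batchSize = 500
for ($i = 0; $i -lt $ids.Count; $i += $batchSize) {
    $batch = $ids[$i..([Math]::Min($i + $batchSize, $ids.Count) - 1)]
    try {
        Get-FalconHost -Id $batch -ErrorAction Stop
    } catch {
        Write-Error "Batch starting at index $i failed: $($_.Exception.Message)"
    }
}
```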

Command Changes

Add-FalconSensorTag

  • Re-written to properly evaluate and add tags across all OSes.
  • Added support for passing uninstallation token when adding tags on MacOS (and presumably Linux in the future).
  • Added properties to output to increase transparency in the use of RTR and the status of tag additions.

Edit-FalconCloudAwsAccount

  • Added Environment, DspmEnabled, DspmRole and TargetOu.

Edit-FalconIoaRule

  • Updated to use /ioarules/entities/rules/v2:patch endpoint.

Edit-FalconMlExclusion

  • Added DescendentProcess.

Edit-FalconSvExclusion

  • Added DescendentProcess.

Edit-FalconReconRule

  • Added BreachMonitorOnly.

Edit-FalconFileVantageRule

  • Added ContentRegistryValues, HashCapture and RegKeyPermission.

Export-FalconConfig

  • Added error message when unable to create export in current directory.

Get-FalconAlert

  • Updated to use /alerts/queries/alerts/v2:get endpoint.
  • Added IncludeHidden (used when submitting Id values).

Get-FalconAsset

  • Updated to use new /discover/queries/iot-hosts/v2:get endpoint with -IoT.
  • Added -External switch to search for external assets.
  • Updated to use new /discover/combined/hosts/v1:get endpoint when using -Detailed.
  • Updated to use new /discover/combined/applications/v1:get when using -Application and -Detailed.
  • The facet property has been joined together with Include for the relevant new /combined/ API
    endpoints for consistency with earlier PSFalcon versions.
  • Added error messages when invalid Limit or facet values (as Include) are supplied for their
    respective API endpoint. Tab-completion for Include will first offer all available values, and the
    command will error if one of the supplied values is invalid based on the eventual API endpoint
    being targeted.
  • Updated code to properly append login_event when used with -Include for respective aid (when
    searching for Host) or account_id (when searching for Account) values.

Get-FalconCloudAwsAccount

  • Added CspmLite.
  • Renamed IsHorizonAcct parameter to IsFcsAccount. Kept IsHorizonAcct as an alias.

Get-FalconCloudAzureAccount

  • Added CspmLite.
  • Renamed IsHorizonAcct parameter to IsFcsAccount. Kept IsHorizonAcct as an alias.

Get-FalconContainerSensor

  • Added check to verify proper credentials are available to avoid 401: Unauthorized errors when a token is not
    present.

Get-FalconInstaller

  • Updated to use new v2 endpoints.

Get-FalconIocHost

  • Updated to use /iocs/aggregates/device-count/v1:get endpoint.

Get-FalconReconRule

  • Added SecondarySort.

Get-FalconRole

  • Added Detailed switch.

Get-FalconSensorTag

  • Re-written to pull tags directly from devices API instead of using RTR on Linux and Mac.

Get-FalconUninstallToken

  • Re-wrote command to group all device_id values together and make requests in appropriately sized groups,
    instead of individually when using Include. This should drastically increase performance when requesting
    large numbers of uninstall_token values with other device properties included.

Get-FalconVulnerability

  • Updated Limit to a maximum of 5,000 for Detailed requests. If retrieving identifiers only, the command
    will force Limit to a maximum of 400.

Invoke-FalconAlertAction

  • Added Action for performing multiple actions on alerts in a single request. Thanks @datorr2!

Invoke-FalconIncidentAction

  • Added Action for performing multiple actions on incidents in a single request. Thanks @datorr2!
  • Removed mandatory attribute from Value to ensure that it works when using unassign with the Name parameter.

Invoke-FalconMobileAction

  • Updated to use /enrollments/entities/details/v4:post endpoint.
  • Added EnrollmentType.

Import-FalconConfig

  • Added additional verbose output during analysis of items to import to help with future troubleshooting.
  • Added additional verbose output to show when rule_group_ids are being assigned and/or the removal of
    non-existent values when FirewallPolicy items are being created and modified.
  • Added FirewallPolicy settings values to final CSV output.
  • Added various improvements for handling SensorUpdatePolicy with unavailable sensor build versions. When
    an invalid build version is found, it is stripped. When a build is updated with a matching tagged version,
    sensor_version and stage are also updated. These changes also affect variants for LinuxArm64.
  • Fixed issues preventing SensorUpdatePolicy from being evaluated for changes with ModifyExisting. Updated
    final output to properly record changes.
  • Various improvements related to policy analysis and changes for policy settings.

Invoke-FalconAlertAction

  • Added IncludeHidden.

Invoke-FalconRtr

  • The private function that keeps the RTR session alive is now forced to run every 30 seconds by default, to help
    prevent results from being lost when hosts that recently went offline (i.e. didn't meet the cutoff for
    the offline queue) delay the RTR session start long enough for the session itself to die before the eventual
    command is properly issued. This should help eliminate cases of Invoke-FalconRtr "not doing anything"
    because a host cannot be added to the session and/or the results aren't returned quickly enough after
    the session begins.

New-FalconCloudGcpAccount

  • Updated to use new /cloud-connect-cspm-gcp/entities/account/v2:post endpoint.
  • Added ServiceAccountId, ClientId, ClientEmail, PrivateKey, PrivateKeyId, ProjectId, and
    ServiceAccountCondition.

New-FalconCloudAwsAccount

  • Added DspmEnabled and DspmRole.

New-FalconFileVantageRule

  • Added ContentRegistryValues, HashCapture and RegKeyPermission.

New-FalconSvExclusion

  • Added IsDescendentProcess.

New-FalconReconRule

  • Added BreachMonitorOnly.
  • Added OriginatingTemplateId.

Receive-FalconCloudAwsScript

  • Added OrganizationId, Template, Account, AccountType, AwsProfile, CustomRole, BehaviorAssessment,
    SensorManagement, and ExistingCloudtrail.

Receive-FalconCloudAzureScript

  • Added AzureManagementGroup.

Receive-FalconInstaller

  • Updated to use new v2 endpoint.

Register-FalconEventCollector

  • Updated to support Falcon NGSIEM HTTP Event Collector ingestion.

Remove-FalconContainerImage

  • Updated to use new /container-security/entities/base-images/v1:delete endpoint.

Remove-FalconSensorTag

  • Re-written to properly evaluate and remove specific tags across all OSes.
  • Added support for passing uninstallation token when removing tags on MacOS (and presumably Linux in the future).
  • Added properties to output to increase transparency in the use of RTR and the status of tag removal.

Request-FalconRegistryCredential

  • Removed mandatory requirement for SensorType and added a prompt if it is not present.
  • Added additional error messages to notify when token or expires_in is missing from a token request response.
  • Made various changes to ensure all token-related content was properly cached/retrieved from cache.

Request-FalconToken

  • Added us-gov-2 as Cloud and Hostname option.

Send-FalconEvent

  • Updated to support Falcon NGSIEM HTTP Event Collector ingestion.