2.2.9

@bk-cs released this 13 Sep 00:56
b5f3774

Removed Commands

detects

  • Edit-FalconDetection
  • Get-FalconDetection

falcon-complete-dashboards

  • Get-FalconCompleteDetection

New Commands

case-files

  • Edit-FalconNgsCaseFile
  • Get-FalconNgsCaseFile
  • Receive-FalconNgsCaseFile
  • Remove-FalconNgsCaseFile
  • Send-FalconNgsCaseFile

casemgmt

  • Edit-FalconNgsCaseNotificationGroup
  • Edit-FalconNgsCaseSla
  • Edit-FalconNgsCaseTemplate
  • Get-FalconNgsCaseField
  • Get-FalconNgsCaseNotificationGroup
  • Get-FalconNgsCaseSla
  • Get-FalconNgsCaseTemplate
  • Get-FalconNgsCaseTemplateSnapshot
  • New-FalconNgsCaseNotificationGroup
  • New-FalconNgsCaseSla
  • New-FalconNgsCaseTemplate
  • Remove-FalconNgsCaseNotificationGroup
  • Remove-FalconNgsCaseSla
  • Remove-FalconNgsCaseTemplate

cases

  • Add-FalconNgsCaseEvidence
  • Add-FalconNgsCaseTag
  • Edit-FalconNgsCase
  • Get-FalconNgsCase
  • New-FalconNgsCase
  • Remove-FalconNgsCaseTag

correlation-rules

  • Edit-FalconCorrelationRule
  • New-FalconCorrelationRule

cloud-security-assets

  • Get-FalconCloudAsset

fem

  • Get-FalconSubsidiary
  • New-FalconAsset
  • Remove-FalconAsset

fwmgr

  • Compare-FalconFirewallLocation

humio

  • Receive-FalconNgsLookupFile

hunting

  • Get-FalconCaoQuery

intel

  • Receive-FalconMalwareFamilyAttck

it-automation

  • Add-FalconItHostGroup
  • Edit-FalconItPolicy
  • Edit-FalconItScheduledTask
  • Edit-FalconItTask
  • Edit-FalconItTaskGroup
  • Edit-FalconItUserGroup
  • Get-FalconItFileTask
  • Get-FalconItHostExecution
  • Get-FalconItPolicy
  • Get-FalconItScheduledTask
  • Get-FalconItTask
  • Get-FalconItTaskExecution
  • Get-FalconItTaskExecutionSearch
  • Get-FalconItTaskGroup
  • Get-FalconItUserGroup
  • Invoke-FalconItTask
  • New-FalconItPolicy
  • New-FalconItScheduledTask
  • New-FalconItTask
  • New-FalconItTaskGroup
  • New-FalconItUserGroup
  • Redo-FalconItTaskExecution
  • Remove-FalconItHostGroup
  • Remove-FalconItPolicy
  • Remove-FalconItScheduledTask
  • Remove-FalconItTask
  • Remove-FalconItTaskGroup
  • Remove-FalconItUserGroup
  • Search-FalconItTaskExecution
  • Set-FalconItPolicyPrecedence
  • Stop-FalconItTaskExecution

ngsiem-content

  • Edit-FalconNgsParser
  • Get-FalconNgsDashboard
  • Get-FalconNgsLookupFile
  • Get-FalconNgsParser
  • Get-FalconNgsSavedQuery
  • New-FalconNgsParser
  • Receive-FalconNgsDashboard
  • Receive-FalconNgsParser
  • Receive-FalconNgsSavedQuery
  • Remove-FalconNgsDashboard
  • Remove-FalconNgsLookupFile
  • Remove-FalconNgsParser
  • Remove-FalconNgsSavedQuery
  • Send-FalconNgsDashboard
  • Send-FalconNgsLookupFile
  • Send-FalconNgsParser
  • Send-FalconNgsSavedQuery
  • Update-FalconNgsDashboard
  • Update-FalconNgsLookupFile
  • Update-FalconNgsSavedQuery

oauth2

  • Show-FalconToken

policy-content-update

  • Get-FalconContentVersion

policy-device-control

  • Edit-FalconDeviceControlClass
  • Edit-FalconDeviceControlNotification
  • Get-FalconDeviceControlNotification

real-time-response

  • Receive-FalconPutFile

Issues Resolved

  • Issue #441: Added code to ensure that the final run step takes place when using File with Windows or Mac
    hosts. Previously, the run step was never reached because the extract step (only necessary when using the
    Archive and Run parameters) was not processed. That step is now effectively ignored when using the
    File parameter for Mac and Windows, which should lead to everything completing successfully.
  • Issue #444: Corrected use of HomeCid to properly evaluate policies to be modified when not in a Flight
    Control environment, along with errors related to variants and scheduler in SensorUpdatePolicy.
  • Issue #445: Solved with Import-FalconConfig re-write.
  • Issue #446: Forced comment when creating/modifying IoaRule, and version when creating/modifying IoaGroup
    using Import-FalconConfig.
  • Issue #447: Corrected Compare-ImportData under Import-FalconConfig to check both target CID and import files
    for possible platform values and ensure that Script (and other imports) check all available platform
    values.
  • Issue #450: Updated internal Invoke-TagScript function to properly remove single tag present on target host.
  • Issue #453: Solved with Import-FalconConfig re-write.
  • Issue #454: Solved with Import-FalconConfig re-write.
  • Issue #455: Various bugfixes added to Edit-FalconFirewallGroup and New-FalconFirewallGroup to properly
    handle rules that have single property values under property arrays.
  • Issue #463: Corrected ValidatePattern for Expiration under Edit-FalconIoc and New-FalconIoc to only
    allow UTC ISO 8601.
  • Issue #470: Updated Invoke-UpdateCheck function to check for write access to module folder before attempting
    to create update_check.json.
  • Issue #479: Updated format.json to remove bulk_update fields which were causing errors with Edit-FalconIoc.

General Changes

  • Updated default request timeout from 5m30s to 10m to allow for longer Send-FalconPutFile attempts.

Command Changes

Add-FalconRole

ConvertTo-FalconFirewallRule

  • Added mandatory and optional fields.
  • Changed output from [PSCustomObject[]] to [hashtable[]] to better support pipelining to
    New-FalconFirewallGroup.

ConvertTo-FalconIoaExclusion

  • Updated to work with both detections and alerts.

ConvertTo-FalconMlExclusion

  • Updated to work with both detections and alerts.

Copy-FalconDeviceControlPolicy

  • Modified to work with updated Edit-FalconDeviceControlPolicy and New-FalconDeviceControlPolicy commands.

Edit-FalconAsset

  • Added Triage.
  • Renamed Comment to Description and modified help text for parameter.

Edit-FalconCertificateExclusion

  • Renamed Cid to MemberCid. Corrected ValidatePattern to properly handle CCID values.

Edit-FalconCloudAwsAccount

  • Added ClientId, DeploymentMethod, and RootStackId.

Edit-FalconDeviceControlPolicy

  • Updated to use /policies/entities/device-control/v2:patch.
  • Removed Default, Blocked, UseBlocked, Restricted, and UseRestricted.
  • Added Propagated.

Edit-FalconFirewallLocation

  • Modified parameters to accept values from pipeline by property name.
  • Changed HttpsReachableHost and IcmpRequestTarget to handle pipelined objects instead of only strings.

Edit-FalconMlExclusion

  • Added ExcludedFrom.

Export-FalconConfig

  • Shortened output filename by removing seconds.
  • Added FirewallLocation.
  • If the relevant item is not specified in Select, now the command will only export assigned items instead
    of forcing all items of that type. For example, if PreventionPolicy is chosen, assigned HostGroup and
    IoaGroup will be included, instead of all HostGroup and IoaGroup items.

Find-FalconDuplicate

  • Updated to use Field property with Get-FalconHost.

Find-FalconHostname

  • Updated to use Field property with Get-FalconHost.

Get-FalconAlert

  • Added /alerts/combined/alerts/v1:post when using Detailed and Filter.

Get-FalconAsset

  • Updated to use new /fem/queries/external-assets/v2:get endpoint.

Get-FalconCompleteAlert

  • Updated to use /falcon-complete-dashboards/queries/alerts/v2:get.

Get-FalconContainerCount

  • Added Filter when using Resource: container and Type: count-by-registry.

Get-FalconContentState

  • Added maximum grouping of 100 Id values per request.

Get-FalconCorrelationRule

  • Added ValidatePattern to Id.
  • Updated to use /correlation-rules/queries/rules/v2:get and /correlation-rules/entities/rules/v2:get.

Get-FalconDeviceControlPolicy

  • Updated to use /policy/entities/device-control/v2:get and removed Default parameter.

Get-FalconFirewallPlatform

  • Removed ValidateSet to account for new platform values.

Get-FalconFirewallRule

  • Corrected bug preventing submission of PolicyId value.

Get-FalconFoundrySearch

  • Added JobStatusOnly.

Get-FalconHost

  • Added /devices/combined/devices/v1:get and /devices/combined/devices-hidden/v1:get when using new Field
    parameter.
  • Added error message when using Field with Include when device_id is not in Field list.
  • Increased maximum limit to 10000 when using new endpoints (5000 for others).
  • Added filesystem_containment_status values to Sort. Thanks @agent268!

Get-FalconMalwareFamily

  • Added /intel/combined/malware/v1:get when using Detailed.
  • Added Field.

Get-FalconRole

  • Updated to use /user-management/combined/user-roles/v2:get and /user-management/entities/roles/GET/v2:post.

Get-FalconRule

  • Added Type values cql-changelog, cql-master, and cql-update.

Get-FalconWorkflowAction

  • Added Library switch to show all Fusion SOAR library actions.

Import-FalconConfig

  • Re-wrote Import-FalconConfig. Cleaned up code and moved into functions for easier troubleshooting in the
    future.
  • Added Select parameter to allow filtering of files used from import archive.
  • Added All value to ModifyExisting and ModifyDefault.
  • Modified to support updated Edit-FalconDeviceControlPolicy and New-FalconDeviceControlPolicy commands and
    new Edit-FalconDeviceControlClass command.
  • Shortened output filename by removing seconds.
  • Added support for FirewallLocation.
  • Updated warning messaging related to existing items and their precedence.

Invoke-FalconContentPolicyAction

  • Added override-allow, override-pause, override-revert, remove-pinned-content-version, and
    set-pinned-content-version actions.

Invoke-FalconHostAction

  • Added lift_filesystem_containment_all to Name. Thanks @agent268!
  • Added filesystem_containment_status to Include. Thanks @agent268!

Invoke-FalconIdentityGraph

  • Updated looping for Invoke-FalconIdentityGraph to ensure hasNextPage is true before trying second page.
  • Added code to properly support use of All switch with timeline results.

New-FalconCertificateExclusion

  • Renamed Cid to MemberCid. Corrected ValidatePattern to properly handle CCID values.

New-FalconCloudAwsAccount

  • Added ClientId, DeploymentMethod, and RootStackId.

New-FalconDeviceControlPolicy

  • Updated to use /policies/entities/device-control/v2:post.

New-FalconFirewallLocation

  • Modified parameters to accept values from pipeline by property name.
  • Changed HttpsReachableHost and IcmpRequestTarget to handle pipelined objects instead of only strings.

New-FalconHostGroup

  • Reduced submission size to 10 to help eliminate timeout related errors.

New-FalconScan

  • Added CloudPupDetection and CloudPupPrevention.
  • Set CpuPriority to mandatory.

New-FalconScheduledScan

  • Added CloudPupDetection and CloudPupPrevention.
  • Set CpuPriority to mandatory.

New-FalconSubmission

  • Added Aid, AutoDetect, Browser, Interactivity, and SendEmail.
  • Added values ubuntu20_x64 and win11_x64 to EnvironmentId.

Receive-FalconRule

  • Added Type values cql-changelog, cql-master, and cql-update.

Remove-FalconCorrelationRule

  • Added ValidatePattern to Id.
  • Modified to remove specific rule versions by default instead of all versions.

Remove-FalconHostGroup

  • Reduced submission size to 10 to help eliminate 500: Contact Support errors.

Show-FalconToken

  • Renamed error message from no_authorization_request_made to no_access_request_made.

Test-FalconToken

  • Renamed error message from no_authorization_request_made to no_access_request_made.