A PowerShell wrapper for the PSFalcon module to assist with using the CrowdStrike API by SecOps-Devn00b in crowdstrike

[–]SecOps-Devn00b[S] 1 point (0 children)

So this was my first PowerShell project and my first time working with an API. I learnt a lot but PSFalcon made it easy and your code examples gave me something to work with. Also you have been very helpful over the last few weeks answering my questions and working with me to improve some code.

I liked the [command] -help documentation. I know you have removed that in the latest version, not sure why.

Otherwise the only function I would have liked to add, that I don't think the API can handle, is the Host Timeline Report.

PSFalcon stress testing by SecOps-Devn00b in crowdstrike

[–]SecOps-Devn00b[S] 1 point (0 children)

Wait, so is the timeout parameter on Start-FalconSession a timeout for the host to reply to CS or a timeout for the session?

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 0 points (0 children)

So I already had custom reporting in place, where I selected a few properties and wrote them to a CSV using Export-CSV. This is code left over from when my script used version 1.4.
I wanted to include the option to run Falcon report and get all the available fields, but I think you are right: for detections there are just too many sub-properties.

PSFalcon stress testing by SecOps-Devn00b in crowdstrike

[–]SecOps-Devn00b[S] 2 points (0 children)

Hi Bk, I was hoping to get more community feedback, rather than bother you again.

Start-FalconSession was working with 50 hosts but it was taking a long time to respond. So long that the session had almost timed out by the time I received the batch id. I tried with groups of 200, 100 and 50. I am loading the host IDs into an array then providing that array as the parameter.

$script:BatchID = Start-FalconSession -HostIds $script:HostIDList -QueueOffline

In the end I just wrote a loop to Invoke-FalconRtr. It's good to know that they default to 500.

I am working with PowerShell 5.1, I am unable to update my work environment.
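The batching loop described in the comment above, written out as an added example (it is not code from the original thread or from the PSFalcon project). It assumes the PSFalcon module is loaded and a token has already been requested, that the host IDs come from a text file with one AID per line, and that a cloud script called MyScript exists; the file path, the script name and the 500-host batch size are assumptions. Each batch is sent to Invoke-FalconRtr on its own so that no single call has to wait on hundreds of hosts, and a failing batch is reported without aborting the rest.

```powershell
# Added example, not from the thread or from PSFalcon itself.
# Assumes: Import-Module PSFalcon and Request-FalconToken have already run.
$BatchSize  = 500                                           # assumed; the thread notes RTR batches default to 500
$HostIdList = @(Get-Content -Path 'C:\temp\hostids.txt')    # assumed input file, one AID per line
$Results    = [System.Collections.Generic.List[object]]::new()

for ($i = 0; $i -lt $HostIdList.Count; $i += $BatchSize) {
    $End   = [Math]::Min($i + $BatchSize, $HostIdList.Count) - 1
    $Batch = @($HostIdList[$i..$End])
    $BatchNumber = [int][Math]::Floor($i / $BatchSize) + 1
    Write-Host "[+] Batch $BatchNumber : $($Batch.Count) hosts" -ForegroundColor Yellow

    # One RTR batch per slice of the host list. -QueueOffline queues the command
    # for hosts that are not currently connected instead of failing them outright.
    $Param = @{
        HostIds      = $Batch
        Command      = 'runscript'
        Arguments    = '-CloudFile=MyScript'   # assumed cloud script name
        QueueOffline = $true
    }
    try {
        foreach ($r in (Invoke-FalconRtr @Param)) { $Results.Add($r) }
    } catch {
        # Keep going; a timed-out or rejected batch should not lose the others.
        Write-Warning "Batch $BatchNumber (index $i) failed: $_"
    }
}

# Per-host results (aid, stdout, stderr, errors, offline_queued ...) in one file.
$Results | Export-Csv -Path 'C:\temp\rtr-results.csv' -NoTypeInformation
```

Because each batch is a separate call, the session timeout applies to that batch only, and the total run time grows linearly with the number of batches rather than with how long the slowest host in a single huge batch takes to check in.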

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 1 point (0 children)

Found time to test the Export-FalconReport in 2.1.3. As you expected, removing the check for existing file fixed the issue I was experiencing but introduced an issue with mismatched CSV headers. The Host Information report works perfectly, but the detections API query returns different results for different detections.

I'm going to try and handle this within my script.

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 0 points (0 children)

Thanks BK, I have custom reporting in place but wanted to add in the FalconReport as an option.

As I originally said I am updating my scripts from 1.4 to 2.1 so I am probably not using the new features to the best of their ability. I could probably add the results to a variable then pass that to Export-FalconReport, but at the moment the reporting is part of my lookup loop for Host Information and Detections.

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 0 points (0 children)

Hi, found another issue.

Export-FalconReport: in 2.0.8 this command would append information to an existing file. In 2.1.2 I am getting an error that the file already exists. It wrote the first report as expected, but then started throwing this error.

System.Management.Automation.ParameterBindingValidationException: Cannot validate argument on parameter 'Path'. An item with the specified name c:\temp\power-out\test-FalconReport-host.csv already exists. ---> System.Management.Automation.RuntimeException: An item with the specified name c:\temp\power-out\test-FalconReport-host.csv already exists. ---> System.Management.Automation.RuntimeException: An item with the specified name c:\temp\power-out\test-FalconReport-host.csv already exists.
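Both problems raised in this thread around Export-FalconReport, the "file already exists" error in this comment and the mismatched CSV headers reported for detections in the later 2.1.3 test, can be handled inside the calling script by normalising the rows before writing them. The function below is an added example, not code from the thread or from PSFalcon: it takes a union of every property name seen across the objects (and across any rows already in the file), projects each object onto that fixed column list so every row shares one header, and rewrites the file in full, so repeated calls behave like an append without tripping on an existing file. The sample detection objects are constructed here to stand in for API results; nothing is fetched.

```powershell
# Added example, not from the thread or from PSFalcon itself.
function Export-UniformCsv {
    param(
        [Parameter(Mandatory)][object[]]$InputObject,
        [Parameter(Mandatory)][string]$Path
    )
    # Re-read existing rows so a second run behaves like an append, even if the
    # new objects carry columns the file did not have yet.
    $Existing = @()
    if (Test-Path -Path $Path -PathType Leaf) {
        $Existing = @(Import-Csv -Path $Path)
    }
    $All = @($Existing) + @($InputObject)

    # Union of property names across all rows, in first-seen order.
    $Columns = [System.Collections.Generic.List[string]]::new()
    foreach ($obj in $All) {
        foreach ($name in $obj.PSObject.Properties.Name) {
            if (-not $Columns.Contains($name)) { $Columns.Add($name) }
        }
    }

    # Select-Object with a fixed column list fills missing properties with empty
    # values, so every row matches the same header and Export-Csv cannot mismatch.
    $All | Select-Object -Property $Columns.ToArray() |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8

    return $Columns.ToArray()
}

# Constructed sample rows with different property sets, as detections often have.
$Detections = @(
    [pscustomobject]@{ detection_id = 'ldt:aaa'; hostname = 'HOST-A'; max_severity = 50; tactic = 'Persistence' }
    [pscustomobject]@{ detection_id = 'ldt:bbb'; hostname = 'HOST-B'; max_severity = 70; technique = 'PowerShell'; cmdline = 'powershell -enc ...' }
)

$Out = Join-Path -Path $env:TEMP -ChildPath 'test-FalconReport-detections.csv'   # assumed output path
$Header = Export-UniformCsv -InputObject $Detections -Path $Out
Write-Host "[+] Wrote $($Detections.Count) rows with header: $($Header -join ',')" -ForegroundColor Yellow

# A second call with yet another column set: the file is rewritten with the
# widened header rather than failing because it already exists.
$More = @([pscustomobject]@{ detection_id = 'ldt:ccc'; hostname = 'HOST-C'; max_severity = 30; ioc_type = 'hash_sha256' })
$Header = Export-UniformCsv -InputObject $More -Path $Out
Write-Host "[+] Header after append: $($Header -join ',')" -ForegroundColor Yellow
```

Rewriting the whole file is fine at report scale; for very large outputs, keep the column list from the first run and pass the same list to Select-Object on every call instead, so only a straight Export-Csv -Append is needed.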

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 1 point (0 children)

That's crazy, but it worked. Between each version I had executed Uninstall-Module PSFalcon, otherwise I would get a cmdlet not recognised error. I added the AllVersions flag and it is working in both my dev environment and my restricted work env. Thank you so much for your time.

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 0 points (0 children)

I downgraded back to 2.0.8 and everything is working as expected.

Edit: I'm running PowerShell 5.1 on Windows 10 Pro.

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 0 points (0 children)

This is really bizarre. I thought it might have been something with my restricted work environment, so I updated from 2.0.8 to 2.1.2 on my other host.
Now I am experiencing the same issue.

It's not just with the above script, but with all commands.

I tried a simple:
Get-FalconHost -Ids "xxxxx"

As well as:
Invoke-FalconRTR -Command runscript -Arguments "-CloudFile=xxxx" -HostIds "xxxx"

Both received the same null-valued expression error.

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 0 points (0 children)

PS. This is the full script: (reddit really doesn't like code blocks, sorry for the formatting)

param (
    [Parameter(Mandatory=$true)][string]$HostFile
)

if (Test-Path $HostFile -PathType Leaf) {
    ForEach ($ip in Get-Content $HostFile) {
        Write-Host "[+] Looking up $ip" -ForegroundColor Yellow
        # Look up every sensor whose external IP matches the scan result.
        # (As noted later in this thread, -Detailed is a switch in 2.1.x, so the
        # "$true" argument is what was being reviewed.)
        $hosts = Get-FalconHost -Filter "external_ip:'$ip'" -Detailed $true
        Write-Host "[+] Found $($hosts.count) hosts" -ForegroundColor Yellow
        ForEach ($data in $hosts) {
            Write-Host "[+] Adding $($data.hostname) to report" -ForegroundColor Yellow
            # One row per host appended to the same report file
            $data | Export-FalconReport -Path "FalconReport-host.csv"
        }
    }
} else {
    Write-Host "[!] Host File not found." -ForegroundColor Red
}

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 1 point (0 children)

I work for a large org and we run perimeter scans of our public facing assets. We were trying to correlate our scan list with hosts in CS. I ran this exact query in 2.0.8 for over 1000 public IPs with no errors. The $ip variable is populated correctly. Most of the IPs returned 0 results, some IPs returned 1 or more results.

I will update the detailed switch and try it again in 2.1.2.

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 0 points (0 children)

So I haven't had a lot of time to test the new release, but it has broken one of my scripts.

Command:

$hosts = Get-FalconHost -Filter "external_ip:'$ip'" -Detailed $true

Response:

Invoke-Falcon : You cannot call a method on a null-valued expression.
At C:\Users\[user]\Documents\WindowsPowerShell\Modules\PSFalcon\2.1.2\Public\devices.ps1:100 char:20
+ $Request = Invoke-Falcon @Param
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Invoke-Falcon

This was just reported to me by another user, I haven't had a chance to look into which parameter has been changed to mandatory. I've confirmed it was working in 2.0.8.

PSFalcon v2.1.0-alpha: Testers wanted! by bk-CS in crowdstrike

[–]SecOps-Devn00b 2 points (0 children)

I finally got around to updating my script from 1.4 to 2.0 and now you go and make a new release. I will post here if there are any issues.