2.2.9

[bk-cs]

Removed Commands

detects

• Edit-FalconDetection
• Get-FalconDetection

falcon-complete-dashboards

• Get-FalconCompleteDetection

New Commands

case-files

• Edit-FalconNgsCaseFile
• Get-FalconNgsCaseFile
• Receive-FalconNgsCaseFile
• Remove-FalconNgsCaseFile
• Send-FalconNgsCaseFile

casemgmt

• Edit-FalconNgsCaseNotificationGroup
• Edit-FalconNgsCaseSla
• Edit-FalconNgsCaseTemplate
• Get-FalconNgsCaseField
• Get-FalconNgsCaseNotificationGroup
• Get-FalconNgsCaseSla
• Get-FalconNgsCaseTemplate
• Get-FalconNgsCaseTemplateSnapshot
• New-FalconNgsCaseNotificationGroup
• New-FalconNgsCaseSla
• New-FalconNgsCaseTemplate
• Remove-FalconNgsCaseNotificationGroup
• Remove-FalconNgsCaseSla
• Remove-FalconNgsCaseTemplate

cases

• Add-FalconNgsCaseEvidence
• Add-FalconNgsCaseTag
• Edit-FalconNgsCase
• Get-FalconNgsCase
• New-FalconNgsCase
• Remove-FalconNgsCaseTag

correlation-rules

• Edit-FalconCorrelationRule
• New-FalconCorrelationRule

cloud-security-assets

• Get-FalconCloudAsset

fem

• Get-FalconSubsidiary
• New-FalconAsset
• Remove-FalconAsset

fwmgr

• Compare-FalconFirewallLocation

humio

• Receive-FalconNgsLookupFile

hunting

• Get-FalconCaoQuery

intel

• Receive-FalconMalwareFamilyAttck

it-automation

• Add-FalconItHostGroup
• Edit-FalconItPolicy
• Edit-FalconItScheduledTask
• Edit-FalconItTask
• Edit-FalconItTaskGroup
• Edit-FalconItUserGroup
• Get-FalconItFileTask
• Get-FalconItHostExecution
• Get-FalconItPolicy
• Get-FalconItScheduledTask
• Get-FalconItTask
• Get-FalconItTaskExecution
• Get-FalconItTaskExecutionSearch
• Get-FalconItTaskGroup
• Get-FalconItUserGroup
• Invoke-FalconItTask
• New-FalconItPolicy
• New-FalconItScheduledTask
• New-FalconItTask
• New-FalconItTaskGroup
• New-FalconItUserGroup
• Redo-FalconItTaskExecution
• Remove-FalconItHostGroup
• Remove-FalconItPolicy
• Remove-FalconItScheduledTask
• Remove-FalconItTask
• Remove-FalconItTaskGroup
• Remove-FalconItUserGroup
• Search-FalconItTaskExecution
• Set-FalconItPolicyPrecedence
• Stop-FalconItTaskExecution

ngsiem-content

• Edit-FalconNgsParser
• Get-FalconNgsDashboard
• Get-FalconNgsLookupFile
• Get-FalconNgsParser
• Get-FalconNgsSavedQuery
• New-FalconNgsParser
• Receive-FalconNgsDashboard
• Receive-FalconNgsParser
• Receive-FalconNgsSavedQuery
• Remove-FalconNgsDashboard
• Remove-FalconNgsLookupFile
• Remove-FalconNgsParser
• Remove-FalconNgsSavedQuery
• Send-FalconNgsDashboard
• Send-FalconNgsLookupFile
• Send-FalconNgsParser
• Send-FalconNgsSavedQuery
• Update-FalconNgsDashboard
• Update-FalconNgsLookupFile
• Update-FalconNgsSavedQuery

oauth2

• Show-FalconToken

policy-content-update

• Get-FalconContentVersion

policy-device-control

• Edit-FalconDeviceControlClass
• Edit-FalconDeviceControlNotification
• Get-FalconDeviceControlNotification

real-time-response

• Receive-FalconPutFile

Issues Resolved

• Issue [ BUG ] Invoke-FalconDeploy doesn't execute scripts specified in the File parameter #441: Added code to ensure that the final run step takes place when using File with Windows or Mac
  hosts. Previously, the run step was never reached because the extract step (only necessary when using the
  Archive and Run parameters) was not processed. Now that step will be effectively ignored when using the
  File parameter for Mac and Windows which should lead everything completing successfully.
• Issue [ BUG ] Import-FalconConfig fails to modify and ignores default SensorUpdatePolicy #444: Corrected use of HomeCid to properly evaluate policies to be modified when not in a Flight
  Control environment, along with errors related to variants and scheduler in SensorUpdatePolicy.
• Issue [ BUG ] Import-FalconConfig generates Cannot overwrite variable error #445: Solved with Import-FalconConfig re-write.
• Issue [ BUG ] Import-FalconConfig generates IoaRule or IoaGroup property-related error #446: Forced comment when creating/modifying IoaRule, and version when creating/modifying IoaGroup
  using Import-FalconConfig.
• Issue [ BUG ] Import-FalconConfig only creates Script for a single platform #447: Corrected Compare-ImportData under Import-FalconConfig to check both target CID and import files
  for possible platform values and ensure that Script (and other imports) check all available platform
  values.
• Issue [ BUG ] Remove-FalconSensorTag returns status TAG_NOT_PRESENT when attempting to delete only tag #450: Updated internal Invoke-TagScript function to properly remove single tag present on target host.
• Issue [ BUG ] Import-FalconConfig Prevention policy with multiple prevention policies using settings of first policy #453: Solved with Import-FalconConfig re-write.
• Issue [ BUG ] Flight Control - Import-FalconConfig CID check issue #454: Solved with Import-FalconConfig re-write.
• Issue [ BUG ] Import-FalconConfig creates invalid FirewallRule #455: Various bugfixes added to Edit-FalconFirewallGroup and New-FalconFirewallGroup to properly
  handle rules that have singule property values under property arrays.
• Issue [ BUG ] New-FalconIOC and Edit-FalconIOC Expiration parameter error #463: Corrected ValidatePattern for Expiration under Edit-FalconIoc and New-FalconIoc to only
  allow UTC ISO 8601.
• Issue [ BUG ] update_check.json denied when installed as administrator, can it be disabled? #470: Updated Invoke-UpdateCheck function to check for write access to module folder before attempting
  to create update_check.json.
• Issue [ BUG ] Edit-FalconIoc generates 400: Provided data does not match expected format error #479: Updated format.json to remove bulk_update fields which were causing errors with Edit-FalconIoc.

General Changes

• Updated default request timeout from 5m30s to 10m to allow for longer Send-FalconPutFile attempts.

Command Changes

Add-FalconRole

• Added ExpiresAt. Thanks @cr4shtest!

ConvertTo-FalconFirewallRule

• Added mandatory and optional fields.
• Changed output from [PSCustomObject[]] to [hashtable[]] to better support pipelining to
  New-FalconFirewallGroup.

ConvertTo-FalconIoaExclusion

• Updated to work with both detections and alerts.

ConvertTo-FalconMlExclusion

• Updated to work with both detections and alerts.

Copy-FalconDeviceControlPolicy

• Modified to work with updated Edit-FalconDeviceControlPolicy and New-FalconDeviceControlPolicy commands.

Edit-FalconAsset

• Added Triage.
• Renamed Comment to Description and modified help text for parameter.

Edit-FalconCertificateExclusion

• Renamed Cid to MemberCid. Corrected ValidatePattern to properly handle CCID values.

Edit-FalconCloudAwsAccount

• Added ClientId, DeploymentMethod, and RootStackId.

Edit-FalconDeviceControlPolicy

• Updated to use /policies/entities/device-control/v2:patch.
• Removed Default, Blocked, UseBlocked, Restricted, and UseRestricted.
• Added Propagated.

Edit-FalconFirewallLocation

• Modified parameters to accept values from pipeline by property name.
• Changed HttpsReachableHost and IcmpRequestTarget to handle pipelined objects instead of only strings.

Edit-FalconMlExclusion

• Added ExcludedFrom.

Export-FalconConfig

• Shortened output filename by removing seconds.
• Added FirewallLocation.
• If the relevant item is not specified in Select, now the command will only export assigned items instead
  of forcing all items of that type. For example, if PreventionPolicy is chosen, assigned HostGroup and
  IoaGroup will be included, instead of all HostGroup and IoaGroup items.

Find-FalconDuplicate

• Updated to use Field property with Get-FalconHost.

Find-FalconHostname

• Updated to use Field property with Get-FalconHost.

Get-FalconAlert

• Added /alerts/combined/alerts/v1:post when using Detailed and Filter.

Get-FalconAsset

• Updated to use new /fem/queries/external-assets/v2:get endpoint.

Get-FalconCompleteAlert

• Updated to use /falcon-complete-dashboards/queries/alerts/v2:get.

Get-FalconContainerCount

• Added Filter when using Resource: container and Type: count-by-registry

Get-FalconContentState

• Added maximum grouping of 100 Id values per request.

Get-FalconCorrelationRule

• Added ValidatePattern to Id.
• Updated to use /correlation-rules/queries/rules/v2:get and /correlation-rules/entities/rules/v2:get.

Get-FalconDeviceControlPolicy

• Updated to use /policy/entities/device-control/v2:get and removed Default parameter.

Get-FalconFirewallPlatform

• Removed ValidateSet to account for new platform values.

Get-FalconFirewallRule

• Corrected bug preventing submission of PolicyId value.

Get-FalconFoundrySearch

• Added JobStatusOnly.

Get-FalconHost

• Added /devices/combined/devices/v1:get and /devices/combined/devices-hidden/v1:get when using new Field
  parameter.
• Added error message when using Field with Include when device_id is not in Field list.
• Increased maximum limit to 10000 when using new endpoints (5000 for others).
• Added filesystem_containment_status values to Sort. Thanks @agent268!

Get-FalconMalwareFamily

• Added /intel/combined/malware/v1:get when using Detailed.
• Added Field.

Get-FalconRole

• Updated to use /user-management/combined/user-roles/v2:get and /user-management/entities/roles/GET/v2:post.

Get-FalconRule

• Added Type values cql-changelog, cql-master, and cql-update.

Get-FalconWorkflowAction

• Added Library switch to show all Fusion SOAR library actions.

Import-FalconConfig

• Re-wrote Import-FalconConfig. Cleaned up code and moved into functions for easier troubleshooting in the
  future.
• Added Select parameter to allow filtering of files used from import archive.
• Added All value to ModifyExisting and ModifyDefault.
• Modified to support updated Edit-FalconDeviceControlPolicy and New-FalconDeviceControlPolicy commands and
  new Edit-FalconDeviceControlClass command.
• Shortened output filename by removing seconds.
• Added support for FirewallLocation.
• Updated warning messaging related to existing items and their precedence.

Invoke-FalconContentPolicyAction

• Added override-allow', 'override-pause, override-revert, remove-pinned-content-version, and
  set-pinned-content-version actions.

Invoke-FalconHostAction

• Added lift_filesystem_containment_all to Name. Thanks @agent268!
• Added filesystem_containment_status to Include. Thanks @agent268!

Invoke-FalconIdentityGraph

• Updated looping for Invoke-FalconIdentityGraph to ensure hasNextPage is true before trying second page.
• Added code to properly support use of All switch with timeline results.

New-FalconCertificateExclusion

• Renamed Cid to MemberCid. Corrected ValidatePattern to properly handle CCID values.

New-FalconCloudAwsAccount

• Added ClientId, DeploymentMethod, and RootStackId.

New-FalconDeviceControlPolicy

• Updated to use /policies/entities/device-control/v2:post.

New-FalconFirewallLocation

• Modified parameters to accept values from pipeline by property name.
• Changed HttpsReachableHost and IcmpRequestTarget to handle pipelined objects instead of only strings.

New-FalconHostGroup

• Reduced submission size to 10 to help eliminate timeout related errors.

New-FalconScan

• Added CloudPupDetection and CloudPupPrevention.
• Set CpuPriority to mandatory.

New-FalconScheduledScan

• Added CloudPupDetection and CloudPupPrevention.
• Set CpuPriority to mandatory.

New-FalconSubmission

• Added Aid, AutoDetect, Browser, Interactivity, and SendEmail.
• Added values ubuntu20_x64 and win11_x64 to EnvironmentId.

Receive-FalconRule

• Added Type values cql-changelog, cql-master, and cql-update.

Remove-FalconCorrelationRule

• Added ValidatePattern to Id.
• Modified to remove specific rule versions by default instead of all versions.

Remove-FalconHostGroup

• Reduced submission size to 10 to help eliminate 500: Contact Support errors.

Show-FalconToken

• Renamed error message from no_authorization_request_made to no_access_request_made.

Test-FalconToken

• Renamed error message from no_authorization_request_made to no_access_request_made.

---

This discussion was created from the release 2.2.9.