[ BUG ] New-FalconReconRule generating Invalid Request error with single rule #381

Open
jashley92 opened this issue Feb 12, 2024 · 4 comments
@jashley92

jashley92 commented Feb 12, 2024

Describe the bug
The documented examples for New-FalconReconRule generate an Invalid Request error

To Reproduce
Attempt to create a rule with New-FalconReconRule

Environment (please complete the following information):

  • OS: Windows 10, Server 2019
  • PowerShell: 5.1
  • PSFalcon: 2.2.5, 2.2.6

Additional context
Tried multiple different devices, multiple api keys

Transcript content

**********************
Windows PowerShell transcript start
Start time: 20240212143113
Username: [Domain]\[Redacted]
RunAs User: [Domain]\[Redacted]
Configuration Name:
Machine: [Server] (Microsoft Windows NT 10.0.17763.0)
Host Application: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe
Process ID: 8144
PSVersion: 5.1.17763.5202
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17763.5202
BuildVersion: 10.0.17763.5202
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Transcript started, output file is C:\Users\[Redacted]\Documents\PowerShell_transcript.[Server].b_zQgO6w.20240212143113.txt
PS C:\Users\[Redacted]> Show-FalconModule
 
 
PSVersion      : Desktop [5.1.17763.5202]
ModuleVersion  : v2.2.6 {d893eb9f-f6bb-4a40-9caf-aaff0e42acd1}
ModulePath     : C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.6
UserModulePath : C:\Users\[Redacted]\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;D:\Program Files (x86)\Microsoft SQL
                 Server\150\Tools\PowerShell\Modules\
UserHome       : C:\Users\[Redacted]
UserAgent      : crowdstrike-psfalcon/2.2.6
 
 
 
PS C:\Users\[Redacted]> New-FalconReconRule -Name "psfalcon_example_1" -Topic "SA_VIP" -Filter "phrase:'psfalcon_example_phrase'" -Priority "low" -Permission public -verbose
VERBOSE: 14:31:33 [New-FalconReconRule] /recon/entities/rules/v1:post
VERBOSE: 14:31:33 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/recon/entities/rules/v1
VERBOSE: 14:31:33 [ApiClient.Invoke] ContentType=application/json, Accept=application/json
VERBOSE: 14:31:33 [ApiClient.Invoke] {"filter":"phrase:\u0027psfalcon_example_phrase\u0027","priority":"low","name":"psfalcon_example_1","permissions":"public","topic":"SA_VIP"}
VERBOSE: 14:31:33 [ApiClient.Invoke] 400: BadRequest
VERBOSE: 14:31:33 [ApiClient.Invoke] Connection=keep-alive, Pragma=no-cache, Strict-Transport-Security=max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=cc8e0f9f-d06a-4e29-a892-08ad1dc05c3a, X-Frame-Options=SAMEORIGIN, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5841, Cache-Control=no-store, must-revalidate, no-cache, Date=Mon, 12 Feb 2024 19:31:33 GMT, Server=nginx
VERBOSE: 14:31:33 [Write-Result] query_time=0.000437981, powered_by=recon, trace_id=cc8e0f9f-d06a-4e29-a892-08ad1dc05c3a
Write-Result : {"code":400,"message":"Invalid request","message_key":"INVALID_REQUEST"}
At C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.6\private\Private.ps1:663 char:9
+         Write-Result $Object
+         ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (@{resources=Sys...ystem.Object[]}:PSObject) [Write-Result], Exception
    + FullyQualifiedErrorId : Write-Result
Write-Result : {"code":400,"message":"Invalid request","message_key":"INVALID_REQUEST"}
At C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.2.6\private\Private.ps1:663 char:9
+         Write-Result $Object
+         ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (@{resources=Sys...ystem.Object[]}:PSObject) [Write-Result], Exception
    + FullyQualifiedErrorId : Write-Result
 
PS C:\Users\[Redacted]> Stop-Transcript
**********************
Windows PowerShell transcript end
End time: 20240212143141
**********************
@jashley92 jashley92 added the bug Something isn't working label Feb 12, 2024
@jashley92
Author

Forgot to mention, API Key works when using API directly via Postman.

@bk-cs bk-cs changed the title [ BUG ] New-FalconReconRule not working [ BUG ] New-FalconReconRule generating Invalid Request error Feb 12, 2024
@bk-cs
Collaborator

bk-cs commented Feb 12, 2024

> Forgot to mention, API Key works when using API directly via Postman.

Thanks for the added detail! Are you submitting the same fields when creating the rule using Postman?

@bk-cs
Collaborator

bk-cs commented Feb 12, 2024

It appears that PSFalcon is incorrectly sending your single rule as an individual object, instead of forcing it into an array (expected by the API). You can work around the problem by creating your rule using the example below until I fix it:

[PSCustomObject]@{ filter = "phrase:'psfalcon_example_phrase'"; priority = 'low'; name = 'psfalcon_example_1'; permissions = 'public'; topic = 'SA_VIP' } | New-FalconReconRule

@bk-cs bk-cs changed the title [ BUG ] New-FalconReconRule generating Invalid Request error [ BUG ] New-FalconReconRule generating Invalid Request error with single rule Feb 13, 2024
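
An added illustration (not PSFalcon's code and not posted by anyone in this thread) of how one item can be serialized as a bare object instead of an array in Windows PowerShell 5.1, and a pre-send shape check. It assumes the cause is pipeline unrolling in front of `ConvertTo-Json`, which the thread does not confirm; `ConvertTo-JsonArray` and `Test-JsonArrayBody` are hypothetical helper names.

```powershell
# Added example; helper names are hypothetical, not PSFalcon functions.
# Rule fields are copied from the request body shown in the transcript.
$Rule = [PSCustomObject]@{
    filter      = "phrase:'psfalcon_example_phrase'"
    priority    = 'low'
    name        = 'psfalcon_example_1'
    permissions = 'public'
    topic       = 'SA_VIP'
}
# A second rule (constructed) to show why only single-rule requests are affected.
$Rule2 = $Rule.PSObject.Copy()
$Rule2.name = 'psfalcon_example_2'

# Pitfall: the pipeline unrolls a one-element array, so ConvertTo-Json
# sees a single object and serializes it without the enclosing brackets.
$Unrolled = @($Rule) | ConvertTo-Json -Compress

# With two or more items the cmdlet collects its pipeline input into an array,
# so the same code path produces the shape the API expects.
$Collected = @($Rule, $Rule2) | ConvertTo-Json -Compress

# Fix: hand the array to -InputObject so it is serialized as an array
# regardless of how many elements it holds.
function ConvertTo-JsonArray {
    param([Parameter(Mandatory)][object[]]$Item)
    ConvertTo-Json -InputObject @($Item) -Depth 8 -Compress
}

# Shape check to run before sending: the body must be a JSON array.
function Test-JsonArrayBody {
    param([Parameter(Mandatory)][string]$Json)
    $Json.TrimStart().StartsWith('[')
}

[PSCustomObject]@{
    UnrolledSingleIsArray = Test-JsonArrayBody $Unrolled
    PipedPairIsArray      = Test-JsonArrayBody $Collected
    WrappedSingleIsArray  = Test-JsonArrayBody (ConvertTo-JsonArray $Rule)
} | Format-List
```

PowerShell 7 and later also offer `ConvertTo-Json -AsArray` for the same purpose; that switch does not exist in 5.1, the version in this report.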
@jashley92
Author

Excellent! The workaround works perfectly. Thank you so much!
