psfalcon icon indicating copy to clipboard operation
psfalcon copied to clipboard
verified publisher icon CrowdStrike

Discover - Get-FalconAsset fills blank field with predecessor value

Open TG-Lear opened this issue 3 years ago • 8 comments

Hello, when running the following command for exporting Unmanaged Assets to a .csv, the hostname value of a predecessor asset is filled into the hostname field of an asset that has no hostname. I have experienced the same with PSFalcon versions 2.1.8 and 2.1.9. I also tried the newest release 2.2.0 but that returns inaccurate numbers - it exports only 235 assets instead of 1200+ unmanaged assets when using the -Detailed parameter.

Get-FalconAsset -Detailed -All -Filter "entity_type:*'unmanaged'+last_seen_timestamp:>'Last 1 days'+discoverer_count:>10" | Export-FalconReport .\Unmanaged4.csv

Thank you!

TG-Lear avatar May 06 '22 09:05 TG-Lear

  • Could you provide an example CSV?
  • Could you provide a transcript from running the commands? Please include $VerbosePreference = 'Continue' to ensure that the API calls are shown.
  • Do you experience the same hostname behavior when looking at the devices directly in PowerShell, instead of the CSV output?

bk-cs avatar May 06 '22 17:05 bk-cs

Please find attached an example csv file and also the PS transcript. I don’t experience the same hostname behavior when running the command without csv output. It simply does not have that attribute hostname listed for systems that do not have a hostname.

TG-Lear avatar May 09 '22 12:05 TG-Lear

Sorry, attaching via email didn't work properly. Is there another method you could use to host the output?

Thus far I've been unable to reproduce this issue. Until I figure it out, could you export to Json instead? Or, if it needs to be CSV, try using the PowerShell Export-Csv command.

bk-cs avatar May 09 '22 15:05 bk-cs

Can you try the following?

  • Copy the contents of this file: https://raw.githubusercontent.com/CrowdStrike/psfalcon/2.2.1/Public/psf-output.ps1
  • Replace your local copy of Public\psf-output.ps1 with those contents
  • Restart PowerShell, re-import PSFalcon and re-test

I've made a few tweaks to Export-FalconReport in v2.2.1 which might have a positive impact on your problem.

bk-cs avatar May 09 '22 18:05 bk-cs

Sorry for the late reply. I followed your instructions below and the result is that PowerShell throws error for the lines 66 and 95 as follows:

Set-Property : The term 'Set-Property' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\PSFalcon219\psfalcon-2.1.9\Public\psf-output.ps1:66 char:21

  •                 Set-Property @SetParam

  •                 ~~~~~~~~~~~~
    • CategoryInfo : ObjectNotFound: (Set-Property:String) [], CommandNotFoundException
    • FullyQualifiedErrorId : CommandNotFoundException

Set-Property : The term 'Set-Property' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\PSFalcon219\psfalcon-2.1.9\Public\psf-output.ps1:95 char:21

  •                 Set-Property @SetParam

  •                 ~~~~~~~~~~~~
    • CategoryInfo : ObjectNotFound: (Set-Property:String) [], CommandNotFoundException
    • FullyQualifiedErrorId : CommandNotFoundException

I have also tried the PowerShell native Export-csv command which resulted in some attributes not being exported.

TG-Lear avatar May 10 '22 12:05 TG-Lear

Set-Property is a function used by PSFalcon v2.2.0, but the error is coming from v2.1.9. It looks like you may have more than one version of PSFalcon on your system and things may not be correctly importing. I recommend removing all copies of PSFalcon and re-installing v2.2.0:

Uninstall-Module -Name PSFalcon -AllVersions
Install-Module -Name PSFalcon -Scope CurrentUser
Import-Module -Name PSFalcon

Once that is complete, can you try doing your export again and let me know if there are still issues?

bk-cs avatar May 10 '22 14:05 bk-cs

Oh OK, I got your point. But if you remember – I ran into another issue with PSFalcon v2.2.0 where it seems to hit some limitations and the export stops at 220 rows or 532KB. So I didn’t have the opportunity to compare it to results from the CS console and decided to go with v2.1.9.

However, let’s focus on getting it solved in v2.2.0. As described above, it seems to hit some limit in the export to a csv file and after that simply continues printing the output in the PowerShell command prompt.

We can schedule a meeting if you want me to show it.

TG-Lear avatar May 11 '22 11:05 TG-Lear

Oh OK, I got your point. But if you remember – I ran into another issue with PSFalcon v2.2.0 where it seems to hit some limitations and the export stops at 220 rows or 532KB. So I didn’t have the opportunity to compare it to results from the CS console and decided to go with v2.1.9. However, let’s focus on getting it solved in v2.2.0. As described above, it seems to hit some limit in the export to a csv file and after that simply continues printing the output in the PowerShell command prompt.

There were changes for the 'Export-FalconReport' function in the Public\psf-output.ps1 file linked above. I expected it to help with your CSV export issue. Does your reply mean that it still has the same behavior?

bk-cs avatar Jun 13 '22 15:06 bk-cs

Closing ticket due to lack of response. Unable to replicate issue.

bk-cs avatar Aug 24 '22 19:08 bk-cs