[ BUG ] settings go missing when importing configurations
Describe the bug
Importing a configuration that was exported does not work correctly. When importing a custom prevention policy, no settings are imported. So every setting is set to false. Also, the groups section is not imported.
It will print this error message when importing a custom prevention policy:
Write-Result : [{"code":400,"message":"Prevention settings must specify an id"},{"code":400,"message":"Prevention settings must specify an id"},{"code":400,"message":"Prevention settings must specify an id"},{"code":400,"message":"Prevention settings must specify an id"},{"code":400,"message":"Prevention settings must specify an id"},{"code":400,"message":"Prevention settings must specify an id"},{"code":400,"message":"Prevention settings must specify an id"},{"code":400,"message":"Prevention settings must specify an id"},{"code":400,"message":"Prevention settings must specify an id"}]
With the debug option it is possible to see that the client sends the wrong data:
{"resources":[{"id":"----------------","settings":[{"id":null,"value":null},{"id":null,"value":null},{"id":null,"value":null},{"id":null,"value":null},{"id":null,"value":null},{"id":null,"value":null},{"id":null,"value":null},{"id":null,"value":null},{"id":null,"value":null}]}]}
To Reproduce
Export a configuration from a profile with custom settings and prevention policies, then delete these policies and import them back.
Expected behavior
It should import the configuration correctly, so when exporting the configuration again, there should be no major difference.
Environment (please complete the following information):
- OS: [Windows 10]
- PowerShell: [5.1.19041.1682]
- PSFalcon: [2.2.1]
- API Keys scopes: Custom IOA rules RW, Host groups RW, Prevention policies RW, Response policies RW, Sensor update policies RW
Thank you for the report. I've verified this bug and plan on fixing it in the next release. In the meantime, you can work around the problem by using the Import-FalconConfig command twice while using the ModifyExisting parameter during the second run:
Import-FalconConfig MyConfig.zip
Import-FalconConfig MyConfig.zip -ModifyExisting PreventionPolicy
Please let me know if this does not behave as expected.
Unfortunately it did not work: I received error messages for the second run. This is a part of them:
Import-FalconConfig : Das Argument für den Parameter "Id" kann nicht überprüft werden. Das Argument "f61XXXXc6 f61XXXXc6 " entspricht nicht dem Muster "^[a-fA-F0-9]{32}$". Geben
Sie ein Argument an, das "^[a-fA-F0-9]{32}$" entspricht, und führen Sie den Befehl erneut aus.
In C:\Users\ME\script.ps1:169 Zeichen:5
+ Import-FalconConfig -Path $ImportPath -ModifyExisting Prevention ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Import-FalconConfig
I believe I have fixed this issue. Can you try testing by replacing your Public\psf-config.ps1 file with the version below?
https://raw.githubusercontent.com/CrowdStrike/psfalcon/2.2.2/Public/psf-config.ps1
You will need to reload your PSFalcon module in order for the changes to take effect.
Closing issue--resolved in 2.2.2 release.