PSFalcon

2.2.2

Public/psf-devices.ps1

                                function Find-FalconDuplicate {

<#

.SYNOPSIS

Find potential duplicate hosts within your Falcon environment

.DESCRIPTION

Requires 'Hosts: Read'.

If the 'Hosts' parameter is not provided, all Host information will be retrieved. An error will be

displayed if required fields 'cid', 'device_id', 'first_seen', 'last_seen', 'hostname' and any defined

'filter' value are not present.

Hosts are grouped by 'cid', 'hostname' and any defined 'filter' values, then sorted by 'last_seen' time. Any

result other than the one with the most recent 'last_seen' time is considered a duplicate host and is returned

within the output.

Hosts can be hidden from the Falcon console by piping the results of 'Find-FalconDuplicate' to

'Invoke-FalconHostAction' using the action 'hide_host'.

.PARAMETER Hosts

Array of detailed Host results

.PARAMETER Filter

Property to determine duplicate Host in addition to 'Hostname'

.LINK

https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management

#>

    [CmdletBinding(SupportsShouldProcess)]

    param(

        [Parameter(Position=1)]

        [object[]]$Hosts,

        [Parameter(Position=2)]

        [ValidateSet('external_ip','local_ip','mac_address','os_version','platform_name','serial_number',

            IgnoreCase=$false)]

        [string[]]$Filter

    )

    begin {

        function Group-Selection ($Object,$GroupBy) {

            ($Object | Group-Object $GroupBy).Where({ $_.Count -gt 1 -and $_.Name }).foreach{

                $_.Group | Sort-Object last_seen | Select-Object -First ($_.Count - 1)

            }

        }

        # Comparison criteria and required properties for host results

        [string[]]$Criteria = 'cid','hostname'

        [string[]]$Required = 'cid','device_id','first_seen','last_seen','hostname'

        if ($PSBoundParameters.Filter) {

            $Criteria = $Criteria + $PSBoundParameters.Filter

            $Required = $Required + $PSBoundParameters.Filter

        }

        # Create filter for excluding results with empty $Criteria values

        $FilterScript = "$(($Criteria).foreach{ "`$_.$($_)" } -join ' -and ')"

    }

    process {

        [object[]]$HostArray = if (!$PSBoundParameters.Hosts) {

            # Retreive Host details

            Get-FalconHost -Detailed -All

        } else {

            $PSBoundParameters.Hosts

        }

        if ($HostArray) {

            @($Required).foreach{

                if (($HostArray | Get-Member -MemberType NoteProperty).Name -notcontains $_) {

                    # Verify required properties are present

                    throw "Missing required property '$_'."

                }

            }

            # Group, sort and output result

            $Param = @{

                Object = $HostArray | Select-Object $Required | Where-Object -FilterScript {$FilterScript}

                GroupBy = $Criteria

            }

            $Output = Group-Selection @Param

            if ($Output) { $Output } else { Write-Warning "No duplicates found." }

        }

    }

}

function Find-FalconHostname {

<#

.SYNOPSIS

Find hosts using a list of hostnames

.DESCRIPTION

Requires 'Hosts: Read'.

Performs an exact-match hostname search in groups of 20.

.PARAMETER Array

An array containing one or more hostnames

.PARAMETER Path

Path to a plaintext file containing hostnames

.LINK

https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management

#>

    [CmdletBinding(DefaultParameterSetName='Path',SupportsShouldProcess)]

    param(

        [Parameter(ParameterSetName='Path',Mandatory,Position=1)]

        [ValidateScript({

            if (Test-Path $_ -PathType Leaf) {

                $true

            } else {

                throw "Cannot find path '$_' because it does not exist."

            }

        })]

        [string]$Path,

        [Parameter(ParameterSetName='Array',Mandatory,ValueFromPipeline)]

        [string[]]$Array

    )

    begin {

        if ($Path) {

            [string]$Path = $Script:Falcon.Api.Path($Path)

        } else {

            [System.Collections.Generic.List[string]]$List = @()

        }

    }

    process { if ($Array) { @($Array).foreach{ $List.Add($_) }}}

    end {

        [string[]]$Hostnames = if ($List) {

            $List | Select-Object -Unique

        } else {

            (Get-Content -Path $Path).Normalize() | Select-Object -Unique

        }

        for ($i = 0; $i -lt ($Hostnames | Measure-Object).Count; $i += 20) {

            [string[]]$TempList = $Hostnames[$i..($i + 19)]

            [string]$Filter = (@($TempList).foreach{

                if (![string]::IsNullOrEmpty($_)) { "hostname:['$_']" }

            }) -join ','

            [object[]]$HostList = Get-FalconHost -Filter $Filter -Detailed | Select-Object hostname,device_id

            @($TempList).foreach{

                if ($HostList.hostname -notcontains $_) {

                    Write-Warning "[Find-FalconHostname] No match found for '$_'."

                }

            }

            if ($HostList) { $HostList }

        }

    }

}