How to import IoaGroup activate and assign to prevention policy

[mbonne]

How can we import IoaGroup from our MSSP CID 'master' into new CID which only has the Prevention Policies from "Your MSSP" pushed down to it.

Reading through the docs:
https://github.com/CrowdStrike/psfalcon/wiki/Import-FalconConfig

Have tried both:
AssignExisting and ModifyExisting parameters to try and import the Custom IoaGroup and have it applied to the same prevention plan name in the target as it is in source/master CID

But I can only get the IoaGroup to be added, not the Prevention policy assigned the same as in the 'master' CID.
Error received during the command suggesting there is an issue. I have no idea why though.

The Export and import is specifically IoaGroup.

Terminal output below:

PS /Users/userName/CrowdStrike/Scripted_Tasks> Import-FalconConfig -Path ./FalconConfig_20231003T1704113892.zip -ModifyExisting PreventionPolicy,IoaGroup
[Import-FalconConfig] Imported from /Users/userName/CrowdStrike/Scripted_Tasks/FalconConfig_20231003T1704113892.zip: IoaGroup, PreventionPolicy.
[Import-FalconConfig] Retrieving 'IoaGroup'...
[Import-FalconConfig] Retrieving 'PreventionPolicy'...
[Import-FalconConfig] Created mac IoaGroup 'macOS IOC'.
[Import-FalconConfig] Created IoaRule 'name1'.
[Import-FalconConfig] Created IoaRule 'name2'.
[Import-FalconConfig] Created IoaRule 'name3'.
[Import-FalconConfig] Modified 'enabled' for IoaRule 'name1'.
[Import-FalconConfig] Modified 'enabled' for IoaRule 'name2'.
[Import-FalconConfig] Modified 'enabled' for IoaRule 'name3'.
[Import-FalconConfig] Modified 'enabled' for mac IoaGroup 'macOS IOC'.
Write-Result: /Users/userName/.local/share/powershell/Modules/PSFalcon/2.2.5/private/Private.ps1:627
Line |
 627 |                  Write-Result $Object
     |                  ~~~~~~~~~~~~~~~~~~~~
     | [{"code":400,"message":"Child CID 22222222REDACTED22222222222 tried to edit parent CID 11111111111REDACTED1111111111111 policy
     | d7c410bREDACTED06e12495bf1"}]
Write-Result: /Users/userName/.local/share/powershell/Modules/PSFalcon/2.2.5/private/Private.ps1:627
Line |
 627 |                  Write-Result $Object
     |                  ~~~~~~~~~~~~~~~~~~~~
     | [{"code":400,"message":"Child CID 22222222REDACTED22222222222 tried to edit parent CID 11111111111REDACTED1111111111111 policy
     | 47c5f7ffREDACTED9d7fa9faa5"}]
Write-Result: /Users/userName/.local/share/powershell/Modules/PSFalcon/2.2.5/private/Private.ps1:627
Line |
 627 |                  Write-Result $Object
     |                  ~~~~~~~~~~~~~~~~~~~~
     | [{"code":400,"message":"Child CID 22222222REDACTED22222222222 tried to edit parent CID 11111111111REDACTED1111111111111 policy
     | 94a01c3c4REDACTEDf4d60023"}]

FullName                                                                                       Length LastWriteTime
--------                                                                                       ------ -------------
/Users/userName/CrowdStrike/Scripted_Tasks/FalconConfig_20231003T1711061825.csv   2477 3/10/2023 5:11:19 pm

[MagicGnomezz]

Fantastic, been trying to figure out how to do this - have saved me a BUNCH
+1

[bk-cs]

Based on the error message ...

Child CID <child_cid> tried to edit parent CID <parent_cid> policy <policy_id>

... it seems something was put in place that prevents you from assigning Custom IOA rule groups to an inherited policy. In that case, you'd need to duplicate the inherited policy and assign the Custom IOA rule groups to that policy instead.

This isn't how it always worked, so it's possible that this is not intended. I'll see what I can find out...

[mbonne]

Other test scenarios checked after posting:

1
Setup the IoaGroup in MSSP CID, assigned to PreventionPolicy which is inherited by all child CID.
Export both IoaGroup and PreventionPolicy.
Try to import into Test CID 22222222REDACTED22222222222
Same Error, unable to modify Policy in parent 11111111111REDACTED1111111111111.

2
from a separate child CID, setup new PreventionPolicy which wouldn't be pushed to Test CID 22222222REDACTED22222222222
assigned IoaGroup to new PreventionPolicy
export IoaGroup,PreventionPolicy
then import, IoaGroup imports, activates, but doesn't assign to new PreventionPolicy which was imported at same time.

3
Also tried above but when importing specifying PreventionPolicy first incase the error was due to Prevention policy not being available because IoaGroup was specified first in import command.

Happy to try any suggestions

[mbonne-mc]

Hello,

Another attempt to get this going.

Using macOS with Powershell installed.

# Connect to MSSP
Request-SecretToken mykey

# Export
export-falconconfig -Select  IoaGroup, PreventionPolicy

# Close Connection
Revoke-falcontoken

# Connect to CID under MSSP
Request-SecretToken mykey RANDOMSTRINGCIDCODE

# Try to import
Import-FalconConfig -Path ./FalconConfig_20241029T1754322527.zip -AssignExisting -ModifyExisting PreventionPolicy, IoaGroup -WhatIf

# Also tried with
Import-FalconConfig -Path ./FalconConfig_20241029T1816271048.zip -WhatIf

Removing -WhatIf doesn't change anything, when tested in our lab CID

Getting the following errors

# Heaps of lines with:
 551 |            $PolicyId | & "Invoke-Falcon$($Type)Action" -Name $Action
     |                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot validate argument on parameter 'Id'. The argument "                                 " does not match the "^[a-fA-F0-9]{32}$" pattern. Supply an argument that matches "^[a-fA-F0-9]{32}$" and try the command again.
Import-FalconConfig: Cannot validate argument on parameter 'Id'. The argument "                                 " does not match the "^[a-fA-F0-9]{32}$" pattern. Supply an argument that matches "^[a-fA-F0-9]{32}$" and try the command again.
Invoke-FalconPreventionPolicyAction: /Users/$HOME/.local/share/powershell/Modules/PSFalcon/2.2.7/public/psf-config.ps1:551

# And:
Import-FalconConfig: Cannot validate argument on parameter 'Id'. The argument "                                        " does not match the "^[a-fA-F0-9]{32}$" pattern. Supply an argument that matches "^[a-fA-F0-9]{32}$" and try the command again.

I'm at a loss for what to try next, any suggestions would be amazing.

Thanks,
MB

[bk-cs]

Is this error message accurate?

... argument "                                        " does not match the "^[a-fA-F0-9]{32}$" ...

That would indicate that something is attempting to be modified, but it does not have an actual id associated with it.

You can re-run the commands with verbose output enabled and capture the attempt in a transcript to provide more detail about what's happening:

Import-Module -Name PSFalcon
Request-FalconToken ...
$VerbosePreference=2
Start-Transcript
Import-FalconConfig .\FalconConfig_20241029T1816271048.zip
Stop-Transcript

[mbonne-mc]

I wondered about that. Not sure where to start looking. Will do a find on the exported files and look for blank space around any id fields.

I'll hopefully have time tomorrow to revisit and have a look for anything out of place.

For reference,
MSSP has the prevention policies which filter through to the managed CID.
The Custom IOA/Things we want to export are from the MSSP

Is the command syntax correct for wanting to import something which only exists in MSSP CID to one of the Sub CID?

Import-FalconConfig -Path ./FalconConfig_20241029T1754322527.zip -AssignExisting -ModifyExisting PreventionPolicy, IoaGroup

[bk-cs]

Import-FalconConfig -Path ./FalconConfig_20241029T1754322527.zip -AssignExisting -ModifyExisting PreventionPolicy, IoaGroup

Yes that should be right. Also ensure you're using the latest version of PSFalcon.

[mbonne-mc]

Hi BK, looking into why we're seeing there missing ID:
... argument " " does not match the "^[a-fA-F0-9]{32}$" ...

seems there might be a cleanup job required. I'm not sure where to start though?

The exports from our MSSP shows the following from PreventionPolicy.json

[
  {
    "id": "XXXCORRECT-RANDOM-STRINGXXX",
    "cid": "XXXCORRECT-RANDOM-STRINGXXX",
    "name": "Phase 1 - Rapid Deployment of Windows Sensor",
    "description": "Used for Rapid Deployment, can be used alongside PRE-EXISTING AV when on-boarding client.\nPolicy Created under MSSP - Primary",
    "platform_name": "Windows",
    "groups": [
      {
        "id": "",
        "name": "",
        "description": "",
        "created_by": "",
        "created_timestamp": null,
        "modified_by": "",
        "modified_timestamp": null
      },
      {
        "id": "",
        "name": "",
        "description": "",
        "created_by": "",
        "created_timestamp": null,
        "modified_by": "",
        "modified_timestamp": null
      },
      {
        "id": "",
        "name": "",
        "description": "",
        "created_by": "",
        "created_timestamp": null,
        "modified_by": "",
        "modified_timestamp": null
      },
      ...  
      # dozens of them for all the prevention policy

Checking an export from one of the child CID, does not have these same empty groups.

The strange thing is if I export from a child CID, then attempt to upload back to same testing/NFR CID after deleting one of the customIOA from web UI.

I get the same error again.

Line |
 551 |            $PolicyId | & "Invoke-Falcon$($Type)Action" -Name $Action
     |                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot validate argument on parameter 'Id'. The argument "                " does not match the "^[a-fA-F0-9]{32}$" pattern. Supply an argument that matches "^[a-fA-F0-9]{32}$" and try the command again.
Import-FalconConfig: Cannot validate argument on parameter 'Id'. The argument "                " does not match the "^[a-fA-F0-9]{32}$" pattern. Supply an argument that matches "^[a-fA-F0-9]{32}$" and try the command again.

#and
Import-FalconConfig: Cannot validate argument on parameter 'Id'. The argument " " does not match the "^[a-fA-F0-9]{32}$" pattern. Supply an argument that matches "^[a-fA-F0-9]{32}$" and try the command again.

PSFalcon Vers

Version             Name          Repository          Description
-------              ----             ----------           -----------
2.2.7                PSFalcon      PSGallery           PowerShell for the CrowdStrike Falcon OAuth2 APIs

Is what I'm trying to do intended use for export and import functions? Use the Web UI to create the desired configuration in MSSP, and then use export to grab what doesn't automatically filter down to child CID and import to desired CID.
Ultimately, we'd have a script to iterate over all the CID in tenant.

[bk-cs]

Can you redo this with verbose output enabled and reply with the transcript?

Import-Module -Name PSFalcon
Request-FalconToken ...
$VerbosePreference=2
Start-Transcript
Import-FalconConfig ...
Stop-Transcript

Once we've verified it's importing properly, you can use something like this as a template to Import-FalconConfig into the child CIDs:

https://github.com/CrowdStrike/psfalcon/wiki/Authentication#authorize-and-run-commands-across-member-CIDs

[mbonne-mc]

I've attached the 2x transcripts. Hopefully sanitised...

Importing-ExportFrom-NFR-PowerShell_transcript.Mac.rK1LVtKP.20241114194933.txt
is from NFR CID to NFR CID.

Importing-ExportFromMSSP_transcript.MB.BYxUgmYr.20241114200326.txt
is from MSSP CID export to NFR.
This is where the majority of phantom groups exist

#Prevention Policy with issue in 'groups'
➜ Get-FalconPreventionPolicy -Detailed | where "name" -eq "Phase 3 - Well Protected"
id                  : 9a7b125ed1fababababababd1f6627cc6b
cid                 : d13e47abababababaabababab13cb343
name                : Phase 3 - Well Protected
description         : Maximum Security for Linux hosts.
                      Created 2024-05-10
platform_name       : Linux
groups              : {@{id=; name=; description=; created_by=; created_timestamp=; modified_by=; modified_timestamp=}, @{id=; name=; description=; created_by=; created_timestamp=; modified_by=; modified_timestamp=}, @{id=; name=; description=; 
                      created_by=; created_timestamp=; modified_by=; modified_timestamp=}, @{id=; name=; description=; created_by=; created_timestamp=; modified_by=; modified_timestamp=}…}
enabled             : True
created_by          : my@email.com
created_timestamp   : 2024-05-09T22:36:35.887838507Z
modified_by         : my@email.com
modified_timestamp  : 2024-05-09T22:41:55.516411433Z
prevention_settings : {@{name=User-Mode Capabilities; settings=System.Object[]}, @{name=Enhanced Visibility; settings=System.Object[]}, @{name=Cloud Machine Learning; settings=System.Object[]}, @{name=Sensor Machine Learning; 
                      settings=System.Object[]}…}
ioa_rule_groups     : {}


#Brand new Prevention Policy with no groups present as expected.
➜ Get-FalconPreventionPolicy -Detailed | where "name" -eq "NewTestPolicy"

id                  : dc8c128cdcdcdcdcdcdcdcdcd32a8133
cid                 : d13e47abababababaabababab13cb343
name                : NewTestPolicy
description         : Checking if this policy has Device groups with blank ID assigned
platform_name       : Linux
groups              : {}
enabled             : True
created_by          : my@email.com
created_timestamp   : 2024-11-13T04:53:45.681879086Z
modified_by         : my@email.com
modified_timestamp  : 2024-11-13T04:55:10.278126548Z
prevention_settings : {@{name=User-Mode Capabilities; settings=System.Object[]}, @{name=Enhanced Visibility; settings=System.Object[]}, @{name=Cloud Machine Learning; settings=System.Object[]}, @{name=Sensor Machine Learning; 
                      settings=System.Object[]}…}
ioa_rule_groups     : {}

The empty groups in the exported .json look like this:

  {
    "id": "9a7b12512121212121212121212627cc6b",
    "cid": "d13e471212121212121212121212cb343",
    "name": "Phase 3 - Well Protected",
    "description": "Maximum Security for Linux hosts.\nCreated 2024-05-10",
    "platform_name": "Linux",
    "groups": [
      {
        "id": "",
        "name": "",
        "description": "",
        "created_by": "",
        "created_timestamp": null,
        "modified_by": "",
        "modified_timestamp": null
      },
      {
        "id": "",
        "name": "",
        "description": "",
        "created_by": "",
        "created_timestamp": null,
        "modified_by": "",
        "modified_timestamp": null
      },
      {
        "id": "",
        "name": "",
        "description": "",
        "created_by": "",
        "created_timestamp": null,
        "modified_by": "",
        "modified_timestamp": null
      },
      {
        "id": "",
        "name": "",
        "description": "",
        "created_by": "",
        "created_timestamp": null,
        "modified_by": "",
        "modified_timestamp": null
      },
      {
        "id": "",
        "name": "",
        "description": "",
        "created_by": "",
        "created_timestamp": null,
        "modified_by": "",
        "modified_timestamp": null
      },
      {
        "id": "",
        "name": "",
        "description": "",
        "created_by": "",
        "created_timestamp": null,
        "modified_by": "",
        "modified_timestamp": null
      }
    ],
    "enabled": true,
    "created_by": "my@email.com",
    "created_timestamp": "2024-05-09T22:36:35.887838507Z",
    "modified_by": "my@email.com",
    "modified_timestamp": "2024-05-09T22:41:55.516411433Z",
    "prevention_settings": [
      {
        "name": "User-Mode Capabilities",
        "settings": [
          {
            "id": "UnknownDetectionRelatedExecutables",
            "name": "Unknown Detection-Related Executables",
            "type": "toggle",
            "description": "Upload all unknown detection-related executables for advanced analysis in the cloud.",
            "value": {
              "enabled": true
            }
          },
       

These empty groups can't be seen in the web ui.

Importing-ExportFrom-NFR-PowerShell_transcript.Mac.rK1LVtKP.20241114194933.txt

Importing-ExportFromMSSP_transcript.MB.BYxUgmYr.20241114200326.txt

[bk-cs]

Are you always using -WhatIf during import/export, or did you only use it for the transcripts? If you're always using it, have you tried without -WhatIf?

[mbonne-mc]

No, I'm using -WhatIf to check if the there are any errors before running it without.

There is also another issue I noticed before which happens when running without -WhatIf
and thats creating dozens of prevention policy.

Import-FalconConfig -Path ./MSSP-Export-FalconConfig_20241114T2002396539.zip -AssignExisting -ModifyExisting PreventionPolicy, IoaGroup

Should only be half a dozen or so, the default policy and the custom ones we've created.

Prevention Policy in MSSP
I'm choosing to export this as well as Custom IOA so when I import, I'm hoping to add the assigned custom IOA to the same Prevention policies which have filtered down to child CID.

What gets added to NFR is many many more prevention policy if I remove -WhatIf

So I have some clean up to do. and remove these pesky additional policy in the NFR.

The CustomIOA also don't appear to have been created.
MSSP:

NFR

[bk-cs]

Sorry about that!

There might be some issues related to the identically named policies being inherited and the ones that exist in the child CIDs. Inherited objects have the parent CID assigned to them, but Import-FalconConfig doesn't consider that.

Do you need to modify them? If you change your Export-FalconConfig to only export IoaGroup that avoid the duplication issue.

[mbonne-mc]

All good,

Flight control is lacking some behaviours, where not all configurations made in our Primary MSSP CID filter down to our customer CID.

I was hoping to be able to make the MSSP Parent CID our master config, with our recommended base config.
Export from there all the things not automatically propagated to child CID
Then import with a script to iterate over the 40+ and growing list of CID.

When I imported only the CustomIOA, it added them, but didn't assign to the Prevention policy. We would still need to go in by hand and manually assign, or build a more complex script to then perform a secondary action to find all the customIOA, and assign to Prevention policy.

Do we need to look at scrapping this method of export/import, and look at crafting the customIOA in json format, then use psfalcon to create them and assign to desired prevention policy inside each targeted CID?

Or potentially create new versions of our 3 phased prevention policy in MSSP CID. make sure they don't have these mysterious empty groups assigned. then reattempt?

Cheers,
MB

[bk-cs]

The existing version of Import-FalconConfig does not properly handle inherited policies. I consider that a bug and I'm currently adding in evaluation of the cid property for objects that should be modified and/or have groups assigned to them.

It should be assigning IOA Groups in child CIDs to policies, whether they're inherited or not. It will not be able to modify inherited policies beyond rule/host group assignment (because that's not possible).

If you can wait for me to troubleshoot and implement a potential fix, then you don't need to take any action. If you need to get it done more quickly, you could write a script that looks for IOA Groups by name and assigns them to those inherited policies.

[mbonne-mc]

Awesome, thanks for the info BK.

I appreciate the work on PSFalcon.

Cheers,

[bk-cs]

I just made some changes to Import-FalconConfig to help with this. Can you update your public\psf-config.ps1 in your local module and see if it helps with IOA Group assignment?

Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/cf7b1820e9c034a341e5af2355ea37fd61bbda7e/public/psf-config.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-config.ps1)

Ensure that you close and re-open PowerShell and re-import PSFalcon before testing.

[mbonne-mc]

Amazing, thanks BK.
I'll give it a go and report back.
Cheers,