Not all columns present in CSV output

[cjlane0289]

I have 11 CrowdStrike CIDs. When I use the PSfalcon commands, Get-FalconVulnerability and Export-FalconReport, the "closed_timestamp" field is not always in the report.

I've pulled the data using the Swagger API. The "closed_timestamp" field is there. It is not in the output from the Export-FalconReport. This typically happens on very large files. (over 150MB, 100,000 records) I believe the command is reading a preset number of records to determine the fields. If it does not hit a closed vulnerability within that limit, the fields don't make it onto the report.

The following fields also have this issue: cve_references and host_last_seen_timestamp.

[bk-cs]

Based on what you're describing, I believe this behavior is caused by how PowerShell deals with exporting objects to CSV. The first object that's used to create the CSV contains all the columns that will be used in the CSV, and if a new column appears, it's automatically dropped.

You can recreate this with a simple example:

PS>[PSCustomObject] @{col1='abc';col2='def'}, [PSCustomObject] @{col1='ghi';col3='jkl'} | Export-Csv ./test.csv; cat ./test.csv
"col1","col2"
"abc","def"
"ghi",

The easiest way to stop this behavior is to force PowerShell to export your desired properties before the export:

PS> [PSCustomObject] @{col1='abc';col2='def'}, [PSCustomObject] @{col1='ghi';col3='jkl'} | Select-Object col1, col2, col3 | Export-Csv ./test.csv;cat ./test.csv
"col1","col2","col3"
"abc","def",
"ghi",,"jkl"

In the context of PSFalcon, it would look like something like this:

PS>Get-FalconVulnerability -Filter "created_timestamp:>'now-30d'" -Detailed | Select-Object id, created_timestamp, closed_timestamp, updated_timestamp, status, apps, cve | Export-FalconReport ./test.csv

I'm not sure if it will solve the problem for "sub-objects" that are included, though.

[cjlane0289]

It worked! Thank you, Chris Lane