[ ENHANCEMENT ] Enriching information returned by Get-FalconHostGroup

[DimitrisBinichakis]

Supplying Get-FalconHostGroup with an ID of a group like so:

Get-FalconHostGroup -Id c7m99ad98h7AAAAAAAAAA4oiijh9l4ix

returns information for the following fields:

id                 
group_type         
name               
description       
assignment_rule                     
created_by         
created_timestamp  
modified_by        
modified_timestamp 

It would be very useful if it also returned the following information that can be found by looking at the host groups tab in the console:

Targeted hosts 
Applied hosts
Assigned Policies ( Prevention Policies , Response Policies, etc )
USB Devices Policies 
Sensor Visibility Exclusions 

If it is not possible to include these fields in this API call, maybe a new one can be created. It would be really useful to easily extract this information from PSFalcon. One idea would be to have a command that exports all of the groups in a tenant along with the fields described above and outputs the results in a .csv file.

[bk-cs]

Most PSFalcon commands are simply API calls, returning whatever data is provided from that particular endpoint. Only a handful of the commands combine multiple endpoints, and they're usually for a specific purpose.

The host group listing within the Falcon console is pulling data from multiple different APIs to provide the other information. If I were to update Get-FalconHostGroup to gather those details, it would need to have a bunch of additional permissions outside of Host Groups: Read. This is something I avoid, because it makes commands harder to understand and troubleshoot.

I think this is best solved using a script:

param(
    [Parameter(Mandatory=$true,ParameterSetName='Id')]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [string]$Id,
    [Parameter(Mandatory=$true,ParameterSetName='Name')]
    [string]$Name
)
try {
    [object]$Group = if ($Id) {
        Get-FalconHostGroup -Id $Id
    } else {
        Get-FalconHostGroup -Filter "name:['$Name']" -Detailed
    }
    if (!$Group -and $Id) {
        throw "No group found matching id '$Id'."
    } elseif (!$Group -and $Name) {
        throw "No group found matching '$Name'."
    }
    $Group.PSObject.Properties.Add((New-Object PSNoteProperty('applied_hosts',
        (Get-FalconHostGroupMember -Id $Group.id -Total))))
    [System.Collections.Generic.List[object]]$PolicyList = @()
    foreach ($Type in @('SensorUpdate','Prevention','Firewall','Response','DeviceControl')) {
        @(& "Get-Falcon$($Type)Policy" -Filter "groups:'$($Group.id)'" -Detailed).foreach{
            $PolicyList.Add([PSCustomObject]@{
                id = $_.id
                name = $_.name
                status = if ($_.enabled -eq $true) { 'Enabled' } else { 'Disabled' }
                type = $Type
                platform = $_.platform_name
            })
        }
    }
    $Group.PSObject.Properties.Add((New-Object PSNoteProperty('assigned_policies',$PolicyList)))
    [object[]]$ExclusionList = @('Ml','Ioa','Sv').foreach{
        [PSCustomObject]@{
            type = switch ($_) {
                'Ml' { 'MachineLearning' }
                'Ioa' { 'IndicatorOfAttack' }
                'Sv' { 'SensorVisibility' }
            }
            id = [string[]](@(& "Get-Falcon$($_)Exclusion" -Detailed -All).Where({
                $_.groups.id -contains $Group.id })).id
        }
    }
    $Group.PSObject.Properties.Add((New-Object PSNoteProperty('exclusions',$ExclusionList)))
    $Group
} catch {
    throw $_
}