I have noticed an issue whereby Export-FalconConfig seems to fail on certain items. I have two CIDs. On one of them this command gets stuck on Exporting Prevention Policy. Other items export fine, but when using -verbose to see what's going on - it seems to be getting stuck in a loop. In the end it stops without error and I have no file saved and it doesn't continue with the other items.

Exporting 'PreventionPolicy'...
VERBOSE: [Invoke-Endpoint] GET https://api.us-2.crowdstrike.com/policy/combined/prevention/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-2e1e47980082
VERBOSE: [Read-Meta] pagination_offset: 7, pagination_total: 7
VERBOSE: [Invoke-Endpoint] GET https://api.us-2.crowdstrike.com/policy/combined/prevention/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-9ca64fad61d7
VERBOSE: [Read-Meta] pagination_offset: 1, pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.us-2.crowdstrike.com/policy/combined/prevention/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-7fb8c29e45ef
VERBOSE: [Read-Meta] pagination_offset: 1, pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.us-2.crowdstrike.com/policy/combined/prevention/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-245b0392de22
VERBOSE: [Read-Meta] pagination_offset: 1, pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.us-2.crowdstrike.com/policy/combined/prevention/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-9ace-f080bdf4a704
VERBOSE: [Read-Meta] pagination_offset: 1, pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.us-2.crowdstrike.com/policy/combined/prevention/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>16b9f206c835
VERBOSE: [Read-Meta] pagination_offset: 1, pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.us-2.crowdstrike.com/policy/combined/prevention/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>42f35de8
VERBOSE: [Read-Meta] pagination_offset: 1, pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.us-2.crowdstrike.com/policy/combined/prevention/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>f8a3fa0e8eba
VERBOSE: [Read-Meta] pagination_offset: 1, pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results

...and so on

In the other CID, it only gets as far as Exporting DeviceControlPolicy be for showing the same sort of behaviour. So I know it's not specific to prevention policies. This has been tested with an API which has every privilege available and it still occurs.

Exporting 'HostGroup'...
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/devices/combined/host-groups/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-4d7da3323338
VERBOSE: [Read-Meta] pagination_offset: 67, pagination_total: 67
Exporting 'IOAGroup'...
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/ioarules/queries/rule-groups/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-8f61a32bfcc8
VERBOSE: [Read-Meta] pagination_offset: 500, pagination_total: 8
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/ioarules/entities/rule-groups/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>cb315f261a49
Exporting 'FirewallGroup'...
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/fwmgr/queries/rule-groups/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>09dbf958fe0b
Exporting 'DeviceControlPolicy'...
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/policy/combined/device-control/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-8d715ea0a72d
VERBOSE: [Read-Meta] pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/policy/combined/device-control/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>d7e0398ec65b
VERBOSE: [Read-Meta] pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/policy/combined/device-control/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-9576753d78fc
VERBOSE: [Read-Meta] pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/policy/combined/device-control/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-b44f883aef0e
VERBOSE: [Read-Meta] pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/policy/combined/device-control/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>-0bda82260eb3
VERBOSE: [Read-Meta] pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/policy/combined/device-control/v1
VERBOSE: [Read-Meta] trace_id: <Obfuscated>10a7edc46bba
VERBOSE: [Read-Meta] pagination_total: 1
VERBOSE: [Invoke-Loop] retrieved  results

..and so on.

It looks like the sort parameter validation set is not correct for the Get-FalconDetection cmdlet.

Here is a screenshot:

We are attempting to use the Offline Queue feature in PSFalcon. As far as I can tell, it's a function of PSFalcon, not something in Crowdstrike's API itself. If I'm wrong, sorry about that, please just let me know!

I am not sure if this issue is due to us not using it correctly, or it just not working.

We add it here, this command is part of a loop:

Invoke-FalconRTR -Command runscript -Arguments "-CloudFile='ourscript'" -HostIds $id -QueueOffline $true

When we run this, the output will list offline_queued:True for offline systems that exist in Crowdstrike, but the script does not appear to run against the offline hosts once the host comes back online. The script we run doesn't appear to keep running after it completes, and I don't believe PSFalcon runs in the background, so the system I run this script from is shut off after business hours my time. Is this incorrect?

We are using this to install an agent on 50 hosts in various timezones. No "offline queued" systems appear to have the agent installed when the host comes online. What are we doing wrong? Any help would be appreciated!

Using the New-FalconHostGroup cmdlet with -AssignmentRule based on 'hostname' works fine. However, when using a rule based on 'Site' it creates an empty group, with no host. See below and attached screenshot.

group_type : dynamic
name : Test_2_PSDynamic_Group
description :
assignment_rule : Site:'Store-006',Site:'Store-008',Site:'Store-011',Site:'Store-013',Site:'Store-014',Site:'Store-016'
created_by : api-client-id:3f

It appears the library outputs the current version during import, which can lead to some issues if the output of a script needs to be parsed, which I am doing at the moment. Since the call is to Write-Host rather than Write-Output it is a little awkward to suppress since it can't be piped to Out-Null. Would it be possible to either remove this message or swap the call to something else?

I kept receiving a 415: Unsupported Media Type error when trying to test the "Sandbox and QuickScan" examples. After some digging, I realized it was adding the "produces" value for "Content-Type" during a request instead of the "consumes" value. This wasn't easy to see since Invoke-Endpoint claimed it was adding the right one.

Fixed with recent commit.

Received bug report via email that Invoke-FalconHostAction was not automatically grouping the "hide_host" and "unhide_host" actions into groups of 100 as expected, which I verified through testing.

The "ActionName" parameter was renamed to "Name" but I didn't update the command to compensate.

There are no params "type" and "value" on cmdlet New-FalconIOC:

New-FalconIOC -value testing.com -Description "Testing custom IOCs" -ShareLevel red -Source "Testing" -Policy none -ExpirationDays 2

New-FalconIOC : No parameter is found matching the parameter name 'Type'.
On line: 1 Character: 15

• New-FalconIOC -Type domain -value testing.com -Description "Testing c ...
  • CategoryInfo : InvalidArgument: (:) [New-FalconIOC], ParameterBindingException
  • FullyQualifiedErrorId : NamedParameterNotFound,New-FalconIOC

New-FalconIOC -help

#Create Custom IOCs
Requires iocs:write

-Policy [string]
Action to perform when the Custom IOC is observed by a Host
Enum : detect, none
Position : 2

-ShareLevel [string]
Custom IOC visibility level
Enum : red
Position : 3

-ExpirationDays [int32]
Number of days before expiration (for 'domain' 'ipv4' and 'ipv6')
Position : 4

-Source [string]
Custom IOC source
Position : 5

-Description [string]
Custom IOC description
Position : 6

Fixed in v2.0.7 by forcing GroupIds input into an array (whether the value is a single GroupId or "all").

The following commands allow for Limit values of 5,000, but the API does not return results past 500:

Get-FalconIOAExclusion
Get-FalconMLExclusion
Get-FalconSVExclusion

I will change Limit to 500 for each of these commands in v2.0.7. Until that release, you must use a Limit of 500 or less.

Invoke-FalconRTR -Command 'runscript' -Arguments '-Raw=```Get-ChildItem -Path "C:\" ``` ' -HostId 'deadbeef'

Results in:

Format-Result: C:\Program Files\WindowsPowerShell\Modules\PSFalcon\Private\Private.ps1:995
Line |
 995 |                  Format-Result -Response $Response -Endpoint $Endpoint
     |                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | 40014: Unrecognized flag found: Raw, value: Get-ChildItem -Path "C:\"

Note: I understand that I can use the 'ls' command instead, but I was testing the -Raw flag before I tried to use a different command/set of commands.

The Wiki shows that Get-FalconScore has a -All parameter, but it looks like it is missing from the actual function. Is there an -All parameter for Get-FalconScore?

I am unable to import the module. The error I receive is in the PSFalcon.psm1 file. the [Falcon] type is not defined and cannot be found. Also, despite moving the module to multiple different source directories, I am unable to import the module by name, I have to provide the full path.
PowerShell_transcript.DESKTOP-SMP17H4.P9n+IISs.20210218132336.txt

I was able to use Send-FalconPutFile to upload a file. I want to send a command to a batch of hosts to retrieve that file. I tried to use the format from the V1 set of commands, this previously worked

Send-RtrCommand -Id $Batch.batch_id -Command put -String file.msi

When I use the V2 commands, I wrote it like this.
Invoke-FalconAdminCommand -Command put -Arguments file.msi -BatchId $connect.batch_id
The error returned is "check your filename. could not find file.msi". I also tried with -Command get. I don't think the -Command part is the problem, I think I need to know how to reference the file. $pwd\ doesn't work

I would like to be able to write scripts that utilize the PSFalcon module for our active responders/admins. In the scripts, I would like to check to see if there's an OAuth2 token already present in the session; if not, request that the user enter one (or pull from an external source, such as an environmental variable, or dot-sourcing a script file).

The only commands I see that involve tokens are the Request-FalconToken and Revoke-FalconToken. I've tried to see if Request-FalconToken returns an error or not, but it doesn't look like it returns anything.

Is there a way to check if a token was already requested prior to running Request-FalconToken ?

Certain API endpoints can accept multiple objects in a single request (like the creation of policies and custom IOCs) but PSFalcon does not support this through the included commands.

This issue has been created as a reminder to add a an "array parameter" to the relevant commands.

The "ids" parameter is improperly configured. Fixed in v2.0.7.

Reported via reddit: https://www.reddit.com/r/crowdstrike/comments/l4pryw/psfalcon20_ffc/

I recreated this using PowerShell 5.1 in both Invoke-FalconDeploy and Invoke-FalconRTR. I'm updating the module to use ForEach-Object and Where-Object where it's currently using where.() and foreach.{} as PowerShell 5.1 doesn't support those methods in [PSCustomObject] (but PowerShell 7 does).

A user reported that 'zip' was not working with RTR commands: https://www.reddit.com/r/crowdstrike/comments/lba6ow/how_to_properly_zip_with_psfalcon_2/

I replicated this and my guess is that it's related to how the Arguments and Command fields are being joined when passed to the API. I tried a few different ways to join the strings and they didn't work so far.

User reported that Get-FalconHost -Detailed was failing in us-gov-1. Discovered an HTML error was getting sent back (and improperly handled) from the API because too many ID values were being submitted.

It looks like these updates broke Start-FalconSession. This was working before I pulled down the latest commit. Let me know if you want me to open a new issue for this error. I tested this on both Mac (PS Core 7.1.1) and Windows (PS 5.1) and I get this same error.

Here is the error I get:

Originally posted by @Factorization in #2 (comment)

I have a script which collects data off the host, uses a get request to upload the output to CS and then downloads that data from CS to one of our servers. Occasionally I have failures while my script is running a loop checking whether the get file has uploaded to CS.

Here is a snippet of the code that is running:

                try
                { 
                    $getUploadResponse = Confirm-FalconGetFile -SessionID $rtrSessionID -ErrorAction Stop
                    Start-Sleep -seconds 10
                }
                catch
                {
                    Write-Host "Error checking for Get file status: $($error[0])" -ForegroundColor Red
                    return
                }


                # Checking to see if upload has completed

                while($getuploadResponse.count-eq 0){
                    $sessionUpdate = Update-FalconSession -hostid $($aid)
                    Write-Host "Upload still running. Will check again in 30 seconds..." -ForegroundColor Yellow
                    Start-Sleep -Seconds 30
                    $getUploadResponse = Confirm-FalconGetFile -SessionID $rtrSessionID -ErrorAction Stop
                }

                $getUploadStatus = Confirm-FalconResponderCommand -CloudRequestId $getuploadResponse.cloud_request_id 

                if($getUploadStatus.complete -eq "True") {
                    Write-Host "Collection successfully uploaded to CrowdStrike Cloud" -ForegroundColor Green
                }

What's odd is that the error that I see when this fails is as follows:

Request-FalconToken : The term 'Request-FalconToken' is not recognized as the name of a cmdlet, function, script file,
or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and
try again.
At C:\Users\foo\Documents\WindowsPowerShell\Modules\PSFalcon\2.0.6\Private\Private.ps1:907 char:13
+             Request-FalconToken
+             ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Request-FalconToken:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Any idea why it can't find the Request-FalconToken function? The script works the majority of times without issue and even when it fails that function has been called multiple times before failing.

With PSFalcon 1.4.x, we have been successfully requesting $Falcon token with -Proxy parameter:

Get-CsToken -ID <ID> -Secret <Secret> -Proxy <ProxyURL> -Debug

With PSFalcon 2.0.0, Request-FalconToken does not take -Proxy parameter and it silently fails to create $Falcon token:

Request-FalconToken -ID <ID> -Secret <Secret> -Proxy <ProxyURL> -Debug
Request-FalconToken -ID <ID> -Secret <Secret> -Debug

Any way to make PSFalcon 2.0 work under Proxy environment, please?

Also, when you are putting -Proxy option back in, please consider adding -ProxyCred option to explicitly provide proxy credential as part of the command line.

Thanks,

Young-

The default filter ("created_timestamp:>'Last 1 day'") gets modified during the -All loop, because the script re-creates it every request.

The default filter either needs to be removed (and forced to be input by the user) or the filter needs to be generated one time and re-used during the loop.

https://www.reddit.com/r/crowdstrike/comments/lc1ro3/spotlight_apis_with_psfalcon2/

Invoke-FalconRTR is producing the following error when attempting to run with more than one host:

I'm working on this one and will update once fixed.

I am using the Invoke-Deploy command to send my executable to select endpoints.
How can I change the destination location where the executable lands and runs from?

Hello,

For some reason Get-FalconScript -Detailed $true is failing without much of a reason, while it does work without the Detailed flag. I've provided some details below:

PS /Users/***> Get-FalconScript -Detailed $true -Debug -Verbose
VERBOSE: [Get-Query] filter=True
VERBOSE: [Invoke-Endpoint] GET https://api.crowdstrike.com/real-time-response/queries/scripts/v1
DEBUG: [Format-Header] Accept: 'application/json'
DEBUG: [Read-Meta] 500: binservclient.MsaPutFileResponse
VERBOSE: [Read-Meta] trace_id: ef11a888-c139-4314-8ef3-37c29effd603
DEBUG: [Format-Result]
{
  "meta": {
    "query_time": 1.22E-07,
    "powered_by": "crowdstrike-api-gateway",
    "trace_id": "ef11a888-c139-4314-8ef3-37c29effd603"
  },
  "errors": [
    {
      "code": 500,
      "message": "Internal Server Error: Please provide trace-id='ef11a888-c139-4314-8ef3-37c29effd603' to support"
    }
  ]
}

Looking to utilize the same query as in the Falcon UI for Group Names or Group Tags to pull a list of host ids quickly, and run RTR commands. This does not seem to work or be functional.

Filter only seems to work with "groups:','"

Using Get-Content to import HostIds seems to cause a bug in Get-Body or Invoke-Request that causes PowerShell to hang when trying to use commands like Invoke-FalconRTR or Invoke-FalconDeploy.

I was able to recreate this in PowerShell 7.1, and saw it happen in PowerShell 5.1.

Using Import-Csv to bring in the HostIds does not cause any issues.

The API endpoint used by the Edit-FalconScript supports two methods of sending script updates: content= or file=

Unfortunately, it seems that the file= parameter doesn't work (or if it does, is highly unreliable). However, content= is much more reliable.

It would be nice if the Edit-FalconScript command would support using a -Content parameter in lieu of the -Path parameter.

Side note: I have created a case in support portal regarding the bug with the API.

I'm attempting to pull firewall events via script with API since the console only gives the latest 100 events when downloading a CSV from there. If I run the command without -All there are no errors but once I add -All I get the below error.

My environment is in us-2.

I noticed in oauth2.ps1 that the ClientSecret isn't being stored in memory as a [securestring]. I would recommend doing that.

I have a code sample that should handle the prompt when a user didn't supply the ClientSecret as a parameter, but I'm not familiar with dynamic parameters in PowerShell so I'm not sure how to handle it if it is supplied as a parameter.

When attempting to search for hosts using a filter with a wildcard (*), Get-FalconHost returns an error "400: Invalid filter expression supplied"

PS C:\> Get-FalconHost -Filter "hostname:'vp-*''"
Format-Result : 400: Invalid filter expression supplied
At C:\Program Files\WindowsPowerShell\Modules\PSFalcon\2.0.6\Private\Private.ps1:995 char:17
+                 Format-Result -Response $Response -Endpoint $Endpoint
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (StatusCode: 400...ication/json
}:HttpResponseMessage) [Format-Result], Exception
    + FullyQualifiedErrorId : 86b843d7-204d-4d6a-ad8b-c3680cffa513,Format-Result

Using the same filter in the uri with Invoke-RestMethod returns agent ids as expected.

PS C:\> Invoke-RestMethod -Uri "https://api.crowdstrike.com/devices/queries/devices-scroll/v1?limit=5000&filter=hostname:'vp-*'" -Headers $header

meta                                                                                                         resources                                                                                                               
----                                                                                                         ---------                                                                                                               
@{query_time=0.014501614; pagination=; powered_by=device-api; trace_id=f2d84b60-df39-495c-810e-8bab94c212a1} {cc41595e...

Just wanted to mention that the linux commands listed in the wiki for moving the master repo folder into the powershell module directory can fail with an error "Could not find a part of the path ...." I recognize that -Force should help with this, but in my testing this was not the case. Manually creating the PSFalcon/ directory allows you to then use the move-item command without an error.

This was reproduced in PowerShell 7.0.0 on Kali

Hello

I see documentation for the FlightControl endpoints (https://github.com/CrowdStrike/psfalcon/wiki/Flight-Control) but they don't seem to actually work at the moment even when importing from the master branch. Are they just waiting to be merged in?

Complete "TO_DO" items on Sandbox and QuickScan wiki page.

Before chasing my tail I wanted to throw out this question. We leverage an API proxy. My understanding with how the API proxy works is that is just injects itself as the parent domain and keeps all the URL paths from the original API call.

Could I add a new line(s) under the $PSBoundParameters.Cloud variable switch in the oath2.ps1 script to account for that proxy?

It looks like there is an issue with Get-FalconIncident -Detailed. The validation is looking for a GUID, but the IDs for incidents aren't a GUID.

Fixed in the most recent commit

A user reported that Find-FalconDuplicate was producing incorrect results. I ran some tests and was finding the same thing. At some point, the "Sort-Object last_seen" got removed from Find-FalconDuplicate, so results are not being properly selected.

Complete "TO_DO" items on Cloud Workload Discovery wiki page.

Run module through PSScriptAnalyzer, as recommended in PowerShell Gallery publishing guidelines.

Investigate the possibility of specific classes for proper object creation. If there are classes that define how an object (firewall rule, policy setting, custom IOA, etc.) are formatted, the process of creating them can be automated instead of relying on the user creating an object manually that can be submitted as part of the "settings array" (example) or "rule updates" (example).

I get the following error when I run Get-FalconQueue.

Error: A parameter cannot be found that matches parameter name 'SessionIds'.

Complete "TO_DO" items on Firewall Management wiki page.

we have 1000K detects which are older than 30days
Im trying to close all the detects which are older than 30 days

Im trying to get the All detect ids older than 30 days and closing them but im able to delete only 5000 could you please help me on this

Below is my code
Thankyou

$Detectid = (Get-CsDetectId -Filter "first_behavior:<'2021-04-05'").resources
"ids" | Out-File 'C:\Desktop\CrowdstrikeAutomation\Detectid.csv'
$Detectid | Out-File 'C:\Desktop\CrowdstrikeAutomation\Detectid.csv' -Append

$Data3=Import-Csv C:\Desktop\CrowdstrikeAutomation\Detectid.csv | select -ExpandProperty ids
$count=0
$output=""
$output=@()

foreach ($i in $Data3){
$output= $output + $i.Trim()
$count=$count+1
if($count -ge 4999){

    $output2 = Edit-CsDetect -Properties @{ assigned_to_uuid = '27bbcc15-262f-4a5c-83a5-f3a935bd3782'; ids = @($output); status = 'closed' } | ConvertTo-Json
    $output2 | Out-File 'C:\Users\c51337\Downloads\CrowdstrikeAutomation\Detectidoutput.csv' -Append
    $count=0
    $output=@()

}
}

Similar to #33

Command:
Invoke-FalconResponderCommand -SessionId sessionid -Command 'runscript' -Arguments '-Raw=```commands go here```'

Results in:

Format-Result : 40014: Unrecognized flag found: Raw, value: commands go here
At C:\Users\me\Documents\WindowsPowerShell\Modules\PSFalcon\2.0.7\Private\Private.ps1:972 char:17
+                 Format-Result -Response $Response -Endpoint $Endpoint
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (StatusCode: 400...ication/json
}:HttpResponseMessage) [Format-Result], Exception

I'm trying to continue an existing session started with Invoke-RTR (which does work using -Raw as of 2.0.7) and would prefer running commands in that session instead of spinning one up for each command.

How to use multiple filters while getting ids of detects

Get-CsDetectId -Filter "first_behavior:<'2021-02-06'" AND "sort=first_behavior.desc"

And while using -All im getting only 10000 results is there a way to get all the detection ids

Show actual install process for the sensors. I see it stops at just the installers being downloaded.