ConvertTo FalconMlExclusion - CrowdStrike/psfalcon GitHub Wiki
Output required fields to create a Machine Learning exclusion from a Falcon alert or detection
Uses the 'filepath' and 'device' properties of an alert/detection with a 'Machine Learning' tactic to create a Machine Learning exclusion. Specifically, it maps the following properties to these fields:

- filepath > value
- device.groups > groups

The 'filepath' value is stripped of any leading NT device path prefix ('\Device\HarddiskVolume'). If the host involved in the alert/detection is not a member of any host group, the resulting exclusion will apply to all host groups.
The output of this command can be passed to 'New-FalconMlExclusion' to create an exclusion.
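The following is an added illustration of the mapping described above. It is not PSFalcon's own implementation: the helper name `ConvertTo-MlExclusionFields`, the sample alert object and its values are constructed for this example, and the literal `'all'` used to express "applies to all host groups" is an assumption of the example rather than something this page states.

```powershell
# Constructed sample alert for the example: the shape (tactic, filepath, device.groups)
# mirrors the fields named on the page; every value is made up.
$SampleAlert = [PSCustomObject]@{
    tactic   = 'Machine Learning'
    filepath = '\Device\HarddiskVolume3\Program Files\ExampleVendor\tool.exe'
    device   = [PSCustomObject]@{
        device_id = 'placeholder-device-id'
        groups    = @('placeholder-group-id-1', 'placeholder-group-id-2')
    }
}

function ConvertTo-MlExclusionFields {
    # Hypothetical helper: reproduces the documented field mapping of
    # ConvertTo-FalconMlExclusion so the transformation can be inspected offline.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Detection
    )
    process {
        if ($Detection.tactic -ne 'Machine Learning') {
            throw "Expected a 'Machine Learning' tactic, got '$($Detection.tactic)'"
        }
        if (-not $Detection.filepath) {
            throw 'Alert has no filepath; there is nothing to exclude'
        }

        # filepath > value: drop the leading NT device prefix (\Device\HarddiskVolume<N>)
        $Value = $Detection.filepath -replace '^\\Device\\HarddiskVolume\d*', ''

        # device.groups > groups: when the host belongs to no group, the exclusion
        # applies to all host groups. 'all' is this example's assumed representation.
        $Groups = if ($Detection.device.groups) {
            @($Detection.device.groups)
        } else {
            @('all')
        }

        [PSCustomObject]@{
            value  = $Value
            groups = $Groups
        }
    }
}

# Host that belongs to two groups: value is '\Program Files\ExampleVendor\tool.exe',
# groups are the two placeholder group ids.
$SampleAlert | ConvertTo-MlExclusionFields

# Same alert, but the host is in no group: groups becomes @('all').
$SampleAlert.device.groups = @()
$SampleAlert | ConvertTo-MlExclusionFields
```

Because the 'groups' fallback widens the exclusion to every host and the 'value' is taken verbatim from the alert, review both fields in the output before handing it to 'New-FalconMlExclusion': an exclusion for a broad path scoped to all host groups removes Machine Learning coverage for that path across the whole estate.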
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Detection | Object | Falcon alert or detection | | | | X | |
```powershell
ConvertTo-FalconMlExclusion [-Detection] <Object> [<CommonParameters>]
```
2025-09-19: PSFalcon v2.2.9