Get FalconAsset - CrowdStrike/psfalcon GitHub Wiki

Get-FalconAsset

SYNOPSIS

Search for assets in Falcon Discover

DESCRIPTION

Requires 'Falcon Discover: Read' and 'Falcon Discover IoT: Read'.

PARAMETERS

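| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|------|------|-------------|-----|-----|---------|----------|----------------|
| Id | String[] | Asset identifier | | | | X | X |
| Filter | String | Falcon Query Language expression to limit results | | | | | |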

account_enabled
ad_user_account_control
agent_version
aid
assigned_to
bios_manufacturer
bios_version
cid
city
classification
confidence
country
cpu_manufacturer
creation_timestamp
current_local_ip
data_providers
data_providers_count
department
descriptions
discoverer_aids
discoverer_count
discoverer_platform_names
discoverer_product_type_descs
discoverer_tags
email
entity_type
external_ip
field_metadata
first_discoverer_aid
first_discoverer_ip
first_seen_timestamp
fqdn
groups
hostname
id
internet_exposure
kernel_version
last_discoverer_aid
last_seen_timestamp
local_ip_addresses
local_ips_count
location
mac_addresses
machine_domain
managed_by
network_interfaces
network_interfaces.interface_alias
network_interfaces.interface_description
network_interfaces.local_ip
network_interfaces.mac_address
network_interfaces.network_prefix
number_of_disk_drives
object_guid
object_sid
os_is_eol
os_service_pack
os_version
ou
owned_by
physical_core_count
platform_name
processor_package_count
product_type
product_type_desc
reduced_functionality_mode
servicenow_id
site_name
state
system_manufacturer
system_product_name
system_serial_number
tags
used_for

Account:
account_name
account_type
admin_privileges
cid
first_seen_timestamp
id
last_failed_login_hostname
last_failed_login_timestamp
last_failed_login_type
last_successful_login_host_city
last_successful_login_host_country
last_successful_login_hostname
last_successful_login_remote_ip
last_successful_login_timestamp
last_successful_login_type
login_domain
password_last_set_timestamp
user_sid
username

IoT:
device_family
device_class
device_type
device_mode
business_criticality
line_of_business
virtual_zone
subnet
purdue_level
vlan
local_ip_addresses
mac_addresses
physical_connections_count
data_providers

Login:
account_id
account_name
account_type
admin_privileges
aggregation_time_interval
aid
cid
failure_description
host_city
host_country
host_id
hostname
id
is_suspicious
local_ip
login_domain
login_event_count
login_status
login_timestamp
login_type
remote_ip
user_sid
username
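
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|------|------|-------------|-----|-----|---------|----------|----------------|
| Sort | String | Property and direction to sort results | | | | | |
| Limit | Int32 | Maximum number of results per request | 1 | 100 | | | |
| Include | String[] | Include additional properties | | | login_event | | |
| Offset | Int32 | Position to begin retrieving results | | | | | |
| Detailed | Switch | Retrieve detailed information | | | | | |
| All | Switch | Repeat requests until all available results are retrieved | | | | | |
| Total | Switch | Display total result count instead of results | | | | | |
| Account | Switch | Search for user account assets | | | | | |
| Application | Switch | Search for applications | | | | | |
| IoT | Switch | Search for IoT assets | | | | | |
| Login | Switch | Search for login events | | | | | |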

SYNTAX

Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-Offset <Int32>] [-Detailed] [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -Login [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -IoT [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -Application [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -Account [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-Detailed] [-All] [-Total] -Login [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-Detailed] [-All] [-Total] -IoT [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-Detailed] [-All] [-Total] -Application [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-Offset <Int32>] [-Detailed] [-All] [-Total] -Account [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

GET /discover/entities/accounts/v1
GET /discover/entities/applications/v1
GET /discover/entities/hosts/v1
GET /discover/entities/iot-hosts/v1
GET /discover/entities/logins/v1
GET /discover/queries/accounts/v1
GET /discover/queries/applications/v1
GET /discover/queries/hosts/v1
GET /discover/queries/iot-hosts/v1
GET /discover/queries/logins/v1

falconpy

query_hosts
get_logins
get_iot_hosts
get_hosts
get_applications
get_accounts
query_logins
query_iot_hosts
query_applications
query_accounts

USAGE

Find Unmanaged Assets within a given Subnet

Get-FalconAsset -Filter "entity_type:'unmanaged'+network_interfaces.local_ip:'192.168.25.0/24'" [-Detailed] [-All]

Find assets using a filtered search

Get-FalconAsset -Filter "entity_type:'managed'+product_type_desc:'Workstation'+platform_name:'Windows'+last_seen_timestamp:>'now-7d'" [-Detailed] [-All]

Get information about specific assets

Get-FalconAsset -Id <id>, <id>
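
Sweep several subnets for recently seen unmanaged assets

The following script is an added example, not part of the PSFalcon wiki or module: it combines the subnet and `last_seen_timestamp` filters from the usage entries above, checks each range with `-Total` before pulling detailed records, and writes one CSV for follow-up. It assumes `Request-FalconToken` has already been run in the session; the subnets and output path are constructed, and the output property names are assumed to match the filter field names listed under PARAMETERS.

```powershell
#Requires -Modules PSFalcon
# Added example: report unmanaged assets seen in the last 7 days, per subnet.
# Assumes Request-FalconToken has already been run in this session.

# Constructed sample ranges; replace with the subnets you are responsible for.
$Subnets = '192.168.25.0/24', '192.168.26.0/24'
$ReportPath = Join-Path $PWD 'unmanaged-assets.csv'   # hypothetical output path

# Accept only plain IPv4 CIDR strings so nothing else is spliced into the FQL filter.
$CidrPattern = '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$'

$Report = foreach ($Subnet in $Subnets) {
    if ($Subnet -notmatch $CidrPattern) {
        Write-Warning "Skipping '$Subnet': not an IPv4 CIDR range."
        continue
    }
    $Filter = "entity_type:'unmanaged'+network_interfaces.local_ip:'$Subnet'+last_seen_timestamp:>'now-7d'"

    # -Total returns the result count, so an empty subnet costs a single request.
    $Count = Get-FalconAsset -Filter $Filter -Total
    Write-Host "${Subnet}: $Count unmanaged asset(s)"
    if (-not $Count) { continue }

    # -Detailed returns full records; -All repeats requests past the 100-per-request limit.
    Get-FalconAsset -Filter $Filter -Detailed -All | ForEach-Object {
        # Property names are assumed to match the filter field names on this page.
        [PSCustomObject]@{
            Subnet       = $Subnet
            Id           = $_.id
            Hostname     = $_.hostname
            LocalIps     = $_.local_ip_addresses -join ';'
            MacAddresses = $_.mac_addresses -join ';'
            Confidence   = $_.confidence
            Discoverers  = $_.discoverer_count
            FirstSeen    = $_.first_seen_timestamp
            LastSeen     = $_.last_seen_timestamp
        }
    }
}

if ($Report) {
    $Report | Sort-Object Subnet, LastSeen | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Wrote $(@($Report).Count) row(s) to $ReportPath"
}
```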

2024-02-08: PSFalcon v2.2.6
