Get FalconSession - CrowdStrike/psfalcon GitHub Wiki
Search for Real-time Response sessions
Real-time Response sessions are segmented by permission, meaning that only sessions that were created using your OAuth2 API Client will be visible. Use the 'Cid' switch to enable viewing of sessions from your entire environment.
'Get-FalconQueue' can be used to find and export information about sessions in the 'offline queue'.
Requires 'Real time response: Read', and 'Real time response audit: Read' when using the 'Cid' switch.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Id | String[] | Session identifier | X | X | |||
| Filter | String | Falcon Query Language expression to limit results | |||||
| Sort | String | Property and direction to sort results | |||||
| Limit | Int32 | Maximum number of results per request | 1 |
1000 |
|||
| CommandInfo | Boolean | ||||||
| Offset | Int32 | Position to begin retrieving results | |||||
| Cid | Switch | Expand search to include all sessions created within your environment | |||||
| Queue | Switch | Restrict search to sessions that have been queued | |||||
| Detailed | Switch | Retrieve detailed information | |||||
| All | Switch | Repeat requests until all available results are retrieved | |||||
| Total | Switch | Display total result count instead of results |
Get-FalconSession [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-Detailed] [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]Get-FalconSession -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]Get-FalconSession -Id <String[]> -Queue [-WhatIf] [-Confirm] [<CommonParameters>]Get-FalconSession [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-CommandInfo] <Boolean>] [-Offset <Int32>] -Cid [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]GET /real-time-response-audit/combined/sessions/v1
GET /real-time-response/queries/sessions/v1
POST /real-time-response/entities/queued-sessions/GET/v1
POST /real-time-response/entities/sessions/GET/v1
RTR_ListAllSessions
RTR_ListSessions
RTR_ListQueuedSessions
RTRAuditSessions
NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.
Get-FalconSession [-Detailed] [-All]NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.
Get-FalconSession -Id <id>, <id>Use the Queue switch when the session has been queued for offline host(s):
Get-FalconSession -Id <id>, <id> -Queue2024-09-03: PSFalcon v2.2.7
