Invoke FalconAdminCommand - CrowdStrike/psfalcon GitHub Wiki

Invoke-FalconAdminCommand

SYNOPSIS

Issue a Real-time Response admin command to an existing single-host or batch session

DESCRIPTION

Sessions are started with 'Start-FalconSession'. A successfully created session returns a 'session_id' (single host) or a 'batch_id' (multiple hosts), which is then passed to the '-SessionId' or '-BatchId' parameter of this command.

The '-Wait' parameter uses 'Confirm-FalconAdminCommand' (or 'Confirm-FalconGetFile' for 'get') to poll for command results every 20 seconds until the command completes or processing ends.

Requires 'Real time response (admin): Write'. This is the highest Real-time Response scope: it permits commands that change the host ('put-and-run', 'runscript', 'reg set', 'rm', 'shutdown', 'restart'), so grant it only to API clients that actually need those commands.

PARAMETERS

Name            Type      Description                                                                 Min  Max  Pipeline  PipelineByName
Command         String    Real-time Response command (allowed values listed below)
Argument        String    Arguments to include with the command
OptionalHostId  String[]  Restrict execution to specific host identifiers (batch sessions only)
Timeout         Int32     Length of time to wait for a result, in seconds [default: 30]                1    600
HostTimeout     Int32     Length of time to wait for a result from target host(s), in seconds          1    600
SessionId       String    Session identifier                                                                              X
BatchId         String    Batch session identifier                                                                        X
Wait            Switch    Use 'Confirm-FalconAdminCommand' or 'Confirm-FalconGetFile' to retrieve command result

Allowed values for 'Command':

cat, cd, clear, cp, csrutil, cswindiag, encrypt, env, eventlog backup, eventlog export, eventlog list, eventlog view, falconscript, filehash, get, getsid, help, history, ifconfig, ipconfig, kill, ls, map, memdump, mkdir, mount, mv, netstat, ps, put, put-and-run, reg delete, reg load, reg query, reg set, reg unload, restart, rm, run, runscript, shutdown, umount, unmap, update history, update install, update list, users, xmemdump, zip

SYNTAX

Invoke-FalconAdminCommand [-Command] <String> [[-Argument] <String>] [[-OptionalHostId] <String[]>] [[-Timeout] <Int32>] [[-HostTimeout] <Int32>] -BatchId <String> [-Wait] [-WhatIf] [-Confirm] [<CommonParameters>]
Invoke-FalconAdminCommand [-Command] <String> [[-Argument] <String>] -SessionId <String> [-Wait] [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

POST /real-time-response/combined/batch-admin-command/v1
POST /real-time-response/entities/admin-command/v1

falconpy

BatchAdminCmd
RTR_ExecuteAdminCommand

USAGE

2023-11-27: PSFalcon v2.2.6
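The following is an added example, not code from the PSFalcon wiki or the CrowdStrike project. It walks the workflow the DESCRIPTION outlines: start a session, issue an admin command against it, and collect the result either with '-Wait' or by confirming manually. The host names, file paths and script body are placeholders; the property names 'session_id' and 'batch_id' come from the page, while 'hosts', 'aid', 'stdout', 'stderr', 'complete' and 'cloud_request_id' are assumed from PSFalcon's output objects and should be checked with Get-Member in your tenant.

```powershell
# Added example (not from the PSFalcon wiki). Hostnames, paths and the script
# body are placeholders. Property names other than session_id/batch_id are
# assumptions about PSFalcon's output objects; verify with Get-Member.

Import-Module PSFalcon

# Authenticate with an API client scoped to 'Real time response (admin): Write'.
# Keep this client separate from read-only automation: the scope can run
# put-and-run, runscript and reg set on every host a session reaches.
Request-FalconToken -ClientId $env:FALCON_CLIENT_ID -ClientSecret $env:FALCON_CLIENT_SECRET

# --- Single host: explicit -SessionId, block with -Wait --------------------
$HostId = Get-FalconHost -Filter "hostname:'WORKSTATION-01'" -Limit 1   # placeholder hostname
if (-not $HostId) { throw 'Target host not found' }

$Session = Start-FalconSession -Id $HostId
$Listing = Invoke-FalconAdminCommand -SessionId $Session.session_id -Command 'ls' `
    -Argument 'C:\Windows\Temp' -Wait
$Listing.stdout

# --- Batch: fan one command out to several hosts ---------------------------
$HostIds = Get-FalconHost -Filter "hostname:['WORKSTATION-01','WORKSTATION-02']"  # placeholders
$Batch   = Start-FalconSession -Id $HostIds -Timeout 60

# Hosts that never connected come back in 'hosts' without a session_id
# (assumed property); restrict the command to the ones that did.
$Ready = $Batch.hosts | Where-Object { $_.session_id }

# 'runscript -Raw' executes inline PowerShell on the host with sensor
# privileges. HostTimeout bounds each host, Timeout bounds the whole request.
# -Wait polls through Confirm-FalconAdminCommand every 20 seconds.
$Script   = 'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5 Name,Id,CPU'
$RawArg   = '-Raw=```' + $Script + '```'
$Results  = Invoke-FalconAdminCommand -BatchId $Batch.batch_id -Command 'runscript' `
    -Argument $RawArg -OptionalHostId $Ready.aid -Timeout 120 -HostTimeout 90 -Wait

foreach ($r in $Results) {
    if ($r.stderr) { Write-Warning "$($r.aid): $($r.stderr)" }
    else { "=== $($r.aid) ==="; $r.stdout }
}

# --- Manual confirmation when you do not want to block on -Wait ------------
$Cmd = Invoke-FalconAdminCommand -SessionId $Session.session_id -Command 'filehash' `
    -Argument 'C:\Windows\Temp\suspicious.exe'   # placeholder path
do {
    Start-Sleep -Seconds 5
    $Status = Confirm-FalconAdminCommand -CloudRequestId $Cmd.cloud_request_id
} until ($Status.complete)
$Status.stdout

# --- Pipeline form: SessionId/BatchId bind by property name ----------------
Start-FalconSession -Id $HostIds | Invoke-FalconAdminCommand -Command 'ps' -Wait
```

If a task only needs read-only commands such as 'ls', 'ps' or 'filehash', run it through 'Invoke-FalconCommand' or 'Invoke-FalconResponderCommand' with a lower-scoped API client instead, and reserve the admin scope for tooling that needs 'put-and-run', 'runscript' or registry changes.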
