New-FalconFileVantageRule - CrowdStrike/psfalcon GitHub Wiki
Create a rule within a FileVantage rule group
Requires 'Falcon FileVantage: Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Precedence | Int32 | Precedence for the new rule inside of the existing rule group | | | | | X |
| Path | String | Path of the directory, file, or registry key to monitor | 1 | 250 | | | X |
| Depth | String | Monitoring depth below the initial target directory/file/registry key | | | 1, 2, 3, 4, 5, ANY | | X |
| Severity | String | Rule severity | | | Low, Medium, High, Critical | | X |
| Description | String | Rule description | | 500 | | | X |
| Include | String | Restrict monitoring to changes made by one or more users | | | | | X |
| Exclude | String | Exclude changes made by one or more users | | | | | X |
| IncludeProcess | String | Restrict monitoring to changes made by one or more processes | | | | | X |
| ExcludeProcess | String | Exclude changes made by one or more processes | | | | | X |
| IncludeUser | String | Restrict monitoring to changes made by one or more users | | | | | X |
| ExcludeUser | String | Exclude changes made by one or more users | | | | | X |
| DirectoryAttribute | Boolean | Track directory attribute change events | | | | | X |
| DirectoryCreate | Boolean | Track directory create events | | | | | X |
| DirectoryDelete | Boolean | Track directory delete events | | | | | X |
| DirectoryPermission | Boolean | Track directory permission change events | | | | | X |
| DirectoryRename | Boolean | Track directory rename events | | | | | X |
| FileAttribute | Boolean | Track file attribute change events | | | | | X |
| FileChange | Boolean | Track file change events | | | | | X |
| FileDelete | Boolean | Track file delete events | | | | | X |
| FilePermission | Boolean | Track file permission change events | | | | | X |
| FileRename | Boolean | Track file rename events | | | | | X |
| FileWrite | Boolean | Track file write events | | | | | X |
| RegKeyCreate | Boolean | Track registry key create events | | | | | X |
| RegKeyDelete | Boolean | Track registry key delete events | | | | | X |
| RegKeyPermission | Boolean | Track registry key permission change events | | | | | X |
| RegKeyRename | Boolean | Track registry key rename events | | | | | X |
| RegKeySet | Boolean | Track registry key set events | | | | | X |
| RegValueCreate | Boolean | Track registry value create events | | | | | X |
| RegValueDelete | Boolean | Track registry value delete events | | | | | X |
| EnableContentCapture | Boolean | Enable the capture of file content during events | | | | | X |
| ContentFiles | String[] | A specific list of files to monitor for content changes | | | | | X |
| ContentRegistryValues | String[] | A specific list of registry paths to monitor for content changes (matching Include/Exclude) | | | | | X |
| HashCapture | Boolean | Track file hash | | | | | X |
| RuleGroupId | String | FileVantage rule group identifier | | | | | X |
```powershell
New-FalconFileVantageRule [-Precedence] <Int32> [-Path] <String> [[-Depth] <String>] [[-Severity] <String>] [[-Description] <String>] [[-Include] <String>] [[-Exclude] <String>] [[-IncludeProcess] <String>] [[-ExcludeProcess] <String>] [[-IncludeUser] <String>] [[-ExcludeUser] <String>] [[-DirectoryAttribute] <Boolean>] [[-DirectoryCreate] <Boolean>] [[-DirectoryDelete] <Boolean>] [[-DirectoryPermission] <Boolean>] [[-DirectoryRename] <Boolean>] [[-FileAttribute] <Boolean>] [[-FileChange] <Boolean>] [[-FileDelete] <Boolean>] [[-FilePermission] <Boolean>] [[-FileRename] <Boolean>] [[-FileWrite] <Boolean>] [[-RegKeyCreate] <Boolean>] [[-RegKeyDelete] <Boolean>] [[-RegKeyPermission] <Boolean>] [[-RegKeyRename] <Boolean>] [[-RegKeySet] <Boolean>] [[-RegValueCreate] <Boolean>] [[-RegValueDelete] <Boolean>] [[-EnableContentCapture] <Boolean>] [[-ContentFiles] <String[]>] [[-ContentRegistryValues] <String[]>] [[-HashCapture] <Boolean>] -RuleGroupId <String> [-WhatIf] [-Confirm] [<CommonParameters>]
```

API endpoint: `POST /filevantage/entities/rule-groups-rules/v1`
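The following is an added usage example, not part of the PSFalcon wiki: it creates two rules in an existing rule group, one file-integrity rule for the hosts file directory (content and hash capture enabled so a tampered file can be diffed during investigation) and one registry rule for an autorun persistence key. The client credentials and rule group identifier are placeholders, and the registry path format is an assumption to check against the FileVantage console.

```powershell
# Added example (not from the PSFalcon project): two FileVantage rules in one rule group.
# Request-FalconToken is the real PSFalcon authentication cmdlet; the values passed
# to it here are placeholders.
Import-Module PSFalcon
Request-FalconToken -ClientId '<client-id>' -ClientSecret '<client-secret>'

# Placeholder: identifier of an existing FileVantage rule group you already manage.
$RuleGroupId = '<rule-group-id>'

# Rule 1: hosts file directory. Track writes, deletes, renames and permission changes;
# capture content and hash so changes to name resolution can be reviewed and diffed.
$HostsRule = @{
    RuleGroupId          = $RuleGroupId
    Precedence           = 1
    Path                 = 'C:\Windows\System32\drivers\etc'
    Depth                = '1'           # allowed: 1, 2, 3, 4, 5, ANY
    Severity             = 'High'        # allowed: Low, Medium, High, Critical
    Description          = 'Hosts file integrity (name resolution tampering)'
    FileWrite            = $true
    FileDelete           = $true
    FileRename           = $true
    FilePermission       = $true
    EnableContentCapture = $true
    ContentFiles         = @('C:\Windows\System32\drivers\etc\hosts')
    HashCapture          = $true
}
New-FalconFileVantageRule @HostsRule

# Rule 2: autorun persistence key. Track key and value lifecycle plus permission changes.
# The registry path format below is an assumption; verify the expected form in the console.
$RunKeyRule = @{
    RuleGroupId      = $RuleGroupId
    Precedence       = 2
    Path             = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    Depth            = 'ANY'
    Severity         = 'Critical'
    Description      = 'Autorun persistence key'
    RegKeyCreate     = $true
    RegKeyDelete     = $true
    RegKeyPermission = $true
    RegKeySet        = $true
    RegValueCreate   = $true
    RegValueDelete   = $true
}
New-FalconFileVantageRule @RunKeyRule
```

Run either call with `-WhatIf` first to confirm the parameters bind as intended before the rule is written to the rule group.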
2024-09-03: PSFalcon v2.2.7
