New FalconIdentityRule - CrowdStrike/psfalcon GitHub Wiki

New-FalconIdentityRule

SYNOPSIS

Create Falcon Identity Protection policy rules

DESCRIPTION

Requires 'Identity Protection Policy Rules: Write'.

PARAMETERS

Name Type Description Min Max Allowed Pipeline PipelineByName
Name String Rule name
Action String Rule action ADD_TO_WATCH_LIST
ALLOW
APPLY_SSO_POLICY
BLOCK
FORCE_PASSWORD_CHANGE
MFA
Trigger String Rule trigger access
accountEvent
alert
federatedAccess
Enabled Boolean Rule enablement status
SimulationMode Boolean Enable simulation mode
Activity Object Object containing 'accessType' and/or 'accessTypeCustom', for rule conditions based on access
Destination Object Object containing 'entityId' and/or 'groupMembership', for rule conditions based on destination
SourceEndpoint Object Object containing 'entityId' and/or 'groupMembership', for define rule conditions based on source endpoints
SourceUser Object Object containing 'entityId' and/or 'groupMembership', for define rule conditions based on source users

SYNTAX

New-FalconIdentityRule [-Name] <String> [-Action] <String> [-Trigger] <String> [-Enabled] <Boolean> [-SimulationMode] <Boolean> [[-Activity] <Object>] [[-Destination] <Object>] [[-SourceEndpoint] <Object>] [[-SourceUser] <Object>] [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

POST /identity-protection/entities/policy-rules/v1

falconpy

api_preempt_proxy_post_policy_rules

USAGE

$Param = @{
  Name = 'Example policy rule'
  Action = 'BLOCK'
  Trigger = 'access'
  Destination = @{
    entityId = @{ 
      exclude = @('guid')
      include = @('guid')
    }
    groupMembership = @{
      exclude = @('guid')
      include = @('guid')
    }
  }
  Activity = @{
    accessType = @{
      exclude = @('AUTHENTICATION')
      include = @('REMOTE_DESKTOP')
    }
    accessTypeCustom = @{
      exclude = @('EX1')
      include = @('INC1','INC2')
    }
  }
  Enabled = $true
  SimulationMode = $false
  SourceEndpoint = @{
    entityId = @{ 
      exclude = @('guid')
      include = @('guid','guid')
    }
    groupMembership = @{
      include = @('guid')
    }
  }
  SourceUser = @{
    entityId = @{ 
      exclude = @('guid')
      include = @('guid','guid')
    }
    groupMembership = @{
      exclude = @('guid')
      include = @('guid','guid')
    }
  }
}
New-FalconIdentityRule @Param

2024-12-19: PSFalcon v2.2.8

⚠️ **GitHub.com Fallback** ⚠️