New FalconIoaRule - CrowdStrike/psfalcon GitHub Wiki
Create a custom Indicator of Attack rule within a rule group
Requires 'Custom IOA rules: Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Name | String | Rule name | X | ||||
| PatternSeverity | String | Rule severity | X | ||||
| RuletypeId | String | Rule type | X | ||||
| DispositionId | Int32 | Disposition identifier [10: Monitor, 20: Detect, 30: Block] |
102030
|
X | |||
| FieldValue | Object[] | An array of custom Indicator of Attack properties | X | ||||
| Description | String | Rule description | X | ||||
| Comment | String | Audit log comment | X | ||||
| RulegroupId | String | Rule group identifier | X |
New-FalconIoaRule [-Name] <String> [-PatternSeverity] <String> [-RuletypeId] <String> [-DispositionId] <Int32> [-FieldValue] <Object[]> [[-Description] <String>] [[-Comment] <String>] [-RulegroupId] <String> [-WhatIf] [-Confirm] [<CommonParameters>]POST /ioarules/entities/rules/v1
$Group = Get-FalconIoaGroup -Filter "name:'updatedRuleGroup'" -Detailed
$FieldValue = [PSCustomObject]@{
label = 'Grandparent Image Filename'
name = 'GrandparentImageFilename'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.+bug.exe'
}
)
}
New-FalconIoaRule -RulegroupId $Group.id -Name 'BugRule' -PatternSeverity critical -RuletypeId 5 -DispositionId 30 -FieldValue $FieldValue2024-11-05: PSFalcon v2.2.7
