Receive FalconGetFile - CrowdStrike/psfalcon GitHub Wiki
Download a password protected .7z archive containing a Real-time Response 'get' file [password: 'infected']
'Sha256' and 'SessionId' values can be found using 'Confirm-FalconGetFile'. 'Invoke-FalconResponderCommand' or 'Invoke-FalconAdminCommand' can be used to issue a 'get' command to a single-host, and 'Invoke-FalconBatchGet' can be used for multiple hosts within existing Real-time Response session.
Requires 'Real time response: Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Path | String | Destination path | |||||
| Sha256 | String | Sha256 hash value | X | ||||
| SessionId | String | Session identifier | X | ||||
| Force | Switch | Overwrite an existing file when present |
Receive-FalconGetFile [[-Path] <String>] [-Sha256] <String> [-SessionId] <String> [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]GET /real-time-response/entities/extracted-file-contents/v1
2023-04-25: PSFalcon v2.2.5
