Start FalconSession - CrowdStrike/psfalcon GitHub Wiki
Initialize a single-host or batch Real-time Response session
Real-time Response sessions require Host identifier values. Sessions that are successfully started return a 'session_id' (for single hosts) or 'batch_id' (multiple hosts) value which can be used to issue commands that will be processed by the host(s) in the session.
Commands can be issued using 'Invoke-FalconCommand', 'Invoke-FalconResponderCommand', 'Invoke-FalconAdminCommand' and 'Invoke-FalconBatchGet'.
Requires 'Real time response: Read'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| QueueOffline | Boolean | Add non-responsive hosts to the offline queue | |||||
| ExistingBatchId | String | Add hosts to an existing batch session | |||||
| Timeout | Int32 | Length of time to wait for a result, in seconds [default: 30] | 1 |
600 |
|||
| HostTimeout | Int32 | Length of time to wait for a result from target host(s), in seconds | 1 |
600 |
|||
| Id | String[] | Host identifier | 1 |
10000 |
X | X |
Start-FalconSession [[-QueueOffline] <Boolean>] [[-ExistingBatchId] <String>] [[-Timeout] <Int32>] [[-HostTimeout] <Int32>] -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]Start-FalconSession [[-QueueOffline] <Boolean>] [[-Timeout] <Int32>] -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]POST /real-time-response/combined/batch-init-session/v1
POST /real-time-response/entities/sessions/v1
BatchInitSessions
RTR_InitSession
$Batch = Start-FalconSession -Id <id>, <id>$Session = Start-FalconSession -Id <id>See Invoke-FalconCommand.
See Invoke-FalconResponderCommand.
See Invoke-FalconAdminCommand.
See Update-FalconSession.
2023-04-25: PSFalcon v2.2.5
