Commands - jshcodes/psfalcon GitHub Wiki


List available commands

After importing the module you can view the list of commands provided with PSFalcon:

Get-Command -Module PSFalcon

Finding help

Also see Parameters.

PSFalcon v2.1+

Information about PSFalcon commands and their parameters is available using the PowerShell Get-Help command. Using the -Examples, -Detailed or -Full parameter(s) provides additional information.

Get-Help Request-FalconToken

PSFalcon v2.0.x

Because PSFalcon uses dynamic parameters, the traditional PowerShell Get-Help command doesn't show parameters that can be used with PSFalcon commands. Instead, use <command> -Help to call a custom function that displays information about the available parameters and a basic description of their use.

PS> Request-FalconToken -Help

## Request an OAuth2 access token

  -ClientId [String]
    OAuth2 API client identifier
      Position : 1
      Pattern : \w{32}

  -ClientSecret [String]
    OAuth2 API client secret
      Position : 2
      Pattern : \w{40}

  -Cloud [String]
    Destination cloud
      Enum : eu-1, us-gov-1, us-1, us-2
      Position : 3

  -MemberCid [String]
    Child environment to use for authentication in multi-CID configurations
      Position : 4
      Pattern : \w{32}

Converting results to CSV

Export-FalconReport translates a [PSCustomObject] into something that is more CSV-friendly and then uses Export-Csv.

<command> [-Detailed] [-All] | Export-FalconReport -Path .\example.csv

If you wish to validate the output before creating a CSV, try:

<command> [-Detailed] [-All] | Export-FalconReport

Command examples

NOTE: Examples for PSFalcon v2.1+ can be found using:

Get-Help <command> -Examples

The following examples are for PSFalcon v2.0.x and may include syntax differences compared to v2.1+.

Detections and Incidents

See CrowdStrike API Documentation.

Find incidents

Get-FalconIncident [-Detailed] [-All]

Find behaviors

Get-FalconBehavior [-Detailed] [-All]

Update the status of multiple incidents

Invoke-FalconIncidentAction -Name update_status -Value in_progress -Ids <id>, <id>

NOTE: Corresponding detections can be updated with the -UpdateDetects and -OverwriteDetects parameters, using a value of $true.

Find detections

Get-FalconDetection -Filter "status:'new'+first_behavior:>'2020-01-01'" -Sort first_behavior.desc [-Detailed] [-All]

Modify the status of multiple detections

NOTE: Edit-FalconDetection will automatically group requests in batches of 1,000 detections.

Edit-FalconDetection -Ids <id>, <id> -Status new

Hide detections from the UI

WARNING: Hiding detections is not reversible!

Edit-FalconDetection -Ids <id>, <id> -ShowInUi $false

Show CrowdScores

Get-FalconScore [-All]

Event Streams

See CrowdStrike API Documentation.

Start an event stream

Get-FalconStream -AppId psfalcon

Refresh an active event stream

Update-FalconStream -AppId psfalcon -Partition 0

Capture a sample of events from a stream

Open-FalconStream

NOTE: This is a custom command included with PSFalcon. Over a few minutes, Open-FalconStream will output an event stream to a JSON file in the local directory. It currently only works on Windows and opens a secondary session when executed. Close that session to write the JSON to disk.

Falcon Complete Dashboards

See CrowdStrike API Documentation.

Search for Falcon Complete detection, device collection or incident identifiers

Get-FalconCompleteDetection [-All]
Get-FalconCompleteCollection [-All]
Get-FalconCompleteIncident [-All]

Display the total number of Falcon Complete detections, device collections or incidents

Get-FalconCompleteDetection -Total
Get-FalconCompleteCollection -Total
Get-FalconCompleteIncident -Total

Search for Falcon Complete allowlist, blocklist, escalation, or remediation identifiers

Get-FalconCompleteAllowlist [-All]
Get-FalconCompleteBlocklist [-All]
Get-FalconCompleteEscalation [-All]
Get-FalconCompleteRemediation [-All]

Display the total number of Falcon Complete allowlist, blocklist, escalation, and remediation tickets

Get-FalconCompleteAllowlist -Total
Get-FalconCompleteBlocklist -Total
Get-FalconCompleteEscalation -Total
Get-FalconCompleteRemediation -Total

Falcon X Recon

See CrowdStrike API Documentation.

Finding a monitoring rule

Get-FalconReconRule [-Detailed]

Creating a monitoring rule

New-FalconReconRule -Name psfalcon_example -Topic SA_AUTHOR -Filter "author:'example_author'" -Priority low -Permissions private

Creating multiple monitoring rules in a single request

$Array = @(
    @{
        name = "psfalcon_example_1"
        topic = "SA_BRAND_PRODUCT"
        filter = "phrase:'psfalcon_example_phrase'"
        priority = "low"
        permissions = "private"
    },
    @{
        name = "psfalcon_example_2"
        topic = "SA_BIN"
        filter = "ccbin:'1234'"
        priority = "medium"
        permissions = "public"
    }
)
New-FalconReconRule -Array $Array

Updating a monitoring rule

Edit-FalconReconRule -Id <id> -Name psfalcon_example_updated -Priority medium

Updating multiple monitoring rules in a single request

$Array = @(
    @{
        id = <id>
        priority = "high"
    },
    @{
        id = <id>
        priority = "high"
    }
)
Edit-FalconReconRule -Array $Array

Deleting a monitoring rule

Remove-FalconReconRule -Ids <id>, <id>

Querying monitoring rule actions

Get-FalconReconAction [-Detailed]

Creating email notifications for a monitoring rule

New-FalconReconAction -RuleId <rule_id> -Type email -Frequency daily -Recipients user@example.com

Updating email notifications for a monitoring rule

Edit-FalconReconAction -Id <id> -Frequency weekly

Deleting email notifications for a monitoring rule

Remove-FalconReconAction -Id <id>

Querying notifications

Get-FalconReconNotification

Get simplified data from notifications

Get-FalconReconNotification [-Detailed]

Get raw intelligence data from notifications

Get-FalconReconNotification -Ids <id>, <id> -Intel

Get data from notifications translated into English

Get-FalconReconNotification -Ids <id>, <id> -Translate

Get raw intelligence data from notifications translated into English

Get-FalconReconNotification -Ids <id>, <id> -Combined

Firewall Management

See CrowdStrike API Documentation.

Creating firewall rule groups

The -Rules parameter accepts a PowerShell array of rule objects which are converted to Json before submission.

$Rules = @(
    @{
        name = 'Block IP'
        description = 'Block outbound to example.com IP address'
        platform_ids = @( "0" )
        enabled = $true
        action = "DENY"
        direction = "OUT"
        address_family = "IP4"
        protocol = "*"
        fields = @(
            @{
                name = "network_location"
                type = "set"
                values = @( "ANY" )
            }
        )
        local_address = @(
            @{
                address = "*"
                netmask = 0
            }
        )
        remote_address = @(
            @{
                address = "93.184.216.34"
                netmask = 32
            }
        )
    }
)
New-FalconFirewallGroup -Name 'test rule group' -Enabled $true -Description 'describing a rule group' -Rules $Rules

Finding rule IDs in a firewall rule group

Get-FalconFirewallGroup -Ids <id>, <id>

Deleting firewall rule groups

Remove-FalconFirewallGroup -Ids <id>, <id>

Creating firewall policies

New-FalconFirewallPolicy -PlatformName Windows -Name 'Test Policy' -Description 'Firewall test policy'

Updating firewall policies

Edit-FalconFirewallPolicy -Id <id> -Name 'Test Policy 1 Name Changed'

Copying firewall policies

New-FalconFirewallPolicy -PlatformName Windows -Name 'Cloned Test Policy' -Description 'Firewall test cloned policy' -CloneId <id>

Enabling firewall policies

Invoke-FalconFirewallPolicyAction -Name enable -Id <id>

Disabling firewall policies

Invoke-FalconFirewallPolicyAction -Name disable -Id <id>

Deleting firewall policies

Remove-FalconFirewallPolicy -Ids <id>, <id>

Managing firewall policy precedence

NOTE: All policy ids (with the exception of platform_default) must be supplied in desired precedence order.

Set-FalconFirewallPrecedence -PlatformName Windows -Ids <id>, <id>

Flight Control

See CrowdStrike API Documentation.

List member CIDs

Get-FalconMemberCID [-Detailed] [-All]

List CID groups by ID

Get-FalconCIDGroup [-Detailed] [-All]

Retrieve detail about one or more CID groups

Get-FalconCIDGroup -Ids <id>, <id>

Create a CID group

New-FalconCIDGroup -Name 'Manual Testing' -Description 'Manual Testing'

Update a CID group

Edit-FalconCIDGroup -Id <id> -Name 'Updated Name' -Description 'Updated name for manual testing'

Delete a CID group

Remove-FalconCIDGroup -Ids <id>, <id>

List User groups by ID

Get-FalconUserGroup [-Detailed] [-All]

Retrieve detail about one or more User groups

Get-FalconUserGroup -Ids <id>, <id>

Create a User group

New-FalconUserGroup -Name 'Manual Testing' -Description 'Manual Testing'

Update a User group

Edit-FalconUserGroup -Id <id> -Name 'Updated Name' -Description 'Updated name for manual testing'

Delete a User group

Remove-FalconUserGroup -Ids <id>, <id>

Add a CID to a CID Group

Add-FalconCIDGroupMember -Id <cid_group_id> -CIDs <cid>, <cid>

Remove a CID from a CID Group

Remove-FalconCIDGroupMember -Id <cid_group_id> -CIDs <cid>, <cid>

List members of a User group

Get-FalconUserGroupMember -Id <user_group_id>

List the groups that a user belongs to

Get-FalconUserGroupMember -Id <user_id>

Add a user to a User Group

Add-FalconUserGroupMember -Id <user_group_id> -UserIds <user_id>, <user_id>

Remove a user from a User Group

Remove-FalconUserGroupMember -Id <user_group_id> -UserIds <user_id>, <user_id>

Get role assignments

Get-FalconGroupRole -CombinedIds <cid_group_id>:<user_group_id>, <cid_group_id>:<user_group_id>

Create a role assignment

Add-FalconGroupRole -CidGroupId <cid_group_id> -UserGroupId <user_group_id> -RoleIds <role_id>, <role_id>

Delete a role assignment

Remove-FalconGroupRole -CidGroupId <cid_group_id> -UserGroupId <user_group_id> -RoleIds <role_id>, <role_id>

Horizon

See CrowdStrike API Documentation.

Register an AWS account

New-FalconHorizonAwsAccount -AccountId <id>

Generate an AWS Cloudformation link

$Link = Get-FalconHorizonAwsLink

NOTE: A link will not be generated if an OrganizationId was included when registering your AWS account.

The link must be visited with your browser to complete the registration process. The PowerShell command Start-Process will launch your default browser:

Start-Process $Link.url

Check that the AWS account was correctly provisioned

Get-FalconHorizonAwsAccount -Ids <id>

A properly provisioned account will display status: Event_DiscoverAccountStatusOperational.

Deprovision an AWS account

Remove-FalconHorizonAwsAccount -Ids <id>

Register an AWS organizational account

New-FalconHorizonAwsAccount -AccountId <id> -OrganizationId <id>

Generate an AWS Cloudformation script

Receive-FalconHorizonAwsScript -Path $pwd\aws_provision.sh

NOTE: The script must be run using AWS CLI Version 2.

Check that the AWS account was correctly provisioned

Get-FalconHorizonAwsAccount -Ids <id>

A properly provisioned account will display status: Event_DiscoverAccountStatusOperational.

Deprovision an AWS organization

Remove-FalconHorizonAwsAccount -OrganizationIds <id>

Register an Azure account

New-FalconHorizonAzureAccount -SubscriptionId <id> -TenantId <id>

Generate an Azure CLI script

Receive-FalconHorizonAzureScript -TenantId <id> -Path $pwd\azure_provision.sh

NOTE: This script needs to be executed within your Azure Cloud Shell (Bash).

Check that the Azure account was correctly provisioned

Get-FalconHorizonAzureAccount -Ids <id>

A properly provisioned account will display status: Event_DiscoverAccountStatusOperational.

Update an Azure account

Edit-FalconHorizonAzureAccount -Id <id> [-TenantId <id>]

Deprovision an Azure account

Remove-FalconHorizonAzureAccount -Ids <id>, <id>

Retrieve a policy

Get-FalconHorizonPolicy -Ids <id>, <id>

Retrieving policies by service

Get-FalconHorizonPolicy -Service <service_name> [-Detailed]

Updating policy settings

Edit-FalconHorizonPolicy -PolicyId 20 -Enabled $true -Severity medium

Retrieving the assessment schedule

Get-FalconHorizonSchedule [-CloudPlatform]

Updating the assessment schedule

Edit-FalconHorizonSchedule -CloudPlatform aws -ScanSchedule 2h

Hosts and Host Groups

See CrowdStrike API Documentation.

Hosts that match an AWS Instance ID

Get-FalconHost -Filter "instance_id:'<instance_id>'" [-Detailed] [-All]

Finding all Windows hosts

Get-FalconHost -Filter "platform_name:'Windows'" [-Detailed] [-All]

Finding hosts based on multiple criteria

Get-FalconHost -Filter "product_type_desc:'Workstation'+status:'normal'+platform_name:['Windows','Mac']+last_seen:>='2020-07-04'" [-Detailed] [-All]

Retrieving a list of the first 100 hosts in your environment

Get-FalconHost [-Detailed]

Getting information about hosts

Get-FalconHost -Ids <id>, <id>

Containing and lifting containment on hosts

Invoke-FalconHostAction -Name contain -Ids <id>, <id>
Invoke-FalconHostAction -Name lift_containment -Ids <id>, <id>

Deleting and restoring hosts

Invoke-FalconHostAction -Name hide_host -Ids <id>, <id>
Invoke-FalconHostAction -Name unhide_host -Ids <id>, <id>

Finding hosts that have been deleted

Get-FalconHost -Hidden [-Detailed] [-All]

Create a static host group

New-FalconHostGroup -GroupType static -Name 'Test Group 45' -Description 'A demo group'

Assigning hosts to a static host group

Invoke-FalconHostGroupAction -Name add-hosts -Id <id> -HostIds <id>, <id>

Create a dynamic host group

New-FalconHostGroup -GroupType dynamic -Name Dynamic_Group -AssignmentRule "hostname:'*-BL',hostname:'*-DT'"

Finding host groups

Get-FalconHostGroup [-Detailed] [-All]

Deleting host groups

Remove-FalconHostGroup -Ids <id>, <id>

Installation tokens

See CrowdStrike API Documentation.

View installation token settings

Get-FalconInstallTokenSettings

Create installation tokens

New-FalconInstallToken -Label "My Token" -ExpiresTimestamp "2021-12-31T00:00:00Z"

Find installation tokens

Get-FalconInstallToken [-Detailed] [-All]

Get information about an installation token

Get-FalconInstallToken -Ids <id>, <id>

Modify an installation token

Edit-FalconInstallToken -Ids <id>, <id> -Revoked $true
Edit-FalconInstallToken -Ids <id> -Label "Token no expiration" -ExpiresTimestamp null

Delete installation tokens

Remove-FalconInstallToken -Ids <id>, <id>

View installation token audit events

Get-FalconInstallTokenEvent [-Detailed] [-All]

Get information about an installation token audit event

Get-FalconInstallTokenEvent -Ids <id>, <id>

MalQuery

See CrowdStrike API Documentation.

Perform a simple YARA search for a specific hash

NOTE: PSFalcon has a custom command named Search-FalconMalQueryHash which will run a simple YARA-based hash search to find a SHA256 value.

Search-FalconMalQueryHash -Sha256 <sha256>

Schedule a hunt

Invoke-FalconMalQuery -FilterFiletypes pe32 -MaxSize 1200KB -FilterMeta sha256, label, family -YaraRule "rule CrowdStrike_16142_01 : wiper { strings: $ = { 41 61 43 63 64 44 65 46 66 47 68 69 4B 4C 6C 4D 6D 6E 4E 6F 4F 70 50 72 52 73 53 54 74 55 75 56 76 77 57 78 79 5A 7A 33 32 2E 5C 45 62 67 6A 48 49 20 5F 59 51 42 3A 22 2F 40 } condition: all of them and filesize < 800KB }"

Perform an exact search

Invoke-FalconMalQuery -FilterMeta sha256, type, size -FilterFiletypes pe32, pe64 -MaxSize 1200KB -MinDate 2017/01/01 -Limit 20 -Type hex -Value 8948208b480833ca33f989502489482889782c8bd7

Perform a fuzzy search

Invoke-FalconMalQuery -Limit 3 -Type ascii -Value ".8@bVn7r&k" -Fuzzy

Check the status of a search

Get-FalconMalQuery -Ids <id>, <id>

Retrieve MalQuery sample metadata

Get-FalconMalQuerySample -Ids <sha256>, <sha256>

Download a MalQuery sample

Receive-FalconMalQuerySample -Id <sha256> -Path .\infected.exe

Download an archive of multiple MalQuery samples

$Request = Group-FalconMalQuerySample -Samples <sha256>, <sha256>
Receive-FalconMalQuerySample -Id $Request.reqid -Path .\infected.zip

Check your MalQuery quota

Get-FalconMalQueryQuota

OverWatch Dashboards

See CrowdStrike API Documentation.

Getting the total number of Falcon OverWatch detections for the past 48 hours

Get-FalconOverWatchDetection -Filter "detect_time:>'now-48h'"

Getting the total number of Falcon OverWatch events that occurred across all customers

Get-FalconOverWatchEvent -Filter "total_count:>1"

Getting the total number of Falcon OverWatch incidents for the past 48 hours

Get-FalconOverWatchIncident -Filter "detect_time:>'now-48h'"

Policies

See CrowdStrike API Documentation.

Create a Prevention policy

$Settings = @(
    @{
        id = "AdditionalUserModeData"
        value = @{
            enabled = $true
        }
    },
    @{
        id = "EndUserNotifications"
        value = @{
            enabled = $true
        }
    },
    @{
        id = "CloudAntiMalware"
        value = @{
            detection = "MODERATE"
            prevention = "MODERATE"
        }
    }
)
New-FalconPreventionPolicy -PlatformName Windows -Name "Demo Policy" -Description "This is a demo policy" -Settings $Settings

Assign a host group to a Prevention policy

Invoke-FalconPreventionPolicyAction -ActionName add-host-group -Id <id> -GroupId <id>

Set Prevention policy precedence

NOTE: All policy ids (with the exception of platform_default) must be supplied in precedence order.

Set-FalconPreventionPrecedence -PlatformName Windows -Ids <id>, <id>
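Because the precedence call must receive every non-default policy id for the platform, in order, the usual task is to read the current order, move one policy, and write the whole list back. The following is an added example, not code from the PSFalcon wiki or the module itself. It assumes the objects returned by Get-FalconPreventionPolicy -Detailed expose id, name, platform_name and precedence properties, and that the built-in default policy is named 'platform_default'; the policy name 'Demo Policy' is only a placeholder. The same pattern applies to Set-FalconFirewallPrecedence under Firewall Management, which carries the identical ordering rule.

```powershell
# Added example, not from the PSFalcon wiki. Moves one Windows prevention policy
# to the top of the precedence order while keeping the relative order of the rest.
# Assumptions: policy objects expose 'id', 'name', 'platform_name' and 'precedence';
# the built-in default policy is named 'platform_default' and is never passed to
# Set-FalconPreventionPrecedence.
$PolicyName = 'Demo Policy'   # placeholder: the policy to move to the top

# Current non-default Windows policies, lowest precedence number (highest priority) first
$Policies = Get-FalconPreventionPolicy -All -Detailed |
    Where-Object { $_.platform_name -eq 'Windows' -and $_.name -ne 'platform_default' } |
    Sort-Object precedence

$Target = $Policies | Where-Object { $_.name -eq $PolicyName }
if (-not $Target -or $Target.Count -gt 1) {
    throw "Expected exactly one Windows prevention policy named '$PolicyName'"
}

# New order: the target first, then every other policy in its existing order
$Ordered = @($Target.id) + @($Policies |
    Where-Object { $_.id -ne $Target.id } |
    Select-Object -ExpandProperty id)

# Show what is about to be applied; precedence changes take effect immediately
$Policies | Select-Object precedence, name, id | Format-Table -AutoSize
Set-FalconPreventionPrecedence -PlatformName Windows -Ids $Ordered
```

Re-reading the list with Get-FalconPreventionPolicy -All -Detailed after the call is the simplest way to confirm the new order; a policy omitted from -Ids is the most common cause of a rejected request.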

Get all Prevention policies

Get-FalconPreventionPolicy -All [-Detailed]

Finding the uninstallation token for a host

Get-FalconUninstallToken -DeviceId <id>

Finding the maintenance token that applies to any host within a given policy

Get-FalconUninstallToken -DeviceId MAINTENANCE

Create Machine Learning exclusions

New-FalconMLExclusion -Value '/foo' -ExcludedFrom blocking, extraction -GroupIds all -Comment 'creating foo'

Find Machine Learning exclusions

Get-FalconMLExclusion [-Detailed] [-All]

Modify Machine Learning exclusions

Edit-FalconMLExclusion -Id <id> -Value '/foo*'

Delete Machine Learning exclusions

Remove-FalconMLExclusion -Ids <id>, <id>

Create Sensor Visibility exclusions

New-FalconSVExclusion -Value '/foo' -GroupIds all -Comment 'creating'

Find Sensor Visibility exclusions

Get-FalconSVExclusion [-Detailed] [-All]

Modify Sensor Visibility exclusions

Edit-FalconSVExclusion -Id <id> -Value '/foochanged*'

Delete Sensor Visibility exclusions

Remove-FalconSVExclusion -Ids <id>, <id>

Modify IOA exclusions

Edit-FalconIOAExclusion -Id <id> -ImagePath '.*\\Windows\\System32\\choice1\.exe'

Find IOA exclusions

Get-FalconIOAExclusion [-Detailed]

Delete IOA exclusions

Remove-FalconIOAExclusion -Ids <id>, <id>

Find custom IOA rule types

Get-FalconIOAType [-Detailed]

Find custom IOA severities

Get-FalconIOASeverity [-Detailed]

Find custom IOA platforms

Get-FalconIOAPlatform [-Detailed]

Create custom IOA rule groups

New-FalconIOAGroup -Platform mac -Name newRuleGroup -Description "My new mac rule group"

Modify custom IOA rule groups

$Current = Get-FalconIOAGroup -Filter "name:'newRuleGroup'" -Detailed
Edit-FalconIOAGroup -Id $Current.id -Name "updatedRuleGroup" -Enabled $true -RulegroupVersion $Current.version -Description "My updated mac rule group" -Comment "Updated using PSFalcon"

Find custom IOA rule groups

Get-FalconIOAGroup [-Detailed]

Delete custom IOA rule groups

Remove-FalconIOAGroup -Ids <id>, <id>

Create custom IOA rules

$Group = Get-FalconIOAGroup -Filter "name:'updatedRuleGroup'" -Detailed
$FieldValues = @{
    label = 'Grandparent Image Filename'
    name = 'GrandparentImageFilename'
    type = 'excludable'
    values = @(
        @{
            label = 'include'
            value = '.+bug.exe'
        }
    )
}
New-FalconIOARule -RulegroupId $Group.id -Name "BugRule" -PatternSeverity critical -RuletypeId 5 -DispositionId 30 -FieldValues $FieldValues

Modify custom IOA rules

$Group = Get-FalconIOAGroup -Filter "name:'updatedRuleGroup'" -Detailed
$RuleUpdates = @(
    @{
        name = 'BugRule'
        pattern_severity = 'critical'
        enabled = $true
        description = 'Stops the bug'
        disposition_id = 30
        instance_id = '1'
        field_values = @(
            @{
                label = 'Grandparent Image Filename'
                name = 'GrandparentImageFilename'
                type = 'excludable'
                values = @(
                    @{
                        label = 'include'
                        value = '.+updatebug.exe'
                    }
                )
            },
            @{
                label = 'Grandparent Command Line'
                name = 'GrandparentCommandLine'
                type = 'excludable'
                values = @(
                    @{
                        label = 'include'
                        value = '.*'
                    }
                )
            },
            @{
                label = 'Parent Image Filename'
                name = 'ParentImageFilename'
                type = 'excludable'
                values = @(
                    @{
                        label = 'include'
                        value = '.*'
                    }
                )
            },
            @{
                label = 'Parent Command Line'
                name = 'ParentCommandLine'
                type = 'excludable'
                values = @(
                    @{
                        label = 'include'
                        value = '.*'
                    }
                )
            },
            @{
                label = 'Image Filename'
                name = 'ImageFilename'
                type = 'excludable'
                values = @(
                    @{
                        label = 'include'
                        value = '.*'
                    }
                )
            },
            @{
                label = 'Command Line'
                name = 'CommandLine'
                type = 'excludable'
                values = @(
                    @{
                        label = 'include'
                        value = '.*'
                    }
                )
            }
        )
    }
)
Edit-FalconIOARule -RulegroupId $Group.id -RulegroupVersion $Group.version -RuleUpdates $RuleUpdates -Comment "Updated using PSFalcon"

Find custom IOA rules

Get-FalconIOARule [-Detailed]

Delete custom IOA rules

Remove-FalconIOARule -RulegroupId <id> -Ids <id>, <id>

Validating field values

$Fields = @(
    @{
        label = 'Grandparent Image Filename'
        name = 'GrandparentImageFilename'
        type = 'excludable'
        values = @(
            @{
                label = 'include'
                value = '.+attacker.exe'
            }
        )
    }
)
Test-FalconIOARule -Fields $Fields

Find custom IOA rule groups matching a query

Get-FalconIOAGroup -Filter "name:'updatedRuleGroup'+platform:'mac'" -Detailed

Find custom IOA rule group identifiers matching a query

Get-FalconIOAGroup -Filter "name:'updatedRuleGroup'+platform:'mac'"

Find a custom IOA rule identifier by name within a rule group

Get-FalconIOARule -Filter "id:'<id>'+rules.name:'BugRule'" [-Detailed] [-All]

Creating a domain indicator

New-FalconIOC -Type domain -Value example01.com -Action detect -Severity medium -Description 'test description' -Platforms windows, mac, linux -Tags test_tag -HostGroups <host_group_id>, <host_group_id> -Expiration 2021-05-01

Creating multiple indicators in a single request

$Array = @(
    @{
        type = "domain"
        value = "example01.com"
        action = "detect"
        severity = "medium"
        description = "test description"
        platforms = @("windows", "mac", "linux")
        tags = @("test_tag")
        host_groups = @("<id>")
    },
    @{
        type = "sha256"
        value = "a88787d8ff144c502c7f5cffaafe2cc588d86079f9de88304c26b0cb99ce91cc"
        source = "bd20201216"
        filename = "iexplore.exe"
        action = "prevent"
        severity = "high"
        description = "test block description"
        platforms = @("windows")
        tags = @("test_tag", "test_tag2")
        applied_globally = $true
    }
)
New-FalconIOC -Array $Array

Finding domain indicator identifiers

Get-FalconIOC -Filter "type:'domain'"

Retrieving details about an indicator by its identifier

Get-FalconIOC -Ids <id>, <id>

Retrieving indicator details in large batches

Get-FalconIOC -Filter "type:'domain'+tags:'MalDomain_20201215'+tags:'domains_mac'" -Detailed

Updating an indicator by identifier

Edit-FalconIOC -Id <id> -Source testSource -Action detect -Severity low -Description 'test description update' -Platforms windows -Tags test_tag2 -HostGroups all -Expiration '2021-05-01T12:00:00Z'

Deleting indicators by identifier

Remove-FalconIOC -Ids <id>, <id>

Real-time Response

See CrowdStrike API Documentation.

Invoke-FalconRtr

PSFalcon has a custom command named Invoke-FalconRtr that is designed to perform all the necessary steps to initiate a session with one or more hosts, send a command and output the results.

This command is not designed for a multi-step Real-time Response workflow and will negatively impact certain operations.

For instance, if you were to cd into a directory and attempt to put a file by running Invoke-FalconRtr twice, Invoke-FalconRtr will reset back to the root of your system drive between the cd and put commands, causing the file to be placed in the wrong directory.

Invoke-FalconRtr -Command ls -Arguments C:\Windows -HostIds <id>, <id>

If the hosts you're targeting are currently offline, you can add your Real-time Response commands to the "offline queue" using the -QueueOffline parameter.

Invoke-FalconRtr -Command runscript -Arguments "-CloudFile='HelloWorld'" -HostIds <id>, <id> -QueueOffline $true

If you find that your script needs to be more complex, you can follow the instructions below to create a custom Real-time Response workflow with multiple commands. NOTE: PSFalcon includes commands for each Real-time Response permission level.

  • Invoke-FalconCommand, Confirm-FalconCommand
  • Invoke-FalconResponderCommand, Confirm-FalconResponderCommand
  • Invoke-FalconAdminCommand, Confirm-FalconAdminCommand

Invoke-FalconDeploy

Invoke-FalconDeploy was developed to support mass-deployment of Falcon Forensics. It is designed to upload a file to your ‘Put’ Files library, create a session with target hosts, push the file to those hosts, then execute it and output the results to CSV.

NOTE: Because Real-time Response does not interact with logged in users, the executable must be able to be run silently and without user interaction.

Invoke-FalconDeploy -HostIds <id>, <id> -Path $pwd\File.exe [-QueueOffline]

Get-FalconQueue

Get-FalconQueue will create a CSV file with information about sessions that have pending queued commands or have been created in the last 7 days (by default).

Get-FalconQueue [-Days]

Start a batch session with multiple hosts

$Batch = Start-FalconSession -HostIds <id>, <id>

Send a command using appropriate permissions

Invoke-FalconCommand -Command ls -Arguments C:\Windows -BatchId $Batch.batch_id

Refresh the session to prevent expiration

NOTE: Required when you expect to exceed the default batch session expiration time (5 minutes).

Update-FalconSession -BatchId $Batch.batch_id

Start a session with a single host

$Session = Start-FalconSession -HostId <id>

Send a command using appropriate permissions

$Command = Invoke-FalconCommand -Command ls -Arguments C:\Windows -SessionId $Session.session_id

Retrieve command results

Confirm-FalconCommand -CloudRequestId $Command.cloud_request_id

NOTE: This step is important! Without retrieving the results from an issued command, the Real-time Response session may not reflect that actions have taken place. For instance, if you cd and don't confirm, you'll stay in your current directory.

Refresh the session to prevent expiration

NOTE: Refreshing the session is required when you expect to exceed the default expiration time (10 minutes).

Update-FalconSession -SessionId $Session.session_id
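The cd-then-put sequence that the Invoke-FalconRtr section warns against is exactly what a single session built from the steps above handles correctly. The following is an added example, not code from the PSFalcon wiki or the module itself: it wraps send-then-confirm in a helper that polls until the command reports completion (so an unconfirmed cd can never be skipped), then uses it to change directory, put a file and list the result. It assumes that Confirm-FalconAdminCommand takes -CloudRequestId like Confirm-FalconCommand and returns objects exposing complete, stdout and stderr properties, that File.exe already exists in the 'put' file library, and that the helper name Invoke-RtrAdminStep and the host id placeholder are hypothetical.

```powershell
# Added example, not from the PSFalcon wiki. Multi-step Real-time Response
# workflow in one session: cd, put, ls. Assumptions: Confirm-FalconAdminCommand
# accepts -CloudRequestId and returns 'complete', 'stdout' and 'stderr';
# 'File.exe' is already in the 'put' file library.
function Invoke-RtrAdminStep {
    # Hypothetical helper: sends one admin-level command in an existing session
    # and waits for its result. Confirming is what commits the step; an
    # unconfirmed 'cd' leaves the session in its previous directory.
    param(
        [Parameter(Mandatory)][string]$SessionId,
        [Parameter(Mandatory)][string]$Command,
        [string]$Arguments,
        [int]$TimeoutSeconds = 60
    )
    $Param = @{ SessionId = $SessionId; Command = $Command }
    if ($Arguments) { $Param['Arguments'] = $Arguments }
    $Request = Invoke-FalconAdminCommand @Param

    $Deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 2
        $Result = Confirm-FalconAdminCommand -CloudRequestId $Request.cloud_request_id
    } until ($Result.complete -or (Get-Date) -gt $Deadline)

    if (-not $Result.complete) { throw "'$Command' did not complete within $TimeoutSeconds seconds" }
    if ($Result.stderr) { throw "'$Command' failed: $($Result.stderr)" }
    $Result
}

$HostId = '<id>'   # placeholder: target host identifier (aid)
$Session = Start-FalconSession -HostId $HostId

# Step 1: change directory and confirm, so the session really moves there
Invoke-RtrAdminStep -SessionId $Session.session_id -Command cd -Arguments 'C:\Temp' | Out-Null

# Step 2: push the file from the 'put' library into that directory
Invoke-RtrAdminStep -SessionId $Session.session_id -Command put -Arguments 'File.exe' | Out-Null

# Step 3: list the directory to verify the file landed where intended
$Listing = Invoke-RtrAdminStep -SessionId $Session.session_id -Command ls
$Listing.stdout

# If more steps follow, keep the session alive (default expiration is 10 minutes)
Update-FalconSession -SessionId $Session.session_id
```

Running every step through the admin-level command pair is deliberate: put requires it, and the admin endpoint accepts the lower-level commands (cd, ls) as well, so one permission level covers the whole sequence.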

Use Real-time Response to download a file

NOTE: Invoke-FalconRtr can be used to initialize a batch session and issue the get command. The results will include the batch_get_cmd_req_id that can be used with Confirm-FalconGetFile to verify the extraction has completed, and then Receive-FalconGetFile can be used to download the file(s).

To download a file from a single host, start with a Real-time Response session:

$Init = Start-FalconSession -HostId <id>

Follow it with a get command:

$Get = Invoke-FalconAdminCommand -SessionId $Init.session_id -Command get -Arguments C:\path\to\file.exe

Verify that the extraction of the file has completed:

$Confirm = Confirm-FalconGetFile -SessionId $Init.session_id

Once the results of Confirm-FalconGetFile contain a SHA256 value (indicating the extraction has completed), you can download the file:

Receive-FalconGetFile -Sha256 $Confirm.sha256 -SessionId $Init.session_id -Path C:\path\to\local\download.7z

The process is similar for multiple hosts, but uses slightly different commands after starting the session:

$Init = Start-FalconSession -HostIds <id>, <id>

Send the get command to the session:

$Get = Invoke-FalconBatchGet -BatchId $Init.batch_id -FilePath C:\path\to\file.exe

Verify that extraction of the files has completed:

$Confirm = Confirm-FalconGetFile -BatchGetCmdReqId $Get.batch_get_cmd_req_id

The upload from the host has completed once the file has populated sha256 and created_at values. You can use the sha256 and session_id values to download the files, and in the following example, each file will be downloaded and saved in your local directory, using the sha256 and aid values to name the archive.

$Confirm | Where-Object { $_.sha256 -and $_.created_at -and $_.session_id } | ForEach-Object {
    $Param = @{
        Sha256 = $_.sha256
        SessionId = $_.session_id
        Path = "$pwd\$($_.aid)_$($_.sha256).7z"
    }
    Receive-FalconGetFile @Param
}

You can re-run the previous command examples (Confirm-FalconGetFile and Receive-FalconGetFile) repeatedly to download additional files as their uploads complete from each individual host.

Find Real-time Response sessions

NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.

Get-FalconSession [-Detailed] [-All]

Retrieve detail about Real-time Response sessions

NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.

Get-FalconSession -Ids <id>, <id> [-Queue]

Create a new Real-time Response script

Send-FalconScript -Path $pwd\hello_world.ps1 -Platform windows -PermissionType group

Find Real-time Response scripts

Get-FalconScript [-Detailed] [-All]

Modify Real-time Response scripts

Edit-FalconScript -Id <id>

Delete Real-time Response scripts

Remove-FalconScript -Ids <id>, <id>

Create a new Real-time Response ‘put’ file

Send-FalconPutFile -Path $pwd\File.exe

Find Real-time Response ‘put’ files

Get-FalconPutFile [-Detailed] [-All]

Delete Real-time Response ‘put’ files

Remove-FalconPutFile -Ids <id>

Sandbox and QuickScan

See CrowdStrike API Documentation.

Upload files for submission

$Sample = Send-FalconSample -Path C:\virus.exe -Filename virus.exe -Comment 'bad file'

Submit an uploaded sample for analysis in a sandbox environment

$Submission = New-FalconSubmission -Sha256 $Sample.sha256 -EnvironmentId win7_x86 -SubmitName virus.exe

Check the progress of samples previously submitted for analysis

Get-FalconSubmission -Ids $Submission.id

Submit files to QuickScan

NOTE: The files submitted for QuickScan must be available via a previous upload using Send-FalconSample.

New-FalconQuickScan -Samples <sha256>, <sha256>

Search for QuickScans run in the last 7 days

Get-FalconQuickScan -Filter "created_timestamp:>'Last 7 days'" [-Detailed]

Retrieve information about a QuickScan

Get-FalconQuickScan -Ids <id>

View a summary-level sandbox report

Get-FalconReport -Ids <id>, <id> -Summary

View a sandbox report

Get-FalconReport -Ids <id>, <id>

Download artifacts

NOTE: The identifiers needed to download artifacts can be found in a sandbox report.

$Report = Get-FalconReport -Ids <id>

Download a strict IOC pack

Receive-FalconArtifact -Id $Report.ioc_report_strict_csv_artifact_id -Path .\ioc_report_strict_csv_artifact_id.csv
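Taken together, the upload, submit, progress check, report and artifact steps form one pipeline. The following is an added example, not code from the PSFalcon wiki or the module itself, that runs them end to end and waits for the analysis to finish before asking for a report. It assumes Get-FalconSubmission returns a state property that reads 'created' or 'running' while analysis is pending and 'success' when it is done, that the report object exposes verdict and ioc_report_strict_csv_artifact_id, and that C:\virus.exe is a placeholder path.

```powershell
# Added example, not from the PSFalcon wiki. Upload a sample, detonate it in the
# win7_x86 sandbox, wait for completion, save the report and the strict IOC pack.
# Assumptions: submission objects expose 'state' ('created'/'running' while
# pending, 'success' when finished); report objects expose 'verdict' and
# 'ioc_report_strict_csv_artifact_id'.
$SamplePath = 'C:\virus.exe'   # placeholder path
$FileName = Split-Path $SamplePath -Leaf
$OutDir = $pwd

$Sample = Send-FalconSample -Path $SamplePath -Filename $FileName -Comment 'added example'
$Submission = New-FalconSubmission -Sha256 $Sample.sha256 -EnvironmentId win7_x86 -SubmitName $FileName

# Poll until the sandbox reports a terminal state or we give up
$Deadline = (Get-Date).AddMinutes(20)
do {
    Start-Sleep -Seconds 30
    $Status = Get-FalconSubmission -Ids $Submission.id
} while ($Status.state -in @('created', 'running') -and (Get-Date) -lt $Deadline)

if ($Status.state -ne 'success') {
    throw "Submission $($Submission.id) ended in state '$($Status.state)'"
}

# Full report: keep a JSON copy keyed by the sample hash, print the verdict
$Report = Get-FalconReport -Ids $Submission.id
$Report | Select-Object id, verdict
$Report | ConvertTo-Json -Depth 10 |
    Set-Content -Path (Join-Path $OutDir "$($Sample.sha256).json")

# Strict IOC pack, when the report produced one
if ($Report.ioc_report_strict_csv_artifact_id) {
    Receive-FalconArtifact -Id $Report.ioc_report_strict_csv_artifact_id `
        -Path (Join-Path $OutDir "$($Sample.sha256)_ioc_strict.csv")
}
```

Checking Get-FalconSubmissionQuota before the submit call is worthwhile in a loop over many samples; a rejected submission never reaches the 'running' state, so the poll above would otherwise wait out its full deadline.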

Check your Sandbox submission quota

Get-FalconSubmissionQuota

Check your QuickScan submission quota

Get-FalconQuickScanQuota

Sensor Installers

See CrowdStrike API Documentation.

Find all available sensor installers for Linux

Get-FalconInstaller -Filter "platform:'linux'" [-Detailed] [-All]

Find all available sensor installers for a specific OS version

Get-FalconInstaller -Filter "os:'Amazon Linux'" [-Detailed] [-All]

Retrieve detailed information about a specific sensor installer

Get-FalconInstaller -Ids <id>

Download a sensor installer

Receive-FalconInstaller -Id <id> -Path .\WindowsSensor.exe

Find your Customer ID and Checksum (CCID)

Get-FalconCCID

Spotlight

See CrowdStrike API Documentation.

Search for vulnerabilities

NOTE: The Spotlight API requires the use of a filter when requesting results.

Get-FalconVulnerability -Filter "created_timestamp:>'2019-11-25T22:36:12Z'" [-Detailed] [-All]

Get information about specific vulnerabilities

Get-FalconVulnerability -Ids <id>, <id>

Get information about specific remediations

Get-FalconRemediation -Ids <id>, <id>

Threat Intelligence

See CrowdStrike API Documentation.

Search for actors

Get-FalconActor -Filter "target_countries:'united states'+target_countries:'canada'+target_industries:'government'" [-Detailed] [-All]

Get information about specific actors

Get-FalconActor -Ids <id>, <id>

Search for information about actors

Get-FalconActor -Filter "target_countries:'united states'+target_countries:'canada'+target_industries:'government'" -Limit 1 -Detailed

Search for indicators

Get-FalconIndicator -Filter "type:'domain'" [-Detailed]

Get information about specific indicators

Get-FalconIndicator -Ids <id>, <id>

Search for information about indicators

Get-FalconIndicator -Filter "last_updated:>=1427846400" -Sort "last_updated|asc" -Detailed [-All]

Search for reports

Get-FalconReport -Filter "target_countries:'united states'+target_industries:'government'"

Get information about specific reports

Get-FalconReport -Ids <id>, <id>

Search for information about reports

Get-FalconReport -Filter "target_countries:'afghanistan'" -Limit 1 -Detailed

Download the latest rule set

Receive-FalconRule -Type yara-master -Path $pwd\yara-master.zip

Search for a rule set

Get-FalconRule -Filter "type=yara-master&min_created_date_date=1509494400" -Limit 3

Get information about a specific rule set

Get-FalconRule -Ids <id>, <id>

Download a specific rule set

Receive-FalconRule -Id <id> -Path $pwd\rules.zip

Users and Roles

See CrowdStrike API Documentation.

Create a new user

New-FalconUser -Username jane.doe@example.com

List all users

Get-FalconUser [-Detailed]

Get details on one or more users

Get-FalconUser -Ids <id>, <id>

Modify a user

Edit-FalconUser -Id <id> -FirstName Jane -LastName Doe

Remove a user

Remove-FalconUser -Id <id>

List all available user roles

Get-FalconRole [-Detailed]

List roles assigned to a user

Get-FalconRole -UserId <id> [-Detailed]

Assign roles to a user

Add-FalconRole -Ids <id>, <id> -UserId <id>

Revoke roles from a user

Remove-FalconRole -Ids <id>, <id> -UserId <id>

Zero Trust Assessment

See CrowdStrike API Documentation.

Retrieving Zero Trust Assessment data by host

Get-FalconZTA -Ids <id>, <id>