Commands - jshcodes/psfalcon GitHub Wiki
After importing the module you can view the list of commands provided with PSFalcon:
Get-Command -Module PSFalcon
Also see Parameters.
Information about PSFalcon commands and their parameters is available using the PowerShell Get-Help command. Using the -Examples, -Detailed or -Full parameter(s) provides additional information.
Get-Help Request-FalconToken
Because PSFalcon uses dynamic parameters, the traditional PowerShell Get-Help command doesn't show parameters that can be used with PSFalcon commands. Instead, use <command> -Help to call a custom function that displays information about the available parameters and a basic description of their use.
PS> Request-FalconToken -Help
## Request an OAuth2 access token
-ClientId [String]
OAuth2 API client identifier
Position : 1
Pattern : \w{32}
-ClientSecret [String]
OAuth2 API client secret
Position : 2
Pattern : \w{40}
-Cloud [String]
Destination cloud
Enum : eu-1, us-gov-1, us-1, us-2
Position : 3
-MemberCid [String]
Child environment to use for authentication in multi-CID configurations
Position : 4
Pattern : \w{32}
Export-FalconReport translates a [PSCustomObject] into something that is more CSV-friendly and then uses Export-Csv.
<command> [-Detailed] [-All] | Export-FalconReport -Path .\example.csv
If you wish to validate the output before creating a CSV, try:
<command> [-Detailed] [-All] | Export-FalconReport
NOTE: Examples for PSFalcon v2.1+ can be found using:
Get-Help <command> -Examples
The following examples are for PSFalcon v2.0.x and may include syntax differences compared to v2.1+.
See CrowdStrike API Documentation.
Get-FalconIncident [-Detailed] [-All]
Get-FalconBehavior [-Detailed] [-All]
Invoke-FalconIncidentAction -Name update_status -Value in_progress -Ids <id>, <id>
NOTE: Corresponding detections can be updated with the -UpdateDetects and -OverwriteDetects parameters, using a value of $true.
Get-FalconDetection -Filter "status:'new'+first_behavior:>'2020-01-01'" -Sort first_behavior.desc [-Detailed] [-All]
NOTE: Edit-FalconDetection will automatically group requests in batches of 1,000 detections.
Edit-FalconDetection -Ids <id>, <id> -Status new
WARNING: Hiding detections is not reversible!
Edit-FalconDetection -Ids <id>, <id> -ShowInUi $false
Get-FalconScore [-All]
See CrowdStrike API Documentation.
Get-FalconStream -AppId psfalcon
Update-FalconStream -AppId psfalcon -Partition 0
Open-FalconStream
NOTE: This is a custom command included with PSFalcon. Over a few minutes, Open-FalconStream will output an event stream to a JSON file in the local directory. It currently only works on Windows and will open a secondary session when executed. You can close the session to write the JSON to disk.
See CrowdStrike API Documentation.
Get-FalconCompleteDetection [-All]
Get-FalconCompleteCollection [-All]
Get-FalconCompleteIncident [-All]
Get-FalconCompleteDetection -Total
Get-FalconCompleteCollection -Total
Get-FalconCompleteIncident -Total
Get-FalconCompleteAllowlist [-All]
Get-FalconCompleteBlocklist [-All]
Get-FalconCompleteEscalation [-All]
Get-FalconCompleteRemediation [-All]
Display the total number of Falcon Complete allowlist, blocklist, escalation, and remediation tickets
Get-FalconCompleteAllowlist -Total
Get-FalconCompleteBlocklist -Total
Get-FalconCompleteEscalation -Total
Get-FalconCompleteRemediation -Total
See CrowdStrike API Documentation.
Get-FalconReconRule [-Detailed]
New-FalconReconRule -Name psfalcon_example -Topic SA_AUTHOR -Filter "author:'example_author'" -Priority low -Permissions private
$Array = @(
@{
name = "psfalcon_example_1"
topic = "SA_BRAND_PRODUCT"
filter = "phrase:'psfalcon_example_phrase'"
priority = "low"
permissions = "private"
},
@{
name = "psfalcon_example_2"
topic = "SA_BIN"
filter = "ccbin:'1234'"
priority = "medium"
permissions = "public"
}
)
New-FalconReconRule -Array $Array
Edit-FalconReconRule -Id <id> -Name psfalcon_example_updated -Priority medium
$Array = @(
@{
id = <id>
priority = "high"
},
@{
id = <id>
priority = "high"
}
)
Edit-FalconReconRule -Array $Array
Remove-FalconReconRule -Ids <id>, <id>
Get-FalconReconAction [-Detailed]
New-FalconReconAction -RuleId <rule_id> -Type email -Frequency daily -Recipients user@example.com
Edit-FalconReconAction -Id <id> -Frequency weekly
Remove-FalconReconAction -Id <id>
Get-FalconReconNotification
Get-FalconReconNotification [-Detailed]
Get-FalconReconNotification -Ids <id>, <id> -Intel
Get-FalconReconNotification -Ids <id>, <id> -Translate
Get-FalconReconNotification -Ids <id>, <id> -Combined
See CrowdStrike API Documentation.
The -Rules parameter accepts a PowerShell array of rule objects which are converted to JSON before submission.
$Rules = @(
@{
name = 'Block IP'
description = 'Block outbound to example.com IP address'
platform_ids = @( "0" )
enabled = $true
action = "DENY"
direction = "OUT"
address_family = "IP4"
protocol = "*"
fields = @(
@{
name = "network_location"
type = "set"
values = @( "ANY" )
}
)
local_address = @(
@{
address = "*"
netmask = 0
}
)
remote_address = @(
@{
address = "93.184.216.34"
netmask = 32
}
)
}
)
New-FalconFirewallGroup -Name 'test rule group' -Enabled $true -Description 'describing a rule group' -Rules $Rules
Get-FalconFirewallGroup -Ids <id>, <id>
Remove-FalconFirewallGroup -Ids <id>, <id>
New-FalconFirewallPolicy -PlatformName Windows -Name 'Test Policy' -Description 'Firewall test policy'
Edit-FalconFirewallPolicy -Id <id> -Name 'Test Policy 1 Name Changed'
New-FalconFirewallPolicy -PlatformName Windows -Name 'Cloned Test Policy' -Description 'Firewall test cloned policy' -CloneId <id>
Invoke-FalconFirewallPolicyAction -Name enable -Id <id>
Invoke-FalconFirewallPolicyAction -Name disable -Id <id>
Remove-FalconFirewallPolicy -Ids <id>, <id>
NOTE: All policy ids (with the exception of platform_default) must be supplied in desired precedence order.
Set-FalconFirewallPrecedence -PlatformName Windows -Ids <id>, <id>
See CrowdStrike API Documentation.
Get-FalconMemberCID [-Detailed] [-All]
Get-FalconCIDGroup [-Detailed] [-All]
Get-FalconCIDGroup -Ids <id>, <id>
New-FalconCIDGroup -Name 'Manual Testing' -Description 'Manual Testing'
Edit-FalconCIDGroup -Id <id> -Name 'Updated Name' -Description 'Updated name for manual testing'
Remove-FalconCIDGroup -Ids <id>, <id>
Get-FalconUserGroup [-Detailed] [-All]
Get-FalconUserGroup -Ids <id>, <id>
New-FalconUserGroup -Name 'Manual Testing' -Description 'Manual Testing'
Edit-FalconUserGroup -Id <id> -Name 'Updated Name' -Description 'Updated name for manual testing'
Remove-FalconUserGroup -Ids <id>, <id>
Add-FalconCIDGroupMember -Id <cid_group_id> -CIDs <cid>, <cid>
Remove-FalconCIDGroupMember -Id <cid_group_id> -CIDs <cid>, <cid>
Get-FalconUserGroupMember -Id <user_group_id>
Get-FalconUserGroupMember -Id <user_id>
Add-FalconUserGroupMember -Id <user_group_id> -UserIds <user_id>, <user_id>
Remove-FalconUserGroupMember -Id <user_group_id> -UserIds <user_id>, <user_id>
Get-FalconGroupRole -CombinedIds <cid_group_id>:<user_group_id>, <cid_group_id>:<user_group_id>
Add-FalconGroupRole -CidGroupId <cid_group_id> -UserGroupId <user_group_id> -RoleIds <role_id>, <role_id>
Remove-FalconGroupRole -CidGroupId <cid_group_id> -UserGroupId <user_group_id> -RoleIds <role_id>, <role_id>
See CrowdStrike API Documentation.
New-FalconHorizonAwsAccount -AccountId <id>
$Link = Get-FalconHorizonAwsLink
NOTE: A link will not be generated if an OrganizationId was included when registering your AWS account.
The link must be visited with your browser to complete the registration process. The PowerShell command Start-Process will launch your default browser:
Start-Process $Link.url
Get-FalconHorizonAwsAccount -Ids <id>
A properly provisioned account will display status: Event_DiscoverAccountStatusOperational.
Remove-FalconHorizonAwsAccount -Ids <id>
New-FalconHorizonAwsAccount -AccountId <id> -OrganizationId <id>
Receive-FalconHorizonAwsScript -Path $pwd\aws_provision.sh
NOTE: The script must be run using AWS CLI Version 2.
Get-FalconHorizonAwsAccount -Ids <id>
A properly provisioned account will display status: Event_DiscoverAccountStatusOperational.
Remove-FalconHorizonAwsAccount -OrganizationIds <id>
New-FalconHorizonAzureAccount -SubscriptionId <id> -TenantId <id>
Receive-FalconHorizonAzureScript -TenantId <id> -Path $pwd\azure_provision.sh
NOTE: This script needs to be executed within your Azure Cloud Shell (Bash).
Get-FalconHorizonAzureAccount -Ids <id>
A properly provisioned account will display status: Event_DiscoverAccountStatusOperational.
Edit-FalconHorizonAzureAccount -Id <id> [-TenantId <id>]
Remove-FalconHorizonAzureAccount -Ids <id>, <id>
Get-FalconHorizonPolicy -Ids <id>, <id>
Get-FalconHorizonPolicy -Service <service_name> [-Detailed]
Edit-FalconHorizonPolicy -PolicyId 20 -Enabled $true -Severity medium
Get-FalconHorizonSchedule [-CloudPlatform]
Edit-FalconHorizonSchedule -CloudPlatform aws -ScanSchedule 2h
See CrowdStrike API Documentation.
Get-FalconHost -Filter "instance_id:'<instance_id>'" [-Detailed] [-All]
Get-FalconHost -Filter "platform_name:'Windows'" [-Detailed] [-All]
Get-FalconHost -Filter "product_type_desc:'Workstation'+status:'normal'+platform_name:['Windows','Mac']+last_seen:>='2020-07-04'" [-Detailed] [-All]
Get-FalconHost [-Detailed]
Get-FalconHost -Ids <id>, <id>
Invoke-FalconHostAction -Name contain -Ids <id>, <id>
Invoke-FalconHostAction -Name lift_containment -Ids <id>, <id>
Invoke-FalconHostAction -Name hide_host -Ids <id>, <id>
Invoke-FalconHostAction -Name unhide_host -Ids <id>, <id>
Get-FalconHost -Hidden [-Detailed] [-All]
New-FalconHostGroup -GroupType static -Name 'Test Group 45' -Description 'A demo group'
Invoke-FalconHostGroupAction -Name add-hosts -Id <id> -HostIds <id>, <id>
New-FalconHostGroup -GroupType dynamic -Name Dynamic_Group -AssignmentRule "hostname:'*-BL',hostname:'*-DT'"
Get-FalconHostGroup [-Detailed] [-All]
Remove-FalconHostGroup -Ids <id>, <id>
See CrowdStrike API Documentation.
Get-FalconInstallTokenSettings
New-FalconInstallToken -Label "My Token" -ExpiresTimestamp "2021-12-31T00:00:00Z"
Get-FalconInstallToken [-Detailed] [-All]
Get-FalconInstallToken -Ids <id>, <id>
Edit-FalconInstallToken -Ids <id>, <id> -Revoked $true
Edit-FalconInstallToken -Ids <id> -Label "Token no expiration" -ExpiresTimestamp null
Remove-FalconInstallToken -Ids <id>, <id>
Get-FalconInstallTokenEvent [-Detailed] [-All]
Get-FalconInstallTokenEvent -Ids <id>, <id>
See CrowdStrike API Documentation.
NOTE: PSFalcon has a custom command named Search-FalconMalQueryHash which will run a simple YARA-based hash search to find a SHA256 value.
Search-FalconMalQueryHash -Sha256 <sha256>
Invoke-FalconMalQuery -FilterFiletypes pe32 -MaxSize 1200KB -FilterMeta sha256, label, family -YaraRule "rule CrowdStrike_16142_01 : wiper { strings: $ = { 41 61 43 63 64 44 65 46 66 47 68 69 4B 4C 6C 4D 6D 6E 4E 6F 4F 70 50 72 52 73 53 54 74 55 75 56 76 77 57 78 79 5A 7A 33 32 2E 5C 45 62 67 6A 48 49 20 5F 59 51 42 3A 22 2F 40 } condition: all of them and filesize < 800KB }"
Invoke-FalconMalQuery -FilterMeta sha256, type, size -FilterFiletypes pe32, pe64 -MaxSize 1200KB -MinDate 2017/01/01 -Limit 20 -Type hex -Value 8948208b480833ca33f989502489482889782c8bd7
Invoke-FalconMalQuery -Limit 3 -Type ascii -Value ".8@bVn7r&k" -Fuzzy
Get-FalconMalQuery -Ids <id>, <id>
Get-FalconMalQuerySample -Ids <sha256>, <sha256>
Receive-FalconMalQuerySample -Id <sha256> -Path .\infected.exe
$Request = Group-FalconMalQuerySample -Samples <sha256>, <sha256>
Receive-FalconMalQuerySample -Id $Request.reqid -Path .\infected.zip
Get-FalconMalQueryQuota
See CrowdStrike API Documentation.
Get-FalconOverWatchDetection -Filter "detect_time:>'now-48h'"
Get-FalconOverWatchEvent -Filter "total_count:>1"
Get-FalconOverWatchIncident -Filter "detect_time:>'now-48h'"
See CrowdStrike API Documentation.
$Settings = @(
@{
id = "AdditionalUserModeData"
value = @{
enabled = $true
}
},
@{
id = "EndUserNotifications"
value = @{
enabled = $true
}
},
@{
id = "CloudAntiMalware"
value = @{
detection = "MODERATE"
prevention = "MODERATE"
}
}
)
New-FalconPreventionPolicy -PlatformName Windows -Name "Demo Policy" -Description "This is a demo policy" -Settings $Settings
Invoke-FalconPreventionPolicyAction -ActionName add-host-group -Id <id> -GroupId <id>
NOTE: All policy ids (with the exception of platform_default) must be supplied in precedence order.
Set-FalconPreventionPrecedence -PlatformName Windows -Ids <id>, <id>
Get-FalconPreventionPolicy -All [-Detailed]
Get-FalconUninstallToken -DeviceId <id>
Get-FalconUninstallToken -DeviceId MAINTENANCE
New-FalconMLExclusion -Value '/foo' -ExcludedFrom blocking, extraction -GroupIds all -Comment 'creating foo'
Get-FalconMLExclusion [-Detailed] [-All]
Edit-FalconMLExclusion -Id <id> -Value '/foo*'
Remove-FalconMLExclusion -Ids <id>, <id>
New-FalconSVExclusion -Value '/foo' -GroupIds all -Comment 'creating'
Get-FalconSVExclusion [-Detailed] [-All]
Edit-FalconSVExclusion -Id <id> -Value '/foochanged*'
Remove-FalconSVExclusion -Ids <id>, <id>
Edit-FalconIOAExclusion -Id <id> -ImagePath '.*\\Windows\\System32\\choice1\.exe'
Get-FalconIOAExclusion [-Detailed]
Remove-FalconIOAExclusion -Ids <id>, <id>
Get-FalconIOAType [-Detailed]
Get-FalconIOASeverity [-Detailed]
Get-FalconIOAPlatform [-Detailed]
New-FalconIOAGroup -Platform mac -Name newRuleGroup -Description "My new mac rule group"
$Current = Get-FalconIOAGroup -Filter "name:'newRuleGroup'" -Detailed
Edit-FalconIOAGroup -Id $Current.id -Name "updatedRuleGroup" -Enabled $true -RulegroupVersion $Current.version -Description "My updated mac rule group" -Comment "Updated using PSFalcon"
Get-FalconIOAGroup [-Detailed]
Remove-FalconIOAGroup -Ids <id>, <id>
$Group = Get-FalconIOAGroup -Filter "name:'updatedRuleGroup'" -Detailed
$FieldValues = @{
label = 'Grandparent Image Filename'
name = 'GrandparentImageFilename'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.+bug.exe'
}
)
}
New-FalconIOARule -RulegroupId $Group.id -Name "BugRule" -PatternSeverity critical -RuletypeId 5 -DispositionId 30 -FieldValues $FieldValues
$Group = Get-FalconIOAGroup -Filter "name:'updatedRuleGroup'" -Detailed
$RuleUpdates = @(
@{
name = 'BugRule'
pattern_severity = 'critical'
enabled = $true
description = 'Stops the bug'
disposition_id = 30
instance_id = '1'
field_values = @(
@{
label = 'Grandparent Image Filename'
name = 'GrandparentImageFilename'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.+updatebug.exe'
}
)
},
@{
label = 'Grandparent Command Line'
name = 'GrandparentCommandLine'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.*'
}
)
},
@{
label = 'Parent Image Filename'
name = 'ParentImageFilename'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.*'
}
)
},
@{
label = 'Parent Command Line'
name = 'ParentCommandLine'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.*'
}
)
},
@{
label = 'Image Filename'
name = 'ImageFilename'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.*'
}
)
},
@{
label = 'Command Line'
name = 'CommandLine'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.*'
}
)
}
)
}
)
Edit-FalconIOARule -RulegroupId $Group.id -RulegroupVersion $Group.version -RuleUpdates $RuleUpdates -Comment "Updated using PSFalcon"
Get-FalconIOARule [-Detailed]
Remove-FalconIOARule -RulegroupId <id> -Ids <id>, <id>
$Fields = @(
@{
label = 'Grandparent Image Filename'
name = 'GrandparentImageFilename'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.+attacker.exe'
}
)
}
)
Test-FalconIOARule -Fields $Fields
Get-FalconIOAGroup -Filter "name:'updatedRuleGroup'+platform:'mac'" -Detailed
Get-FalconIOAGroup -Filter "name:'updatedRuleGroup'+platform:'mac'"
Get-FalconIOARule -Filter "id:'<id>'+rules.name:'BugRule'" [-Detailed] [-All]
New-FalconIOC -Type domain -Value example01.com -Action detect -Severity medium -Description 'test description' -Platforms windows, mac, linux -Tags test_tag -HostGroups <host_group_id>, <host_group_id> -Expiration 2021-05-01
$Array = @(
@{
type = "domain"
value = "example01.com"
action = "detect"
severity = "medium"
description = "test description"
platforms = @("windows", "mac", "linux")
tags = @("test_tag")
host_groups = @("<id>")
},
@{
type = "sha256"
value = "a88787d8ff144c502c7f5cffaafe2cc588d86079f9de88304c26b0cb99ce91cc"
source = "bd20201216"
filename = "iexplore.exe"
action = "prevent"
severity = "high"
description = "test block description"
platforms = @("windows")
tags = @("test_tag", "test_tag2")
applied_globally = $true
}
)
New-FalconIOC -Array $Array
Get-FalconIOC -Filter "type:'domain'"
Get-FalconIOC -Ids <id>, <id>
Get-FalconIOC -Filter "type:'domain'+tags:'MalDomain_20201215'+tags:'domains_mac'" -Detailed
Edit-FalconIOC -Id <id> -Source testSource -Action detect -Severity low -Description 'test description update' -Platforms windows -Tags test_tag2 -HostGroups all -Expiration '2021-05-01T12:00:00Z'
Remove-FalconIOC -Ids <id>, <id>
See CrowdStrike API Documentation.
PSFalcon has a custom command named Invoke-FalconRtr that is designed to perform all the necessary steps to initiate a session with one or more hosts, send a command and output the results.
This command is not designed for a multi-step Real-time Response workflow and will negatively impact certain operations. For instance, if you were to cd into a directory and attempt to put a file by running Invoke-FalconRtr twice, Invoke-FalconRtr will reset back to the root of your system drive between the cd and put commands, causing the file to be placed in the wrong directory.
Invoke-FalconRtr -Command ls -Arguments C:\Windows -HostIds <id>, <id>
If the hosts you're targeting are currently offline, you can add your Real-time Response commands to the "offline queue" using the -QueueOffline parameter.
Invoke-FalconRtr -Command runscript -Arguments "-CloudFile='HelloWorld'" -HostIds <id>, <id> -QueueOffline $true
If you find that your script needs to be more complex, you can follow the instructions below to create a custom Real-time Response workflow with multiple commands.
NOTE: PSFalcon includes commands for each Real-time Response permission level.
- Invoke-FalconCommand, Confirm-FalconCommand
- Invoke-FalconResponderCommand, Confirm-FalconResponderCommand
- Invoke-FalconAdminCommand, Confirm-FalconAdminCommand
Invoke-FalconDeploy was developed to support mass-deployment of Falcon Forensics. It is designed to upload a file to your 'Put' Files library, create a session with target hosts, push the file to those hosts, then execute it and output the results to CSV.
NOTE: Because Real-time Response does not interact with logged in users, the executable must be able to be run silently and without user interaction.
Invoke-FalconDeploy -HostIds <id>, <id> -Path $pwd\File.exe [-QueueOffline]
Get-FalconQueue will create a CSV file with information about sessions that have pending queued commands or have been created in the last 7 days (by default).
Get-FalconQueue [-Days]
$Batch = Start-FalconSession -HostIds <id>, <id>
Invoke-FalconCommand -Command ls -Arguments C:\Windows -BatchId $Batch.batch_id
NOTE: Required when you expect to exceed the default batch session expiration time (5 minutes).
Update-FalconSession -BatchId $Batch.batch_id
$Session = Start-FalconSession -HostId <id>
$Command = Invoke-FalconCommand -Command ls -Arguments C:\Windows -SessionId $Session.session_id
Confirm-FalconCommand -CloudRequestId $Command.cloud_request_id
NOTE: This step is important! Without retrieving the results from an issued command, the Real-time Response session may not reflect that actions have taken place. For instance, if you cd and don't confirm, you'll stay in your current directory.
NOTE: Refreshing the session is required when you expect to exceed the default expiration time (10 minutes).
Update-FalconSession -SessionId $Session.session_id
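The single-host steps above, combined into one script as an added example (not code from the PSFalcon wiki): it starts a session, issues cd and then ls, and waits for each command to be confirmed before sending the next one, so the directory change is recorded before the listing runs. The complete, stdout and stderr properties on the Confirm-FalconCommand result and the 8 minute refresh threshold are assumptions; the host id is a placeholder you supply.

```powershell
# Added example: sequential Real-time Response commands against one host,
# confirming each result before the next command is sent.
# Assumption: Confirm-FalconCommand returns an object with 'complete',
# 'stdout' and 'stderr' properties for the requested cloud_request_id.
param(
    [Parameter(Mandatory = $true)]
    [string]$HostId,            # Falcon device id (aid) of the target host
    [int]$TimeoutSeconds = 60   # how long to wait for one command to finish
)

function Wait-FalconCommandResult {
    # Poll Confirm-FalconCommand until the command reports completion or the timeout passes
    param([string]$CloudRequestId, [int]$TimeoutSeconds)
    $Deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $Result = Confirm-FalconCommand -CloudRequestId $CloudRequestId
        if ($Result.complete -eq $true) { return $Result }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $Deadline)
    throw "Command $CloudRequestId did not complete within $TimeoutSeconds seconds"
}

$Session = Start-FalconSession -HostId $HostId
$SessionStarted = Get-Date

# Read-only commands only: change directory, then list it. Because each
# command is confirmed, 'ls' runs inside C:\Windows\Temp rather than the drive root.
$Steps = @(
    @{ Command = 'cd'; Arguments = 'C:\Windows\Temp' },
    @{ Command = 'ls' }
)

foreach ($Step in $Steps) {
    # Refresh before the default 10 minute session expiration (threshold is an assumption)
    if (((Get-Date) - $SessionStarted).TotalMinutes -ge 8) {
        Update-FalconSession -SessionId $Session.session_id
        $SessionStarted = Get-Date
    }
    $Param = @{
        Command   = $Step.Command
        SessionId = $Session.session_id
    }
    if ($Step.Arguments) { $Param['Arguments'] = $Step.Arguments }
    $Command = Invoke-FalconCommand @Param
    $Result = Wait-FalconCommandResult -CloudRequestId $Command.cloud_request_id -TimeoutSeconds $TimeoutSeconds
    if ($Result.stderr) {
        Write-Warning "$($Step.Command) returned an error: $($Result.stderr)"
    }
    $Result.stdout
}
```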
NOTE: Invoke-FalconRtr can be used to initialize a batch session and issue the get command. The results will include the batch_get_cmd_req_id that can be used with Confirm-FalconGetFile to verify the extraction has completed, and then Receive-FalconGetFile can be used to download the file(s).
To download a file from a single host, start with a Real-time Response session:
$Init = Start-FalconSession -HostId <id>
Follow it with a get command:
$Get = Invoke-FalconAdminCommand -SessionId $Init.session_id -Command get -Arguments C:\path\to\file.exe
Verify that the extraction of the file has completed:
$Confirm = Confirm-FalconGetFile -SessionId $Init.session_id
Once the results of Confirm-FalconGetFile contain a SHA256 value (indicating the extraction has completed), you can download the file:
Receive-FalconGetFile -Sha256 $Confirm.sha256 -SessionId $Init.session_id -Path C:\path\to\local\download.7z
The process is similar for multiple hosts, but uses slightly different commands after starting the session:
$Init = Start-FalconSession -HostIds <id>, <id>
Send the get command to the session:
$Get = Invoke-FalconBatchGet -BatchId $Init.batch_id -FilePath C:\path\to\file.exe
Verify that extraction of the files has completed:
$Confirm = Confirm-FalconGetFile -BatchGetCmdReqId $Get.batch_get_cmd_req_id
The upload from the host has completed once the file has populated sha256 and created_at values. You can use the sha256 and session_id values to download the files. In the following example, each file will be downloaded and saved in your local directory, using the aid and sha256 values to name the archive.
$Confirm | Where-Object { $_.sha256 -and $_.created_at -and $_.session_id } | ForEach-Object {
$Param = @{
Sha256 = $_.sha256
SessionId = $_.session_id
Path = "$pwd\$($_.aid)_$($_.sha256).7z"
}
Receive-FalconGetFile @Param
}
You can re-run the previous command examples (Confirm-FalconGetFile and Receive-FalconGetFile) repeatedly to download additional files as their uploads complete from each individual host.
NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.
Get-FalconSession [-Detailed] [-All]
Get-FalconSession -Ids <id>, <id> [-Queue]
Send-FalconScript -Path $pwd\hello_world.ps1 -Platform windows -PermissionType group
Get-FalconScript [-Detailed] [-All]
Edit-FalconScript -Id <id>
Remove-FalconScript -Ids <id>, <id>
Send-FalconPutFile -Path $pwd\File.exe
Get-FalconPutFile [-Detailed] [-All]
Remove-FalconPutFile -Ids <id>
See CrowdStrike API Documentation.
$Sample = Send-FalconSample -Path C:\virus.exe -Filename virus.exe -Comment 'bad file'
$Submission = New-FalconSubmission -Sha256 $Sample.sha256 -EnvironmentId win7_x86 -SubmitName virus.exe
Get-FalconSubmission -Ids $Submission.id
NOTE: The files submitted for QuickScan must be available via a previous upload using Send-FalconSample.
New-FalconQuickScan -Samples <sha256>, <sha256>
Get-FalconQuickScan -Filter "created_timestamp:>'Last 7 days'" [-Detailed]
Get-FalconQuickScan -Ids <id>
Get-FalconReport -Ids <id>, <id> -Summary
Get-FalconReport -Ids <id>, <id>
NOTE: The identifiers needed to download artifacts can be found in a sandbox report.
$Report = Get-FalconReport -Ids <id>
Receive-FalconArtifact -Id $Report.ioc_report_strict_csv_artifact_id -Path .\ioc_report_strict_csv_artifact_id.csv
Get-FalconSubmissionQuota
Get-FalconQuickScanQuota
See CrowdStrike API Documentation.
Get-FalconInstaller -Filter "platform:'linux'" [-Detailed] [-All]
Get-FalconInstaller -Filter "os:'Amazon Linux'" [-Detailed] [-All]
Get-FalconInstaller -Ids <id>
Receive-FalconInstaller -Id <id> -Path .\WindowsSensor.exe
Get-FalconCCID
See CrowdStrike API Documentation.
NOTE: The Spotlight API requires the use of a filter when requesting results.
Get-FalconVulnerability -Filter "created_timestamp:>'2019-11-25T22:36:12Z'" [-Detailed] [-All]
Get-FalconVulnerability -Ids <id>, <id>
Get-FalconRemediation -Ids <id>, <id>
See CrowdStrike API Documentation.
Get-FalconActor -Filter "target_countries:'united states'+target_countries:'canada'+target_industries:'government'" [-Detailed] [-All]
Get-FalconActor -Ids <id>, <id>
Get-FalconActor -Filter "target_countries:'united states'+target_countries:'canada'+target_industries:'government'" -Limit 1 -Detailed
Get-FalconIndicator -Filter "type:'domain'" [-Detailed]
Get-FalconIndicator -Ids <id>, <id>
Get-FalconIndicator -Filter "last_updated:>=1427846400" -Sort "last_updated|asc" -Detailed [-All]
Get-FalconReport -Filter "target_countries:'united states'+target_industries:'government'"
Get-FalconReport -Ids <id>, <id>
Get-FalconReport -Filter "target_countries:'afghanistan'" -Limit 1 -Detailed
Receive-FalconRule -Type yara-master -Path $pwd\yara-master.zip
Get-FalconRule -Filter "type=yara-master&min_created_date_date=1509494400" -Limit 3
Get-FalconRule -Ids <id>, <id>
Receive-FalconRule -Id <id> -Path $pwd\rules.zip
See CrowdStrike API Documentation.
New-FalconUser -Username jane.doe@example.com
Get-FalconUser [-Detailed]
Get-FalconUser -Ids <id>, <id>
Edit-FalconUser -Id <id> -FirstName Jane -LastName Doe
Remove-FalconUser -Id <id>
Get-FalconRole [-Detailed]
Get-FalconRole -UserId <id> [-Detailed]
Add-FalconRole -Ids <id>, <id> -UserId <id>
Remove-FalconRole -Ids <id>, <id> -UserId <id>
See CrowdStrike API Documentation.
Get-FalconZTA -Ids <id>, <id>