Permissions - jshcodes/psfalcon GitHub Wiki
| Command | Permission(s) |
|---|---|
| Add-FalconCidGroupMember | mssp:write |
| Add-FalconGroupRole | mssp:write |
| Add-FalconHostTag | devices:write |
| Add-FalconRole | usermgmt:write |
| Add-FalconUserGroupMember | mssp:write |
| Confirm-FalconAdminCommand | real-time-response-admin:write |
| Confirm-FalconCommand | real-time-response:read |
| Confirm-FalconDiscoverAwsAccess | cloud-connect-aws:write |
| Confirm-FalconGetFile | real-time-response:write |
| Confirm-FalconResponderCommand | real-time-response:write |
| Edit-FalconCidGroup | mssp:write |
| Edit-FalconContainerAwsAccount | kubernetes-protection:write |
| Edit-FalconDetection | detects:write |
| Edit-FalconDeviceControlPolicy | device-control-policies:write |
| Edit-FalconDiscoverAwsAccount | cloud-connect-aws:write |
| Edit-FalconFirewallGroup | firewall-management:write |
| Edit-FalconFirewallPolicy | firewall-management:write |
| Edit-FalconFirewallSetting | firewall-management:write |
| Edit-FalconHorizonAwsAccount | cspm-registration:write |
| Edit-FalconHorizonAzureAccount | cspm-registration:write |
| Edit-FalconHorizonPolicy | cspm-registration:write |
| Edit-FalconHorizonSchedule | cspm-registration:write |
| Edit-FalconHostGroup | host-group:write |
| Edit-FalconInstallToken | installation-tokens:write |
| Edit-FalconIoaExclusion | self-service-ioa-exclusions:write |
| Edit-FalconIoaGroup | custom-ioa:write |
| Edit-FalconIoaRule | custom-ioa:write |
| Edit-FalconIoc | ioc:write |
| Edit-FalconMlExclusion | ml-exclusions:write |
| Edit-FalconPreventionPolicy | prevention-policies:write |
| Edit-FalconReconAction | recon-monitoring-rules:write |
| Edit-FalconReconNotification | recon-monitoring-rules:write |
| Edit-FalconReconRule | recon-monitoring-rules:write |
| Edit-FalconResponsePolicy | response-policies:write |
| Edit-FalconScript | real-time-response-admin:write |
| Edit-FalconSensorUpdatePolicy | sensor-update-policies:write |
| Edit-FalconSvExclusion | sensor-visibility-exclusions:write |
| Edit-FalconUser | usermgmt:write |
| Edit-FalconUserGroup | mssp:write |
| Export-FalconConfig | 'write' for each configuration exported |
| Export-FalconReport | |
| Find-FalconDuplicate | devices:read, devices:write |
| Get-FalconActor | falconx-actors:read |
| Get-FalconBehavior | incidents:read |
| Get-FalconBuild | sensor-update-policies:read |
| Get-FalconCcid | sensor-installers:read |
| Get-FalconCidGroup | mssp:read |
| Get-FalconCidGroupMember | mssp:read |
| Get-FalconCompleteAllowlist | falconcomplete-dashboard:read |
| Get-FalconCompleteBlocklist | falconcomplete-dashboard:read |
| Get-FalconCompleteCollection | falconcomplete-dashboard:read |
| Get-FalconCompleteDetection | falconcomplete-dashboard:read |
| Get-FalconCompleteEscalation | falconcomplete-dashboard:read |
| Get-FalconCompleteIncident | falconcomplete-dashboard:read |
| Get-FalconCompleteRemediation | falconcomplete-dashboard:read |
| Get-FalconContainerAwsAccount | kubernetes-protection:read |
| Get-FalconContainerCloud | kubernetes-protection:read |
| Get-FalconContainerCluster | kubernetes-protection:read |
| Get-FalconContainerToken | container-security:read |
| Get-FalconDetection | detects:read |
| Get-FalconDeviceControlPolicy | device-control-policies:read |
| Get-FalconDeviceControlPolicyMember | device-control-policies:read |
| Get-FalconDiscoverAwsAccount | cloud-connect-aws:read |
| Get-FalconDiscoverAwsSetting | cloud-connect-aws:read |
| Get-FalconDiscoverAzureAccount | d4c-registration:read |
| Get-FalconDiscoverGcpAccount | d4c-registration:read |
| Get-FalconFirewallEvent | firewall-management:read |
| Get-FalconFirewallField | firewall-management:read |
| Get-FalconFirewallGroup | firewall-management:read |
| Get-FalconFirewallPlatform | firewall-management:read |
| Get-FalconFirewallPolicy | firewall-management:read |
| Get-FalconFirewallPolicyMember | firewall-management:read |
| Get-FalconFirewallRule | firewall-management:read |
| Get-FalconFirewallSetting | firewall-management:read |
| Get-FalconGroupRole | mssp:read |
| Get-FalconHorizonAwsAccount | cspm-registration:read |
| Get-FalconHorizonAwsLink | cspm-registration:read |
| Get-FalconHorizonAzureAccount | cspm-registration:read |
| Get-FalconHorizonIoaEvent | cspm-registration:read |
| Get-FalconHorizonIoaUser | cspm-registration:read |
| Get-FalconHorizonPolicy | cspm-registration:read |
| Get-FalconHorizonSchedule | cspm-registration:read |
| Get-FalconHost | devices:read |
| Get-FalconHostGroup | host-group:read |
| Get-FalconHostGroupMember | host-group:read |
| Get-FalconIncident | incidents:read |
| Get-FalconIndicator | falconx-indicators:read |
| Get-FalconInstaller | sensor-installers:read |
| Get-FalconInstallToken | installation-tokens:read |
| Get-FalconInstallTokenEvent | installation-tokens:read |
| Get-FalconInstallTokenSetting | installation-tokens:read |
| Get-FalconIntel | falconx-reports:read |
| Get-FalconIoaExclusion | self-service-ioa-exclusions:read |
| Get-FalconIoaGroup | custom-ioa:read |
| Get-FalconIoaPlatform | custom-ioa:read |
| Get-FalconIoaRule | custom-ioa:read |
| Get-FalconIoaSeverity | custom-ioa:read |
| Get-FalconIoaType | custom-ioa:read |
| Get-FalconIoc | ioc:read |
| Get-FalconIocHost | iocs:read |
| Get-FalconIocProcess | iocs:read |
| Get-FalconMalQuery | malquery:read |
| Get-FalconMalQueryQuota | malquery:read |
| Get-FalconMalQuerySample | malquery:read |
| Get-FalconMemberCid | mssp:read |
| Get-FalconMlExclusion | ml-exclusions:read |
| Get-FalconOverWatchDetection | overwatch-dashboard:read |
| Get-FalconOverWatchEvent | overwatch-dashboard:read |
| Get-FalconOverWatchIncident | overwatch-dashboard:read |
| Get-FalconPreventionPolicy | prevention-policies:read |
| Get-FalconPreventionPolicyMember | prevention-policies:read |
| Get-FalconPutFile | real-time-response-admin:write |
| Get-FalconQuarantine | quarantine:read |
| Get-FalconQueue | real-time-response:read, real-time-response:write, real-time-response-admin:write |
| Get-FalconQuickScan | quick-scan:read |
| Get-FalconQuickScanQuota | quick-scan:read |
| Get-FalconReconAction | recon-monitoring-rules:read |
| Get-FalconReconNotification | recon-monitoring-rules:read |
| Get-FalconReconRule | recon-monitoring-rules:read |
| Get-FalconReconRulePreview | recon-monitoring-rules:read |
| Get-FalconRemediation | spotlight-vulnerabilities:read |
| Get-FalconReport | falconx-sandbox:read |
| Get-FalconResponsePolicy | response-policies:read |
| Get-FalconResponsePolicyMember | response-policies:read |
| Get-FalconRole | usermgmt:read |
| Get-FalconRule | falconx-rules:read |
| Get-FalconSample | samplestore:read |
| Get-FalconScheduledReport | scheduled-report:read |
| Get-FalconScore | incidents:read |
| Get-FalconScript | real-time-response-admin:write |
| Get-FalconSensorUpdatePolicy | sensor-update-policies:read |
| Get-FalconSensorUpdatePolicyMember | sensor-update-policies:read |
| Get-FalconSession | real-time-response:read |
| Get-FalconStream | streaming:read |
| Get-FalconSubmission | falconx-sandbox:read |
| Get-FalconSubmissionQuota | falconx-sandbox:read |
| Get-FalconSvExclusion | sensor-visibility-exclusions:read |
| Get-FalconUninstallToken | sensor-update-policies:write |
| Get-FalconUser | usermgmt:read |
| Get-FalconUserGroup | mssp:read |
| Get-FalconUserGroupMember | mssp:read |
| Get-FalconVulnerability | spotlight-vulnerabilities:read |
| Get-FalconZta | zero-trust-assessment:read |
| Group-FalconMalQuerySample | malquery:write |
| Import-FalconConfig | 'write' for each configuration imported |
| Invoke-FalconAdminCommand | real-time-response-admin:write |
| Invoke-FalconBatchGet | real-time-response:write |
| Invoke-FalconCommand | real-time-response:read |
| Invoke-FalconContainerScan | kubernetes-protection:write |
| Invoke-FalconDeploy | devices:read, real-time-response-admin:write |
| Invoke-FalconDeviceControlPolicyAction | device-control-policies:write |
| Invoke-FalconFirewallPolicyAction | firewall-management:write |
| Invoke-FalconHostAction | devices:write |
| Invoke-FalconHostGroupAction | host-group:write |
| Invoke-FalconIncidentAction | incidents:write |
| Invoke-FalconMalQuery | malquery:write |
| Invoke-FalconPreventionPolicyAction | prevention-policies:write |
| Invoke-FalconQuarantineAction | quarantine:write |
| Invoke-FalconResponderCommand | real-time-response:write |
| Invoke-FalconResponsePolicyAction | response-policies:write |
| Invoke-FalconRtr | real-time-response:read, real-time-response:write, real-time-response-admin:write |
| Invoke-FalconSensorUpdatePolicyAction | sensor-update-policies:write |
| New-FalconCidGroup | mssp:write |
| New-FalconContainerAwsAccount | kubernetes-protection:write |
| New-FalconContainerKey | kubernetes-protection:write |
| New-FalconDeviceControlPolicy | device-control-policies:write |
| New-FalconDiscoverAwsAccount | cloud-connect-aws:write |
| New-FalconDiscoverAzureAccount | d4c-registration:write |
| New-FalconDiscoverGcpAccount | d4c-registration:write |
| New-FalconFirewallGroup | firewall-management:write |
| New-FalconFirewallPolicy | firewall-management:write |
| New-FalconHorizonAwsAccount | cspm-registration:write |
| New-FalconHorizonAzureAccount | cspm-registration:write |
| New-FalconHostGroup | host-group:write |
| New-FalconInstallToken | installation-tokens:write |
| New-FalconIoaExclusion | self-service-ioa-exclusions:write |
| New-FalconIoaGroup | custom-ioa:write |
| New-FalconIoaRule | custom-ioa:write |
| New-FalconIoc | ioc:write |
| New-FalconMlExclusion | ml-exclusions:write |
| New-FalconPreventionPolicy | prevention-policies:write |
| New-FalconQuickScan | quick-scan:write |
| New-FalconReconAction | recon-monitoring-rules:write |
| New-FalconReconRule | recon-monitoring-rules:write |
| New-FalconResponsePolicy | response-policies:write |
| New-FalconSensorUpdatePolicy | sensor-update-policies:write |
| New-FalconSubmission | falconx-sandbox:write |
| New-FalconSvExclusion | sensor-visibility-exclusions:write |
| New-FalconUser | usermgmt:write |
| New-FalconUserGroup | mssp:write |
| Receive-FalconArtifact | falconx-sandbox:read |
| Receive-FalconContainerYaml | kubernetes-protection:read |
| Receive-FalconDiscoverAzureScript | d4c-registration:read |
| Receive-FalconDiscoverGcpScript | d4c-registration:read |
| Receive-FalconGetFile | real-time-response:write |
| Receive-FalconHorizonAwsScript | cspm-registration:read |
| Receive-FalconHorizonAzureScript | cspm-registration:read |
| Receive-FalconInstaller | sensor-installers:read |
| Receive-FalconIntel | scheduled-report:read |
| Receive-FalconMalQuerySample | malquery:read |
| Receive-FalconRule | falconx-rules:read |
| Receive-FalconSample | samplestore:read |
| Receive-FalconScheduledReport | scheduled-report:read |
| Remove-FalconCidGroup | mssp:write |
| Remove-FalconCidGroupMember | mssp:write |
| Remove-FalconCommand | real-time-response:read |
| Remove-FalconContainerAwsAccount | kubernetes-protection:write |
| Remove-FalconDeviceControlPolicy | device-control-policies:write |
| Remove-FalconDiscoverAwsAccount | cloud-connect-aws:write |
| Remove-FalconFirewallGroup | firewall-management:write |
| Remove-FalconFirewallPolicy | firewall-management:write |
| Remove-FalconGetFile | real-time-response:write |
| Remove-FalconGroupRole | mssp:write |
| Remove-FalconHorizonAwsAccount | cspm-registration:write |
| Remove-FalconHorizonAzureAccount | cspm-registration:write |
| Remove-FalconHostGroup | host-group:write |
| Remove-FalconHostTag | devices:write |
| Remove-FalconInstallToken | installation-tokens:write |
| Remove-FalconIoaExclusion | self-service-ioa-exclusions:write |
| Remove-FalconIoaGroup | custom-ioa:write |
| Remove-FalconIoaRule | custom-ioa:write |
| Remove-FalconIoc | ioc:write |
| Remove-FalconMlExclusion | ml-exclusions:write |
| Remove-FalconPreventionPolicy | prevention-policies:write |
| Remove-FalconPutFile | real-time-response-admin:write |
| Remove-FalconReconAction | recon-monitoring-rules:write |
| Remove-FalconReconNotification | recon-monitoring-rules:write |
| Remove-FalconReconRule | recon-monitoring-rules:write |
| Remove-FalconReport | falconx-sandbox:write |
| Remove-FalconResponsePolicy | response-policies:write |
| Remove-FalconRole | usermgmt:write |
| Remove-FalconSample | samplestore:write |
| Remove-FalconScript | real-time-response-admin:write |
| Remove-FalconSensorUpdatePolicy | sensor-update-policies:write |
| Remove-FalconSession | real-time-response:read |
| Remove-FalconSvExclusion | sensor-visibility-exclusions:write |
| Remove-FalconUser | usermgmt:write |
| Remove-FalconUserGroup | mssp:write |
| Remove-FalconUserGroupMember | mssp:write |
| Request-FalconToken | |
| Revoke-FalconToken | |
| Search-FalconMalQueryHash | malquery:write |
| Send-FalconPutFile | real-time-response-admin:write |
| Send-FalconSample | samplestore:write |
| Send-FalconScript | real-time-response-admin:write |
| Send-FalconWebhook | |
| Set-FalconDeviceControlPrecedence | device-control-policies:write |
| Set-FalconFirewallPrecedence | firewall-management:write |
| Set-FalconPreventionPrecedence | prevention-policies:write |
| Set-FalconResponsePrecedence | response-policies:write |
| Set-FalconSensorUpdatePrecedence | sensor-update-policies:write |
| Show-FalconMap | |
| Show-FalconModule | |
| Start-FalconSession | real-time-response:read |
| Test-FalconIoaRule | custom-ioa:write |
| Test-FalconQuarantineAction | quarantine:write |
| Test-FalconToken | |
| Uninstall-FalconSensor | devices:write, sensor-update-policies:write, real-time-response-admin:write |
| Update-FalconDiscoverAwsSetting | cloud-connect-aws:write |
| Update-FalconDiscoverAzureAccount | d4c-registration:write |
| Update-FalconSession | real-time-response:read |
| Update-FalconStream | streaming:read |