
function Clear-Auth {
        Removes cached authentication and token information

    process {
        @('Hostname', 'ClientId', 'ClientSecret', 'MemberCid', 'Token').foreach{
            if ($Falcon.$_) {
                $Falcon.$_ = $null
        $Falcon.Expires = Get-Date
function Format-Body {
        Converts a 'splat' hashtable body from Get-Param into Json
        Parameter hashtable

        [Parameter(Mandatory = $true)]
        [hashtable] $Param
    process {
        if ($Param.Body -and ($Falcon.GetEndpoint($Param.Endpoint).consumes -eq 'application/json')) {
            # Check 'consumes' value for endpoint and convert body values to Json
            $Param.Body = ConvertTo-Json $Param.Body -Depth 8
            Write-Debug "[$($MyInvocation.MyCommand.Name)] $($Param.Body)"
function Format-Header {
        Adds header values to request from endpoint and user input
        Falcon endpoint
        Request object
        Additional header values to add from user input

        [Parameter(Mandatory = $true)]
        [hashtable] $Endpoint,

        [Parameter(Mandatory = $true)]
        [object] $Request,

        [hashtable] $Header
    begin {
        $Authorization = if ($ -match ".*:(read|write)") {
            # Capture cached token value
        else {
            # Get basic authorization value
    process {
        if ($Endpoint.consumes) {
            # Add 'consumes' values as 'Content-Type'
        if ($Endpoint.produces) {
            # Add 'produces' values as 'Accept'
        if ($Header) {
            foreach ($Pair in $Header.GetEnumerator()) {
                # Add additional header inputs
                $Request.Headers.Add($Pair.Key, $Pair.Value)
        if ($Authorization) {
            # Add authorization
            $Request.Headers.Add('Authorization', $Authorization)
        # Output debug
        $DebugHeader = ($Request.Headers.GetEnumerator()).Where({ $_.Key -NE 'Authorization' }).foreach{
            "$($_.Key): '$($_.Value)'" } -join ', '
        Write-Debug "[$($MyInvocation.MyCommand.Name)] $DebugHeader"
function Format-Result {
        Flattens and formats a response from the Falcon API
        Response object from a Falcon API request
        Falcon endpoint

        [Parameter(Mandatory = $true)]
        [object] $Response,

        [Parameter(Mandatory = $true)]
        [string] $Endpoint
    begin {
        # Capture StatusCode from response
        $StatusCode = $Response.Result.StatusCode.GetHashCode()
        $Schema = if ($StatusCode) {
            # Determine 'schema' type from StatusCode
            $Falcon.GetResponse($Endpoint, $StatusCode)
        if ($Response.Result.Content -match '^<') {
            # Output HTML responses as plain strings
            try {
                $HTML = ($Response.Result.Content).ReadAsStringAsync().Result
            catch {
        elseif ($Response.Result.Content) {
            # Convert Json responses into PowerShell objects
            try {
                $Json = ConvertFrom-Json ($Response.Result.Content).ReadAsStringAsync().Result
            catch {
        if ($Json) {
            # Capture 'meta' information to private variable for processing with Invoke-Loop
            Read-Meta -Object $Json -Endpoint $Endpoint -TypeName $Schema
            Write-Debug "[$($MyInvocation.MyCommand.Name)] `r`n$($Json | ConvertTo-Json -Depth 16)"
    process {
        try {
            if ($Json) {
                # Count populated sub-objects in API response
                $Populated = ($Json.PSObject.Properties).Where({ ($_.Name -ne 'meta') -and
                ($_.Name -ne 'errors') }).foreach{
                    if ($_.Value) {
                ($Json.PSObject.Properties).Where({ ($_.Name -eq 'errors') }).foreach{
                    if ($_.Value) {
                                    [Exception]::New("$($_.code): $($_.message)"),
                # Format response to output only relevant fields, instead of entire object
                $Output = if ($Populated.count -gt 1) {
                    # For Real-time Response batch session creation, create custom object
                    if ($Populated -eq 'batch_id' -and 'resources') {
                        [PSCustomObject] @{
                            batch_id = $Json.batch_id
                            hosts = $Json.resources.PSObject.Properties.Value
                    else {
                        # Output undefined sub-objects
                elseif ($Populated.count -eq 1) {
                    if ($Populated[0] -eq 'combined') {
                        # If 'combined', return the results under combined
                    else {
                        # Output sub-object
                else {
                    if ($Meta) {
                            # Output fields from 'meta' that aren't pagination/diagnostic related
                            if ($_ -notmatch '(entity|pagination|powered_by|query_time|trace_id)' -and $Meta.$_) {
                                if (-not($MetaValues)) {
                                    $MetaValues = [PSCustomObject] @{}
                                $Name = if ($_ -eq 'writes') {
                                else {
                                $Value = if ($Name -eq 'resources_affected') {
                                else {
                                $MetaValues.PSObject.Properties.Add((New-Object PSNoteProperty($Name,$Value)))
                        if ($MetaValues) {
                            # Output meta values
                if ($Output) {
                    # Output formatted result
            elseif ($HTML) {
                # Output HTML
            elseif ($Response.Result.Content) {
                # If unable to convert HTML or Json, output as-is
            else {
                # Output request error
        catch {
            # Output exception
function Get-AuthPair {
        Outputs a base64 authorization pair for Format-Header

    process {
        if ($Falcon.ClientId -and $Falcon.ClientSecret) {
            # Convert cached ClientId/ClientSecret to Base64 for basic auth requests
            "basic $([System.Convert]::ToBase64String(

        else {
function Get-Body {
        Outputs body parameters from input
        Falcon endpoint
        A runtime parameter dictionary to search for input values

        [Parameter(Mandatory = $true)]
        [hashtable] $Endpoint,

        [Parameter(Mandatory = $true)]
        [System.Collections.ArrayList] $Dynamic
    begin {
        if ($PSVersionTable.PSVersion.Major -lt 6) {
            Add-Type -AssemblyName System.Net.Http
    process {
        foreach ($Item in $Dynamic.Values.Where({ $_.IsSet -eq $true })) {
            # Match dynamic parameters to parameters defined by endpoint
            $Endpoint.parameters.GetEnumerator().Where({ ($_.Value.dynamic -eq $Item.Name) -and
            ((-not $ -or ($ -eq 'body')) -and ($_.Value.type -ne 'switch') }).foreach{
                if ($_.Key -eq 'body') {
                    # Convert files sent as 'body' to ByteStream and upload
                    $ByteStream = if ($PSVersionTable.PSVersion.Major -ge 6) {
                        Get-Content $Item.Value -AsByteStream
                    else {
                        Get-Content $Item.Value -Encoding Byte -Raw
                    $ByteArray = [System.Net.Http.ByteArrayContent]::New($ByteStream)
                    $ByteArray.Headers.Add('Content-Type', $Endpoint.consumes)
                    Write-Verbose "[Get-Body] File: $($Item.Value)"
                else {
                    if (-not($BodyOutput)) {
                        $BodyOutput = @{}
                    if ($_.Value.parent) {
                        if (-not($Parents)) {
                            # Construct table to hold child input
                            $Parents = @{}
                        if (-not($Parents.($_.Value.parent))) {
                            $Parents[$_.Value.parent] = @{}
                        $Parents.($_.Value.parent)[$_.Key] = $Item.Value
                    else {
                        # Add input to hashtable for Json conversion
                        $BodyOutput[$_.Key] = $Item.Value
        if ($Parents) {
                # Add "Parent" object as array to body
                $BodyOutput[$_.Key] = @( $_.Value )
        if ($BodyOutput) {
            # Output body table
            Write-Verbose "[$($MyInvocation.MyCommand.Name)] Body: $($BodyOutput.Keys -join ', ')"
        elseif ($ByteArray) {
            # Output ByteStream
function Get-Dictionary {
        Creates a dynamic parameter dictionary
        An array of 'path:method' endpoint values

        [Parameter(Mandatory = $true)]
        [array] $Endpoints
    begin {
        # Create parameter dictionary
        $Output = New-Object System.Management.Automation.RuntimeDefinedParameterDictionary
        function Add-Parameter ($Parameter) {
                # Create parameters defined by endpoint
                $Attribute = New-Object System.Management.Automation.ParameterAttribute
                $Attribute.ParameterSetName = $_.Value.set
                $Attribute.Mandatory = $_.Value.required
                if ($_.Value.description) {
                    $Attribute.HelpMessage = $_.Value.description
                if ($_.Value.position) {
                    $Attribute.Position = $_.Value.position
                if ($_.Value.pipeline) {
                    $Attribute.ValueFromPipeline = $_.Value.pipeline
                if ($Output.($_.Value.dynamic)) {
                else {
                    $Collection = New-Object System.Collections.ObjectModel.Collection[System.Attribute]
                    $PSType = switch ($_.Value.type) {
                        'array' { [array] }
                        'boolean' { [bool] }
                        'double' { [double] }
                        'integer' { [int] }
                        'int32' { [Int32] }
                        'int64' { [Int64] }
                        'object' { [object] }
                        'switch' { [switch] }
                        default { [string] }
                    if ($_.Value.required -eq $false) {
                        $Collection.Add((New-Object Management.Automation.ValidateNotNullOrEmptyAttribute))
                    if ($_.Value.enum) {
                        $ValidSet = New-Object System.Management.Automation.ValidateSetAttribute($_.Value.enum)
                        $ValidSet.IgnoreCase = $false
                    if ($_.Value.min -and $_.Value.max) {
                        if ($PSType -eq [int]) {
                            # Set range min/max for integers
                            $Collection.Add((New-Object Management.Automation.ValidateRangeAttribute(
                                $_.Value.Min, $_.Value.Max)))
                        elseif ($PSType -eq [string]) {
                            # Set length min/max for strings
                            $Collection.Add((New-Object Management.Automation.ValidateLengthAttribute(
                                    $_.Value.Min, $_.Value.Max)))
                    if ($_.Value.pattern) {
                        # Set RegEx validation pattern
                        $Collection.Add((New-Object Management.Automation.ValidatePatternAttribute(
                    if ($_.Value.script) {
                        # Set ValidationScript
                        $ValidScript = New-Object Management.Automation.ValidateScriptAttribute(
                        if ($_.Value.scripterror -and $ValidScript.ErrorMessage) {
                            $ValidScript.ErrorMessage = $_.Value.scripterror
                    # Add parameter to dictionary
                    $RunParam = New-Object System.Management.Automation.RuntimeDefinedParameter(
                        $_.Value.dynamic, $PSType, $Collection)
                    $Output.Add($_.Value.dynamic, $RunParam)
    process {
                # Add parameters from each endpoint
                Add-Parameter -Parameter $_
        ($Endpoints -match '(/combined/|/queries/)').foreach{
            if ($Endpoints -match '(/entities/|/combined/)') {
                # Add 'Detailed' parameter when both 'queries' and 'entities/combined' endpoints are present
                Add-Parameter @{
                    detailed = @{
                        dynamic = 'Detailed'
                        set = $_
                        type = 'switch'
                        description = 'Retrieve detailed information'
            if ($Output.Offset -or $Output.After) {
                # Add 'All' switch when using a 'queries' endpoint that has pagination parameters
                Add-Parameter @{
                    all = @{
                        dynamic = 'All'
                        set = $_
                        type = 'switch'
                        description = 'Repeat requests until all available results are retrieved'
        # Add 'Help' to all endpoints
        Add-Parameter @{
            help = @{
                dynamic = 'Help'
                set = 'psfalcon:help'
                type = 'switch'
                required = $true
                description = 'Output dynamic help information'
        # Output dictionary
        return $Output
function Get-DynamicHelp {
        Outputs basic information about dynamic parameters
        PSFalcon command name(s)
        Endpoints to exclude from results (for redundancies)

        [Parameter(Mandatory = $true)]
        [string] $Command,

        [array] $Exclusions
    begin {
        function Show-Parameter ($Parameter) {
            # Output name and type
            $Type = if ($_.Value.type) {
            else {
            $Label = "`n -$($_.Value.dynamic) [$($Type)]"
            if ($_.Value.required -eq $true) {
                # Output required status
                $Label += " <Required>"
            # Output description
            $Label + "`n $($_.Value.description)"
            (($_.Value).GetEnumerator().Where({ $_.Key -match '(enum|min|max|pattern|position)' }) |
            Sort-Object { $_.Key }).foreach{
                $Value = if ($_.Value -is [array]) {
                    # Convert arrays to strings
                    $_.Value -join ', '
                else {
                # Output remaining properties
                " $($Falcon.Culture.ToTitleCase($_.Key)) : $Value"
    process {
        # Gather endpoint names from $Command
        ((Get-Command $Command).ParameterSets.Where({ ($_.Name -ne 'psfalcon:help') -and
        ($Exclusions -notcontains $_.Name) })).foreach{
            $Ref = $Falcon.GetEndpoint($_.Name)
            # Output endpoint description and permission
            "`n# $($Ref.description)"
            if ($ {
                " Requires $($"
            if ($Ref.parameters) {
                (($Ref.parameters).GetEnumerator().Where({ $_.Value.type -ne 'switch' }) |
                Sort-Object { $_.Value.position }).foreach{
                    # Output parameters from endpoint based on position
                    Show-Parameter -Parameter $_
                ($Ref.Parameters).GetEnumerator().Where({ $_.Value.type -eq 'switch' }).foreach{
                    # Output switch parameters from endpoint
                    Show-Parameter -Parameter $_
            ($_.Parameters).Where({ $_.Name -match '^(All|Detailed)$'}).foreach{
                # Show switch parameters added by Get-Dictionary
                "`n -$($_.Name) [switch]`n $($_.HelpMessage)"
function Get-Formdata {
        Outputs 'Formdata' dictionary from input
        Falcon endpoint
        A runtime parameter dictionary to search for input values

        [Parameter(Mandatory = $true)]
        [hashtable] $Endpoint,

        [Parameter(Mandatory = $true)]
        [System.Collections.ArrayList] $Dynamic
    process {
        foreach ($Item in $Dynamic.Values.Where({ $_.IsSet -eq $true })) {
            # Match dynamic parameters to parameters defined by endpoint
            $Endpoint.parameters.GetEnumerator().Where({ ($_.Value.dynamic -eq $Item.Name) -and
            ($_.Value.In -eq 'formdata') }).foreach{
                # Construct formdata table
                if (-not($FormdataOutput)) {
                    $FormdataOutput = @{}
                $Value = if ($_.Key -eq 'content') {
                    # Collect file content as a string
                    [string] (Get-Content $Item.Value -Raw)
                else {
                $FormdataOutput[$_.Key] = $Value
        if ($FormdataOutput) {
            # Output formdata table
            Write-Verbose "[$($MyInvocation.MyCommand.Name)] $(ConvertTo-Json $FormdataOutput)"
function Get-Header {
        Outputs a hashtable of header values from input
        Falcon endpoint
        A runtime parameter dictionary to search for input values

        [Parameter(Mandatory = $true)]
        [hashtable] $Endpoint,

        [Parameter(Mandatory = $true)]
        [System.Collections.ArrayList] $Dynamic
    process {
        foreach ($Item in $Dynamic.Values.Where({ $_.IsSet -eq $true })) {
            # Match dynamic parameters to parameters defined by endpoint
            $Endpoint.parameters.GetEnumerator().Where({ ($_.Value.dynamic -eq $Item.Name) -and
            ($_.Value.In -eq 'header') }).foreach{
                # Construct header table
                if (-not($HeaderOutput)) {
                    $HeaderOutput = @{}
                $HeaderOutput[$_.Key] = $Item.Value
        if ($HeaderOutput) {
            # Output header table
function Get-LoopParam {
        Creates a 'splat' hashtable for Invoke-Loop
        A runtime parameter dictionary to search for input values

        [Parameter(Mandatory = $true)]
        [System.Collections.ArrayList] $Dynamic
    begin {
        $Output = @{}
    process {
        foreach ($Item in ($Dynamic.Values).Where({ ($_.IsSet -eq $true) -and
        ($_.Name -notmatch '(offset|after|all|detailed)') })) {
            # Add dynamic inputs, but exclude parameters that will break Invoke-Loop
            $Output[$Item.Name] = $Item.Value
function Get-Outfile {
        Corrects relative user path inputs for 'outfile' content
        Falcon endpoint
        A runtime parameter dictionary to search for input values

        [Parameter(Mandatory = $true)]
        [hashtable] $Endpoint,

        [Parameter(Mandatory = $true)]
        [System.Collections.ArrayList] $Dynamic
    process {
        foreach ($Item in $Dynamic.Values.Where({ $_.IsSet -eq $true })) {
            # Match dynamic parameters to parameters defined by endpoint
            $FileOutput = $Endpoint.parameters.GetEnumerator().Where({ ($_.Value.dynamic -eq $Item.Name) -and
            ($_.Value.In -eq 'outfile') }).foreach{
                # Convert relative paths
            if ($FileOutput) {
                # Output file path string
                Write-Verbose "[$($MyInvocation.MyCommand.Name)] $FileOutput"
function Get-Param {
        Creates a 'splat' hashtable for Invoke-Endpoint
        Falcon endpoint name
        A runtime parameter dictionary to search for input values
        A maximum number of identifiers per request

        [Parameter(Mandatory = $true)]
        [string] $Endpoint,

        [Parameter(Mandatory = $true)]
        [System.Collections.ArrayList] $Dynamic,

        [int] $Max
    begin {
        # Construct output table and gather information about endpoint
        $Output = @{
            Endpoint = $Endpoint
        $Target = $Falcon.GetEndpoint($Endpoint)
    process {
        @('Body', 'Formdata', 'Header', 'Outfile', 'Path', 'Query').foreach{
            # Create key/value pairs for each "Get-<Input>" function
            $Value = & "Get-$_" -Endpoint $Target -Dynamic $Dynamic
            if ($Value) {
                $Output[$_] = $Value
        # Pass parameter sets to Split-Param
        $Param = @{
            Param = $Output
        if ($Max) {
            $Param['Max'] = $Max
        Split-Param @Param
function Get-Path {
        Modifies an endpoint 'path' value based on input
        Falcon endpoint
        A runtime parameter dictionary to search for input values

        [Parameter(Mandatory = $true)]
        [hashtable] $Endpoint,

        [Parameter(Mandatory = $true)]
        [System.Collections.ArrayList] $Dynamic
    begin {
        $PathOutput = $Endpoint.Path
    process {
        foreach ($Item in $Dynamic.Values.Where({ $_.IsSet -eq $true })) {
            # Match dynamic parameters to parameters defined by endpoint
            $PathOutput = $Endpoint.parameters.GetEnumerator().Where({ ($_.Value.dynamic -eq $Item.Name) -and
            ($_.Value.In -eq 'path') }).foreach{
                $Endpoint.path -replace $_.Key, $Item.Value
            if ($PathOutput) {
                # Output new URI path
                Write-Verbose "[$($MyInvocation.MyCommand.Name)] $PathOutput"
function Get-Query {
        Outputs an array of query values from user input
        Falcon endpoint
        A runtime parameter dictionary to search for input values

        [Parameter(Mandatory = $true)]
        [hashtable] $Endpoint,

        [Parameter(Mandatory = $true)]
        [System.Collections.ArrayList] $Dynamic
    begin {
        # Check for relative "last X days/hours" filter values and convert them to RFC-3339
        if ($Dynamic.Filter.Value) {
            $Relative = "(last (?<Int>\d{1,}) (day[s]?|hour[s]?))"
            if ($Dynamic.Filter.Value -match $Relative) {
                $Dynamic.Filter.Value | Select-String $Relative -AllMatches | ForEach-Object {
                    foreach ($Match in $_.Matches.Value) {
                        [int] $Int = $Match -replace $Relative, '${Int}'
                        if ($Match -match "day") {
                            $Int = $Int * -24
                        } else {
                            $Int = $Int * -1
                        $Dynamic.Filter.Value = $Dynamic.Filter.Value -replace $Match, $Falcon.Rfc3339($Int)
    process {
        $QueryOutput = foreach ($Item in ($Dynamic.Values).Where({ $_.IsSet -eq $true })) {
            # Match dynamic parameters to parameters defined by endpoint
            $Endpoint.parameters.GetEnumerator().Where({ ($_.Value.dynamic -eq $Item.Name) -and
            ($ -eq 'query') }).foreach{
                foreach ($Value in $Item.Value) {
                    # Output "query" values to an array and encode '+' to ensure filter input integrity
                    if ($_.Key) {
                        if (($Endpoint.path -eq '/indicators/queries/iocs/v1') -and (($_.Key -eq 'type') -or
                        ($_.Key -eq 'value'))) {
                            # Change type/value to types/values for /indicators/queries/iocs/v1:get
                            ,"$($_.Key)s=$($Value -replace '\+','%2B')"
                        else {
                            ,"$($_.Key)=$($Value -replace '\+','%2B')"
                    else {
                        ,"$($Value -replace '\+','%2B')"
        if ($QueryOutput) {
            # Trim pagination tokens for verbose output and output query array
            $VerboseOutput = (($QueryOutput).foreach{
                if (($_ -match '^offset=') -and ($_.Length -gt 14)) {
                elseif (($_ -match '^after=') -and ($_.Length -gt 13)) {
                else {
            }) -join ', '
            Write-Verbose "[$($MyInvocation.MyCommand.Name)] $VerboseOutput"
function Invoke-Endpoint {
        Makes a request to a Falcon API endpoint
        Falcon endpoint
        Header key/value pair user input
        An array of string values to append to the URI path
        User body string input
        Formdata dictionary from user input
        Path for 'outfile' output
        A modified 'path' value to use in place of the endpoint-defined string

        [Parameter(Mandatory = $true)]
        [string] $Endpoint,

        [hashtable] $Header,

        [array] $Query,

        [object] $Body,

        [System.Collections.IDictionary] $Formdata,

        [string] $Outfile,

        [string] $Path
    begin {
        if ($PSVersionTable.PSVersion.Major -lt 6) {
            Add-Type -AssemblyName System.Net.Http
        if ((-not($Falcon.Token)) -or (($Falcon.Expires) -le (Get-Date).AddSeconds(30)) -and
        ($Endpoint -ne '/oauth2/token:post')) {
            # Check for expired/expiring tokens and force an OAuth2 token request
        # Gather endpoint data
        $Target = $Falcon.GetEndpoint($Endpoint)
        $FullUri = if ($Path) {
            # Append URI path with Hostname and user input
        else {
            # Append URI path with Hostname
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] $($Target.Method.ToUpper()) $FullUri"
        if ($Query) {
            # Appent query inputs to URI path
            $FullUri += "?$($Query -join '&')"
    process {
        # Create System.Net.Http base object and append request header
        $Client = [System.Net.Http.HttpClient]::New()
        $Request = [System.Net.Http.HttpRequestMessage]::New($Target.Method.ToUpper(), [System.Uri]::New($FullUri))
        $Param = @{
            Endpoint = $Target
            Request = $Request
        if ($Header) {
            $Param['Header'] = $Header
        Format-Header @Param
        if ($Query -match 'timeout') {
            # Add timeout value to request if found in query inputs from Real-time Response commands
            $Timeout = [int] (($Query).Where({ $_ -match 'timeout' })).Split('=')[1] + 5
            $Client.Timeout = (New-TimeSpan -Seconds $Timeout).Ticks
            Write-Verbose ("[$($MyInvocation.MyCommand.Name)] HttpClient timeout set to $($Timeout) seconds")
        try {
            if ($Formdata) {
                # Create formdata object
                $MultiContent = [System.Net.Http.MultipartFormDataContent]::New()
                foreach ($Key in $Formdata.Keys) {
                    if ($Key -match '(file|upfile)') {
                        # Append files defined by dynamic parameters
                        $FileStream = [System.IO.FileStream]::New($Formdata.$Key, [System.IO.FileMode]::Open)
                        $Filename = [System.IO.Path]::GetFileName($Formdata.$Key)
                        $StreamContent = [System.Net.Http.StreamContent]::New($FileStream)
                        $MultiContent.Add($StreamContent, $Key, $Filename)
                    else {
                        # Add content as strings
                        $StringContent = [System.Net.Http.StringContent]::New($Formdata.$Key)
                        $MultiContent.Add($StringContent, $Key)
                # Append formdata object to request
                $Request.Content = $MultiContent
            elseif ($Body) {
                $Request.Content = if ($Body -is [string]) {
                    # Append Json body to request using endpoint's 'consumes' value
                    [System.Net.Http.StringContent]::New($Body, [System.Text.Encoding]::UTF8, $Target.consumes)
                else {
                    # Append body to request directly
            $Response = if ($Outfile) {
                # Add 'outfile' to header and receive payload
                    $Client.DefaultRequestHeaders.Add($_.Key, $_.Value)
            else {
                # Make request
            if ($Response.Result -is [System.Byte[]]) {
                # Write file payload to 'outfile' path
                [System.IO.File]::WriteAllBytes($Outfile, ($Response.Result))
                if (Test-Path $Outfile) {
                    Get-ChildItem $Outfile | Out-Host
            elseif ($Response.Result) {
                # Format responses
                Format-Result -Response $Response -Endpoint $Endpoint
            else {
                # Output error
                        [Exception]::New("Unable to contact $($Falcon.Hostname)"),
        catch {
            # Output exception
    end {
        if ($Response.Result.Headers) {
            # Wait for 'X-Ratelimit-RetryAfter'
            Wait-RetryAfter $Response.Result.Headers
        if ($Response) {
function Invoke-Loop {
        Watches 'meta' results to repeat command requests
        The PSFalcon command to repeat
        Parameters to include when running the command
        Toggle the 'Detailed' switch during command request

        [Parameter(Mandatory = $true)]
        [string] $Command,

        [Parameter(Mandatory = $true)]
        [hashtable] $Param,

        [bool] $Detailed
    begin {
        function Get-Paging ($Object, $Param, $Count) {
            # Check 'Meta' object from Format-Result for pagination information
            if ($Object.after) {
                $Param['After'] = $Object.after
            else {
                if ($Object.next_page) {
                    $Param['Offset'] = $Object.offset
                else {
                    $Param['Offset'] = if ($Object.offset -match '^\d{1,}$') {
                    else {
    process {
        # Perform initial request
        $Loop = @{
            Request = & $Command @Param
            Pagination = $Meta.pagination
        if ($Loop.Request -and $Detailed) {
            # Perform secondary request for identifier detail
            & $Command -Ids $Loop.Request
        else {
        if ($Loop.Request -and (($Loop.Request.count -lt $ -or $Loop.Pagination.next_page)) {
            for ($i = $Loop.Request.count; ($Loop.Pagination.next_page -or ($i -lt $;
            $i += $Loop.Request.count) {
                # Repeat requests if additional results are defined in 'meta'
                Write-Verbose "[$($MyInvocation.MyCommand.Name)] retrieved $i results"
                Get-Paging -Object $Loop.Pagination -Param $Param -Count $i
                $Loop = @{
                    Request = & $Command @Param
                    Pagination = $Meta.pagination
                if ($Loop.Request -and $Detailed) {
                    & $Command -Ids $Loop.Request
                else {
function Invoke-Request {
        Determines request type and submits to Invoke-Loop or Invoke-Endpoint
        PSFalcon command calling Invoke-Request [required for -All and -Detailed]
        The Falcon endpoint that for 'queries' operations
        The Falcon endpoint that for 'entities' operations
        A runtime parameter dictionary to search for user input values
        Toggle the use of 'Detailed' with a command when using Invoke-Loop
        The name of a switch parameter used to modify a command when using Invoke-Loop
        Toggle the use of Invoke-Loop to repeat command requests

        [string] $Command,

        [Parameter(Mandatory = $true)]
        [string] $Query,

        [string] $Entity,

        [Parameter(Mandatory = $true)]
        [System.Collections.ArrayList] $Dynamic,

        [bool] $Detailed,

        [string] $Modifier,

        [switch] $All
    begin {
        # Set base endpoint based on dynamic input
        $Endpoint = if (($Dynamic.Values).Where({ $_.IsSet -eq $true }).Attributes.ParameterSetName -eq $Entity) {
        else {
    process {
        if ($All) {
            # Construct parameters and pass to Invoke-Loop
            $LoopParam = @{
                Command = $Command
                Param = Get-LoopParam -Dynamic $Dynamic
            if ($Endpoint -match '/combined/.*:get$') {
                $LoopParam.Param['Detailed'] = $true
            if ($Detailed) {
                $LoopParam['Detailed'] = $true
            if ($Modifier) {
                $LoopParam.Param[$Modifier] = $true
            Invoke-Loop @LoopParam
        else {
            foreach ($Param in (Get-Param -Endpoint $Endpoint -Dynamic $Dynamic)) {
                # Format Json body and make request
                Format-Body -Param $Param
                $Request = Invoke-Endpoint @Param
                if ($Request -and $Detailed) {
                    # Make secondary request for detail about identifiers
                    & $Command -Ids $Request
                else {
function Read-Meta {
        Outputs verbose 'meta' information and creates $Script:Meta for loop processing
        Object from a Falcon API request
        Falcon endpoint
        Optional 'meta' object typename, sourced from API response code/definition

        [Parameter(Mandatory = $true)]
        [object] $Object,

        [Parameter(Mandatory = $true)]
        [string] $Endpoint,

        [string] $TypeName
    begin {
        function Read-CountValue ($Property, $Prefix) {
            # Output 'meta' values
            if ($_.Value -is [PSCustomObject]) {
                $ItemPrefix = $_.Name
                    Read-CountValue -Property $_ -Prefix $ItemPrefix
            elseif ($_.Name -match '(after|offset|total)') {
                $Value = if (($_.Value -is [string]) -and ($_.Value.Length -gt 7)) {
                else {
                $Name = if ($Prefix) {
                else {
                if ($Name -and $Value) {
                    "$($Name): $($Value)"
    process {
        Write-Debug "[$($MyInvocation.MyCommand.Name)] $($StatusCode): $TypeName"
        if ($Object.meta) {
            # Create script 'meta' variable for internal reference
            $Script:Meta = $Object.meta
            if ($TypeName) {
                # Set object typename to 'schema' from response
        if ($Meta) {
            if ($Meta.trace_id) {
                # Output trace_id
                Write-Verbose "[$($MyInvocation.MyCommand.Name)] trace_id: $($Meta.trace_id)"
            $CountInfo = (($Meta.PSObject.Properties).foreach{
                # Output pagination
                Read-CountValue $_
            }) -join ', '
            if ($CountInfo) {
                Write-Verbose "[$($MyInvocation.MyCommand.Name)] $CountInfo"
function Split-Param {
        Splits 'splat' hashtables into smaller groups to avoid API limitations
        Parameter hashtable
        A manually-defined maximum number of identifiers per request

        [Parameter(Mandatory = $true)]
        [hashtable] $Param,

        [int] $Max
    begin {
        if (-not($Max)) {
            # Gather endpoint information
            $Endpoint = $Falcon.GetEndpoint($Param.Endpoint)
            $Max = if ($Output.Query -match 'ids=') {
                # Calculate URL length based on hostname, endpoint path and input
                $PathLength = ("$($Falcon.Hostname)$($Endpoint.Path)").Length
                $LongestId = (($Output.Query).Where({ $_ -match 'ids='}) |
                    Measure-Object -Maximum -Property Length).Maximum + 1
                $IdCount = [Math]::Floor([decimal]((65535 - $PathLength)/$LongestId))
                if ($IdCount -gt 500) {
                    # Set maximum for requests to 500
                else {
                    # Use maximum below 500
            } elseif ($Endpoint.parameters -and ($Endpoint.Parameters.GetEnumerator().Where({
            $_.Key -eq 'ids' }).Value.max -gt 0)) {
                # Use maximum defined by endpoint
                $Endpoint.parameters.GetEnumerator().Where({ $_.Key -eq 'ids' }).Value.max
            } else {
    process {
        if ($Max -and $Param.Query.count -gt $Max) {
            Write-Verbose "[$($MyInvocation.MyCommand.Name)] $Max query values per request"
            for ($i = 0; $i -lt $Param.Query.count; $i += $Max) {
                # Break query inputs into groups that are lower than maximum
                $Group = @{
                    Query = $Param.Query[$i..($i + ($Max - 1))]
                    if ($_ -ne 'Query') {
                        $Group[$_] = $Param.$_
        } elseif ($Max -and $Param.Body.ids.count -gt $Max) {
            Write-Verbose "[$($MyInvocation.MyCommand.Name)] $Max body values per request"
            for ($i = 0; $i -lt $Param.Body.ids.count; $i += $Max) {
                # Break body inputs into groups that are lower than maximum
                $Group = @{
                    Body = @{
                        ids = $Param.Body.ids[$i..($i + ($Max - 1))]
                    if ($_ -ne 'Body') {
                        $Group[$_] = $Param.$_
                    } else {
                            if ($_ -ne 'ids') {
                                $Group.Body[$_] = $Param.Body.$_
        } else {
            # If maximum is not exceeded, output as-is
function Wait-RetryAfter {
        Checks a Falcon API response for rate limiting and waits
        Response headers from Falcon endpoint

        [Parameter(Mandatory = $true)]
        [object] $Headers
    process {
        if ($Headers.Key -contains 'X-Ratelimit-RetryAfter') {
            # Determine wait time from response header and sleep
            $RetryAfter = (($Headers.GetEnumerator()).Where({ $_.Key -eq 'X-Ratelimit-RetryAfter' })).Value
            $Wait = ($RetryAfter - ([int] (Get-Date -UFormat %s) + 1))
            Write-Verbose "[$($MyInvocation.MyCommand.Name)] rate limited for $Wait seconds"
            Start-Sleep -Seconds $Wait