PSFalcon

2.0.7

PowerShell for CrowdStrike's OAuth2 APIs

Minimum PowerShell version

5.1

The owner has unlisted this package. This could mean that the module is deprecated or shouldn't be used anymore.

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name PSFalcon -RequiredVersion 2.0.7

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name PSFalcon -Version 2.0.7

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Copyright

(c) CrowdStrike. All rights reserved.

Package Details

Author(s)

  • Brendan Kremian

Tags

CrowdStrike Falcon OAuth2 REST API Windows Linux MacOS

Functions

Confirm-DiscoverAwsAccess Edit-DiscoverAwsAccount Get-DiscoverAwsAccount Get-DiscoverAwsSettings New-DiscoverAwsAccount Remove-DiscoverAwsAccount Update-DiscoverAwsSettings Get-DiscoverAzureAccount Get-DiscoverAzureScript New-DiscoverAzureAccount Update-DiscoverAzureAccount Get-HorizonAwsAccount Get-HorizonAwsLink New-HorizonAwsAccount Receive-HorizonAwsScript Remove-HorizonAwsAccount Edit-HorizonAzureAccount Get-HorizonAzureAccount New-HorizonAzureAccount Receive-HorizonAzureScript Remove-HorizonAzureAccount Get-DiscoverGcpAccount New-DiscoverGcpAccount Receive-DiscoverGcpScript Export-Config Import-Config Edit-Detection Get-Detection Add-HostTag Edit-HostGroup Get-Host Get-HostGroup Get-HostGroupMember Invoke-HostAction Invoke-HostGroupAction New-HostGroup Remove-HostGroup Remove-HostTag Get-Report Get-Submission Get-SubmissionQuota New-Submission Receive-Artifact Remove-Report Edit-FirewallGroup Edit-FirewallSetting Get-FirewallEvent Get-FirewallField Get-FirewallGroup Get-FirewallPlatform Get-FirewallRule Get-FirewallSetting New-FirewallGroup Remove-FirewallGroup Get-Behavior Get-Incident Get-Score Invoke-IncidentAction Edit-IOC Get-IOC Get-IOCHost Get-IOCProcess Get-IOCTotal New-IOC Remove-IOC Edit-InstallToken Get-InstallToken Get-InstallTokenEvent Get-InstallTokenSettings New-InstallToken Remove-InstallToken Get-Actor Get-Indicator Get-Intel Get-Rule Receive-Intel Receive-Rule Edit-IOAGroup Edit-IOARule Get-IOAGroup Get-IOAPlatform Get-IOARule Get-IOASeverity Get-IOAType New-IOAGroup New-IOARule Remove-IOAGroup Remove-IOARule Test-IOARule Get-MalQuery Get-MalQueryQuota Get-MalQuerySample Group-MalQuerySample Invoke-MalQuery Receive-MalQuerySample Add-CIDGroupMember Add-GroupRole Add-UserGroupMember Edit-CIDGroup Edit-UserGroup Get-CIDGroup Get-CIDGroupMember Get-GroupRole Get-MemberCID Get-UserGroup Get-UserGroupMember New-CIDGroup New-UserGroup Remove-CIDGroup Remove-CIDGroupMember Remove-GroupRole Remove-UserGroup Remove-UserGroupMember Request-Token 
Revoke-Token Edit-DeviceControlPolicy Edit-FirewallPolicy Edit-IOAExclusion Edit-MLExclusion Edit-PreventionPolicy Edit-ResponsePolicy Edit-SensorUpdatePolicy Edit-SVExclusion Get-Build Get-DeviceControlPolicy Get-DeviceControlPolicyMember Get-FirewallPolicy Get-FirewallPolicyMember Get-IOAExclusion Get-MLExclusion Get-PreventionPolicy Get-PreventionPolicyMember Get-ResponsePolicy Get-ResponsePolicyMember Get-SensorUpdatePolicy Get-SensorUpdatePolicyMember Get-SVExclusion Get-UninstallToken Invoke-DeviceControlPolicyAction Invoke-FirewallPolicyAction Invoke-PreventionPolicyAction Invoke-ResponsePolicyAction Invoke-SensorUpdatePolicyAction New-DeviceControlPolicy New-FirewallPolicy New-MLExclusion New-PreventionPolicy New-ResponsePolicy New-SensorUpdatePolicy New-SVExclusion Remove-DeviceControlPolicy Remove-FirewallPolicy Remove-IOAExclusion Remove-MLExclusion Remove-PreventionPolicy Remove-ResponsePolicy Remove-SensorUpdatePolicy Remove-SVExclusion Set-DeviceControlPrecedence Set-FirewallPrecedence Set-PreventionPrecedence Set-ResponsePrecedence Set-SensorUpdatePrecedence Get-Process Confirm-AdminCommand Confirm-Command Confirm-GetFile Confirm-ResponderCommand Edit-Script Get-PutFile Get-Script Get-Session Invoke-AdminCommand Invoke-BatchGet Invoke-Command Invoke-ResponderCommand Receive-GetFile Remove-Command Remove-GetFile Remove-PutFile Remove-Script Remove-Session Send-PutFile Send-Script Start-Session Update-Session Get-Sample Receive-Sample Remove-Sample Send-Sample Get-QuickScan New-QuickScan Export-Report Find-Duplicate Get-Queue Invoke-Deploy Invoke-RTR Open-Stream Search-MalQueryHash Show-Map Show-Module Test-Token Get-CCID Get-Installer Get-Stream Receive-Installer Update-Stream Edit-HorizonPolicy Edit-HorizonSchedule Get-HorizonPolicy Get-HorizonSchedule Get-Remediation Get-Vulnerability Add-Role Get-Role Remove-Role Edit-User Get-User New-User Remove-User

PSEditions

Desktop Core

Dependencies

This module has no dependencies.

Release Notes

v2.0.7:
       General Changes
       * Added additional 'tags' to module manifest to help with PowerShell Gallery organization.
       * Added 'LicenseUri' to module manifest.
       * Added code to close file access methods when uploading files using 'Send' commands. Previously, if an
         upload failed and another attempt was made you would receive a notification that the file was
         already being accessed.
       * Added check during initial module load to enforce TLS 1.2 for connecting to CrowdStrike APIs.
       * Moved [System.Net.Http] check for PowerShell 5.1 from Invoke-Endpoint to base module load.
       * Updated base functions in an effort to improve error handling.
       * Added URI validation check to Invoke-Endpoint to improve error handling.

       Command and Parameter Changes
       * Re-wrote 'Get-FalconQueue' in an effort to increase performance when dealing with large numbers of
         results.
       * Fixed typo in 'Get-FalconIOARule' that was corrupting parameters and '-Help' output of the command.
       * Changed various 'verbose' outputs to 'debug' to reduce overall output when running with '-Verbose'. Some
         of the fields were not useful in a 'more information' context, but were for 'debugging'.
       * Updated the internal function 'Invoke-Loop' to automatically provide the '-Limit' parameter (at the
         maximum available value) when '-All' is specified with a command and '-Limit' was not included.
       * Added 'add-rule-group' and 'remove-rule-group' actions to 'Invoke-FalconPreventionPolicyAction' for
         assigning and removing Custom IOA Rule Groups from Prevention policies.
       * Removed 'Name' as a required parameter when using the 'Edit' policy commands as it should not be
         mandatory.
       * Updated 'Limit' for 'Get-FalconIOC' to 500 to match API.
       * Fixed 'Invoke-FalconHostGroupAction' to enable adding/removing multiple hosts at one time.
       * Added a 'pattern' value for 'Get-FalconUninstallToken' to make it clear that a device_id or the value
         'MAINTENANCE' can be supplied to retrieve an individual uninstall token or the more widely accepted
         maintenance token.
       * Added 'Array' parameter (used by 'Import-FalconConfig') to enable creation and modification of multiple
         items using a single request to the following commands:
           Edit-FalconDeviceControlPolicy
           Edit-FalconFirewallPolicy
           Edit-FalconHostGroup
           Edit-FalconPreventionPolicy
           Edit-FalconResponsePolicy
           Edit-FalconSensorUpdatePolicy
           New-FalconDeviceControlPolicy
           New-FalconFirewallPolicy
           New-FalconHostGroup
           New-FalconPreventionPolicy
           New-FalconResponsePolicy
           New-FalconSensorUpdatePolicy
       * Changed 'Settings' parameters for 'New-FalconDeviceControlPolicy', 'New-FalconResponsePolicy',
         'New-FalconSensorUpdatePolicy' and their matching 'Edit' commands to take a hashtable instead of an
         array to correct bug where policy creation/updates would fail.

       New Commands
       * Added 'Export-FalconConfig' and 'Import-FalconConfig' commands to export and import exclusions, policies
         and groups using an archive of Json files.
       * Added MSSP/Falcon Flight Control commands for new API endpoints:
         Add-FalconCIDGroupMember
         Add-FalconGroupRole
         Add-FalconUserGroupMember
         Edit-FalconCIDGroup
         Edit-FalconUserGroup
         Get-FalconCID
         Get-FalconCIDGroup
         Get-FalconCIDGroupMember
         Get-FalconGroupRole
         Get-FalconUserGroup
         Get-FalconUserGroupMember
         New-FalconCIDGroup
         New-FalconUserGroup
         Remove-FalconCIDGroup
         Remove-FalconCIDGroupMember
         Remove-FalconGroupRole
         Remove-FalconUserGroup
         Remove-FalconUserGroupMember

       GitHub Issues
       * Issue #13: Creating/modifying multiple objects in one request handled with new 'Array' parameter
         for commands used with 'Import-FalconConfig'.
       * Issue #31: Added code to the 'Get-Body' function to .Normalize() text grabbed with 'Get-Content' and
         prevent errors when the content is converted to Json for API submission.
       * Issue #33: Changed default permission level for 'runscript' command to Admin when using
         'Invoke-FalconRTR' to compensate for '-Raw' parameter not working with Active Responder permissions.
       * Issue #34: Added 'Test-FalconToken' command to display token status and additional client information
         including 'ClientId', 'Hostname' and 'MemberCid'. Also made various changes to improve general error
         message production.
       * Issue #36: Set 'Limit' maximum to 500 for 'Get-FalconIOAExclusion', 'Get-FalconMLExclusion', and
         'Get-FalconSVExclusion'.
       * Issue #43: Updated 'ids' and 'value' parameters to correct bugs related to 'Invoke-FalconIncidentAction'.
       

Version History

Version Downloads Last updated
2.2.6 87,874 11/27/2023
2.2.5 48,343 5/1/2023