PSFalcon

2.1.6

Public/devices.ps1

                                function Add-FalconGroupingTag {

    [CmdletBinding(DefaultParameterSetName = '/devices/entities/devices/tags/v1:patch')]

    param(

        [Parameter(ParameterSetName = '/devices/entities/devices/tags/v1:patch', Mandatory = $true, Position = 1)]

        [ValidatePattern('^\w{32}$')]

        [array] $Ids,

        [Parameter(ParameterSetName = '/devices/entities/devices/tags/v1:patch', Mandatory = $true, Position = 2)]

        [ValidatePattern('^FalconGroupingTags/.+$')]

        [ValidateScript({

            @($_).foreach{

                if ((Test-RegexValue $_) -eq 'tag') {

                    $true

                } else {

                    throw "Valid values include letters, numbers, hyphens, unscores and forward slashes. ['$_']"

                }

            }

        })]

        [array] $Tags

    )

    begin {

        $Fields = @{

            Ids = 'device_ids'

        }

    }

    process {

        $PSBoundParameters['action'] = 'add'

        $Param = @{

            Command  = $MyInvocation.MyCommand.Name

            Endpoint = $PSCmdlet.ParameterSetName

            Inputs   = Update-FieldName -Fields $Fields -Inputs $PSBoundParameters

            Format   = @{

                Body = @{

                    root = @('tags', 'device_ids', 'action')

                }

            }

        }

        Invoke-Falcon @Param

    }

}

function Get-FalconHost {

    [CmdletBinding(DefaultParameterSetName = '/devices/queries/devices-scroll/v1:get')]

    param(

        [Parameter(ParameterSetName = '/devices/entities/devices/v1:get', Mandatory = $true, Position = 1)]

        [Parameter(ParameterSetName = '/devices/combined/devices/login-history/v1:post', Mandatory = $true,

            Position = 1)]

        [Parameter(ParameterSetName = '/devices/combined/devices/network-address-history/v1:post',

            Mandatory = $true, Position = 1)]

        [ValidatePattern('^\w{32}$')]

        [array] $Ids,

        [Parameter(ParameterSetName = '/devices/queries/devices-scroll/v1:get', Position = 1)]

        [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get', Position = 1)]

        [ValidateScript({

            Test-FqlStatement $_ @('agent_load_flags','agent_version','bios_manufacturer','bios_version',

            'config_id_base','config_id_build','config_id_platform','cpu_signature','device_id','external_ip',

            'first_seen','hostname','last_login_timestamp','last_seen','local_ip','local_ip.raw','mac_address',

            'machine_domain','major_version','minor_version','modified_timestamp','os_version','ou','platform_id',

            'platform_name','product_type_desc','reduced_functionality_mode','release_group','serial_number',

            'site_name','status','system_manufacturer','system_product_name')

        })]

        [string] $Filter,

        [Parameter(ParameterSetName = '/devices/queries/devices-scroll/v1:get', Position = 2)]

        [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get', Position = 2)]

        [ValidateSet('device_id.asc','device_id.desc','agent_load_flags.asc','agent_load_flags.desc',

            'agent_version.asc','agent_version.desc','bios_manufacturer.asc','bios_manufacturer.desc',

            'bios_version.asc','bios_version.desc','config_id_base.asc','config_id_base.desc',

            'config_id_build.asc','config_id_build.desc','config_id_platform.asc','config_id_platform.desc',

            'cpu_signature.asc','cpu_signature.desc','external_ip.asc','external_ip.desc','first_seen.asc',

            'first_seen.desc','hostname.asc','hostname.desc','last_login_timestamp.asc',

            'last_login_timestamp.desc','last_seen.asc','last_seen.desc','local_ip.asc','local_ip.desc',

            'local_ip.raw.asc','local_ip.raw.desc','mac_address.asc','mac_address.desc','machine_domain.asc',

            'machine_domain.desc','major_version.asc','major_version.desc','minor_version.asc',

            'minor_version.desc','modified_timestamp.asc','modified_timestamp.desc','os_version.asc',

            'os_version.desc','ou.asc','ou.desc','platform_id.asc','platform_id.desc','platform_name.asc',

            'platform_name.desc','product_type_desc.asc','product_type_desc.desc','reduced_functionality_mode.asc',

            'reduced_functionality_mode.desc','release_group.asc','release_group.desc','serial_number.asc',

            'serial_number.desc','site_name.asc','site_name.desc','status.asc','status.desc',

            'system_manufacturer.asc','system_manufacturer.desc','system_product_name.asc',

            'system_product_name.desc')]

        [string] $Sort,

        [Parameter(ParameterSetName = '/devices/queries/devices-scroll/v1:get', Position = 3)]

        [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get', Position = 3)]

        [ValidateRange(1,5000)]

        [int] $Limit,

        [Parameter(ParameterSetName = '/devices/queries/devices-scroll/v1:get', Position = 4)]

        [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get', Position = 4)]

        [string] $Offset,

        [Parameter(ParameterSetName = '/devices/queries/devices-scroll/v1:get', Position = 5)]

        [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get', Position = 5)]

        [ValidateSet('login_history', 'network_history', 'zero_trust_assessment')]

        [array] $Include,

        [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get', Mandatory = $true)]

        [switch] $Hidden,

        [Parameter(ParameterSetName = '/devices/combined/devices/login-history/v1:post', Mandatory = $true)]

        [switch] $Login,

        [Parameter(ParameterSetName = '/devices/combined/devices/network-address-history/v1:post',

            Mandatory = $true)]

        [switch] $Network,

        [Parameter(ParameterSetName = '/devices/queries/devices-scroll/v1:get')]

        [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get')]

        [switch] $Detailed,

        [Parameter(ParameterSetName = '/devices/queries/devices-scroll/v1:get')]

        [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get')]

        [switch] $All,

        [Parameter(ParameterSetName = '/devices/queries/devices-scroll/v1:get')]

        [Parameter(ParameterSetName = '/devices/queries/devices-hidden/v1:get')]

        [switch] $Total

    )

    begin {

        $Param = @{

            Command  = $MyInvocation.MyCommand.Name

            Endpoint = $PSCmdlet.ParameterSetName

            Inputs   = $PSBoundParameters

        }

    }

    process {

        $Param['Format'] = if ($Param.Endpoint -match 'post$') {

            @{ Body = @{ root = @('ids') }}

        } else {

            @{ Query = @('ids', 'filter', 'sort', 'limit', 'offset') }

        }

        $Result = Invoke-Falcon @Param

        if ($PSBoundParameters.Include -and $Result) {

            if (!$Result.device_id) {

                $Result = @($Result).foreach{

                    ,[PSCustomObject] @{ device_id = $_ }

                }

            }

            if ($PSBoundParameters.Include -contains 'login_history') {

                foreach ($Item in (& $MyInvocation.MyCommand.Name -Ids $Result.device_id -Login)) {

                    $AddParam = @{

                        Object = $Result | Where-Object { $_.device_id -eq $Item.device_id }

                        Name   = 'login_history'

                        Value  = $Item.recent_logins

                    }

                    Add-Property @AddParam

                }

            }

            if ($PSBoundParameters.Include -contains 'network_history') {

                foreach ($Item in (& $MyInvocation.MyCommand.Name -Ids $Result.device_id -Network)) {

                    $AddParam = @{

                        Object = $Result | Where-Object { $_.device_id -eq $Item.device_id }

                        Name   = 'network_history'

                        Value  = $Item.history

                    }

                    Add-Property @AddParam

                }

            }

            if ($PSBoundParameters.Include -contains 'zero_trust_assessment') {

                foreach ($Item in (& Get-FalconZta -Ids $Result.device_id)) {

                    $AddParam = @{

                        Object = $Result | Where-Object { $_.device_id -eq $Item.device_id }

                        Name   = 'zero_trust_assessment'

                        Value  = $Item | Select-Object modified_time, sensor_file_status,

                            assessment, assessment_items

                    }

                    Add-Property @AddParam

                }

            }

        }

        $Result

    }

}

function Invoke-FalconHostAction {

    [CmdletBinding(DefaultParameterSetName = '/devices/entities/devices-actions/v2:post')]

    param(

        [Parameter(ParameterSetName = '/devices/entities/devices-actions/v2:post', Mandatory = $true,

            Position = 1)]

        [ValidateSet('contain', 'lift_containment', 'hide_host', 'unhide_host')]

        [string] $Name,

        [Parameter(ParameterSetName = '/devices/entities/devices-actions/v2:post', Mandatory = $true,

            Position = 2)]

        [ValidatePattern('^\w{32}$')]

        [array] $Ids,

        [Parameter(ParameterSetName = '/devices/entities/devices-actions/v2:post', Position = 3)]

        [ValidateSet('agent_version','cid','external_ip','first_seen','host_hidden_status','hostname','last_seen',

            'local_ip','mac_address','os_build','os_version','platform_name','product_type','product_type_desc',

            'reduced_functionality_mode','serial_number','system_manufacturer','system_product_name','tags')]

        [array] $Include

    )

    begin {

        $Fields = @{

            Name = 'action_name'

        }

    }

    process {

        $Param = @{

            Command  = $MyInvocation.MyCommand.Name

            Endpoint = $PSCmdlet.ParameterSetName

            Inputs   = Update-FieldName -Fields $Fields -Inputs $PSBoundParameters

            Format   = @{

                Query = @('action_name')

                Body  = @{

                    root = @('ids')

                }

            }

        }

        $Param['Max'] = if ($Param.Inputs.action_name -match 'host$') {

            100

        } else {

            500

        }

        $Result = Invoke-Falcon @Param

        if ($PSBoundParameters.Include -and $Result) {

            foreach ($Item in (Get-FalconHost -Ids $Result.id | Select-Object @($PSBoundParameters.Include +

            'device_id'))) {

                @($Item.PSObject.Properties.Where({ $_.Name -ne 'device_id' })).foreach{

                    $AddParam = @{

                        Object = $Result | Where-Object { $_.id -eq $Item.device_id }

                        Name   = $_.Name

                        Value  = $_.Value

                    }

                    Add-Property @AddParam

                }

            }

        }

        $Result

    }

}

function Remove-FalconGroupingTag {

    [CmdletBinding(DefaultParameterSetName = '/devices/entities/devices/tags/v1:patch')]

    param(

        [Parameter(ParameterSetName = '/devices/entities/devices/tags/v1:patch', Mandatory = $true, Position = 1)]

        [ValidatePattern('^\w{32}$')]

        [array] $Ids,

        [Parameter(ParameterSetName = '/devices/entities/devices/tags/v1:patch', Mandatory = $true, Position = 2)]

        [ValidatePattern('^FalconGroupingTags/.+$')]

        [ValidateScript({

            @($_).foreach{

                if ((Test-RegexValue $_) -eq 'tag') {

                    $true

                } else {

                    throw "Valid values include letters, numbers, hyphens, unscores and forward slashes. ['$_']"

                }

            }

        })]

        [array] $Tags

    )

    begin {

        $Fields = @{

            Ids = 'device_ids'

        }

    }

    process {

        $PSBoundParameters['action'] = 'remove'

        $Param = @{

            Command  = $MyInvocation.MyCommand.Name

            Endpoint = $PSCmdlet.ParameterSetName

            Inputs   = Update-FieldName -Fields $Fields -Inputs $PSBoundParameters

            Format   = @{

                Body = @{

                    root = @('tags', 'device_ids', 'action')

                }

            }

        }

        Invoke-Falcon @Param

    }

}