PSFalcon

2.1.9

Public/falconx-indicators.ps1

                                function Get-FalconIndicator {

    [CmdletBinding(DefaultParameterSetName = '/intel/queries/indicators/v1:get')]

    param(

        [Parameter(ParameterSetName = '/intel/entities/indicators/GET/v1:post', Mandatory = $true, Position = 1)]

        [array] $Ids,

        [Parameter(ParameterSetName = '/intel/queries/indicators/v1:get', Position = 1)]

        [Parameter(ParameterSetName = '/intel/combined/indicators/v1:get', Position = 1)]

        [ValidateScript({ Test-FqlStatement $_ })]

        [string] $Filter,

        [Parameter(ParameterSetName = '/intel/queries/indicators/v1:get', Position = 2)]

        [Parameter(ParameterSetName = '/intel/combined/indicators/v1:get', Position = 2)]

        [string] $Query,

        [Parameter(ParameterSetName = '/intel/queries/indicators/v1:get', Position = 3)]

        [Parameter(ParameterSetName = '/intel/combined/indicators/v1:get', Position = 3)]

        [ValidateSet('id|asc', 'id|desc', 'indicator|asc', 'indicator|desc', 'type|asc', 'type|desc',

            'published_date|asc', 'published_date|desc', 'last_updated|asc', 'last_updated|desc',

            '_marker|asc', '_marker|desc')]

        [string] $Sort,

        [Parameter(ParameterSetName = '/intel/queries/indicators/v1:get', Position = 4)]

        [Parameter(ParameterSetName = '/intel/combined/indicators/v1:get', Position = 4)]

        [ValidateRange(1,5000)]

        [int] $Limit,

        [Parameter(ParameterSetName = '/intel/queries/indicators/v1:get', Position = 5)]

        [Parameter(ParameterSetName = '/intel/combined/indicators/v1:get', Position = 5)]

        [int] $Offset,

        [Parameter(ParameterSetName = '/intel/queries/indicators/v1:get', Position = 6)]

        [Parameter(ParameterSetName = '/intel/combined/indicators/v1:get', Position = 6)]

        [boolean] $IncludeDeleted,

        [Parameter(ParameterSetName = '/intel/combined/indicators/v1:get', Mandatory = $true)]

        [switch] $Detailed,

        [Parameter(ParameterSetName = '/intel/queries/indicators/v1:get')]

        [Parameter(ParameterSetName = '/intel/combined/indicators/v1:get')]

        [switch] $All,

        [Parameter(ParameterSetName = '/intel/queries/indicators/v1:get')]

        [switch] $Total

    )

    begin {

        $Fields = @{

            IncludeDeleted = 'include_deleted'

            Query          = 'q'

        }

    }

    process {

        $Param = @{

            Command  = $MyInvocation.MyCommand.Name

            Endpoint = $PSCmdlet.ParameterSetName

            Inputs   = Update-FieldName -Fields $Fields -Inputs $PSBoundParameters

            Format   = @{

                Query = @('sort', 'limit', 'filter', 'offset', 'include_deleted', 'q')

                Body  = @{ root = @('ids') }

            }

        }

        Invoke-Falcon @Param

    }

}