Public/detects.ps1

function Edit-FalconDetection {
<#
.SYNOPSIS
Modify detections
.DESCRIPTION
Requires 'Detections: Write'.

Detection identifiers are accepted directly or from the pipeline, collected while input is received, and
submitted as one de-duplicated request once all input has been processed.
.PARAMETER Status
Detection status
.PARAMETER Comment
Detection comment (a 'Status' value must also be supplied)
.PARAMETER ShowInUi
Visible within the Falcon UI [default: $true]
.PARAMETER AssignedToUuid
User identifier for assignment
.PARAMETER Id
Detection identifier
.LINK
https://github.com/CrowdStrike/psfalcon/wiki/Incident-and-Detection-Monitoring
#>

    [CmdletBinding(DefaultParameterSetName='/detects/entities/detects/v2:patch',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',Position=1)]
        [ValidateSet('new','in_progress','true_positive','false_positive','ignored','closed','reopened',
            IgnoreCase=$false)]
        [string]$Status,
        [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',Position=2)]
        [ValidateScript({
            if ($PSBoundParameters.Status) { $true } else { throw "A valid 'status' value must also be supplied." }
        })]
        [string]$Comment,
        [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',Position=3)]
        [Alias('show_in_ui')]
        [boolean]$ShowInUi,
        [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',ValueFromPipelineByPropertyName,
           Position=4)]
        [ValidatePattern('^\w{8}-\w{4}-\w{4}-\w{4}-\w{12}$')]
        [Alias('assigned_to_uuid','uuid')]
        [string]$AssignedToUuid,
        [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',Mandatory,ValueFromPipeline,
            ValueFromPipelineByPropertyName,Position=5)]
        [ValidatePattern('^ldt:[a-fA-F0-9]{32}:\d+$')]
        [Alias('Ids','detection_id','detection_ids')]
        [string[]]$Id
    )
    begin {
        # Body fields for the patch endpoint, passed to Invoke-Falcon as the request 'Format'
        $BodyFields = @('show_in_ui','comment','assigned_to_uuid','status','ids')
        $Param = @{
            Command = $MyInvocation.MyCommand.Name
            Endpoint = $PSCmdlet.ParameterSetName
            Format = @{ Body = @{ root = $BodyFields }}
            Max = 1000
        }
        # Identifiers gathered across all pipeline input so that 'end' issues a single request
        [System.Collections.Generic.List[string]]$List = @()
    }
    process {
        foreach ($Item in $Id) { $List.Add($Item) }
    }
    end {
        if ($List.Count -gt 0) {
            # Drop duplicate identifiers before submitting
            $PSBoundParameters['Id'] = @($List | Select-Object -Unique)
            Invoke-Falcon @Param -Inputs $PSBoundParameters
        }
    }
}
function Get-FalconDetection {
<#
.SYNOPSIS
Search for detections
.DESCRIPTION
Requires 'Detections: Read'.

When 'Id' values are supplied, they are collected from the pipeline and sent to the summaries endpoint as one
de-duplicated request. Otherwise the query endpoint is called with the supplied search parameters.
.PARAMETER Id
Detection identifier
.PARAMETER Filter
Falcon Query Language expression to limit results
.PARAMETER Query
Perform a generic substring search across available fields
.PARAMETER Sort
Property and direction to sort results
.PARAMETER Limit
Maximum number of results per request
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Detailed
Retrieve detailed information
.PARAMETER All
Repeat requests until all available results are retrieved
.PARAMETER Total
Display total result count instead of results
.LINK
https://github.com/CrowdStrike/psfalcon/wiki/Incident-and-Detection-Monitoring
#>

    [CmdletBinding(DefaultParameterSetName='/detects/queries/detects/v1:get',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/detects/entities/summaries/GET/v1:post',Mandatory,ValueFromPipeline,
            ValueFromPipelineByPropertyName)]
        [ValidatePattern('^ldt:[a-fA-F0-9]{32}:\d+$')]
        [Alias('Ids','detection_id','detection_ids')]
        [string[]]$Id,
        [Parameter(ParameterSetName='/detects/queries/detects/v1:get',Position=1)]
        [ValidateScript({ Test-FqlStatement $_ })]
        [string]$Filter,
        [Parameter(ParameterSetName='/detects/queries/detects/v1:get',Position=2)]
        [Alias('q')]
        [string]$Query,
        [Parameter(ParameterSetName='/detects/queries/detects/v1:get',Position=3)]
        [ValidateSet('adversary_id.asc','adversary_id.desc','devices.hostname.asc','devices.hostname.desc',
            'first_behavior.asc','first_behavior.desc','last_behavior.asc','last_behavior.desc',
            'max_confidence.asc','max_confidence.desc','max_severity.asc','max_severity.desc',IgnoreCase=$false)]
        [string]$Sort,
        [Parameter(ParameterSetName='/detects/queries/detects/v1:get',Position=4)]
        [ValidateRange(1,5000)]
        [int32]$Limit,
        [Parameter(ParameterSetName='/detects/queries/detects/v1:get')]
        [int32]$Offset,
        [Parameter(ParameterSetName='/detects/queries/detects/v1:get')]
        [switch]$Detailed,
        [Parameter(ParameterSetName='/detects/queries/detects/v1:get')]
        [switch]$All,
        [Parameter(ParameterSetName='/detects/queries/detects/v1:get')]
        [switch]$Total
    )
    begin {
        # Request layout handed to Invoke-Falcon: 'ids' travels in the body, search options in the query string
        $Format = @{
            Body = @{ root = @('ids') }
            Query = @('filter','q','sort','limit','offset')
        }
        $Param = @{
            Command = $MyInvocation.MyCommand.Name
            Endpoint = $PSCmdlet.ParameterSetName
            Format = $Format
            Max = 1000
        }
        # Identifiers gathered across all pipeline input so that 'end' issues a single request
        [System.Collections.Generic.List[string]]$List = @()
    }
    process {
        if (-not $Id) {
            # Query-style request: nothing to batch, so call the endpoint immediately
            Invoke-Falcon @Param -Inputs $PSBoundParameters
        } else {
            foreach ($Item in $Id) { $List.Add($Item) }
        }
    }
    end {
        if ($List.Count -gt 0) {
            # Drop duplicate identifiers before submitting
            $PSBoundParameters['Id'] = @($List | Select-Object -Unique)
            Invoke-Falcon @Param -Inputs $PSBoundParameters
        }
    }
}