PSFalcon

2.2.2

PowerShell for the CrowdStrike Falcon OAuth2 APIs

Minimum PowerShell version

5.1

The owner has unlisted this package. This could mean that the module is deprecated or shouldn't be used anymore.

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name PSFalcon -RequiredVersion 2.2.2

Copy and paste the following command to install this package using Microsoft.PowerShell.PSResourceGet:

Install-PSResource -Name PSFalcon -Version 2.2.2

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Copyright

(c) CrowdStrike. All rights reserved.

Package Details

Author(s)

  • Brendan Kremian

Tags

CrowdStrike Falcon OAuth2 REST API Windows Linux MacOS

Functions

Get-FalconAlert Invoke-FalconAlertAction Confirm-FalconDiscoverAwsAccess Edit-FalconDiscoverAwsAccount Get-FalconDiscoverAwsAccount Get-FalconDiscoverAwsSetting New-FalconDiscoverAwsAccount Remove-FalconDiscoverAwsAccount Update-FalconDiscoverAwsSetting Get-FalconDiscoverAzureAccount Get-FalconDiscoverAzureCertificate New-FalconDiscoverAzureAccount Receive-FalconDiscoverAzureScript Update-FalconDiscoverAzureAccount Edit-FalconHorizonAwsAccount Get-FalconHorizonAwsAccount Get-FalconHorizonAwsLink New-FalconHorizonAwsAccount Receive-FalconHorizonAwsScript Remove-FalconHorizonAwsAccount Edit-FalconHorizonAzureAccount Get-FalconHorizonAzureAccount Get-FalconHorizonAzureCertificate New-FalconHorizonAzureAccount Receive-FalconHorizonAzureScript Remove-FalconHorizonAzureAccount Get-FalconDiscoverGcpAccount New-FalconDiscoverGcpAccount Receive-FalconDiscoverGcpScript Get-FalconContainerAssessment Get-FalconContainerSensor Remove-FalconRegistryCredential Request-FalconRegistryCredential Remove-FalconContainerImage Show-FalconRegistryCredential Edit-FalconDetection Get-FalconDetection Get-FalconHorizonIoa Get-FalconHorizonIom Add-FalconGroupingTag Edit-FalconHostGroup Get-FalconHost Get-FalconHostGroup Get-FalconHostGroupMember Invoke-FalconHostAction Invoke-FalconHostGroupAction New-FalconHostGroup Remove-FalconGroupingTag Remove-FalconHostGroup Get-FalconAsset Get-FalconCompleteAllowlist Get-FalconCompleteBlocklist Get-FalconCompleteCollection Get-FalconCompleteDetection Get-FalconCompleteEscalation Get-FalconCompleteIncident Get-FalconCompleteRemediation Get-FalconReport Get-FalconSubmission Get-FalconSubmissionQuota New-FalconSubmission Receive-FalconArtifact Remove-FalconReport Get-FalconFimChange Edit-FalconFirewallGroup Edit-FalconFirewallSetting Get-FalconFirewallEvent Get-FalconFirewallField Get-FalconFirewallGroup Get-FalconFirewallPlatform Get-FalconFirewallRule Get-FalconFirewallSetting New-FalconFirewallGroup Remove-FalconFirewallGroup Invoke-FalconIdentityGraph 
Get-FalconBehavior Get-FalconIncident Get-FalconScore Invoke-FalconIncidentAction Get-FalconIocHost Get-FalconIocProcess Get-FalconActor Get-FalconIndicator Get-FalconIntel Get-FalconRule Receive-FalconIntel Receive-FalconRule Edit-FalconInstallToken Get-FalconInstallToken Get-FalconInstallTokenEvent Get-FalconInstallTokenSetting New-FalconInstallToken Remove-FalconInstallToken Get-FalconHorizonIoaEvent Get-FalconHorizonIoaUser Edit-FalconIoaGroup Edit-FalconIoaRule Get-FalconIoaGroup Get-FalconIoaPlatform Get-FalconIoaRule Get-FalconIoaSeverity Get-FalconIoaType New-FalconIoaGroup New-FalconIoaRule Remove-FalconIoaGroup Remove-FalconIoaRule Test-FalconIoaRule Edit-FalconIoc Get-FalconIoc New-FalconIoc Remove-FalconIoc Edit-FalconContainerAwsAccount Get-FalconContainerAwsAccount Get-FalconContainerCloud Get-FalconContainerCluster Invoke-FalconContainerScan New-FalconContainerAwsAccount New-FalconContainerKey Receive-FalconContainerYaml Remove-FalconContainerAwsAccount Get-FalconMalQuery Get-FalconMalQueryQuota Get-FalconMalQuerySample Group-FalconMalQuerySample Invoke-FalconMalQuery Receive-FalconMalQuerySample Search-FalconMalQueryHash Add-FalconCompleteActivity Edit-FalconCompleteCase New-FalconCompleteCase Get-FalconCompleteActivity Get-FalconCompleteCase Receive-FalconCompleteAttachment Send-FalconCompleteAttachment Invoke-FalconMobileAction Add-FalconCidGroupMember Add-FalconGroupRole Add-FalconUserGroupMember Edit-FalconCidGroup Edit-FalconUserGroup Get-FalconCidGroup Get-FalconCidGroupMember Get-FalconGroupRole Get-FalconMemberCid Get-FalconUserGroup Get-FalconUserGroupMember New-FalconCidGroup New-FalconUserGroup Remove-FalconCidGroup Remove-FalconCidGroupMember Remove-FalconGroupRole Remove-FalconUserGroup Remove-FalconUserGroupMember Request-FalconToken Revoke-FalconToken Test-FalconToken Get-FalconOverWatchEvent Get-FalconOverWatchDetection Get-FalconOverWatchIncident Edit-FalconDeviceControlPolicy Get-FalconDeviceControlPolicy 
Get-FalconDeviceControlPolicyMember Invoke-FalconDeviceControlPolicyAction New-FalconDeviceControlPolicy Remove-FalconDeviceControlPolicy Set-FalconDeviceControlPrecedence Edit-FalconFirewallPolicy Get-FalconFirewallPolicy Get-FalconFirewallPolicyMember Invoke-FalconFirewallPolicyAction New-FalconFirewallPolicy Remove-FalconFirewallPolicy Set-FalconFirewallPrecedence ConvertTo-FalconIoaExclusion Edit-FalconIoaExclusion Get-FalconIoaExclusion New-FalconIoaExclusion Remove-FalconIoaExclusion ConvertTo-FalconMlExclusion Edit-FalconMlExclusion Get-FalconMlExclusion New-FalconMlExclusion Remove-FalconMlExclusion Edit-FalconPreventionPolicy Get-FalconPreventionPolicy Get-FalconPreventionPolicyMember Invoke-FalconPreventionPolicyAction New-FalconPreventionPolicy Remove-FalconPreventionPolicy Set-FalconPreventionPrecedence Edit-FalconResponsePolicy Get-FalconResponsePolicy Get-FalconResponsePolicyMember Invoke-FalconResponsePolicyAction New-FalconResponsePolicy Remove-FalconResponsePolicy Set-FalconResponsePrecedence Edit-FalconSensorUpdatePolicy Get-FalconBuild Get-FalconKernel Get-FalconSensorUpdatePolicy Get-FalconSensorUpdatePolicyMember Get-FalconUninstallToken Invoke-FalconSensorUpdatePolicyAction New-FalconSensorUpdatePolicy Remove-FalconSensorUpdatePolicy Set-FalconSensorUpdatePrecedence Edit-FalconSvExclusion Get-FalconSvExclusion New-FalconSvExclusion Remove-FalconSvExclusion Export-FalconConfig Import-FalconConfig Find-FalconDuplicate Find-FalconHostname Register-FalconEventCollector Send-FalconEvent Show-FalconEventCollector Unregister-FalconEventCollector Export-FalconReport Send-FalconWebhook Show-FalconMap Show-FalconModule Copy-FalconDeviceControlPolicy Copy-FalconFirewallPolicy Copy-FalconPreventionPolicy Copy-FalconResponsePolicy Copy-FalconSensorUpdatePolicy Add-FalconSensorTag Get-FalconSensorTag Remove-FalconSensorTag Uninstall-FalconSensor Get-FalconQueue Invoke-FalconDeploy Invoke-FalconRtr Get-FalconQuarantine Invoke-FalconQuarantineAction 
Test-FalconQuarantineAction Confirm-FalconAdminCommand Confirm-FalconCommand Confirm-FalconGetFile Confirm-FalconResponderCommand Edit-FalconScript Get-FalconPutFile Get-FalconScript Get-FalconSession Invoke-FalconAdminCommand Invoke-FalconBatchGet Invoke-FalconCommand Invoke-FalconResponderCommand Receive-FalconGetFile Remove-FalconCommand Remove-FalconGetFile Remove-FalconPutFile Remove-FalconScript Remove-FalconSession Send-FalconPutFile Send-FalconScript Start-FalconSession Update-FalconSession Edit-FalconReconAction Edit-FalconReconNotification Edit-FalconReconRule Get-FalconReconAction Get-FalconReconNotification Get-FalconReconRule Get-FalconReconRulePreview New-FalconReconAction New-FalconReconRule Remove-FalconReconAction Remove-FalconReconRule Remove-FalconReconNotification Get-FalconScheduledReport Invoke-FalconScheduledReport Receive-FalconScheduledReport Redo-FalconScheduledReport Get-FalconSample Send-FalconSample Receive-FalconSample Remove-FalconSample Get-FalconQuickScan Get-FalconQuickScanQuota New-FalconQuickScan Get-FalconCcid Get-FalconInstaller Get-FalconStream Receive-FalconInstaller Update-FalconStream Edit-FalconHorizonPolicy Edit-FalconHorizonSchedule Get-FalconHorizonPolicy Get-FalconHorizonSchedule Get-FalconRemediation Get-FalconVulnerability Get-FalconVulnerabilityLogic Add-FalconRole Edit-FalconUser Get-FalconRole Get-FalconUser Invoke-FalconUserAction New-FalconUser Remove-FalconRole Remove-FalconUser Get-FalconZta

PSEditions

Desktop Core

Dependencies

This module has no dependencies.

Release Notes

New Commands

* cloud-connect-azure.ps1
 Get-FalconDiscoverAzureCertificate

* cloud-connect-cspm-azure.ps1
 Get-FalconHorizonAzureCertificate

* mobile-enrollment.ps1
 Invoke-FalconMobileAction

* psf-devices.ps1
 Find-FalconHostname

* user-management.ps1
 Invoke-FalconUserAction

General Changes

* Re-organized public functions into files named for their URL prefix rather than their respective Swagger
 collection (which sometimes would match the prefix and sometimes wouldn't). Because of the number of endpoints
 that fell under 'policy', it is segmented into specific files.

* The public 'users.ps1' and 'user-roles.ps1' files have been consolidated under 'user-management.ps1' and merged
 with new /user-management/ endpoints.

* Updated IPv4 regex used by 'Test-RegexValue' private function.

* Streamlined looping functionality (used with '-All' parameter). Updated all commands to output groups of
 results as they are retrieved instead of the entire result set at the end of a loop. Also verified that
 authorization tokens are properly refreshed during a long running loop.

Command Changes

* Modified 'Add-FalconSensorTag' and 'Remove-FalconSensorTag' to include the uninstall token of the target device
 while adding and removing sensor tags with 'CsSensorSettings.exe' on Windows sensor versions v6.42 and above.

* Modified 'Get-FalconSensorTag' to return the 'FalconSensorTags' values listed in a devices API response if the
 target device is Windows sensor version 6.42 or above. If 'CsSensorSettings.exe' is updated to include a method
 to 'get' sensor tags, 'Get-FalconSensorTag' will use that method in the future.

* Removed mandatory requirement for 'TenantId' parameter within the 'Get-FalconDiscoverAzureAccount' command.

* Updated 'Invoke-FalconAlertAction' to use the new v2 endpoint which includes formatting corrections.

* Based on code provided by @SleepySysadmin, 'Invoke-FalconIdentityGraph' now has an '-All' parameter when using
 '-Query'!

 When used with a query that includes 'pageInfo{endCursor hasNextPage}', results will be paginated automatically
 and only relevant data will be output (similar to the rest of the PSFalcon commands) instead of the entire
 object.

 '-All' will automatically be added if a query begins with ($after: Cursor) and has 'after' in the query
 parameters, as it is assumed that all results are expected.

 If 'pageInfo' is not provided in the query and '-All' is specified, a warning message will be generated.

 A query without '-All' will produce the same results as earlier versions of the module.

* Added '-Mutation' parameter to 'Invoke-FalconIdentityGraph'.

* Updated 'Add-FalconRole', 'Edit-FalconUser', 'Get-FalconUser', 'New-FalconUser', 'Remove-FalconRole', and
 'Remove-FalconUser', to use new /user-management/ endpoints where appropriate. These commands behave as they
 did before, unless using additional parameters to signify that requests are being performed within a
 multi-CID environment.

* 'Get-FalconRole' has been updated to produce results from new /user-management/ endpoints.

Resolved Issues

* Issue #170: 'Invoke-Loop' changes should eliminate token failures during retrieval of large result sets.

* Issue #222: Updated comparison process to ensure an imported policy would be properly added to the list of
 items to be modified, whether or not it was going to be created. Removed existing copy policy operation from
 creation process.

* Issue #223: Removed extraneous 'Endpoint' definition that was generating an error.

* Issue #231: Corrected addition of 'FirewallRule' when using 'Export-FalconConfig -Item FirewallGroup'. This fix
 should also resolve issues when exporting 'HostGroup' and a singular 'exclusion' item.

* Issue #232: Re-added 'Outfile' designation for 'Path' parameter in 'Receive-FalconArtifact'. This should have
 been present and was accidentally removed in an earlier module version.

Version History

Version Downloads Last updated
2.2.6 91,588 11/27/2023
2.2.5 48,358 5/1/2023