diff --git a/PSFalcon.psd1 b/PSFalcon.psd1 index 9537a5b0..71ab125a 100644 --- a/PSFalcon.psd1 +++ b/PSFalcon.psd1 @@ -1,13 +1,13 @@ @{ RootModule = 'PSFalcon.psm1' - ModuleVersion = '2.2.2' + ModuleVersion = '2.2.3' CompatiblePSEditions = @('Desktop','Core') GUID = 'd893eb9f-f6bb-4a40-9caf-aaff0e42acd1' Author = 'Brendan Kremian' CompanyName = 'CrowdStrike' Copyright = '(c) CrowdStrike. All rights reserved.' Description = 'PowerShell for the CrowdStrike Falcon OAuth2 APIs' - HelpInfoURI = 'https://bk-cs.github.io/help/psfalcon/en-US' + HelpInfoURI = 'https://github.com/CrowdStrike/psfalcon/wiki' PowerShellVersion = '5.1' RequiredAssemblies = @('System.Net.Http') ScriptsToProcess = @('Class/Class.ps1') @@ -318,6 +318,7 @@ 'Show-FalconModule', # psf-policies + 'Compare-FalconPreventionPhase', 'Copy-FalconDeviceControlPolicy', 'Copy-FalconFirewallPolicy', 'Copy-FalconPreventionPolicy', @@ -413,6 +414,10 @@ 'Get-FalconVulnerability', 'Get-FalconVulnerabilityLogic', + # ti + 'Get-FalconTailoredEvent', + 'Get-FalconTailoredRule', + # user-management 'Add-FalconRole', 'Edit-FalconUser', 
@@ -439,87 +444,69 @@ ReleaseNotes = "@ New Commands -* cloud-connect-azure.ps1 - Get-FalconDiscoverAzureCertificate - -* cloud-connect-cspm-azure.ps1 - Get-FalconHorizonAzureCertificate - -* mobile-enrollment.ps1 - Invoke-FalconMobileAction +* psf-policies + 'Compare-FalconPreventionPhase' -* psf-devices.ps1 - Find-FalconHostname - -* user-management.ps1 - Invoke-FalconUserAction +* ti + 'Get-FalconTailoredEvent' + 'Get-FalconTailoredRule' General Changes -* Re-organized public functions into files named for their URL prefix rather than their respective Swagger - collection (which sometimes would match the prefix and sometimes wouldn't). Because of the number of endpoints - that fell under 'policy', it is segmented into specific files. +* Created 'Confirm-Property' private function to filter [hashtable] and [PSCustomObject] into pre-defined + properties containing values. -* The public 'users.ps1' and 'user-roles.ps1' files have been consolidated under 'user-management.ps1' and merged - with new /user-management/ endpoints. +* Updated comment-based help to link directly to specific wiki pages for each command. Using 'Get-Help + -Online' will launch the appropriate wiki page. These pages will be updated with current examples present within + existing wiki pages, and those pages will be re-organized. -* Updated IPv4 regex used by 'Test-RegexValue' private function. +* Modified 'Get-ParamSet' private function to look for 'ids' and 'samples' as potential body values to break into + groups of 'Max' values, instead of only 'ids'. -* Streamlined looping functionality (used with '-All' parameter). Updated all commands to output groups of - results as they are retrieved instead of the entire result set at the end of a loop. Also verified that - authorization tokens are properly refreshed during a long running loop. +* Updated Falcon X references to Falcon Intelligence due to product name change. 
Command Changes -* Modified 'Add-FalconSensorTag' and 'Remove-FalconSensorTag' to include the uninstall token of the target device - and while adding and removing sensor tags with 'CsSensorSettings.exe' on Windows sensor versions v6.42 and above. - -* Modified 'Get-FalconSensorTag' to return the 'FalconSensorTags' values listed in a devices API response if the - target device is Windows sensor version 6.42 or above. If 'CsSensorSettings.exe' is updated to include a method - to 'get' sensor tags, 'Get-FalconSensorTag' will use that method in the future. +* Updated 'Invoke-FalconIdentityGraph' to no longer modify the GraphQL statement when attempting to use '-All' for + pagination. Renamed 'Query' parameter to 'String' and made it work for both query and mutation statements but + kept 'Query' as an alias. Now, when your statement includes a 'Cursor' variable definition and the required + 'pageInfo { hasNextPage endCursor }' properties, '-All' will automatically paginate results. If either of those + requirements are missing, a warning message will be displayed and pagination will not occur. -* Removed mandatory requirement for 'TenantId' parameter within the 'Get-FalconDiscoverAzureAccount' command. +* Modified 'Get-FalconUser' to remove deprecated API when using 'Username' parameter. 'Username' now submits + filtered searches for provided 'uid' values to the appropriate /user-management/ API. -* Updated 'Invoke-FalconAlertAction' to use the new v2 endpoint which includes formatting corrections. +* Added 'Max' of 1,000 sha256 values for 'New-FalconQuickScan'. -* Based on code provided by @SleepySysadmin, 'Invoke-FalconIdentityGraph' now has an '-All' parameter when using - '-Query'! +* Added 'sha256' as a PipelineByPropertyName value for 'New-FalconQuickScan' to support pipeline input from + 'Send-FalconSample'. 
- When used with a query that includes 'pageInfo{endCursor hasNextPage}', results will be paginated automatically - and only relevant data will be output (similar to the rest of the PSFalcon commands) instead of the entire - object. +* Added pattern validation to 'Remove-FalconUser' for the 'Id' parameter. - '-All' will automatically be added if a query begins with (`$after: Cursor) and has 'after' in the query - parameters, as it is assumed that all results are expected. +* Modified 'Status' parameter for 'Edit-FalconDetection' to support ValueFromPipelineByPropertyName and changed + parameter to position 3. - If 'pageInfo' is not provided in the query and '-All' is specified, a warning message will be generated. +* Modified 'Edit-FalconSensorUpdatePolicy' and 'New-FalconSensorUpdatePolicy' to filter out properties with + empty string values in order to prevent errors when creating and/or modifying Sensor Update policies. - A query without '-All' will produce the same results as earlier versions of the module. - -* Added '-Mutation' parameter to 'Invoke-FalconIdentityGraph'. - -* Updated 'Add-FalconRole', 'Edit-FalconUser', 'Get-FalconUser', 'New-FalconUser', 'Remove-FalconRole', and - 'Remove-FalconUser', to use new /user-management/ endpoints where appropriate. These commands behave as they - did before, unless using additional parameters to signify that requests are being performed within a - multi-CID environment. - -* 'Get-FalconRole' has been updated to produce results from new /user-management/ endpoints. +* Modified 'Import-FalconConfig' to prevent an attempt to modify a policy when the policy was not successfully + created earlier in the import process. Also ensured that the precedence warnings when existing policies were + found would only be displayed once. Resolved Issues -* Issue #170: 'Invoke-Loop' changes should eliminate token failures during retrieval of large result sets. 
- -* Issue #222: Updated comparison process to ensure an imported policy would be properly added to the list of - items to be modified, whether or not it was going to be created. Removed existing copy policy operation from - creation process. +* Issue #241: Updated 'Confirm-Parameter' to eliminate 'Cannot validate argument on parameter 'Array'. Key cannot + be null. (Parameter 'key')' errors generated when using 'Import-FalconConfig'. -* Issue #223: Removed extraneous 'Endpoint' definition that was generating an error. +* Issue #242: Modified 'Edit-FalconDetection' to check whether a 'status' value is present with a 'comment' value + during command execution rather than during parameter validation. This will prevent errors from occurring when + parameters are specified in an unexpected order. -* Issue #231: Corrected addition of 'FirewallRule' when using 'Export-FalconConfig -Item FirewallGroup'. This fix - should also resolve issues when exporting 'HostGroup' and a singular 'exclusion' item. +* Issue #246: Created 'Confirm-Property' function to properly filter 'Rule' content for both [hashtable] and + [PSCustomObject] rules. This will eliminate errors caused by [hashtable] objects being improperly filtered + in PowerShell 5.1. -* Issue #232: Re-added 'Outfile' designation for 'Path' parameter in 'Receive-FalconArtifact'. This should have - been present and was accidentally removed in an earlier module version. + * Issue #247: Updated 'Write-Warning' to use a PSCmdlet method in order to properly support 'WarningVariable'. @" } } diff --git a/Policy/linux.json b/Policy/linux.json new file mode 100644 index 00000000..f39f954b Binary files /dev/null and b/Policy/linux.json differ diff --git a/Policy/mac.json b/Policy/mac.json new file mode 100644 index 00000000..7a9e11fb Binary files /dev/null and b/Policy/mac.json differ 
diff --git a/Policy/windows.json b/Policy/windows.json new file mode 100644 index 00000000..17e3742d Binary files /dev/null and b/Policy/windows.json differ diff --git a/Private/Private.ps1 b/Private/Private.ps1 index 5418ab38..b600cdf6 100644 --- a/Private/Private.ps1 +++ b/Private/Private.ps1 
@@ -274,34 +274,59 @@ function Confirm-Parameter { } } } - @($Content).foreach{ - # Match property name with parameter name - [string]$Parameter = if ($Format -and $Format.$_) { $Format.$_ } else { $_ } - if ($Object.$_) { - # Verify that 'ValidValues' contains provided value - [string[]]$ValidValues = Get-ValidValues $Command $Endpoint $Parameter - if ($Object.$_ -is [array]) { - foreach ($Item in $Object.$_) { - if ($ValidValues -notcontains $Item) { "'$Item' is not a valid '$_' value. $ObjectString" } + if ($Content) { + @($Content).foreach{ + # Match property name with parameter name + [string]$Parameter = if ($Format -and $Format.$_) { $Format.$_ } else { $_ } + if ($Object.$_) { + # Verify that 'ValidValues' contains provided value + [string[]]$ValidValues = Get-ValidValues $Command $Endpoint $Parameter + if ($ValidValues) { + if ($Object.$_ -is [array]) { + foreach ($Item in $Object.$_) { + if ($ValidValues -notcontains $Item) { + "'$Item' is not a valid '$_' value. $ObjectString" + } + } + } elseif ($ValidValues -notcontains $Object.$_) { + throw "'$($Object.$_)' is not a valid '$_' value. $ObjectString" + } } - } elseif ($ValidValues -notcontains $Object.$_) { - throw "'$($Object.$_)' is not a valid '$_' value. $ObjectString" } } } - @($Pattern).foreach{ - # Match property name with parameter name - [string]$Parameter = if ($Format -and $Format.$_) { $Format.$_ } else { $_ } - if ($Object.$_) { - # Verify provided value matches 'ValidPattern' - $ValidPattern = Get-ValidPattern $Command $Endpoint $Parameter - if ($Object.$_ -notmatch $ValidPattern) { - throw "'$($Object.$_)' is not a valid '$_' value. 
$ObjectString" + if ($Pattern) { + @($Pattern).foreach{ + # Match property name with parameter name + [string]$Parameter = if ($Format -and $Format.$_) { $Format.$_ } else { $_ } + if ($Object.$_) { + # Verify provided value matches 'ValidPattern' + $ValidPattern = Get-ValidPattern $Command $Endpoint $Parameter + if ($ValidPattern -and $Object.$_ -notmatch $ValidPattern) { + throw "'$($Object.$_)' is not a valid '$_' value. $ObjectString" + } } } } } } +function Confirm-Property { + [CmdletBinding()] + [OutputType([PSCustomObject[]])] + param( + [Parameter(Mandatory,Position=1)] + [string[]]$Property, + [Parameter(Position=2)] + [object[]]$Object + ) + process { + foreach ($Item in $Object) { + # Filter to defined properties containing values + [string[]]$Select = @($Property).foreach{ if ($Item.$_) { $_ } } + if ($Select) { [PSCustomObject]$Item | Select-Object $Select } + } + } +} function Convert-Rfc3339 { [CmdletBinding()] [OutputType([string])] @@ -366,8 +391,11 @@ function Get-ParamSet { # Output maximum, no greater than 500 $Max = if ($IdCount -and $IdCount -lt 500) { $IdCount } else { 500 } } - # Get 'Content' from user input + # Get 'Content' from user input and find identifier field $Content = Build-Content -Inputs $Inputs -Format $Format + [string]$Field = if ($Content.Body) { + if ($Content.Body.ids) { 'ids' } elseif ($Content.Body.samples) { 'samples' } + } } process { if ($Content.Query -and ($Content.Query | Measure-Object).Count -gt $Max) { 
@@ -387,15 +415,15 @@ function Get-ParamSet { } ,$Split } - } elseif ($Content.Body -and ($Content.Body.ids | Measure-Object).Count -gt $Max) { - Write-Verbose "[Get-ParamSet] Creating groups of $Max 'ids'" - for ($i = 0; $i -lt ($Content.Body.ids | Measure-Object).Count; $i += $Max) { - # Split 'Body' content into groups using 'ids' + } elseif ($Content.Body -and $Field -and ($Content.Body.$Field | Measure-Object).Count -gt $Max) { + Write-Verbose "[Get-ParamSet] Creating groups of $Max '$Field' values" + for ($i = 0; $i -lt ($Content.Body.$Field | Measure-Object).Count; $i += $Max) { + # Split 'Body' content into groups using '$Field' $Split = $Switches.Clone() $Split.Add('Endpoint',$Base.Clone()) - $Split.Endpoint.Add('Body',@{ ids = $Content.Body.ids[$i..($i + ($Max - 1))] }) + $Split.Endpoint.Add('Body',@{ $Field = $Content.Body.$Field[$i..($i + ($Max - 1))] }) $Content.GetEnumerator().Where({ $_.Value }).foreach{ - # Add values other than 'Body.ids' + # Add values other than 'Body.$Field' if ($_.Key -eq 'Query') { $Split.Endpoint.Path += if ($Split.Endpoint.Path -match '\?') { "&$($_.Value -join '&')" @@ -403,7 +431,7 @@ function Get-ParamSet { "?$($_.Value -join '&')" } } elseif ($_.Key -eq 'Body') { - ($_.Value).GetEnumerator().Where({ $_.Key -ne 'ids' }).foreach{ + ($_.Value).GetEnumerator().Where({ $_.Key -ne $Field }).foreach{ $Split.Endpoint.Body.Add($_.Key,$_.Value) } } else { diff --git a/Public/alerts.ps1 b/Public/alerts.ps1 index 1020d579..3e19173d 100644 --- a/Public/alerts.ps1 +++ b/Public/alerts.ps1 @@ -23,7 +23,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Alerts +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconAlert #> [CmdletBinding(DefaultParameterSetName='/alerts/queries/alerts/v1:get',SupportsShouldProcess)] param( 
@@ -82,7 +82,7 @@ Value for the chosen action .PARAMETER Id Alert identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Alerts +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconAlertAction #> [CmdletBinding(DefaultParameterSetName='/alerts/entities/alerts/v2:patch',SupportsShouldProcess)] param( diff --git a/Public/cloud-connect-aws.ps1 b/Public/cloud-connect-aws.ps1 index 710f240b..58437432 100644 --- a/Public/cloud-connect-aws.ps1 +++ b/Public/cloud-connect-aws.ps1 @@ -7,7 +7,7 @@ Requires 'AWS Accounts: Write'. .PARAMETER Id AWS account identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/CrowdStrike/psfalcon/wiki/Confirm-FalconDiscoverAwsAccess #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-aws/entities/verify-account-access/v1:post', SupportsShouldProcess)] @@ -55,7 +55,7 @@ Maximum number of requests within 'RateLimitTime' .PARAMETER Id AWS account identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/CrowdStrike/psfalcon/wiki/Edit-FalconDiscoverAwsAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-aws/entities/accounts/v1:patch',SupportsShouldProcess)] param( @@ -125,7 +125,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconDiscoverAwsAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-aws/queries/accounts/v1:get',SupportsShouldProcess)] param( 
@@ -176,7 +176,7 @@ Retrieve Global Settings Falcon Discover for Cloud AWS accounts .DESCRIPTION Requires 'AWS Accounts: Read'. .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconDiscoverAwsSetting #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-aws/combined/settings/v1:get',SupportsShouldProcess)] param() @@ -205,7 +205,7 @@ Maximum number of requests within 'RateLimitTime' .PARAMETER Id AWS account identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/CrowdStrike/psfalcon/wiki/New-FalconDiscoverAwsAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-aws/entities/accounts/v1:post',SupportsShouldProcess)] param( @@ -266,7 +266,7 @@ Requires 'AWS Accounts: Write'. .PARAMETER Id AWS account identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/CrowdStrike/psfalcon/wiki/Remove-FalconDiscoverAwsAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-aws/entities/accounts/v1:delete',SupportsShouldProcess)] param( @@ -303,7 +303,7 @@ AWS account identifier containing cloudtrail logs .PARAMETER StaticExternalId Default external identifier to apply to AWS accounts .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/CrowdStrike/psfalcon/wiki/Update-FalconDiscoverAwsSetting #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-aws/entities/settings/v1:post',SupportsShouldProcess)] param( diff --git a/Public/cloud-connect-azure.ps1 b/Public/cloud-connect-azure.ps1 index a7e189b7..13fa5156 100644 --- a/Public/cloud-connect-azure.ps1 +++ b/Public/cloud-connect-azure.ps1 
@@ -9,7 +9,7 @@ Scan type .PARAMETER Id Azure account identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconDiscoverAzureAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-azure/entities/account/v1:get',SupportsShouldProcess)] param( @@ -48,7 +48,7 @@ Refresh certificate [default: false] .PARAMETER TenantId Azure tenant identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconDiscoverAzureCertificate #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-azure/entities/download-certificate/v1:get', SupportsShouldProcess)] @@ -80,7 +80,7 @@ Azure subscription identifier .PARAMETER TenantId Azure tenant identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/crowdstrike/psfalcon/wiki/New-FalconDiscoverAzureAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-azure/entities/account/v1:post',SupportsShouldProcess)] param( @@ -115,7 +115,7 @@ Destination path .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconDiscoverAzureScript #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-azure/entities/user-scripts-download/v1:get', SupportsShouldProcess)] @@ -157,7 +157,7 @@ Requires 'D4C Registration: Write'. .PARAMETER Id Azure client identifier for the associated Service Principal .LINK -https://github.com/crowdstrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/crowdstrike/psfalcon/wiki/Update-FalconDiscoverAzureAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-azure/entities/client-id/v1:patch', SupportsShouldProcess)] 
diff --git a/Public/cloud-connect-cspm-aws.ps1 b/Public/cloud-connect-cspm-aws.ps1 index e3ac59d2..f3b681c0 100644 --- a/Public/cloud-connect-cspm-aws.ps1 +++ b/Public/cloud-connect-cspm-aws.ps1 @@ -9,7 +9,7 @@ AWS account identifier .PARAMETER CloudtrailRegion AWS region where the account resides .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconHorizonAwsAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-aws/entities/account/v1:patch', SupportsShouldProcess)] @@ -39,9 +39,9 @@ function Get-FalconHorizonAwsAccount { .SYNOPSIS Search for Falcon Horizon AWS accounts .DESCRIPTION -Requires 'CSPM Registration: Read'. - A properly provisioned AWS account will display the status 'Event_DiscoverAccountStatusOperational'. + +Requires 'CSPM Registration: Read'. .PARAMETER Id AWS account identifier .PARAMETER OrganizationId @@ -61,7 +61,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHorizonAwsAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-aws/entities/account/v1:get', SupportsShouldProcess)] @@ -117,12 +117,12 @@ function Get-FalconHorizonAwsLink { .SYNOPSIS Retrieve a URL to grant Falcon Horizon access in AWS .DESCRIPTION -Requires 'CSPM Registration: Read'. - Once logging in to the provided link using your AWS administrator credentials, use the 'Create Stack' button to grant access. + +Requires 'CSPM Registration: Read'. .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHorizonAwsLink #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-aws/entities/console-setup-urls/v1:get', SupportsShouldProcess)] 
@@ -142,7 +142,7 @@ AWS region where the account resides .PARAMETER AccountId AWS account identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/New-FalconHorizonAwsAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-aws/entities/account/v1:post', SupportsShouldProcess)] @@ -182,7 +182,7 @@ Destination path .PARAMETER Force Overwrite existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconHorizonAwsScript #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-aws/entities/user-scripts-download/v1:get', SupportsShouldProcess)] @@ -226,7 +226,7 @@ AWS account identifier .PARAMETER OrganizationId AWS organization identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconHorizonAwsAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-aws/entities/account/v1:delete', SupportsShouldProcess)] @@ -236,7 +236,6 @@ https://github.com/crowdstrike/psfalcon/wiki/Horizon [ValidatePattern('^\d{12}$')] [Alias('Ids')] [string[]]$Id, - [Parameter(ParameterSetName='OrganizationIds',Mandatory)] [ValidatePattern('^o-[0-9a-z]{10,32}$')] [Alias('organization-ids','OrganizationIds')] diff --git a/Public/cloud-connect-cspm-azure.ps1 b/Public/cloud-connect-cspm-azure.ps1 index dd51b972..9dd53f35 100644 --- a/Public/cloud-connect-cspm-azure.ps1 +++ b/Public/cloud-connect-cspm-azure.ps1 @@ -11,7 +11,7 @@ Azure subscription identifier .PARAMETER TenantId Azure tenant identifier, required when multiple tenants have been registered .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconHorizonAzureAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-azure/entities/client-id/v1:patch', SupportsShouldProcess)] 
@@ -63,7 +63,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHorizonAzureAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-azure/entities/account/v1:get', SupportsShouldProcess)] @@ -115,7 +115,7 @@ Refresh certificate [default: false] .PARAMETER TenantId Azure tenant identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHorizonAzureCertificate #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-azure/entities/download-certificate/v1:get', SupportsShouldProcess)] @@ -147,7 +147,7 @@ Azure subscription identifier .PARAMETER TenantId Azure tenant identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/New-FalconHorizonAzureAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-azure/entities/account/v1:post', SupportsShouldProcess)] @@ -185,7 +185,7 @@ Azure tenant identifier .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconHorizonAzureScript #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-azure/entities/user-scripts-download/v1:get', SupportsShouldProcess)] @@ -235,7 +235,7 @@ Requires 'CSPM Registration: Write'. .PARAMETER Id Azure account identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconHorizonAzureAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-cspm-azure/entities/account/v1:delete', SupportsShouldProcess)] diff --git a/Public/cloud-connect-gcp.ps1 b/Public/cloud-connect-gcp.ps1 index 5696d66e..3b31ddc1 100644 --- a/Public/cloud-connect-gcp.ps1 
+++ b/Public/cloud-connect-gcp.ps1 @@ -9,7 +9,7 @@ Scan type .PARAMETER Id GCP account identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconDiscoverGcpAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-gcp/entities/account/v1:get',SupportsShouldProcess)] param( @@ -48,7 +48,7 @@ Requires 'D4C Registration: Write'. .PARAMETER ParentId GCP project identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/crowdstrike/psfalcon/wiki/New-FalconDiscoverGcpAccount #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-gcp/entities/account/v1:post', SupportsShouldProcess)] @@ -79,7 +79,7 @@ Destination path .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Discover-for-Cloud-and-Containers +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconDiscoverGcpScript #> [CmdletBinding(DefaultParameterSetName='/cloud-connect-gcp/entities/user-scripts-download/v1:get', SupportsShouldProcess)] diff --git a/Public/container-security.ps1 b/Public/container-security.ps1 index 1f7de385..da14df6d 100644 --- a/Public/container-security.ps1 +++ b/Public/container-security.ps1 @@ -11,7 +11,7 @@ Container repository .PARAMETER Tag Container tag .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconContainerAssessment #> [CmdletBinding(DefaultParameterSetName='/reports:get',SupportsShouldProcess)] param( 
@@ -44,7 +44,7 @@ Requires 'Falcon Container Image: Read'. .PARAMETER LatestUrl Create a URL using the most recent build tag .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconContainerSensor #> [CmdletBinding(DefaultParameterSetName='/v2/{sensortype}/{region}/release/falcon-sensor/tags/list:get', SupportsShouldProcess)] @@ -80,7 +80,7 @@ Requires 'Falcon Container Image: Write'. .PARAMETER Id Container image identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconContainerImage #> [CmdletBinding(DefaultParameterSetName='/images/{id}:delete',SupportsShouldProcess)] param( @@ -108,7 +108,7 @@ function Remove-FalconRegistryCredential { .SYNOPSIS Remove your cached Falcon container registry access token and credential information from the module .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconRegistryCredential #> [CmdletBinding(SupportsShouldProcess)] param() @@ -119,15 +119,15 @@ function Request-FalconRegistryCredential { .SYNOPSIS Request your Falcon container registry username, password and access token .DESCRIPTION -Requires 'Falcon Container Image: Read' and 'Sensor Download: Read'. - If successful, you token and username are cached for re-use as you use Falcon container security related commands. If an active access token is due to expire in less than 15 seconds, a new token will automatically be requested. + +Requires 'Falcon Container Image: Read' and 'Sensor Download: Read'. .PARAMETER SensorType Container sensor type, used to determine container registry .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Request-FalconRegistryCredential #> [CmdletBinding(SupportsShouldProcess)] param( 
@@ -196,7 +196,7 @@ function Show-FalconRegistryCredential { .SYNOPSIS Display Falcon container registry credential information .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Show-FalconRegistryCredential #> [CmdletBinding()] param() diff --git a/Public/detects.ps1 b/Public/detects.ps1 index b14daa9e..8aef7753 100644 --- a/Public/detects.ps1 +++ b/Public/detects.ps1 
@@ -4,33 +4,31 @@ function Edit-FalconDetection { Modify detections .DESCRIPTION Requires 'Detections: Write'. -.PARAMETER Status -Detection status .PARAMETER Comment Detection comment .PARAMETER ShowInUi Visible within the Falcon UI [default: $true] +.PARAMETER Status +Detection status .PARAMETER AssignedToUuid User identifier for assignment .PARAMETER Id Detection identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Incident-and-Detection-Monitoring +https://github.com/CrowdStrike/psfalcon/wiki/Edit-FalconDetection #> [CmdletBinding(DefaultParameterSetName='/detects/entities/detects/v2:patch',SupportsShouldProcess)] param( [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',Position=1)] - [ValidateSet('new','in_progress','true_positive','false_positive','ignored','closed','reopened', - IgnoreCase=$false)] - [string]$Status, - [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',Position=2)] - [ValidateScript({ - if ($PSBoundParameters.Status) { $true } else { throw "A valid 'status' value must also be supplied." } - })] [string]$Comment, - [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',Position=3)] + [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',Position=2)] [Alias('show_in_ui')] [boolean]$ShowInUi, + [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',ValueFromPipelineByPropertyName, + Position=3)] + [ValidateSet('new','in_progress','true_positive','false_positive','ignored','closed','reopened', + IgnoreCase=$false)] + [string]$Status, [Parameter(ParameterSetName='/detects/entities/detects/v2:patch',ValueFromPipelineByPropertyName, Position=4)] [ValidatePattern('^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$')] 
@@ -53,7 +51,9 @@ https://github.com/CrowdStrike/psfalcon/wiki/Incident-and-Detection-Monitoring } process { if ($Id) { @($Id).foreach{ $List.Add($_) }}} end { - if ($List) { + if ($PSBoundParameters.Comment -and !$PSBoundParameters.Status) { + throw "A 'status' value must be supplied when adding a comment." + } elseif ($List) { $PSBoundParameters['Id'] = @($List | Select-Object -Unique) Invoke-Falcon @Param -Inputs $PSBoundParameters } @@ -84,7 +84,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Incident-and-Detection-Monitoring +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconDetection #> [CmdletBinding(DefaultParameterSetName='/detects/queries/detects/v1:get',SupportsShouldProcess)] param( @@ -167,7 +167,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHorizonIoa #> [CmdletBinding(DefaultParameterSetName='/detects/entities/ioa/v1:get',SupportsShouldProcess)] param( @@ -275,7 +275,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHorizonIom #> [CmdletBinding(DefaultParameterSetName='/detects/entities/iom/v1:get',SupportsShouldProcess)] param( diff --git a/Public/devices.ps1 b/Public/devices.ps1 index 82341161..85ba81aa 100644 --- a/Public/devices.ps1 +++ b/Public/devices.ps1 
@@ -9,7 +9,7 @@ FalconGroupingTag value ['FalconGroupingTags/'] .PARAMETER Id Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Add-FalconGroupingTag #> [CmdletBinding(DefaultParameterSetName='/devices/entities/devices/tags/v1:patch',SupportsShouldProcess)] param( @@ -62,7 +62,7 @@ FQL-based assignment rule, used with dynamic host groups .PARAMETER Id Host group identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconHostGroup #> [CmdletBinding(DefaultParameterSetName='/devices/entities/host-groups/v1:patch',SupportsShouldProcess)] param( @@ -123,7 +123,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHost #> [CmdletBinding(DefaultParameterSetName='/devices/queries/devices-scroll/v1:get',SupportsShouldProcess)] param( @@ -227,7 +227,7 @@ https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management $Groups = try { $Request.groups | Get-FalconHostGroup -EA 0 | Select-Object id,name } catch {} if ($Groups) { foreach ($i in $Request) { - $i.groups = $Groups | Where-Object { $i.groups -contains $_.id } + if ($i.groups) { $i.groups = $Groups | Where-Object { $i.groups -contains $_.id }} } } } @@ -303,7 +303,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHostGroup #> [CmdletBinding(DefaultParameterSetName='/devices/queries/host-groups/v1:get',SupportsShouldProcess)] param( 
@@ -385,7 +385,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHostGroupMember #> [CmdletBinding(DefaultParameterSetName='/devices/queries/host-group-members/v1:get',SupportsShouldProcess)] param( @@ -439,7 +439,7 @@ Include additional properties .PARAMETER Id Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconHostAction #> [CmdletBinding(DefaultParameterSetName='/devices/entities/devices-actions/v2:post',SupportsShouldProcess)] param( @@ -491,9 +491,9 @@ function Invoke-FalconHostGroupAction { .SYNOPSIS Perform actions on host groups .DESCRIPTION -Requires 'Host Groups: Write'. - Adds or removes hosts from host groups in batches of 500. + +Requires 'Host Groups: Write'. .PARAMETER Name Action to perform .PARAMETER Id @@ -501,7 +501,7 @@ Host group identifier .PARAMETER HostId Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconHostGroupAction #> [CmdletBinding(DefaultParameterSetName='/devices/entities/host-group-actions/v1:post',SupportsShouldProcess)] param( @@ -561,7 +561,7 @@ Host group description .PARAMETER AssignmentRule Assignment rule for 'dynamic' host groups .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/New-FalconHostGroup #> [CmdletBinding(DefaultParameterSetName='/devices/entities/host-groups/v1:post',SupportsShouldProcess)] param( 
@@ -646,7 +646,7 @@ FalconGroupingTag value ['FalconGroupingTags/'] .PARAMETER Id Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconGroupingTag #> [CmdletBinding(DefaultParameterSetName='/devices/entities/devices/tags/v1:patch',SupportsShouldProcess)] param( @@ -695,7 +695,7 @@ Requires 'Host Groups: Write'. .PARAMETER Id Host group identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconHostGroup #> [CmdletBinding(DefaultParameterSetName='/devices/entities/host-groups/v1:delete',SupportsShouldProcess)] param( diff --git a/Public/discover.ps1 b/Public/discover.ps1 index 049540ab..02d271cf 100644 --- a/Public/discover.ps1 +++ b/Public/discover.ps1 @@ -27,7 +27,7 @@ Search for user account assets .PARAMETER Login Search for login events .LINK -https://github.com/crowdstrike/psfalcon/wiki/Discover +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconAsset #> [CmdletBinding(DefaultParameterSetName='/discover/queries/hosts/v1:get',SupportsShouldProcess)] param( diff --git a/Public/falcon-complete-dashboards.ps1 b/Public/falcon-complete-dashboards.ps1 index 63b31b79..804fed05 100644 --- a/Public/falcon-complete-dashboards.ps1 +++ b/Public/falcon-complete-dashboards.ps1 @@ -17,7 +17,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Dashboards +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCompleteAllowlist #> [CmdletBinding(DefaultParameterSetName='/falcon-complete-dashboards/queries/allowlist/v1:get', SupportsShouldProcess)] 
@@ -65,7 +65,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Dashboards +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCompleteBlocklist #> [CmdletBinding(DefaultParameterSetName='/falcon-complete-dashboards/queries/blocklist/v1:get', SupportsShouldProcess)] @@ -113,7 +113,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Dashboards +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCompleteCollection #> [CmdletBinding(DefaultParameterSetName='/falcon-complete-dashboards/queries/devicecount-collections/v1:get', SupportsShouldProcess)] @@ -164,7 +164,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Dashboards +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCompleteDetection #> [CmdletBinding(DefaultParameterSetName='/falcon-complete-dashboards/queries/detects/v1:get', SupportsShouldProcess)] @@ -212,7 +212,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Dashboards +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCompleteEscalation #> [CmdletBinding(DefaultParameterSetName='/falcon-complete-dashboards/queries/escalations/v1:get', SupportsShouldProcess)] 
@@ -260,7 +260,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Dashboards +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCompleteIncident #> [CmdletBinding(DefaultParameterSetName='/falcon-complete-dashboards/queries/incidents/v1:get', SupportsShouldProcess)] @@ -308,7 +308,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Dashboards +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCompleteRemediation #> [CmdletBinding(DefaultParameterSetName='/falcon-complete-dashboards/queries/remediations/v1:get', SupportsShouldProcess)] diff --git a/Public/falconx.ps1 b/Public/falconx.ps1 index 603bba92..0289607b 100644 --- a/Public/falconx.ps1 +++ b/Public/falconx.ps1 @@ -1,9 +1,9 @@ function Get-FalconReport { <# .SYNOPSIS -Search for Falcon X Sandbox reports +Search for Falcon Intelligence Sandbox reports .DESCRIPTION -Requires 'Sandbox (Falcon X): Read'. +Requires 'Sandbox (Falcon Intelligence): Read'. .PARAMETER Id Report identifier .PARAMETER Filter @@ -23,7 +23,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconReport #> [CmdletBinding(DefaultParameterSetName='/falconx/queries/reports/v1:get',SupportsShouldProcess)] param( @@ -70,9 +70,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X function Get-FalconSubmission { <# .SYNOPSIS -Search for Falcon X Sandbox submissions +Search for Falcon Intelligence Sandbox submissions .DESCRIPTION -Requires 'Sandbox (Falcon X): Read'. +Requires 'Sandbox (Falcon Intelligence): Read'. .PARAMETER Id Submission identifier .PARAMETER Filter 
@@ -90,7 +90,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSubmission #> [CmdletBinding(DefaultParameterSetName='/falconx/queries/submissions/v1:get',SupportsShouldProcess)] param( @@ -133,11 +133,11 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X function Get-FalconSubmissionQuota { <# .SYNOPSIS -Retrieve monthly Falcon X Sandbox submission quota +Retrieve monthly Falcon Intelligence Sandbox submission quota .DESCRIPTION -Requires 'Sandbox (Falcon X): Read'. +Requires 'Sandbox (Falcon Intelligence): Read'. .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSubmissionQuota #> [CmdletBinding(DefaultParameterSetName='/falconx/queries/submissions/v1:get',SupportsShouldProcess)] param() @@ -153,12 +153,12 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X function New-FalconSubmission { <# .SYNOPSIS -Submit a sample to the Falcon X Sandbox +Submit a sample to the Falcon Intelligence Sandbox .DESCRIPTION -Requires 'Sandbox (Falcon X): Write'. - 'Sha256' values are retrieved from files that are uploaded using 'Send-FalconSample'. Files must be uploaded -before they can be provided to the Falcon X Sandbox. +before they can be provided to the Falcon Intelligence Sandbox. + +Requires 'Sandbox (Falcon Intelligence): Write'. .PARAMETER EnvironmentId Analysis environment .PARAMETER Sha256 @@ -184,7 +184,7 @@ Route traffic via TOR .PARAMETER UserTag Tags to categorize the submission .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/New-FalconSubmission #> [CmdletBinding(DefaultParameterSetName='/falconx/entities/submissions/v1:post',SupportsShouldProcess)] param( 
@@ -263,11 +263,12 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X function Receive-FalconArtifact { <# .SYNOPSIS -Download an artifact from a Falcon X Sandbox report +Download an artifact from a Falcon Intelligence Sandbox report .DESCRIPTION -Requires 'Sandbox (Falcon X): Read'. +Artifact identifier values can be retrieved for specific Falcon Intelligence Sandbox reports using +'Get-FalconReport'. -Artifact identifier values can be retrieved for specific Falcon X Sandbox reports using 'Get-FalconReport'. +Requires 'Sandbox (Falcon Intelligence): Read'. .PARAMETER Path Destination path .PARAMETER Id @@ -275,7 +276,7 @@ Artifact identifier .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconArtifact #> [CmdletBinding(DefaultParameterSetName='/falconx/entities/artifacts/v1:get',SupportsShouldProcess)] param( @@ -315,13 +316,13 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X function Remove-FalconReport { <# .SYNOPSIS -Remove a Falcon X Sandbox report +Remove a Falcon Intelligence Sandbox report .DESCRIPTION -Requires 'Sandbox (Falcon X): Write'. +Requires 'Sandbox (Falcon Intelligence): Write'. .PARAMETER Id Report identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconReport #> [CmdletBinding(DefaultParameterSetName='/falconx/entities/reports/v1:delete',SupportsShouldProcess)] param( diff --git a/Public/filevantage.ps1 b/Public/filevantage.ps1 index b155f40e..02ea95a9 100644 --- a/Public/filevantage.ps1 +++ b/Public/filevantage.ps1 
@@ -21,7 +21,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/FileVantage +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconFimChange #> [CmdletBinding(DefaultParameterSetName='/filevantage/queries/changes/v2:get',SupportsShouldProcess)] param( diff --git a/Public/fwmgr.ps1 b/Public/fwmgr.ps1 index 92ad9185..9e7d0e92 100644 --- a/Public/fwmgr.ps1 +++ b/Public/fwmgr.ps1 @@ -3,8 +3,6 @@ function Edit-FalconFirewallGroup { .SYNOPSIS Modify Falcon Firewall Management rule groups .DESCRIPTION -Requires 'Firewall Management: Write'. - All fields (plus 'rulegroup_version' and 'tracking') are required when making a rule group change. PSFalcon adds missing values automatically using data from your existing rule group. @@ -14,6 +12,8 @@ missing values automatically using data from your existing rule group. When adding a rule to a rule group,the required rule fields must be included along with a 'temp_id' (in both the rule properties and in precedence order within 'rule_ids') to establish proper placement of the rule within the rule group. Simlarly, the value 'null' must be placed within 'rule_versions' in precedence order. + +Requires 'Firewall Management: Write'. .PARAMETER DiffOperation An array of hashtables containing rule or rule group changes .PARAMETER Comment @@ -25,7 +25,7 @@ Firewall rule version value(s) from the existing rule group [or 'null' for each .PARAMETER Id Rule group identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconFirewallGroup #> [CmdletBinding(DefaultParameterSetName='/fwmgr/entities/rule-groups/v1:patch',SupportsShouldProcess)] param( 
@@ -106,12 +106,12 @@ function Edit-FalconFirewallSetting { .SYNOPSIS Modify Falcon Firewall Management policy settings .DESCRIPTION -Requires 'Firewall Management: Write'. - All fields are required to modify policy settings. PSFalcon adds missing values automatically using data from your existing policy. -If adding or removing rule groups,all rule groups must be supplied in precedence order. +If adding or removing rule groups, all rule groups must be supplied in precedence order. + +Requires 'Firewall Management: Write'. .PARAMETER PlatformId Operating System platform identifier .PARAMETER Enforce @@ -129,7 +129,7 @@ Enable local logging of firewall events .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconFirewallSetting #> [CmdletBinding(DefaultParameterSetName='/fwmgr/entities/policies/v1:put',SupportsShouldProcess)] param( @@ -220,7 +220,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconFirewallEvent #> [CmdletBinding(DefaultParameterSetName='/fwmgr/queries/events/v1:get',SupportsShouldProcess)] param( @@ -285,7 +285,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconFirewallField #> [CmdletBinding(DefaultParameterSetName='/fwmgr/queries/firewall-fields/v1:get',SupportsShouldProcess)] param( 
@@ -350,7 +350,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconFirewallGroup #> [CmdletBinding(DefaultParameterSetName='/fwmgr/queries/rule-groups/v1:get',SupportsShouldProcess)] param( @@ -414,7 +414,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconFirewallPlatform #> [CmdletBinding(DefaultParameterSetName='/fwmgr/queries/platforms/v1:get',SupportsShouldProcess)] param( @@ -478,7 +478,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconFirewallRule #> [CmdletBinding(DefaultParameterSetName='/fwmgr/queries/rules/v1:get',SupportsShouldProcess)] param( @@ -557,7 +557,7 @@ Requires 'Firewall Management: Read'. .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconFirewallSetting #> [CmdletBinding(DefaultParameterSetName='/fwmgr/entities/policies/v1:get',SupportsShouldProcess)] param( @@ -604,7 +604,7 @@ Clone default Firewall rules .PARAMETER CloneId Clone an existing rule group .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/New-FalconFirewallGroup #> [CmdletBinding(DefaultParameterSetName='/fwmgr/entities/rule-groups/v1:post',SupportsShouldProcess)] param( 
@@ -643,13 +643,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management } process { if ($PSBoundParameters.Rule) { - $Fields = @('name','description','enabled','platform_ids','direction','action','address_family', - 'local_address','remote_address','protocol','local_port','remote_port','icmp','monitor','fields') - [object[]] $PSBoundParameters.Rule = foreach ($i in $PSBoundParameters.Rule) { - # Filter 'rule' to required properties that contain a value - $Select = @($Fields).foreach{ if ($i.$_) { $_ } } - $i | Select-Object $Select - } + [object[]]$PSBoundParameters.Rule = Confirm-Property 'name','description','enabled','platform_ids', + 'direction','action','address_family','local_address','remote_address','protocol','local_port', + 'remote_port','icmp','monitor','fields' $PSBoundParameters.Rule } Invoke-Falcon @Param -Inputs $PSBoundParameters } @@ -665,7 +661,7 @@ Audit log comment .PARAMETER Id Rule group identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconFirewallGroup #> [CmdletBinding(DefaultParameterSetName='/fwmgr/entities/rule-groups/v1:delete',SupportsShouldProcess)] param( diff --git a/Public/identity-protection.ps1 b/Public/identity-protection.ps1 index 8826f2e9..5f620408 100644 --- a/Public/identity-protection.ps1 +++ b/Public/identity-protection.ps1 
@@ -3,85 +3,67 @@ function Invoke-FalconIdentityGraph { .SYNOPSIS Interact with Falcon Identity using GraphQL .DESCRIPTION +The 'All' parameter requires that your GraphQL statement contain an 'after' cursor variable definition and +'pageInfo { hasNextPage endCursor }'. + Requires 'Identity Protection GraphQL: Write'. -.PARAMETER Query -A complete GraphQL query statement -.PARAMETER Mutation -A complete GraphQL mutation statement +.PARAMETER String +A complete GraphQL statement +.PARAMETER Variable +A hashtable containing variables used in your GraphQL statement .PARAMETER All Repeat requests until all available results are retrieved +.LINK +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconIdentityGraph #> - [CmdletBinding(DefaultParameterSetName='Query',SupportsShouldProcess)] + [CmdletBinding(SupportsShouldProcess)] param( - [Parameter(ParameterSetName='Query',Mandatory,ValueFromPipeline,Position=1)] - [string]$Query, - [Parameter(ParameterSetName='Mutation',Mandatory,ValueFromPipeline,Position=1)] - [string]$Mutation, - [Parameter(ParameterSetName='Query')] + [Parameter(Mandatory,ValueFromPipeline,Position=1)] + [Alias('query','mutation')] + [string]$String, + [Parameter(ValueFromPipeline,Position=2)] + [Alias('variables')] + [hashtable]$Variable, [switch]$All ) begin { - function Test-Statement ($String) { - function Get-CharacterCount ($String,$Character) { - # Count the number of character occurances within a string - ($String.GetEnumerator() | Where-Object { $_ -eq $Character }).Count - } - if ($String -and $String -notmatch '^(\s+)?mutation') { - switch ($String) { - { $_ -match '\n' } { - if ($String -match $RegEx.Comment) { - # Remove comments - $String = $String -replace $RegEx.Comment,$null - } - # Convert into a single line and remove duplicate spaces - $String = $String -replace '\n',' ' -replace '\s+',' ' - } - # Enforce beginning and ending braces - { $_ -notmatch '^(\s+)?{' } { $String = "{$($String)" } - { $_ -notmatch '}(\s+)?$' } { 
$String = "$($String)}" } - { $_ -match '(^(\s+)?{|}(\s+)?$)' } { - # Verify that the number of braces match - [int]$Open = Get-CharacterCount $String '{' - [int]$Close = Get-CharacterCount $String '}' - if ($Open -ne $Close) { - if (($Close - $Open) -ge 1) { - do { - # Append opening braces - $String = ((@(1..($Close - $Open)).foreach{ '{' }) -join $null), - $String -join $null - [int]$Open = Get-CharacterCount $String '{' - } until ( ($Close - $Open) -le 0 ) - } - if (($Open - $Close) -ge 1) { - do { - # Append closing braces - $String += (@(1..($Open - $Close)).foreach{ '}' }) -join $null - [int]$Close = Get-CharacterCount $String '}' - } until ( ($Open - $Close) -le 0 ) - } + function Assert-CursorVariable ($Inputs,$EndCursor) { + # Use variable definition to ensure 'Cursor' is within 'Variable' hashtable + if ($Inputs.query -match '^(\s+)?query\s+?\(.+Cursor') { + @([regex]::Matches($Inputs.query, + '(?<=query\s+?\()(\$\w+:.[^\)]+)').Value -replace '\$',$null).foreach{ + $Array = ($_ -split ':',2).Trim() + if ($Array[1] -eq 'Cursor') { + if (!$Inputs.variables) { + $Inputs.Add('variables',@{ $Array[0] = $EndCursor }) + } elseif ($Inputs.variables.($Array[0])) { + $Inputs.variables.($Array[0]) = $EndCursor } } } } - $String + return $Inputs } function Invoke-GraphLoop ($Object,$Splat,$Inputs) { - if ($Inputs.Query -notmatch 'pageInfo(\s+)?{(\s+)?(hasNextPage(\s+)?|endCursor(\s+)?){2}(\s+)?}') { - [string]$Message = "'-All' parameter was specified but 'pageInfo' is missing from query." - Write-Warning ("[$($Splat.Command)]",$Message -join ' ') + $RegEx = @{ + # Patterns to validate statement for 'pageInfo' and 'Cursor' variable + CursorVariable = '^(\s+)?query\s+?\(.+Cursor' + PageInfo = 'pageInfo(\s+)?{(\s+)?(hasNextPage([,\s]+)?|endCursor([,\s]+)?){2}(\s+)?}' + } + [string]$Message = if ($Inputs.query -notmatch $RegEx.CursorVariable) { + "'-All' parameter was specified but 'Cursor' definition is missing from statement." 
+ } elseif ($Inputs.query -notmatch $RegEx.PageInfo) { + "'-All' parameter was specified but 'pageInfo' is missing from statement." + } + if ($Message) { + $PSCmdlet.WriteWarning(("[$($Splat.Command)]",$Message -join ' ')) } else { do { - # Ensure 'after' is present with current endCursor value - [string]$After = 'after:"{0}"' -f $Object.entities.pageInfo.endCursor - [string]$Entities = [regex]::Match($Inputs.Query,'entities(\s+)?\([\w\s:\[\],="]+[^)]').Value - [string]$Next = if ($Entities -match 'after:"[\w=]+"') { - $Entities -replace 'after:"[\w=]+"',$After - } else { - $Entities,$After -join ' ' + if ($Object.entities.pageInfo.endCursor) { + # Update 'Cursor' and repeat + $Inputs = Assert-CursorVariable $Inputs $Object.entities.pageInfo.endCursor + Write-GraphResult (Invoke-Falcon @Splat -Inputs $Inputs -OutVariable Object) } - # Update 'query' and repeat request - $Inputs['Query'] = ($Inputs.Query).Replace($Entities,$Next) - Write-GraphResult (Invoke-Falcon @Splat -Inputs $Inputs -OutVariable Object) } while ( $Object.entities.pageInfo.hasNextPage -eq $true -and $null -ne $Object.entities.pageInfo.endCursor 
@@ -99,43 +81,18 @@ Repeat requests until all available results are retrieved # Output 'nodes' if ($Object.entities.nodes) { $Object.entities.nodes } else { $Object } } - $RegEx = @{ - # RegEx patterns for query modification - AfterDef = '^(\s+)?(query)?(\s+)?\((\s+)?\$after(\s+)?:(\s+)?cursor(\s+)?\)(\s+)?{' - AfterVar = 'after(\s+)?:(\s+)?\$after' - Comment = '\#(\s+)?(\w|\W|\s).+' - } $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = '/identity-protection/combined/graphql/v1:post' - Format = @{ Body = @{ root = @('query') }} + Format = @{ Body = @{ root = @('query','variables') }} } } process { - if ($PSBoundParameters.Query) { - switch ($PSBoundParameters.Query) { - { $_ -match $RegEx.AfterDef } { - # Remove prefix 'after' variable definition and closing brace - $PSBoundParameters.Query = $PSBoundParameters.Query -replace $RegEx.AfterDef,$null - } - { $_ -match $RegEx.AfterVar } { - # Remove 'after' when using variable and add 'All' - $PSBoundParameters.Query = $PSBoundParameters.Query -replace $RegEx.AfterVar,$null - if (!$PSBoundParameters.All) { $PSBoundParameters['All'] = $true } - } - } - $PSBoundParameters.Query = Test-Statement $PSBoundParameters.Query - } elseif ($PSBoundParameters.Mutation) { - # Submit 'Mutation' as 'Query' but without formatting changes - $PSBoundParameters['Query'] = $PSBoundParameters.Mutation - [void]$PSBoundParameters.Remove('Mutation') - } if ($PSBoundParameters.All) { - # Output relevant sub-objects and repeat requests when using 'All' Write-GraphResult (Invoke-Falcon @Param -Inputs $PSBoundParameters -OutVariable Request) } else { Invoke-Falcon @Param -Inputs $PSBoundParameters } } - end { if ($PSBoundParameters.All -and $Request) { Invoke-GraphLoop $Request $Param $PSBoundParameters }} + end { if ($Request -and $PSBoundParameters.All) { Invoke-GraphLoop $Request $Param $PSBoundParameters }} } \ No newline at end of file diff --git a/Public/incidents.ps1 b/Public/incidents.ps1 index bee3b9e2..b7eda5d8 100644 
--- a/Public/incidents.ps1 +++ b/Public/incidents.ps1 @@ -21,7 +21,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Incident-and-Detection-Monitoring +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconBehavior #> [CmdletBinding(DefaultParameterSetName='/incidents/queries/behaviors/v1:get',SupportsShouldProcess)] param( @@ -88,7 +88,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Incident-and-Detection-Monitoring +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconIncident #> [CmdletBinding(DefaultParameterSetName='/incidents/queries/incidents/v1:get',SupportsShouldProcess)] param( @@ -154,7 +154,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Incident-and-Detection-Monitoring +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconScore #> [CmdletBinding(DefaultParameterSetName='/incidents/combined/crowdscores/v1:get',SupportsShouldProcess)] param( @@ -200,7 +200,7 @@ Replace existing status for related detections .PARAMETER Id Incident identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Incident-and-Detection-Monitoring +https://github.com/CrowdStrike/psfalcon/wiki/Invoke-FalconIncidentAction #> [CmdletBinding(DefaultParameterSetName='/incidents/entities/incident-actions/v1:post',SupportsShouldProcess)] param( diff --git a/Public/indicators.ps1 b/Public/indicators.ps1 index 8e138a14..45c835d4 100644 --- a/Public/indicators.ps1 +++ b/Public/indicators.ps1 
@@ -17,7 +17,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display the total result count instead of results .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconIocHost #> [CmdletBinding(DefaultParameterSetName='/indicators/queries/devices/v1:get',SupportsShouldProcess)] param( @@ -74,7 +74,7 @@ Retrieve detailed information .PARAMETER All Repeat requests until all available results are retrieved .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconIocProcess #> [CmdletBinding(DefaultParameterSetName='/indicators/queries/processes/v1:get',SupportsShouldProcess)] param( diff --git a/Public/installation-tokens.ps1 b/Public/installation-tokens.ps1 index 5f96d743..acdcf8e7 100644 --- a/Public/installation-tokens.ps1 +++ b/Public/installation-tokens.ps1 @@ -13,7 +13,7 @@ Set revocation status .PARAMETER Id Installation token identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Installation-Tokens +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconInstallToken #> [CmdletBinding(DefaultParameterSetName='/installation-tokens/entities/tokens/v1:patch',SupportsShouldProcess)] param( @@ -76,7 +76,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Installation-Tokens +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconInstallToken #> [CmdletBinding(DefaultParameterSetName='/installation-tokens/queries/tokens/v1:get',SupportsShouldProcess)] param( 
@@ -139,7 +139,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Installation-Tokens +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconInstallTokenEvent #> [CmdletBinding(DefaultParameterSetName='/installation-tokens/queries/audit-events/v1:get', SupportsShouldProcess)] @@ -184,12 +184,12 @@ function Get-FalconInstallTokenSetting { .SYNOPSIS Retrieve installation token settings .DESCRIPTION -Requires 'Installation Tokens: Read'. - Returns the maximum number of allowed installation tokens,and whether or not they are required for installation of the Falcon sensor. + +Requires 'Installation Tokens: Read'. .LINK -https://github.com/crowdstrike/psfalcon/wiki/Installation-Tokens +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconInstallTokenSetting #> [CmdletBinding(DefaultParameterSetName='/installation-tokens/entities/customer-settings/v1:get', SupportsShouldProcess)] @@ -207,7 +207,7 @@ Installation token label .PARAMETER ExpiresTimestamp Installation token expiration time (RFC3339),or 'null' .LINK -https://github.com/crowdstrike/psfalcon/wiki/Installation-Tokens +https://github.com/crowdstrike/psfalcon/wiki/New-FalconInstallToken #> [CmdletBinding(DefaultParameterSetName='/installation-tokens/entities/tokens/v1:post',SupportsShouldProcess)] param( @@ -236,7 +236,7 @@ Requires 'Installation Tokens: Write'. .PARAMETER Id Installation token identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Installation-Tokens +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconInstallToken #> [CmdletBinding(DefaultParameterSetName='/installation-tokens/entities/tokens/v1:delete',SupportsShouldProcess)] param( diff --git a/Public/intel.ps1 b/Public/intel.ps1 index afbd4dd1..e6ea5cb2 100644 --- a/Public/intel.ps1 +++ b/Public/intel.ps1 
@@ -3,7 +3,7 @@ function Get-FalconActor { .SYNOPSIS Search for threat actors .DESCRIPTION -Requires 'Actors (Falcon X): Read'. +Requires 'Actors (Falcon Intelligence): Read'. .PARAMETER Id Threat actor identifier .PARAMETER Filter @@ -25,7 +25,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Intel +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconActor #> [CmdletBinding(DefaultParameterSetName='/intel/queries/actors/v1:get',SupportsShouldProcess)] param( @@ -85,7 +85,7 @@ function Get-FalconIndicator { .SYNOPSIS Search for intelligence indicators .DESCRIPTION -Requires 'Indicators (Falcon X): Read'. +Requires 'Indicators (Falcon Intelligence): Read'. .PARAMETER Id Indicator identifier .PARAMETER Filter @@ -107,7 +107,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Intel +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIndicator #> [CmdletBinding(DefaultParameterSetName='/intel/queries/indicators/v1:get',SupportsShouldProcess)] param( @@ -170,7 +170,7 @@ function Get-FalconIntel { .SYNOPSIS Search for intelligence reports .DESCRIPTION -Requires 'Reports (Falcon X): Read'. +Requires 'Reports (Falcon Intelligence): Read'. .PARAMETER Id Report identifier .PARAMETER Filter @@ -192,7 +192,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Intel +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIntel #> [CmdletBinding(DefaultParameterSetName='/intel/queries/reports/v1:get',SupportsShouldProcess)] param( 
@@ -249,9 +249,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Intel function Get-FalconRule { <# .SYNOPSIS -Search for Falcon X rulesets +Search for Falcon Intelligence rulesets .DESCRIPTION -Requires 'Rules (Falcon X): Read'. +Requires 'Rules (Falcon Intelligence): Read'. .PARAMETER Id Ruleset identifier .PARAMETER Type @@ -281,7 +281,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Intel +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconRule #> [CmdletBinding(DefaultParameterSetName='/intel/queries/rules/v1:get',SupportsShouldProcess)] param( @@ -346,7 +346,7 @@ function Receive-FalconIntel { .SYNOPSIS Download an intelligence report .DESCRIPTION -Requires 'Reports (Falcon X): Read'. +Requires 'Reports (Falcon Intelligence): Read'. .PARAMETER Path Destination path [default: .pdf] .PARAMETER Id @@ -354,7 +354,7 @@ Report identifier .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Intel +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconIntel #> [CmdletBinding(DefaultParameterSetName='/intel/entities/report-files/v1:get',SupportsShouldProcess)] param( @@ -399,7 +399,7 @@ function Receive-FalconRule { .SYNOPSIS Download the most recent ruleset,or a specific ruleset .DESCRIPTION -Requires 'Rules (Falcon X): Read'. +Requires 'Rules (Falcon Intelligence): Read'. .PARAMETER Type Ruleset type, used to retrieve the latest ruleset .PARAMETER Path @@ -409,7 +409,7 @@ Ruleset identifier, used for a specific ruleset .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Intel +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconRule #> [CmdletBinding(DefaultParameterSetName='/intel/entities/rules-files/v1:get',SupportsShouldProcess)] param( 
diff --git a/Public/ioa.ps1 b/Public/ioa.ps1 index 1bcb1ad6..aa3f758d 100644 --- a/Public/ioa.ps1 +++ b/Public/ioa.ps1 @@ -25,7 +25,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHorizonIoaEvent #> [CmdletBinding(DefaultParameterSetName='/ioa/entities/events/v1:get',SupportsShouldProcess)] param( @@ -105,7 +105,7 @@ Azure subscription identifier .PARAMETER AzureTenantId Azure tenant identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHorizonIoaUser #> [CmdletBinding(DefaultParameterSetName='/ioa/entities/users/v1:get',SupportsShouldProcess)] param( diff --git a/Public/ioarules.ps1 b/Public/ioarules.ps1 index 94dc7992..6beb2e11 100644 --- a/Public/ioarules.ps1 +++ b/Public/ioarules.ps1 @@ -3,10 +3,10 @@ function Edit-FalconIoaGroup { .SYNOPSIS Modify a custom Indicator of Attack rule group .DESCRIPTION -Requires 'Custom IOA Rules: Write'. - All fields (plus 'rulegroup_version') are required when making a rule group change. PSFalcon adds missing values automatically using data from your existing rule group. + +Requires 'Custom IOA Rules: Write'. .PARAMETER Name Rule group name .PARAMETER Enabled @@ -18,7 +18,7 @@ Audit log comment .PARAMETER Id Rule group identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconIoaGroup #> [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rule-groups/v1:patch',SupportsShouldProcess)] param( 
@@ -68,14 +68,14 @@ function Edit-FalconIoaRule { .SYNOPSIS Modify custom Indicator of Attack rules within a rule group .DESCRIPTION -Requires 'Custom IOA Rules: Write'. - All fields are required (plus 'rulegroup_version') when making a rule group change. PSFalcon adds missing values automatically using data from your existing rule group. If an existing rule is submitted within 'rule_updates', it will be filtered to the required properties ('comment', 'description', 'disposition_id', 'enabled', 'field_values', 'instance_id', 'name', and 'pattern_severity') including those under 'field_values' ('name', 'label', 'type' and 'values'). + +Requires 'Custom IOA Rules: Write'. .PARAMETER Comment Audit log comment .PARAMETER RuleUpdate @@ -83,7 +83,7 @@ An array of rule properties .PARAMETER RulegroupId Rule group identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconIoaRule #> [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rules/v1:patch',SupportsShouldProcess)] param( @@ -156,7 +156,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaGroup #> [CmdletBinding(DefaultParameterSetName='/ioarules/queries/rule-groups/v1:get',SupportsShouldProcess)] param( @@ -230,7 +230,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaPlatform #> [CmdletBinding(DefaultParameterSetName='/ioarules/queries/platforms/v1:get',SupportsShouldProcess)] param( 
@@ -290,7 +290,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaRule #> [CmdletBinding(DefaultParameterSetName='/ioarules/queries/rules/v1:get',SupportsShouldProcess)] param( @@ -364,7 +364,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaSeverity #> [CmdletBinding(DefaultParameterSetName='/ioarules/queries/pattern-severities/v1:get',SupportsShouldProcess)] param( @@ -418,7 +418,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaType #> [CmdletBinding(DefaultParameterSetName='/ioarules/queries/rule-types/v1:get',SupportsShouldProcess)] param( @@ -468,7 +468,7 @@ Rule group description .PARAMETER Comment Audit log comment .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/New-FalconIoaGroup #> [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rule-groups/v1:post',SupportsShouldProcess)] param( @@ -501,10 +501,10 @@ function New-FalconIoaRule { .SYNOPSIS Create a custom Indicator of Attack rule within a rule group .DESCRIPTION -Requires 'Custom IOA Rules: Write'. - 'RuleTypeId' and 'DispositionId' values can be found using 'Get-FalconIoaType -Detailed' under the 'id' and 'disposition_map' properties. + +Requires 'Custom IOA Rules: Write'. .PARAMETER Name Rule name .PARAMETER PatternSeverity 
@@ -522,7 +522,7 @@ Audit log comment .PARAMETER RulegroupId Rule group identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/New-FalconIoaRule #> [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rules/v1:post',SupportsShouldProcess)] param( @@ -589,7 +589,7 @@ Audit log comment .PARAMETER Id Rule group identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconIoaGroup #> [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rule-groups/v1:delete',SupportsShouldProcess)] param( @@ -630,7 +630,7 @@ Rule group identifier .PARAMETER Id Rule identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconIoaRule #> [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rules/v1:delete',SupportsShouldProcess)] param( @@ -672,7 +672,7 @@ Requires 'Custom IOA Rules: Write'. .PARAMETER Field An array of rule properties .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Test-FalconIoaRule #> [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rules/validate/v1:post',SupportsShouldProcess)] param( diff --git a/Public/iocs.ps1 b/Public/iocs.ps1 index 3bcaa4c3..ec9e484b 100644 --- a/Public/iocs.ps1 +++ b/Public/iocs.ps1 @@ -35,7 +35,7 @@ Ignore warnings and modify all indicators .PARAMETER Id Indicator identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconIoc #> [CmdletBinding(DefaultParameterSetName='/iocs/entities/indicators/v1:patch',SupportsShouldProcess)] param( 
@@ -140,7 +140,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoc #> [CmdletBinding(DefaultParameterSetName='/iocs/queries/indicators/v1:get',SupportsShouldProcess)] param( @@ -239,7 +239,7 @@ Generate retroactive detections for hosts that have observed the indicator .PARAMETER IgnoreWarning Ignore warnings and create all indicators .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/New-FalconIoc #> [CmdletBinding(DefaultParameterSetName='/iocs/entities/indicators/v1:post',SupportsShouldProcess)] param( @@ -360,7 +360,7 @@ Audit log comment .PARAMETER Id Indicator identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconIoc #> [CmdletBinding(DefaultParameterSetName='/iocs/entities/indicators/v1:delete',SupportsShouldProcess)] param( diff --git a/Public/kubernetes-protection.ps1 b/Public/kubernetes-protection.ps1 index 6b8892fb..1963b332 100644 --- a/Public/kubernetes-protection.ps1 +++ b/Public/kubernetes-protection.ps1 @@ -9,7 +9,7 @@ AWS cloud region .PARAMETER Id AWS account identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconContainerAwsAccount #> [CmdletBinding(DefaultParameterSetName='/kubernetes-protection/entities/accounts/aws/v1:patch', SupportsShouldProcess)] 
@@ -57,7 +57,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconContainerAwsAccount #> [CmdletBinding(DefaultParameterSetName='/kubernetes-protection/entities/accounts/aws/v1:get', SupportsShouldProcess)] @@ -102,7 +102,7 @@ Requires 'Kubernetes Protection: Read'. .PARAMETER Cloud Cloud provider .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconContainerCloud #> [CmdletBinding(DefaultParameterSetName='/kubernetes-protection/entities/cloud-locations/v1:get', SupportsShouldProcess)] @@ -154,7 +154,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconContainerCluster #> [CmdletBinding(DefaultParameterSetName='/kubernetes-protection/entities/kubernetes/clusters/v1:get', SupportsShouldProcess)] @@ -209,7 +209,7 @@ Requires 'Kubernetes Protection: Write'. .PARAMETER ScanType Scan type .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconContainerScan #> [CmdletBinding(DefaultParameterSetName='/kubernetes-protection/entities/scan/trigger/v1:post', SupportsShouldProcess)] @@ -240,7 +240,7 @@ AWS cloud region .PARAMETER Id AWS account identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/New-FalconContainerAwsAccount #> [CmdletBinding(DefaultParameterSetName='/kubernetes-protection/entities/accounts/aws/v1:post', SupportsShouldProcess)] 
@@ -270,7 +270,7 @@ Regenerate the API key for Falcon Container Security Docker registry integration .DESCRIPTION Requires 'Kubernetes Protection: Write'. .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/New-FalconContainerKey #> [CmdletBinding(DefaultParameterSetName='/kubernetes-protection/entities/integration/api-key/v1:post', SupportsShouldProcess)] @@ -290,7 +290,7 @@ Cluster name .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconContainerYaml #> [CmdletBinding(DefaultParameterSetName='/kubernetes-protection/entities/integration/agent/v1:get', SupportsShouldProcess)] @@ -338,7 +338,7 @@ Requires 'Kubernetes Protection: Write'. .PARAMETER Id AWS account identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Kubernetes-Protection +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconContainerAwsAccount #> [CmdletBinding(DefaultParameterSetName='/kubernetes-protection/entities/accounts/aws/v1:delete', SupportsShouldProcess)] diff --git a/Public/malquery.ps1 b/Public/malquery.ps1 index f041e294..96461f69 100644 --- a/Public/malquery.ps1 +++ b/Public/malquery.ps1 @@ -7,7 +7,7 @@ Requires 'MalQuery: Read'. .PARAMETER Id Request identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/MalQuery +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconMalQuery #> [CmdletBinding(DefaultParameterSetName='/malquery/entities/requests/v1:get',SupportsShouldProcess)] param( @@ -33,7 +33,7 @@ Retrieve Falcon MalQuery search and download quotas .DESCRIPTION Requires 'MalQuery: Read'. .LINK -https://github.com/crowdstrike/psfalcon/wiki/MalQuery +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconMalQueryQuota #> [CmdletBinding(DefaultParameterSetName='/malquery/aggregates/quotas/v1:get',SupportsShouldProcess)] param() 
@@ -55,7 +55,7 @@ Requires 'MalQuery: Read'. .PARAMETER Id Sha256 hash value .LINK -https://github.com/crowdstrike/psfalcon/wiki/MalQuery +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconMalQuerySample #> [CmdletBinding(DefaultParameterSetName='/malquery/entities/metadata/v1:get',SupportsShouldProcess)] param( @@ -90,7 +90,7 @@ Requires 'MalQuery: Write'. .PARAMETER Id Sha256 hash value .LINK -https://github.com/crowdstrike/psfalcon/wiki/MalQuery +https://github.com/crowdstrike/psfalcon/wiki/Group-FalconMalQuerySample #> [CmdletBinding(DefaultParameterSetName='/malquery/entities/samples-multidownload/v1:post', SupportsShouldProcess)] @@ -146,7 +146,7 @@ Maximum number of results per request .PARAMETER Fuzzy Search MalQuery quickly but with more potential for false positives .LINK -https://github.com/crowdstrike/psfalcon/wiki/MalQuery +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconMalQuery #> [CmdletBinding(DefaultParameterSetName='/malquery/queries/exact-search/v1:post',SupportsShouldProcess)] param( @@ -237,7 +237,7 @@ Sha256 hash value or MalQuery sample archive identifier .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/MalQuery +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconMalQuerySample #> [CmdletBinding(DefaultParameterSetName='/malquery/entities/download-files/v1:get',SupportsShouldProcess)] param( 
@@ -288,13 +288,13 @@ function Search-FalconMalQueryHash { .SYNOPSIS Perform a simple Falcon MalQuery YARA Hunt for a Sha256 hash .DESCRIPTION -Requires 'MalQuery: Write'. +Performs a YARA Hunt for the given hash, then checks every 5 seconds--for up to 60 seconds--for a result. -Performs a YARA Hunt for the given hash, then checks every 5 seconds--for up to 30 seconds--for a result. +Requires 'MalQuery: Write'. .PARAMETER Sha256 Sha256 hash value .LINK -https://github.com/crowdstrike/psfalcon/wiki/MalQuery +https://github.com/crowdstrike/psfalcon/wiki/Search-FalconMalQueryHash #> [CmdletBinding(DefaultParameterSetName='/malquery/queries/hunt/v1:post',SupportsShouldProcess)] param( @@ -319,7 +319,7 @@ https://github.com/crowdstrike/psfalcon/wiki/MalQuery $i += 5 $Result = Get-FalconMalQuery -Id $Request.reqid } until ( - ($Result.status -ne 'inprogress') -or ($i -ge 30) + ($Result.status -ne 'inprogress') -or ($i -ge 60) ) } $Result diff --git a/Public/message-center.ps1 b/Public/message-center.ps1 index 113df954..82db4ec4 100644 --- a/Public/message-center.ps1 +++ b/Public/message-center.ps1 @@ -13,7 +13,7 @@ User identifier .PARAMETER Id Case identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Message-Center +https://github.com/crowdstrike/psfalcon/wiki/Add-FalconCompleteActivity #> [CmdletBinding(DefaultParameterSetName='/message-center/entities/case-activity/v1:post',SupportsShouldProcess)] param( @@ -59,7 +59,7 @@ Incident identifier .PARAMETER Id Case identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Message-Center +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconCompleteCase #> [CmdletBinding(DefaultParameterSetName='/message-center/entities/case/v1:patch',SupportsShouldProcess)] param( 
@@ -130,7 +130,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Message-Center +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCompleteActivity #> [CmdletBinding(DefaultParameterSetName='/message-center/queries/case-activities/v1:get',SupportsShouldProcess)] param( @@ -200,7 +200,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Message-Center +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCompleteCase #> [CmdletBinding(DefaultParameterSetName='/message-center/queries/cases/v1:get',SupportsShouldProcess)] param( @@ -264,7 +264,7 @@ Incident identifier .PARAMETER UserId User identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Message-Center +https://github.com/crowdstrike/psfalcon/wiki/New-FalconCompleteCase #> [CmdletBinding(DefaultParameterSetName='/message-center/entities/case/v1:post',SupportsShouldProcess)] param( @@ -347,7 +347,7 @@ Attachment identifier .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Message-Center +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconCompleteAttachment #> [CmdletBinding(DefaultParameterSetName='/message-center/entities/case-attachment/v1:get', SupportsShouldProcess)] @@ -397,7 +397,7 @@ User identifier .PARAMETER Id Case identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-Complete-Message-Center +https://github.com/crowdstrike/psfalcon/wiki/Send-FalconCompleteAttachment #> [CmdletBinding(DefaultParameterSetName='/message-center/entities/case-attachment/v1:post', SupportsShouldProcess)] diff --git a/Public/mobile-enrollment.ps1 b/Public/mobile-enrollment.ps1 index fa035a32..f9e46440 100644 
--- a/Public/mobile-enrollment.ps1 +++ b/Public/mobile-enrollment.ps1 @@ -11,7 +11,7 @@ Expiration time [default: 30 days] .PARAMETER Email Email address .LINK -https://github.com/crowdstrike/psfalcon/wiki/Mobile-Enrollment +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconMobileAction #> [CmdletBinding(DefaultParameterSetName='/enrollments/entities/details/v3:post',SupportsShouldProcess)] param( diff --git a/Public/mssp.ps1 b/Public/mssp.ps1 index 29dd7dbc..735616c2 100644 --- a/Public/mssp.ps1 +++ b/Public/mssp.ps1 @@ -9,7 +9,7 @@ CID group identifier .PARAMETER Cid CID .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Add-FalconCidGroupMember #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/cid-group-members/v1:post',SupportsShouldProcess)] param( @@ -55,7 +55,7 @@ User Group identifier .PARAMETER RoleId Role identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Add-FalconGroupRole #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/mssp-roles/v1:post',SupportsShouldProcess)] param( @@ -101,7 +101,7 @@ User group identifier .PARAMETER UserId User identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Add-FalconUserGroupMember #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/user-group-members/v1:post',SupportsShouldProcess)] param( @@ -145,7 +145,7 @@ CID group description .PARAMETER Id CID group identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconCidGroup #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/cid-groups/v1:patch',SupportsShouldProcess)] param( 
@@ -183,7 +183,7 @@ User group name .PARAMETER Description User group description .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconUserGroup #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/user-groups/v1:patch',SupportsShouldProcess)] param( @@ -231,7 +231,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCidGroup #> [CmdletBinding(DefaultParameterSetName='/mssp/queries/cid-groups/v1:get',SupportsShouldProcess)] param( @@ -295,7 +295,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCidGroupMember #> [CmdletBinding(DefaultParameterSetName='/mssp/queries/cid-group-members/v1:get',SupportsShouldProcess)] param( @@ -365,7 +365,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconGroupRole #> [CmdletBinding(DefaultParameterSetName='/mssp/queries/mssp-roles/v1:get',SupportsShouldProcess)] param( @@ -444,7 +444,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconMemberCid #> [CmdletBinding(DefaultParameterSetName='/mssp/queries/children/v1:get',SupportsShouldProcess)] param( 
@@ -505,7 +505,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconUserGroup #> [CmdletBinding(DefaultParameterSetName='/mssp/queries/user-groups/v1:get',SupportsShouldProcess)] param( @@ -569,7 +569,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconUserGroupMember #> [CmdletBinding(DefaultParameterSetName='/mssp/queries/user-group-members/v1:get',SupportsShouldProcess)] param( @@ -623,7 +623,7 @@ CID group name .PARAMETER Description CID group description .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/New-FalconCidGroup #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/cid-groups/v1:post',SupportsShouldProcess)] param( @@ -652,7 +652,7 @@ User group name .PARAMETER Description User group description .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/New-FalconUserGroup #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/user-groups/v1:post',SupportsShouldProcess)] param( @@ -679,7 +679,7 @@ Requires 'Flight Control: Write'. .PARAMETER Id CID group .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconCidGroup #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/cid-groups/v1:delete',SupportsShouldProcess)] param( 
@@ -716,7 +716,7 @@ CID group identifier .PARAMETER Cid CID .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconCidGroupMember #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/cid-group-members/v1:delete',SupportsShouldProcess)] param( @@ -760,7 +760,7 @@ User group identifier .PARAMETER RoleId Role identifier, or leave blank to remove user group/CID group association .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconGroupRole #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/mssp-roles/v1:delete',SupportsShouldProcess)] param( @@ -810,7 +810,7 @@ Requires 'Flight Control: Write'. .PARAMETER Id User group identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconUserGroup #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/user-groups/v1:delete',SupportsShouldProcess)] param( @@ -847,7 +847,7 @@ User group identifier .PARAMETER UserId User identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Flight-Control +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconUserGroupMember #> [CmdletBinding(DefaultParameterSetName='/mssp/entities/user-group-members/v1:delete',SupportsShouldProcess)] param( diff --git a/Public/oauth2.ps1 b/Public/oauth2.ps1 index 3c430ae9..ac5c9ac9 100644 --- a/Public/oauth2.ps1 +++ b/Public/oauth2.ps1 @@ -25,7 +25,7 @@ Member CID, used when authenticating within a multi-CID environment ('Falcon Fli .PARAMETER Collector A hashtable containing 'Path', 'Token' and 'Enabled' properties for 'Register-FalconEventCollector' .LINK -https://github.com/crowdstrike/psfalcon/wiki/Authentication +https://github.com/crowdstrike/psfalcon/wiki/Request-FalconToken #> [CmdletBinding(DefaultParameterSetName='Hostname',SupportsShouldProcess)] param( 
@@ -198,7 +198,7 @@ Revoke your active OAuth2 access token Revokes your active OAuth2 access token and clears cached credential information ('ClientId', 'ClientSecret', 'MemberCid', 'Cloud'/'Hostname') from the module. .LINK -https://github.com/crowdstrike/psfalcon/wiki/Authentication +https://github.com/crowdstrike/psfalcon/wiki/Revoke-FalconToken #> [CmdletBinding(DefaultParameterSetName='/oauth2/revoke:post',SupportsShouldProcess)] param() @@ -233,7 +233,7 @@ Display OAuth2 access token status Displays a [PSCustomObject] containing token status ('Token') along with cached 'Hostname', 'ClientId' and 'MemberCid' values. .LINK -https://github.com/crowdstrike/psfalcon/wiki/Authentication +https://github.com/crowdstrike/psfalcon/wiki/Test-FalconToken #> [CmdletBinding()] param() diff --git a/Public/overwatch-dashboards.ps1 b/Public/overwatch-dashboards.ps1 index 826a6cd1..8dbc7173 100644 --- a/Public/overwatch-dashboards.ps1 +++ b/Public/overwatch-dashboards.ps1 @@ -7,7 +7,7 @@ Requires 'OverWatch Dashboard: Read'. .PARAMETER Filter Falcon Query Language expression to limit results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-OverWatch-Dashboards +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconOverWatchEvent #> [CmdletBinding(DefaultParameterSetName='/overwatch-dashboards/aggregates/ow-events-global-counts/v1:get', SupportsShouldProcess)] @@ -35,7 +35,7 @@ Requires 'OverWatch Dashboard: Read'. .PARAMETER Filter Falcon Query Language expression to limit results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-OverWatch-Dashboards +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconOverWatchDetection #> [CmdletBinding(DefaultParameterSetName='/overwatch-dashboards/aggregates/detections-global-counts/v1:get', SupportsShouldProcess)] 
@@ -63,7 +63,7 @@ Requires 'OverWatch Dashboard: Read'. .PARAMETER Filter Falcon Query Language expression to limit results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-OverWatch-Dashboards +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconOverWatchIncident #> [CmdletBinding(DefaultParameterSetName='/overwatch-dashboards/aggregates/incidents-global-counts/v1:get', SupportsShouldProcess)] diff --git a/Public/policy-device-control.ps1 b/Public/policy-device-control.ps1 index 91b7f6fb..95f13fac 100644 --- a/Public/policy-device-control.ps1 +++ b/Public/policy-device-control.ps1 @@ -15,7 +15,7 @@ Policy description .PARAMETER Setting Policy settings .LINK -https://github.com/CrowdStrike/psfalcon/wiki/USB-Device-Control-Policy +https://github.com/CrowdStrike/psfalcon/wiki/Edit-FalconDeviceControlPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/device-control/v1:patch',SupportsShouldProcess)] param( @@ -112,7 +112,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/CrowdStrike/psfalcon/wiki/USB-Device-Control-Policy +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconDeviceControlPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/queries/device-control/v1:get',SupportsShouldProcess)] param( @@ -195,7 +195,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/CrowdStrike/psfalcon/wiki/USB-Device-Control-Policy +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconDeviceControlPolicyMember #> [CmdletBinding(DefaultParameterSetName='/policy/queries/device-control-members/v1:get',SupportsShouldProcess)] param( 
@@ -249,7 +249,7 @@ Host group identifier .PARAMETER Id Policy identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/USB-Device-Control-Policy +https://github.com/CrowdStrike/psfalcon/wiki/Invoke-FalconDeviceControlPolicyAction #> [CmdletBinding(DefaultParameterSetName='/policy/entities/device-control-actions/v1:post', SupportsShouldProcess)] @@ -309,7 +309,7 @@ Policy description .PARAMETER Settings Hashtable of policy settings .LINK -https://github.com/CrowdStrike/psfalcon/wiki/USB-Device-Control-Policy +https://github.com/CrowdStrike/psfalcon/wiki/New-FalconDeviceControlPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/device-control/v1:post',SupportsShouldProcess)] param( @@ -390,7 +390,7 @@ Requires 'Device Control Policies: Write'. .PARAMETER Id Policy identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/USB-Device-Control-Policy +https://github.com/CrowdStrike/psfalcon/wiki/Remove-FalconDeviceControlPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/device-control/v1:delete',SupportsShouldProcess)] param( @@ -421,16 +421,16 @@ function Set-FalconDeviceControlPrecedence { .SYNOPSIS Set Falcon Device Control policy precedence .DESCRIPTION -Requires 'Device Control Policies: Write'. - All policy identifiers must be supplied in order (with the exception of the 'platform_default' policy) to define policy precedence. + +Requires 'Device Control Policies: Write'. .PARAMETER PlatformName Operating system platform .PARAMETER Id Policy identifiers in desired precedence order .LINK -https://github.com/CrowdStrike/psfalcon/wiki/USB-Device-Control-Policy +https://github.com/CrowdStrike/psfalcon/wiki/Set-FalconDeviceControlPrecedence #> [CmdletBinding(DefaultParameterSetName='/policy/entities/device-control-precedence/v1:post', SupportsShouldProcess)] diff --git a/Public/policy-firewall-management.ps1 b/Public/policy-firewall-management.ps1 index 54379b13..9c1a1d31 100644 --- a/Public/policy-firewall-management.ps1 
+++ b/Public/policy-firewall-management.ps1 @@ -13,7 +13,7 @@ Policy name .PARAMETER Description Policy description .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconFirewallPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/firewall/v1:patch',SupportsShouldProcess)] param( @@ -98,7 +98,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconFirewallPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/queries/firewall/v1:get',SupportsShouldProcess)] param( @@ -185,7 +185,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconFirewallPolicyMember #> [CmdletBinding(DefaultParameterSetName='/policy/queries/firewall-members/v1:get',SupportsShouldProcess)] param( @@ -240,7 +240,7 @@ Host group identifier .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconFirewallPolicyAction #> [CmdletBinding(DefaultParameterSetName='/policy/entities/firewall-actions/v1:post',SupportsShouldProcess)] param( @@ -296,7 +296,7 @@ Operating system platform .PARAMETER Description Policy description .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/New-FalconFirewallPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/firewall/v1:post',SupportsShouldProcess)] param( 
@@ -367,7 +367,7 @@ Requires 'Firewall Management: Write'. .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconFirewallPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/firewall/v1:delete',SupportsShouldProcess)] param( @@ -398,16 +398,16 @@ function Set-FalconFirewallPrecedence { .SYNOPSIS Set Falcon Firewall Management policy precedence .DESCRIPTION -Requires 'Firewall Management: Write'. - All policy identifiers must be supplied in order (with the exception of the 'platform_default' policy) to define policy precedence. + +Requires 'Firewall Management: Write'. .PARAMETER PlatformName Operating system platform .PARAMETER Id Policy identifiers in desired precedence order .LINK -https://github.com/crowdstrike/psfalcon/wiki/Firewall-Management +https://github.com/crowdstrike/psfalcon/wiki/Set-FalconFirewallPrecedence #> [CmdletBinding(DefaultParameterSetName='/policy/entities/firewall-precedence/v1:post',SupportsShouldProcess)] param( diff --git a/Public/policy-ioa-exclusions.ps1 b/Public/policy-ioa-exclusions.ps1 index a26e61df..22cf5ce1 100644 --- a/Public/policy-ioa-exclusions.ps1 +++ b/Public/policy-ioa-exclusions.ps1 @@ -21,7 +21,7 @@ The resulting output can be passed to 'New-FalconIoaExclusion' to create an excl .PARAMETER Detection Falcon detection content, including 'behaviors' and 'device' .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/ConvertTo-FalconIoaExclusion #> [CmdletBinding()] param( @@ -72,7 +72,7 @@ Audit log comment .PARAMETER Id Exclusion identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconIoaExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/entities/ioa-exclusions/v1:patch',SupportsShouldProcess)] param( 
@@ -147,7 +147,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/queries/ioa-exclusions/v1:get',SupportsShouldProcess)] param( @@ -196,10 +196,10 @@ function New-FalconIoaExclusion { .SYNOPSIS Create an Indicator of Attack exclusion .DESCRIPTION -Requires 'IOA Exclusions: Write'. - 'ConvertTo-FalconIoaExclusion' can be used to generate the required Indicator of Attack exclusion properties using an existing detection. + +Requires 'IOA Exclusions: Write'. .PARAMETER Name Exclusion name .PARAMETER PatternId @@ -217,7 +217,7 @@ Exclusion description .PARAMETER Comment Audit log comment .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/New-FalconIoaExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/entities/ioa-exclusions/v1:post',SupportsShouldProcess)] param( @@ -288,7 +288,7 @@ Audit log comment .PARAMETER Id Exclusion identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconIoaExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/entities/ioa-exclusions/v1:delete',SupportsShouldProcess)] param( diff --git a/Public/policy-ml-exclusions.ps1 b/Public/policy-ml-exclusions.ps1 index 73a383d6..d74a5401 100644 --- a/Public/policy-ml-exclusions.ps1 +++ b/Public/policy-ml-exclusions.ps1 
@@ -17,7 +17,7 @@ The resulting output can be passed to 'New-FalconMlExclusion' to create an exclu .PARAMETER Detection Falcon detection content, including 'behaviors' and 'device' .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/ConvertTo-FalconMlExclusion #> [CmdletBinding()] param( @@ -60,7 +60,7 @@ Audit log comment .PARAMETER Id Exclusion identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconMlExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/entities/ml-exclusions/v1:patch',SupportsShouldProcess)] param( @@ -122,7 +122,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconMlExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/queries/ml-exclusions/v1:get',SupportsShouldProcess)] param( @@ -170,10 +170,10 @@ function New-FalconMlExclusion { .SYNOPSIS Create a Machine Learning exclusion .DESCRIPTION -Requires 'Machine Learning Exclusions: Write'. - 'ConvertTo-FalconMlExclusion' can be used to generate the required Machine Learning exclusion properties using an existing detection. + +Requires 'Machine Learning Exclusions: Write'. .PARAMETER Value RegEx pattern value .PARAMETER ExcludedFrom @@ -183,7 +183,7 @@ Host group identifier or 'all' to apply to all hosts .PARAMETER Comment Audit log comment .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/New-FalconMlExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/entities/ml-exclusions/v1:post',SupportsShouldProcess)] param( 
@@ -234,7 +234,7 @@ Audit log comment .PARAMETER Id Exclusion identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconMlExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/entities/ml-exclusions/v1:delete',SupportsShouldProcess)] param( diff --git a/Public/policy-prevention.ps1 b/Public/policy-prevention.ps1 index 99072a7d..54d47b23 100644 --- a/Public/policy-prevention.ps1 +++ b/Public/policy-prevention.ps1 @@ -15,7 +15,7 @@ Policy description .PARAMETER Setting Policy settings .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconPreventionPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/prevention/v1:patch',SupportsShouldProcess)] param( @@ -111,7 +111,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconPreventionPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/queries/prevention/v1:get',SupportsShouldProcess)] param( @@ -194,7 +194,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconPreventionPolicyMember #> [CmdletBinding(DefaultParameterSetName='/policy/queries/prevention-members/v1:get',SupportsShouldProcess)] param( 
@@ -248,7 +248,7 @@ Host or rule group identifier .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconPreventionPolicyAction #> [CmdletBinding(DefaultParameterSetName='/policy/entities/prevention-actions/v1:post',SupportsShouldProcess)] param( @@ -314,7 +314,7 @@ Policy description .PARAMETER Setting An array of policy settings .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/New-FalconPreventionPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/prevention/v1:post',SupportsShouldProcess)] param( @@ -396,7 +396,7 @@ Requires 'Prevention Policies: Write'. .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconPreventionPolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/prevention/v1:delete',SupportsShouldProcess)] param( @@ -427,16 +427,16 @@ function Set-FalconPreventionPrecedence { .SYNOPSIS Set Prevention policy precedence .DESCRIPTION -Requires 'Prevention Policies: Write'. - All policy identifiers must be supplied in order (with the exception of the 'platform_default' policy) to define policy precedence. + +Requires 'Prevention Policies: Write'. .PARAMETER PlatformName Operating system platform .PARAMETER Id Policy identifiers in desired precedence order .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Set-FalconPreventionPrecedence #> [CmdletBinding(DefaultParameterSetName='/policy/entities/prevention-precedence/v1:post',SupportsShouldProcess)] param( diff --git a/Public/policy-response.ps1 b/Public/policy-response.ps1 index 1948c7d9..abdf9d51 100644 --- a/Public/policy-response.ps1 +++ b/Public/policy-response.ps1 
@@ -15,7 +15,7 @@ Policy description .PARAMETER Setting Policy settings .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response-Policy +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconResponsePolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/response/v1:patch',SupportsShouldProcess)] param( @@ -110,7 +110,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response-Policy +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconResponsePolicy #> [CmdletBinding(DefaultParameterSetName='/policy/queries/response/v1:get',SupportsShouldProcess)] param( @@ -193,7 +193,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response-Policy +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconResponsePolicyMember #> [CmdletBinding(DefaultParameterSetName='/policy/queries/response-members/v1:get',SupportsShouldProcess)] param( @@ -247,7 +247,7 @@ Host group identifier .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response-Policy +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconResponsePolicyAction #> [CmdletBinding(DefaultParameterSetName='/policy/entities/response-actions/v1:post',SupportsShouldProcess)] param( @@ -305,7 +305,7 @@ Policy description .PARAMETER Settings Policy settings .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response-Policy +https://github.com/crowdstrike/psfalcon/wiki/New-FalconResponsePolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/response/v1:post',SupportsShouldProcess)] param( 
@@ -384,7 +384,7 @@ Requires 'Response Policies: Write'. .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response-Policy +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconResponsePolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/response/v1:delete',SupportsShouldProcess)] param( @@ -415,16 +415,16 @@ function Set-FalconResponsePrecedence { .SYNOPSIS Set Real-time Response policy precedence .DESCRIPTION -Requires 'Response Policies: Write'. - All policy identifiers must be supplied in order (with the exception of the 'platform_default' policy) to define policy precedence. + +Requires 'Response Policies: Write'. .PARAMETER PlatformName Operating system platform .PARAMETER Id Policy identifiers in desired precedence order .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response-Policy +https://github.com/crowdstrike/psfalcon/wiki/Set-FalconResponsePrecedence #> [CmdletBinding(DefaultParameterSetName='/policy/entities/response-precedence/v1:post',SupportsShouldProcess)] param( diff --git a/Public/policy-sensor-update.ps1 b/Public/policy-sensor-update.ps1 index ca9f7a62..c8f4fdc7 100644 --- a/Public/policy-sensor-update.ps1 +++ b/Public/policy-sensor-update.ps1 @@ -15,7 +15,7 @@ Policy description .PARAMETER Setting Policy settings .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconSensorUpdatePolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/sensor-update/v2:patch',SupportsShouldProcess)] param( 
@@ -60,13 +60,24 @@ https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy } process { if ($Array) { - @($Array).foreach{ + foreach ($i in $Array) { # Select allowed fields, when populated - $i = $_ [string[]]$Select = @('id','name','description','platform_name','settings').foreach{ + if ($_ -eq 'settings') { + # Filter 'settings' + $i.settings = $i.settings | Select-Object @($i.settings.PSObject.Properties | + Where-Object { $null -ne $_.Value -and $_.Value -ne '' }).Name + if ($i.settings.variants) { + # Filter 'variants' + $i.settings.variants = @($i.settings.variants).foreach{ + $_ | Select-Object @($_.PSObject.Properties | Where-Object { + $null -ne $_.Value -and $_.Value -ne '' }).Name + } + } + } if ($i.$_) { $_ } } - $List.Add(($i | Select-Object $Select)) + if ($Select) { $List.Add(($i | Select-Object $Select)) } } } else { Invoke-Falcon @Param -Inputs $PSBoundParameters @@ -90,7 +101,7 @@ Requires 'Sensor Update Policies: Read'. .PARAMETER Platform Operating system platform .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconBuild #> [CmdletBinding(DefaultParameterSetName='/policy/combined/sensor-update-builds/v1:get',SupportsShouldProcess)] param( @@ -128,7 +139,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconKernel #> [CmdletBinding(DefaultParameterSetName='/policy/combined/sensor-update-kernels/v1:get',SupportsShouldProcess)] param( 
@@ -199,7 +210,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSensorUpdatePolicy #> [CmdletBinding(DefaultParameterSetName='/policy/queries/sensor-update/v1:get',SupportsShouldProcess)] param( @@ -282,7 +293,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSensorUpdatePolicyMember #> [CmdletBinding(DefaultParameterSetName='/policy/queries/sensor-update-members/v1:get',SupportsShouldProcess)] param( @@ -336,7 +347,7 @@ Include additional properties .PARAMETER Id Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconUninstallToken #> [CmdletBinding(DefaultParameterSetName='/policy/combined/reveal-uninstall-token/v1:post', SupportsShouldProcess)] @@ -386,7 +397,7 @@ Host group identifier .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconSensorUpdatePolicyAction #> [CmdletBinding(DefaultParameterSetName='/policy/entities/sensor-update-actions/v1:post',SupportsShouldProcess)] param( @@ -444,7 +455,7 @@ Policy description .PARAMETER Setting Policy settings .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/crowdstrike/psfalcon/wiki/New-FalconSensorUpdatePolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/sensor-update/v2:post',SupportsShouldProcess)] param( 
@@ -491,11 +502,24 @@ https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy } process { if ($Array) { - @($Array).foreach{ + foreach ($i in $Array) { # Select allowed fields, when populated - $i = $_ - [string[]]$Select = @('name','description','platform_name','settings').foreach{ if ($i.$_) { $_ }} - $List.Add(($i | Select-Object $Select)) + [string[]]$Select = @('name','description','platform_name','settings').foreach{ + if ($_ -eq 'settings') { + # Filter 'settings' + $i.settings = $i.settings | Select-Object @($i.settings.PSObject.Properties | + Where-Object { $null -ne $_.Value -and $_.Value -ne '' }).Name + if ($i.settings.variants) { + # Filter 'variants' + $i.settings.variants = @($i.settings.variants).foreach{ + $_ | Select-Object @($_.PSObject.Properties | Where-Object { + $null -ne $_.Value -and $_.Value -ne '' }).Name + } + } + } + if ($i.$_) { $_ } + } + if ($Select) { $List.Add(($i | Select-Object $Select)) } } } else { Invoke-Falcon @Param -Inputs $PSBoundParameters @@ -519,7 +543,7 @@ Requires 'Sensor Update Policies: Write'. .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconSensorUpdatePolicy #> [CmdletBinding(DefaultParameterSetName='/policy/entities/sensor-update/v1:delete',SupportsShouldProcess)] param( 
@@ -550,16 +574,16 @@ function Set-FalconSensorUpdatePrecedence { .SYNOPSIS Set Sensor Update policy precedence .DESCRIPTION -Requires 'Sensor Update Policies: Write'. - All policy identifiers must be supplied in order (with the exception of the 'platform_default' policy) to define policy precedence. + +Requires 'Sensor Update Policies: Write'. .PARAMETER PlatformName Operating system platform .PARAMETER Id Policy identifiers in desired precedence order .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/crowdstrike/psfalcon/wiki/Set-FalconSensorUpdatePrecedence #> [CmdletBinding(DefaultParameterSetName='/policy/entities/sensor-update-precedence/v1:post', SupportsShouldProcess)] diff --git a/Public/policy-sv-exclusions.ps1 b/Public/policy-sv-exclusions.ps1 index 2782c3d3..daeefc79 100644 --- a/Public/policy-sv-exclusions.ps1 +++ b/Public/policy-sv-exclusions.ps1 @@ -13,7 +13,7 @@ Host group identifier or 'all' to apply to all hosts .PARAMETER Comment Audit log comment .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconSvExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/entities/sv-exclusions/v1:patch',SupportsShouldProcess)] param( @@ -75,7 +75,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSvExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/queries/sv-exclusions/v1:get',SupportsShouldProcess)] param( 
@@ -131,7 +131,7 @@ Audit log comment .PARAMETER GroupId Host group identifier or 'all' to apply to all hosts .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/New-FalconSvExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/entities/sv-exclusions/v1:post',SupportsShouldProcess)] param( @@ -177,7 +177,7 @@ Audit log comment .PARAMETER Id Exclusion identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconSvExclusion #> [CmdletBinding(DefaultParameterSetName='/policy/entities/sv-exclusions/v1:delete',SupportsShouldProcess)] param( diff --git a/Public/psf-config.ps1 b/Public/psf-config.ps1 index aa0749d2..076c53e0 100644 --- a/Public/psf-config.ps1 +++ b/Public/psf-config.ps1 @@ -11,7 +11,7 @@ Selected items to export from your current CID, or leave unspecified to export a .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Configuration-Import-Export +https://github.com/crowdstrike/psfalcon/wiki/Export-FalconConfig #> [CmdletBinding(DefaultParameterSetName='ExportItem',SupportsShouldProcess)] param( @@ -121,7 +121,7 @@ Modify specified 'platform_default' policies to match import .PARAMETER ModifyExisting Modify existing specified items to match import .LINK -https://github.com/crowdstrike/psfalcon/wiki/Configuration-Import-Export +https://github.com/crowdstrike/psfalcon/wiki/Import-FalconConfig #> [CmdletBinding(SupportsShouldProcess)] param( 
@@ -334,9 +334,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Configuration-Import-Export function Invoke-PolicyAction ([string]$Type,[string]$Action,[string]$PolicyId,[string]$GroupId) { try { # Perform an action on a policy and output result - if ($GroupId) { + if ($GroupId -and $PolicyId) { $PolicyId | & "Invoke-Falcon$($Type)Action" -Name $Action -GroupId $GroupId - } else { + } elseif ($PolicyId) { $PolicyId | & "Invoke-Falcon$($Type)Action" -Name $Action } } catch { @@ -783,10 +783,11 @@ https://github.com/crowdstrike/psfalcon/wiki/Configuration-Import-Export if ($Config.Result | Where-Object { $_.action -ne 'Ignored' }) { # Output warning for existing policy precedence foreach ($Item in ($Config.Result | Where-Object { $_.action -eq 'Created' -and $_.type -match - 'Policy$' } | Select-Object type,platform)) { + 'Policy$' } | Select-Object type,platform -Unique)) { if ($Config.($Item.type).Cid | Where-Object { $_.platform_name -eq $Item.platform -and $_.name -ne 'platform_default' }) { - Write-Warning "Existing $($Item.platform) $($Item.type) items were found. Verify precedence!" + $PSCmdlet.WriteWarning("[Import-FalconConfig] Existing $($Item.platform) $( + $Item.type) items were found. Verify precedence!") } } } diff --git a/Public/psf-devices.ps1 b/Public/psf-devices.ps1 index 1893057f..07468077 100644 --- a/Public/psf-devices.ps1 +++ b/Public/psf-devices.ps1 @@ -3,8 +3,6 @@ function Find-FalconDuplicate { .SYNOPSIS Find potential duplicate hosts within your Falcon environment .DESCRIPTION -Requires 'Hosts: Read'. - If the 'Hosts' parameter is not provided, all Host information will be retrieved. An error will be displayed if required fields 'cid', 'device_id', 'first_seen', 'last_seen', 'hostname' and any defined 'filter' value are not present. 
@@ -15,12 +13,14 @@ within the output. Hosts can be hidden from the Falcon console by piping the results of 'Find-FalconDuplicate' to 'Invoke-FalconHostAction' using the action 'hide_host'. + +Requires 'Hosts: Read'. .PARAMETER Hosts Array of detailed Host results .PARAMETER Filter Property to determine duplicate Host in addition to 'Hostname' .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Find-FalconDuplicate #> [CmdletBinding(SupportsShouldProcess)] param( @@ -67,7 +67,7 @@ https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management GroupBy = $Criteria } $Output = Group-Selection @Param - if ($Output) { $Output } else { Write-Warning "No duplicates found." } + if ($Output) { $Output } else { $PSCmdlet.WriteWarning("[Find-FalconDuplicate] No duplicates found.") } } } } @@ -76,15 +76,15 @@ function Find-FalconHostname { .SYNOPSIS Find hosts using a list of hostnames .DESCRIPTION -Requires 'Hosts: Read'. +Performs an exact match hostname search in groups of 20. -Performs an exact-match hostname search in groups of 20. +Requires 'Hosts: Read'. .PARAMETER Array An array containing one or more hostnames .PARAMETER Path Path to a plaintext file containing hostnames .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Find-FalconHostname #> [CmdletBinding(DefaultParameterSetName='Path',SupportsShouldProcess)] param( @@ -122,7 +122,7 @@ https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management [object[]]$HostList = Get-FalconHost -Filter $Filter -Detailed | Select-Object hostname,device_id @($TempList).foreach{ if ($HostList.hostname -notcontains $_) { - Write-Warning "[Find-FalconHostname] No match found for '$_'." + $PSCmdlet.WriteWarning("[Find-FalconHostname] No match found for '$_'.") } } if ($HostList) { $HostList } 
diff --git a/Public/psf-humio.ps1 b/Public/psf-humio.ps1 index 86cb878e..40231f60 100644 --- a/Public/psf-humio.ps1 +++ b/Public/psf-humio.ps1 @@ -13,7 +13,7 @@ Humio ingestion token .PARAMETER Enable Define events to send to the collector .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Third-party-ingestion +https://github.com/CrowdStrike/psfalcon/wiki/Register-FalconEventCollector #> [CmdletBinding()] [OutputType([void])] @@ -51,7 +51,7 @@ output provided by a PSFalcon command. .PARAMETER Object PSFalcon command output .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Third-party-ingestion +https://github.com/CrowdStrike/psfalcon/wiki/Send-FalconEvent #> [CmdletBinding()] [OutputType([void])] @@ -104,7 +104,7 @@ function Show-FalconEventCollector { .SYNOPSIS Display existing Humio ingestion endpoint and token .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Third-party-ingestion +https://github.com/CrowdStrike/psfalcon/wiki/Show-FalconEventCollector #> [CmdletBinding()] [OutputType([PSCustomObject])] @@ -118,7 +118,7 @@ function Unregister-FalconEventCollector { .SYNOPSIS Remove an existing Humio ingestion endpoint and token .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Third-party-ingestion +https://github.com/CrowdStrike/psfalcon/wiki/Unregister-FalconEventCollector #> [CmdletBinding()] param() diff --git a/Public/psf-output.ps1 b/Public/psf-output.ps1 index ec37b6f7..59e187f8 100644 --- a/Public/psf-output.ps1 +++ b/Public/psf-output.ps1 @@ -25,7 +25,7 @@ Response object to format .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Importing,-Syntax-and-Output +https://github.com/CrowdStrike/psfalcon/wiki/Export-FalconReport #> [CmdletBinding()] param( 
@@ -148,7 +148,7 @@ Message label .PARAMETER Object Response object to format .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Third-party-ingestion +https://github.com/CrowdStrike/psfalcon/wiki/Send-FalconWebhook #> [CmdletBinding()] param( @@ -226,7 +226,7 @@ https://github.com/CrowdStrike/psfalcon/wiki/Third-party-ingestion function Show-FalconMap { <# .SYNOPSIS -Display indicators on the Falcon X Indicator Map +Display indicators on the Falcon Intelligence Indicator Map .DESCRIPTION Your default web browser will be used to view the Indicator Map. @@ -234,7 +234,7 @@ Show-FalconMap will accept domains, SHA256 hashes, IP addresses and URLs. Invali .PARAMETER Indicator Indicator to display on the Indicator map .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Third-party-ingestion +https://github.com/CrowdStrike/psfalcon/wiki/Show-FalconMap #> [CmdletBinding(SupportsShouldProcess)] param( @@ -288,6 +288,8 @@ Display information about your PSFalcon module .DESCRIPTION Outputs an object containing module, user and system version information that is helpful for diagnosing problems with the PSFalcon module. +.LINK +https://github.com/CrowdStrike/psfalcon/wiki/Show-FalconModule #> [CmdletBinding()] param() diff --git a/Public/psf-policies.ps1 b/Public/psf-policies.ps1 index 10145293..89e91c74 100644 --- a/Public/psf-policies.ps1 +++ b/Public/psf-policies.ps1 
@@ -1,12 +1,115 @@ +function Compare-FalconPreventionPhase { +<# +.SYNOPSIS +Compare a Falcon Prevention Policy against recommended implementation phases +.DESCRIPTION +Requires 'Prevention Policies: Read'. +.PARAMETER Id +Policy identifier +.LINK +https://github.com/CrowdStrike/psfalcon/wiki/Compare-FalconPreventionPhase +#> + [CmdletBinding(SupportsShouldProcess)] + [OutputType([PSCustomObject[]])] + param( + [Parameter(Mandatory,ValueFromPipeline,ValueFromPipelineByPropertyName,Position=1)] + [ValidatePattern('^[a-fA-F0-9]{32}$')] + [string]$Id + ) + begin { + # Define allowed OSes and path to json settings + [string[]]$AllowedOS = 'Linux','Mac','Windows' + $List = [System.Collections.Generic.List[string]]@() + } + process { if ($Id) { @($Id).foreach{ $List.Add($_) }}} + end { + if ($List) { + # Collect detailed policy information for unique identifiers + $PolicyList = Get-FalconPreventionPolicy -Id ($List | Select-Object -Unique) -EA 0 | Select-Object id, + name,platform_name,prevention_settings | Sort-Object platform_name + $List | Where-Object { $PolicyList.id -notcontains $_ } | ForEach-Object { + # Generate error when 'id' values were not found + Write-Error "'$_' was not found." + } + if ($PolicyList) { + [string]$Ineligible = '[Compare-FalconPreventionPolicy] {0} is ineligible. [{1}]' + if ($PolicyList.platform_name) { + # Import json settings for allowed 'platform_name' values + $Compare = @{} + [string]$JsonPath = Join-Path (Show-FalconModule).ModulePath Policy + $PolicyList.platform_name | Select-Object -Unique | Where-Object { $AllowedOS -contains $_ } | + ForEach-Object { + [string]$FilePath = (Join-Path $JsonPath "$($_.ToLower()).json") + if (Test-Path $FilePath) { + $JsonValue = try { Get-Content $FilePath | ConvertFrom-Json } catch {} + if ($JsonValue) { + $Compare[$_] = $JsonValue + } else { + Write-Error "Failed to import $_ comparison template." + } + } else { + Write-Error "Failed to locate $_ comparison template. 
[$FilePath]" + } + } + } + if (!$Compare.Values) { + throw "No comparison templates were successfully imported." + } else { + foreach ($Policy in $PolicyList) { + if ($AllowedOS -notcontains $Policy.platform_name) { + $PSCmdlet.WriteWarning(($Ineligible -f $Policy.id,$Policy.platform_name)) + } elseif (!$Policy.prevention_settings) { + $PSCmdlet.WriteWarning(($Ineligible -f $Policy.id,'Missing prevention_settings')) + } elseif ($Compare.($Policy.platform_name)) { + # Filter to settings for eligible policies + [PSCustomObject[]]$Ref = $Compare.($Policy.platform_name) + foreach ($Category in $Policy.prevention_settings) { + foreach ($Setting in $Category.settings) { + $Output = [PSCustomObject]@{ + policy_id = $Policy.id + policy_name = $Policy.name + platform_name = $Policy.platform_name + category = $Category.name + id = $Setting.id + name = $Setting.name + value = if ($Setting.type -eq 'toggle') { + $Setting.value.enabled + } elseif ($Setting.type -eq 'mlslider') { + $Setting.value.PSObject.Properties.Value -join ':' + } + } + foreach ($Phase in $Compare.($Policy.platform_name).phase) { + # Include id and value for each phase + ($Ref | Where-Object { $_.phase -eq $Phase }).prevention_settings | + Where-Object { $_.id -eq $Setting.id } | ForEach-Object { + $Value = if ($_.type -eq 'toggle') { + $_.value.enabled + } elseif ($_.type -eq 'mlslider') { + $_.value.PSObject.Properties.Value -join ':' + } + Set-Property $Output ('phase',$Phase -join '_') $Value + } + } + Set-Property $Output 'description' $Setting.description + $Output + } + } + } + } + } + } + } + } +} function Copy-FalconDeviceControlPolicy { <# .SYNOPSIS Duplicate a Falcon Device Control policy .DESCRIPTION -Requires 'Device Control Policies: Read', 'Device Control Policies: Write'. - The specified Falcon Device Control policy will be duplicated without assigned Host Groups. If a policy description is not supplied, the description from the existing policy will be used. 
+ +Requires 'Device Control Policies: Read', 'Device Control Policies: Write'. .PARAMETER Name Policy name .PARAMETER Description @@ -14,7 +117,7 @@ Policy description .PARAMETER Id Policy identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/USB-Device-Control-Policy +https://github.com/CrowdStrike/psfalcon/wiki/Copy-FalconDeviceControlPolicy #> [CmdletBinding(SupportsShouldProcess)] param( @@ -56,10 +159,10 @@ function Copy-FalconFirewallPolicy { .SYNOPSIS Duplicate a Falcon Firewall Management policy .DESCRIPTION -Requires 'Firewall Management: Read', 'Firewall Management: Write'. - The specified Falcon Firewall Management policy will be duplicated without assigned Host Groups. If a policy description is not supplied, the description from the existing policy will be used. + +Requires 'Firewall Management: Read', 'Firewall Management: Write'. .PARAMETER Name Policy name .PARAMETER Description @@ -67,7 +170,7 @@ Policy description .PARAMETER Id Policy identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Firewall-Management +https://github.com/CrowdStrike/psfalcon/wiki/Copy-FalconFirewallPolicy #> [CmdletBinding(SupportsShouldProcess)] param( @@ -116,10 +219,10 @@ function Copy-FalconPreventionPolicy { .SYNOPSIS Duplicate a Prevention policy .DESCRIPTION -Requires 'Prevention Policies: Read', 'Prevention Policies: Write'. - The specified Prevention policy will be duplicated without assigned Host Groups. If a policy description is not supplied, the description from the existing policy will be used. + +Requires 'Prevention Policies: Read', 'Prevention Policies: Write'. .PARAMETER Name Policy name .PARAMETER Description @@ -127,7 +230,7 @@ Policy description .PARAMETER Id Policy identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Detection-and-Prevention-Policies +https://github.com/CrowdStrike/psfalcon/wiki/Copy-FalconPreventionPolicy #> [CmdletBinding(SupportsShouldProcess)] param( 
@@ -169,10 +272,10 @@ function Copy-FalconResponsePolicy { .SYNOPSIS Duplicate a Real-time Response policy .DESCRIPTION -Requires 'Response Policies: Read', 'Response Policies: Write'. - The specified Real-time Response policy will be duplicated without assigned Host Groups. If a policy description is not supplied, the description from the existing policy will be used. + +Requires 'Response Policies: Read', 'Response Policies: Write'. .PARAMETER Name Policy name .PARAMETER Description @@ -180,7 +283,7 @@ Policy description .PARAMETER Id Policy identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Real-time-Response-Policy +https://github.com/CrowdStrike/psfalcon/wiki/Copy-FalconResponsePolicy #> [CmdletBinding(SupportsShouldProcess)] param( @@ -222,10 +325,10 @@ function Copy-FalconSensorUpdatePolicy { .SYNOPSIS Duplicate a Sensor Update policy .DESCRIPTION -Requires 'Sensor Update Policies: Read', 'Sensor Update Policies: Write'. - The specified Sensor Update policy will be duplicated without assigned Host Groups. If a policy description is not supplied, the description from the existing policy will be used. + +Requires 'Sensor Update Policies: Read', 'Sensor Update Policies: Write'. .PARAMETER Name Policy name .PARAMETER Description @@ -233,7 +336,7 @@ Policy description .PARAMETER Id Policy identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Sensor-Update-Policy +https://github.com/CrowdStrike/psfalcon/wiki/Copy-FalconSensorUpdatePolicy #> [CmdletBinding(SupportsShouldProcess)] param( diff --git a/Public/psf-real-time-response.ps1 b/Public/psf-real-time-response.ps1 index 706cc27f..ccd471d6 100644 --- a/Public/psf-real-time-response.ps1 +++ b/Public/psf-real-time-response.ps1 
@@ -3,19 +3,19 @@ function Get-FalconQueue { .SYNOPSIS Create a report of Real-time Response commands in the offline queue .DESCRIPTION -Requires 'Real Time Response: Read', 'Real Time Response: Write' and 'Real Time Response (Admin): Write'. - Creates a CSV of pending Real-time Response commands and their related session information. By default, sessions within the offline queue expire 7 days after creation. Sessions can have additional commands appended to them to extend their expiration time. Additional host information can be appended to the results using the 'Include' parameter. + +Requires 'Real Time Response: Read', 'Real Time Response: Write' and 'Real Time Response (Admin): Write'. .PARAMETER Days Days worth of results to retrieve [default: 7] .PARAMETER Include Include additional properties .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconQueue #> [CmdletBinding()] param( @@ -115,8 +115,6 @@ function Invoke-FalconDeploy { .SYNOPSIS Deploy and run an executable using Real-time Response .DESCRIPTION -Requires 'Hosts: Read', 'Real Time Response (Admin): Write'. - 'Put' files will be checked for identical file names, and if any are found, the Sha256 hash values will be compared between your local and cloud files. If they are different, a prompt will appear asking which file to use. @@ -127,6 +125,8 @@ archive will be 'put' into that folder. If the target is an archive, it will be 'Run' file will be executed. If the target is a file, it will be 'run'. Details of each step will be output to a CSV file in your current directory. + +Requires 'Hosts: Read', 'Real Time Response (Admin): Write'. .PARAMETER File Name of a 'CloudFile' or path to a local executable to upload .PARAMETER Archive 
@@ -146,7 +146,7 @@ Host group identifier .PARAMETER HostId Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconDeploy #> [CmdletBinding(DefaultParameterSetName='HostId_File',SupportsShouldProcess)] param( @@ -517,7 +517,7 @@ Host group identifier .PARAMETER HostId Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconRtr #> [CmdletBinding(DefaultParameterSetName='HostId',SupportsShouldProcess)] param( diff --git a/Public/psf-sensors.ps1 b/Public/psf-sensors.ps1 index cd0d076a..66b01f29 100644 --- a/Public/psf-sensors.ps1 +++ b/Public/psf-sensors.ps1 @@ -3,9 +3,9 @@ function Add-FalconSensorTag { .SYNOPSIS Use Real-time Response to add FalconSensorTags to hosts .DESCRIPTION -Requires 'Real Time Response (Admin): Write'. - Provided FalconSensorTag values will be appended to any existing tags. + +Requires 'Hosts: Read', 'Sensor Update Policies: Write' and 'Real Time Response (Admin): Write'. .PARAMETER Tag FalconSensorTag value ['FalconSensorTags/'] .PARAMETER QueueOffline @@ -13,7 +13,7 @@ Add command request to the offline queue .PARAMETER Id Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Add-FalconSensorTag #> [CmdletBinding(SupportsShouldProcess)] param( 
@@ -182,13 +182,13 @@ function Get-FalconSensorTag { .SYNOPSIS Use Real-time Response to display FalconSensorTags assigned to hosts .DESCRIPTION -Requires 'Real Time Response (Admin): Write'. +Requires 'Hosts: Read' and 'Real Time Response (Admin): Write'. .PARAMETER QueueOffline Add command request to the offline queue .PARAMETER Id Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSensorTag #> [CmdletBinding(SupportsShouldProcess)] param( @@ -291,9 +291,9 @@ function Remove-FalconSensorTag { .SYNOPSIS Use Real-time Response to remove FalconSensorTags from hosts .DESCRIPTION -Requires 'Real Time Response (Admin): Write'. - Provided FalconSensorTag values will be removed from existing tags and others will be left unmodified. + +Requires 'Hosts: Read', 'Sensor Update Policies: Write' and 'Real Time Response (Admin): Write'. .PARAMETER Tag FalconSensorTag value ['FalconSensorTags/'] .PARAMETER Id @@ -301,7 +301,7 @@ Host identifier .PARAMETER QueueOffline Add command request to the offline queue .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconSensorTag #> [CmdletBinding(SupportsShouldProcess)] param( 
@@ -475,12 +475,12 @@ function Uninstall-FalconSensor { .SYNOPSIS Use Real-time Response to uninstall the Falcon sensor from a host .DESCRIPTION -Requires 'Hosts: Read', 'Sensor Update Policies: Write', 'Real Time Response: Read', and 'Real Time Response -(Admin): Write'. - This command uses information from the registry and/or relevant Falcon command line utilities of the target host to uninstall the Falcon sensor. If the sensor is damaged or malfunctioning, Real-time Response may not work properly and/or the uninstallation may not succeed. + +Requires 'Hosts: Read', 'Sensor Update Policies: Write', 'Real Time Response: Read', and 'Real Time Response +(Admin): Write'. .PARAMETER QueueOffline Add command request to the offline queue .PARAMETER Include @@ -488,7 +488,7 @@ Include additional properties .PARAMETER Id Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Host-and-Host-Group-Management +https://github.com/crowdstrike/psfalcon/wiki/Uninstall-FalconSensor #> [CmdletBinding(SupportsShouldProcess)] param( diff --git a/Public/quarantine.ps1 b/Public/quarantine.ps1 index 00d99611..b07b9123 100644 --- a/Public/quarantine.ps1 +++ b/Public/quarantine.ps1 @@ -23,7 +23,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Quarantine +https://github.com/CrowdStrike/psfalcon/wiki/Get-FalconQuarantine #> [CmdletBinding(DefaultParameterSetName='/quarantine/queries/quarantined-files/v1:get',SupportsShouldProcess)] param( @@ -89,7 +89,7 @@ Audit log comment .PARAMETER Id Quarantined file identifier .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Quarantine +https://github.com/CrowdStrike/psfalcon/wiki/Invoke-FalconQuarantineAction #> [CmdletBinding(DefaultParameterSetName='/quarantine/entities/quarantined-files/v1:patch', SupportsShouldProcess)] 
@@ -137,7 +137,7 @@ Requires 'Quarantined Files: Write'. .PARAMETER Filter Falcon Query Language statement .LINK -https://github.com/CrowdStrike/psfalcon/wiki/Quarantine +https://github.com/CrowdStrike/psfalcon/wiki/Test-FalconQuarantineAction #> [CmdletBinding(DefaultParameterSetName='/quarantine/aggregates/action-update-count/v1:get', SupportsShouldProcess)] diff --git a/Public/real-time-response.ps1 b/Public/real-time-response.ps1 index 76f1a437..f9838672 100644 --- a/Public/real-time-response.ps1 +++ b/Public/real-time-response.ps1 @@ -3,19 +3,19 @@ function Confirm-FalconAdminCommand { .SYNOPSIS Verify the status of a Real-time Response 'admin' command issued to a single-host session .DESCRIPTION -Requires 'Real Time Response (Admin): Write'. - Confirms the status of an executed 'admin' command. The single-host Real-time Response APIs require that commands be confirmed to 'acknowledge' that they have been processed as part of your API-based workflow. Failing to confirm after commands can lead to unexpected results. A 'sequence_id' value of 0 is added if the parameter is not specified. + +Requires 'Real Time Response (Admin): Write'. .PARAMETER SequenceId Sequence identifier .PARAMETER CloudRequestId Command request identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Confirm-FalconAdminCommand #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/admin-command/v1:get', SupportsShouldProcess)] 
@@ -44,19 +44,19 @@ function Confirm-FalconCommand { .SYNOPSIS Verify the status of a Real-time Response 'read-only' command issued to a single-host session .DESCRIPTION -Requires 'Real Time Response: Read'. - Confirms the status of an executed 'read-only' command. The single-host Real-time Response APIs require that commands be confirmed to 'acknowledge' that they have been processed as part of your API-based workflow. Failing to confirm after commands can lead to unexpected results. A 'sequence_id' value of 0 is added if the parameter is not specified. + +Requires 'Real Time Response: Read'. .PARAMETER SequenceId Sequence identifier .PARAMETER CloudRequestId Command request identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Confirm-FalconCommand #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/command/v1:get',SupportsShouldProcess)] param( @@ -92,7 +92,7 @@ Length of time to wait for a result, in seconds .PARAMETER BatchGetCmdReqId Batch 'get' command identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Confirm-FalconGetFile #> [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-get-command/v1:get', SupportsShouldProcess)] 
@@ -143,19 +143,19 @@ function Confirm-FalconResponderCommand { .SYNOPSIS Verify the status of a Real-time Response 'active-responder' command issued to a single-host session .DESCRIPTION -Requires 'Real Time Response: Write'. - Confirms the status of an executed 'active-responder' command. The single-host Real-time Response APIs require that commands be confirmed to 'acknowledge' that they have been processed as part of your API-based workflow. Failing to confirm after commands can lead to unexpected results. A 'sequence_id' value of 0 is added if the parameter is not specified. + +Requires 'Real Time Response: Write'. .PARAMETER SequenceId Sequence identifier .PARAMETER CloudRequestId Command request identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Confirm-FalconResponderCommand #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/active-responder-command/v1:get', SupportsShouldProcess)] @@ -200,7 +200,7 @@ Path to script file .PARAMETER Id Script identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconScript #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/scripts/v1:patch',SupportsShouldProcess)] param( @@ -269,7 +269,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconPutFile #> [CmdletBinding(DefaultParameterSetName='/real-time-response/queries/put-files/v1:get',SupportsShouldProcess)] param( 
@@ -336,7 +336,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconScript #> [CmdletBinding(DefaultParameterSetName='/real-time-response/queries/scripts/v1:get',SupportsShouldProcess)] param( @@ -385,12 +385,12 @@ function Get-FalconSession { .SYNOPSIS Search for Real-time Response sessions .DESCRIPTION -Requires 'Real Time Response: Read'. - Real-time Response sessions are segmented by permission,meaning that only sessions that were created using your OAuth2 API Client will be visible. 'Get-FalconQueue' can be used to find and export information about sessions in the 'offline queue'. + +Requires 'Real Time Response: Read'. .PARAMETER Id Session identifier .PARAMETER Filter @@ -410,7 +410,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSession #> [CmdletBinding(DefaultParameterSetName='/real-time-response/queries/sessions/v1:get',SupportsShouldProcess)] param( @@ -463,13 +463,13 @@ function Invoke-FalconAdminCommand { .SYNOPSIS Issue a Real-time Response admin command to an existing single-host or batch session .DESCRIPTION -Requires 'Real Time Response (Admin): Write'. - Sessions can be started using 'Start-FalconSession'. A successfully created session will contain a 'session_id' or 'batch_id' value which can be used with the '-SessionId' or '-BatchId' parameters. The 'Wait' parameter will use 'Confirm-FalconAdminCommand' or 'Confirm-FalconGetFile' to check for command results every 5 seconds for a total of 60 seconds. + +Requires 'Real Time Response (Admin): Write'. .PARAMETER Command Real-time Response command .PARAMETER Argument 
@@ -485,7 +485,7 @@ Batch session identifier .PARAMETER Wait Use 'Confirm-FalconAdminCommand' or 'Confirm-FalconGetFile' to retrieve command results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconAdminCommand #> [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-admin-command/v1:post', SupportsShouldProcess)] @@ -591,13 +591,13 @@ function Invoke-FalconBatchGet { .SYNOPSIS Issue a Real-time Response batch 'get' command to an existing batch session .DESCRIPTION -Requires 'Real Time Response: Write'. - When a 'get' command has been issued, the 'batch_get_cmd_req_id' property will be returned. That value is used to verify the completion of the file transfer using 'Confirm-FalconBatchGet'. The 'Wait' parameter will use 'Confirm-FalconGetFile' to check for command results every 5 seconds for a total of 60 seconds. + +Requires 'Real Time Response: Write'. .PARAMETER FilePath Path to file on target host .PARAMETER Timeout @@ -609,7 +609,7 @@ Batch session identifier .PARAMETER Wait Use 'Confirm-FalconGetFile' to attempt to retrieve results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconBatchGet #> [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-get-command/v1:post', SupportsShouldProcess)] 
@@ -660,12 +660,12 @@ https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response } @($Request.hosts).Where({ $_.errors }).foreach{ # Write warning for hosts in batch that produced errors - Write-Warning "[Invoke-FalconBatchGet] $(@($_.errors.code, - $_.errors.message) -join ': ') [aid: $($_.aid)]" + $PSCmdlet.WriteWarning("[Invoke-FalconBatchGet] $(@($_.errors.code, + $_.errors.message) -join ': ') [aid: $($_.aid)]") } @($Request.hosts).Where({ $_.stderr }).foreach{ # Write warning for hosts in batch that produced 'stderr' - Write-Warning "[Invoke-FalconBatchGet] $($_.stderr) [aid: $($_.aid)]" + $PSCmdlet.WriteWarning("[Invoke-FalconBatchGet] $($_.stderr) [aid: $($_.aid)]") } if ($Wait) { for ($i = 0; $i -lt 60 -and !$Result.sha256; $i += 5) { @@ -688,13 +688,13 @@ function Invoke-FalconCommand { .SYNOPSIS Issue a Real-time Response read-only command to an existing single-host or batch session .DESCRIPTION -Requires 'Real Time Response: Read'. - Sessions can be started using 'Start-FalconSession'. A successfully created session will contain a 'session_id' or 'batch_id' value which can be used with the '-SessionId' or '-BatchId' parameters. The 'Wait' parameter will use 'Confirm-FalconCommand' to check for command results every 5 seconds for a total of 60 seconds. + +Requires 'Real Time Response: Read'. .PARAMETER Command Real-time Response command .PARAMETER Argument @@ -710,7 +710,7 @@ Batch session identifier .PARAMETER Wait Use 'Confirm-FalconCommand' to retrieve single-host command results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconCommand #> [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-command/v1:post', SupportsShouldProcess)] 
@@ -798,13 +798,13 @@ function Invoke-FalconResponderCommand { .SYNOPSIS Issue a Real-time Response active-responder command to an existing single-host or batch session .DESCRIPTION -Requires 'Real Time Response: Write'. - Sessions can be started using 'Start-FalconSession'. A successfully created session will contain a 'session_id' or 'batch_id' value which can be used with the '-SessionId' or '-BatchId' parameters. The 'Wait' parameter will use 'Confirm-FalconResponderCommand' to check for command results every 5 seconds for a total of 60 seconds. + +Requires 'Real Time Response: Write'. .PARAMETER Command Real-time Response command .PARAMETER Argument @@ -820,7 +820,7 @@ Batch session identifier .PARAMETER Wait Use 'Confirm-FalconResponderCommand' to retrieve single-host command results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconResponderCommand #> [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-active-responder-command/v1:post', SupportsShouldProcess)] @@ -931,11 +931,11 @@ function Receive-FalconGetFile { .SYNOPSIS Download a password protected .7z archive containing a Real-time Response 'get' file [password: 'infected'] .DESCRIPTION -Requires 'Real Time Response: Write'. - 'Sha256' and 'SessionId' values can be found using 'Confirm-FalconGetFile'. 'Invoke-FalconResponderCommand' or 'Invoke-FalconAdminCommand' can be used to issue a 'get' command to a single-host, and 'Invoke-FalconBatchGet' can be used for multiple hosts within existing Real-time Response session. + +Requires 'Real Time Response: Write'. .PARAMETER Path Destination path .PARAMETER Sha256 
@@ -945,7 +945,7 @@ Session identifier .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconGetFile #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/extracted-file-contents/v1:get', SupportsShouldProcess)] @@ -1004,7 +1004,7 @@ Session identifier .PARAMETER CloudRequestId Cloud request identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconCommand #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/queued-sessions/command/v1:delete', SupportsShouldProcess)] @@ -1034,17 +1034,17 @@ function Remove-FalconGetFile { .SYNOPSIS Remove Real-time Response 'get' files .DESCRIPTION -Requires 'Real Time Response: Write'. - Delete files previously retrieved during a Real-time Response session. The required 'Id' and 'SessionId' values are contained in the results of 'Start-FalconSession' and 'Invoke-FalconAdminCommand' or 'Invoke-FalconBatchGet' commands. + +Requires 'Real Time Response: Write'. .PARAMETER SessionId Session identifier .PARAMETER Id Real-time Response 'get' file identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconGetFile #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/file/v2:delete',SupportsShouldProcess)] param( @@ -1077,7 +1077,7 @@ Requires 'Real Time Response (Admin): Write'. .PARAMETER Id Real-time Response 'put' file identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconPutFile #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/put-files/v1:delete', SupportsShouldProcess)] 
@@ -1106,7 +1106,7 @@ Requires 'Real Time Response (Admin): Write'. .PARAMETER Id Script identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconScript #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/scripts/v1:delete',SupportsShouldProcess)] param( @@ -1134,7 +1134,7 @@ Requires 'Real Time Response: Read'. .PARAMETER Id Session identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconSession #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/sessions/v1:delete', SupportsShouldProcess)] @@ -1169,7 +1169,7 @@ Comment for audit log .PARAMETER Path Path to local file .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Send-FalconPutFile #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/put-files/v1:post',SupportsShouldProcess)] param( @@ -1223,7 +1223,7 @@ Audit log comment .PARAMETER Path Path to local file or string-based script content .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Send-FalconScript #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/scripts/v1:post',SupportsShouldProcess)] param( 
@@ -1270,14 +1270,14 @@ function Start-FalconSession { .SYNOPSIS Initialize a single-host or batch Real-time Response session .DESCRIPTION -Requires 'Real Time Response: Read'. - Real-time Response sessions require Host identifier values. Sessions that are successfully started return a 'session_id' (for single hosts) or 'batch_id' (multiple hosts) value which can be used to issue commands that will be processed by the host(s) in the session. Commands can be issued using 'Invoke-FalconCommand', 'Invoke-FalconResponderCommand', 'Invoke-FalconAdminCommand' and 'Invoke-FalconBatchGet'. + +Requires 'Real Time Response: Read'. .PARAMETER QueueOffline Add non-responsive hosts to the offline queue .PARAMETER Timeout @@ -1287,7 +1287,7 @@ Add hosts to an existing batch session .PARAMETER Id Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Start-FalconSession #> [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-init-session/v1:post', SupportsShouldProcess)] @@ -1338,8 +1338,8 @@ https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response [string]$BatchId = $_.batch_id @($_.resources.PSObject.Properties.Value).Where({ $_.errors }).foreach{ # Write warning for hosts in batch that produced errors - Write-Warning "[Start-FalconSession] $( - @($_.errors.code,$_.errors.message) -join ': ') [aid: $($_.aid)]" + $PSCmdlet.WriteWarning("[Start-FalconSession] $( + @($_.errors.code,$_.errors.message) -join ': ') [aid: $($_.aid)]") } @($_.resources.PSObject.Properties.Value).Where({ $_.session_id }).foreach{ # Append 'batch_id' for hosts with a 'session_id' 
@@ -1363,11 +1363,11 @@ function Update-FalconSession { .SYNOPSIS Refresh a single-host or batch Real-time Response session to prevent expiration .DESCRIPTION -Requires 'Real Time Response: Read'. - Real-time Response sessions expire after 10 minutes by default. Any commands that were issued to a session that take longer than 10 minutes will not return results without refreshing the session to keep it alive until the command process completes. + +Requires 'Real Time Response: Read'. .PARAMETER QueueOffline Add non-responsive hosts to the offline queue .PARAMETER Timeout @@ -1379,7 +1379,7 @@ Host identifier, for a single-host session .PARAMETER BatchId Batch session identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response +https://github.com/crowdstrike/psfalcon/wiki/Update-FalconSession #> [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/refresh-session/v1:post', SupportsShouldProcess)] @@ -1429,8 +1429,8 @@ https://github.com/crowdstrike/psfalcon/wiki/Real-time-Response if ($Endpoint -eq '/real-time-response/combined/batch-refresh-session/v1:post') { @($_.PSObject.Properties.Value).Where({ $_.errors }).foreach{ # Write warning for hosts in batch that produced errors - Write-Warning "[Update-FalconSession] $( - @($_.errors.code,$_.errors.message) -join ': ') [aid: $($_.aid)]" + $PSCmdlet.WriteWarning("[Update-FalconSession] $( + @($_.errors.code,$_.errors.message) -join ': ') [aid: $($_.aid)]") } # Output 'batch_id' and 'hosts' containing result [PSCustomObject]@{ diff --git a/Public/recon.ps1 b/Public/recon.ps1 index baea7a5d..42128714 100644 --- a/Public/recon.ps1 +++ b/Public/recon.ps1 @@ -1,9 +1,9 @@ function Edit-FalconReconAction { <# .SYNOPSIS -Modify a Falcon X Recon action +Modify a Falcon Intelligence Recon action .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Write'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Write'. .PARAMETER Frequency Action frequency .PARAMETER Recipient 
@@ -13,7 +13,7 @@ Action status .PARAMETER Id Action identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconReconAction #> [CmdletBinding(DefaultParameterSetName='/recon/entities/actions/v1:patch',SupportsShouldProcess)] param( @@ -63,9 +63,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function Edit-FalconReconNotification { <# .SYNOPSIS -Modify a Falcon X Recon notification +Modify a Falcon Intelligence Recon notification .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Write'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Write'. .PARAMETER Array An array of notifications to modify in a single request .PARAMETER Id @@ -75,7 +75,7 @@ Notification status .PARAMETER AssignedToUuid User identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconReconNotification #> [CmdletBinding(DefaultParameterSetName='/recon/entities/notifications/v1:patch',SupportsShouldProcess)] param( @@ -136,9 +136,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function Edit-FalconReconRule { <# .SYNOPSIS -Modify a Falcon X Recon monitoring rule +Modify a Falcon Intelligence Recon monitoring rule .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Write'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Write'. .PARAMETER Array An array of monitoring rules to modify in a single request .PARAMETER Id @@ -152,7 +152,7 @@ Monitoring rule priority .PARAMETER Permission Permission level [public: 'All Intel users', private: 'Recon Admins'] .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconReconRule #> [CmdletBinding(DefaultParameterSetName='/recon/entities/rules/v1:patch',SupportsShouldProcess)] param( 
@@ -219,9 +219,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function Get-FalconReconAction { <# .SYNOPSIS -Search for Falcon X Recon actions +Search for Falcon Intelligence Recon actions .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Read'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Read'. .PARAMETER Id Action identifier .PARAMETER Filter @@ -241,7 +241,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconReconAction #> [CmdletBinding(DefaultParameterSetName='/recon/queries/actions/v1:get',SupportsShouldProcess)] param( @@ -286,9 +286,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function Get-FalconReconNotification { <# .SYNOPSIS -Search for Falcon X Recon notifications +Search for Falcon Intelligence Recon notifications .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Read'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Read'. .PARAMETER Id Notification identifier .PARAMETER Filter @@ -314,7 +314,7 @@ Translate to English .PARAMETER Combined Include raw intelligence content and translate to English .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconReconNotification #> [CmdletBinding(DefaultParameterSetName='/recon/queries/notifications/v1:get',SupportsShouldProcess)] param( @@ -374,9 +374,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function Get-FalconReconRule { <# .SYNOPSIS -Search for Falcon X Recon monitoring rules +Search for Falcon Intelligence Recon monitoring rules .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Read'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Read'. .PARAMETER Id Monitoring rule identifier .PARAMETER Filter 
@@ -396,7 +396,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconReconRule #> [CmdletBinding(DefaultParameterSetName='/recon/queries/rules/v1:get',SupportsShouldProcess)] param( @@ -444,15 +444,15 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function Get-FalconReconRulePreview { <# .SYNOPSIS -Preview Falcon X Recon monitoring rule notification count and distribution +Preview Falcon Intelligence Recon monitoring rule notification count and distribution .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Read'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Read'. .PARAMETER Topic Monitoring rule topic .PARAMETER Filter Monitoring rule filter .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconReconRulePreview #> [CmdletBinding(DefaultParameterSetName='/recon/aggregates/rules-preview/GET/v1:post',SupportsShouldProcess)] param( @@ -474,9 +474,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function New-FalconReconAction { <# .SYNOPSIS -Create Falcon X Recon monitoring rule actions +Create Falcon Intelligence Recon monitoring rule actions .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Write'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Write'. .PARAMETER RuleId Monitoring rule identifier .PARAMETER Type @@ -486,7 +486,7 @@ Notification frequency .PARAMETER Recipient Notification recipient .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/New-FalconReconAction #> [CmdletBinding(DefaultParameterSetName='/recon/entities/actions/v1:post',SupportsShouldProcess)] param( 
@@ -537,9 +537,9 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function New-FalconReconRule { <# .SYNOPSIS -Create Falcon X Recon monitoring rules +Create Falcon Intelligence Recon monitoring rules .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Write'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Write'. .PARAMETER Array An array of monitoring rules to create in a single request .PARAMETER Name @@ -553,7 +553,7 @@ Monitoring rule priority .PARAMETER Permission Permission level [public: 'All Intel users', private: 'Recon Admins'] .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/New-FalconReconRule #> [CmdletBinding(DefaultParameterSetName='/recon/entities/rules/v1:post',SupportsShouldProcess)] param( @@ -620,13 +620,13 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function Remove-FalconReconAction { <# .SYNOPSIS -Remove an action from a Falcon X Recon monitoring rule +Remove an action from a Falcon Intelligence Recon monitoring rule .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Write'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Write'. .PARAMETER Id Action identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconReconAction #> [CmdletBinding(DefaultParameterSetName='/recon/entities/actions/v1:delete',SupportsShouldProcess)] param( 
@@ -647,13 +647,13 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function Remove-FalconReconNotification { <# .SYNOPSIS -Remove Falcon X Recon notifications +Remove Falcon Intelligence Recon notifications .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Write'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Write'. .PARAMETER Id Notification identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconReconNotification #> [CmdletBinding(DefaultParameterSetName='/recon/entities/notifications/v1:delete',SupportsShouldProcess)] param( @@ -682,13 +682,13 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon function Remove-FalconReconRule { <# .SYNOPSIS -Remove Falcon X Recon monitoring rules +Remove Falcon Intelligence Recon monitoring rules .DESCRIPTION -Requires 'Monitoring Rules (Falcon X Recon): Write'. +Requires 'Monitoring Rules (Falcon Intelligence Recon): Write'. .PARAMETER Id Monitoring rule identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X-Recon +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconReconRule #> [CmdletBinding(DefaultParameterSetName='/recon/entities/rules/v1:delete',SupportsShouldProcess)] param( diff --git a/Public/reports.ps1 b/Public/reports.ps1 index 1cb5e2fc..e5baa60e 100644 --- a/Public/reports.ps1 +++ b/Public/reports.ps1 @@ -25,7 +25,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Scheduled-Reports-and-Searches +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconScheduledReport #> [CmdletBinding(DefaultParameterSetName='/reports/queries/scheduled-reports/v1:get',SupportsShouldProcess)] param( 
@@ -105,7 +105,7 @@ Requires 'Scheduled Reports: Read'. .PARAMETER Id Report identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Scheduled-Reports-and-Searches +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconScheduledReport #> [CmdletBinding(DefaultParameterSetName='/reports/entities/scheduled-reports/execution/v1:post', SupportsShouldProcess)] @@ -141,7 +141,7 @@ Report identifier .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Scheduled-Reports-and-Searches +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconScheduledReport #> [CmdletBinding(DefaultParameterSetName='/reports/entities/report-executions-download/v1:get', SupportsShouldProcess)] @@ -206,7 +206,7 @@ Requires 'Scheduled Reports: Read'. .PARAMETER Id Report identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Scheduled-Reports-and-Searches +https://github.com/crowdstrike/psfalcon/wiki/Redo-FalconScheduledReport #> [CmdletBinding(DefaultParameterSetName='/reports/entities/report-executions-retry/v1:post', SupportsShouldProcess)] diff --git a/Public/samples.ps1 b/Public/samples.ps1 index a79db26b..ee1d132b 100644 --- a/Public/samples.ps1 +++ b/Public/samples.ps1 @@ -7,7 +7,7 @@ Requires 'Sample Uploads: Read'. .PARAMETER Id Sha256 hash value .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSample #> [CmdletBinding(DefaultParameterSetName='/samples/queries/samples/GET/v1:post',SupportsShouldProcess)] param( @@ -48,7 +48,7 @@ Sha256 hash value .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconSample #> [CmdletBinding(DefaultParameterSetName='/samples/entities/samples/v3:get',SupportsShouldProcess)] param( 
@@ -98,7 +98,7 @@ Requires 'Sample Uploads: Write'. .PARAMETER Id Sha256 hash value .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconSample #> [CmdletBinding(DefaultParameterSetName='/samples/entities/samples/v3:delete',SupportsShouldProcess)] param( @@ -122,12 +122,12 @@ function Send-FalconSample { .SYNOPSIS Upload a sample file .DESCRIPTION -Requires 'Sample Uploads: Write'. - -A successful upload will provide a 'sha256' value that can be used in submissions to the Falcon X Sandbox or +A successful upload will provide a 'sha256' value that can be used in submissions to the Falcon Sandbox or Falcon QuickScan. Maximum file size is 256MB. ZIP archives will automatically redirect to the archive submission API. + +Requires 'Sample Uploads: Write'. .PARAMETER IsConfidential Prohibit sample from being displayed in MalQuery [default: True] .PARAMETER Comment @@ -137,7 +137,7 @@ File name .PARAMETER Path Path to local file .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Send-FalconSample #> [CmdletBinding(DefaultParameterSetName='/samples/entities/samples/v3:post',SupportsShouldProcess)] param( diff --git a/Public/scanner.ps1 b/Public/scanner.ps1 index 426315da..9282983c 100644 --- a/Public/scanner.ps1 +++ b/Public/scanner.ps1 @@ -3,7 +3,7 @@ function Get-FalconQuickScan { .SYNOPSIS Search for Falcon QuickScan results .DESCRIPTION -Requires 'Quick Scan (Falcon X): Read'. +Requires 'Quick Scan (Falcon Intelligence): Read'. .PARAMETER Id QuickScan identifier .PARAMETER Filter @@ -21,7 +21,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconQuickScan #> [CmdletBinding(DefaultParameterSetName='/scanner/queries/scans/v1:get',SupportsShouldProcess)] param( 
@@ -66,9 +66,9 @@ function Get-FalconQuickScanQuota { .SYNOPSIS Display monthly Falcon QuickScan quota .DESCRIPTION -Requires 'Quick Scan (Falcon X): Read'. +Requires 'Quick Scan (Falcon Intelligence): Read'. .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconQuickScanQuota #> [CmdletBinding(DefaultParameterSetName='/scanner/queries/scans/v1:get',SupportsShouldProcess)] param() @@ -86,23 +86,23 @@ function New-FalconQuickScan { .SYNOPSIS Submit a volume of files to Falcon QuickScan .DESCRIPTION -Requires 'Quick Scan (Falcon X): Write'. - -'Ids' values (Sha256 hashes) are retrieved from files that are uploaded using 'Send-FalconSample'. Files must be +'Id' values (Sha256 hashes) are retrieved from files that are uploaded using 'Send-FalconSample'. Files must be uploaded before they can be used with Falcon QuickScan. Time required for analysis increases with the number of samples in a volume but usually takes less than 1 minute. + +Requires 'Quick Scan (Falcon Intelligence): Write'. .PARAMETER Id Sha256 hash value .LINK -https://github.com/crowdstrike/psfalcon/wiki/Falcon-X +https://github.com/crowdstrike/psfalcon/wiki/New-FalconQuickScan #> [CmdletBinding(DefaultParameterSetName='/scanner/entities/scans/v1:post',SupportsShouldProcess)] param( [Parameter(ParameterSetName='/scanner/entities/scans/v1:post',Mandatory,ValueFromPipeline, ValueFromPipelineByPropertyName,Position=1)] [ValidatePattern('^[A-Fa-f0-9]{64}$')] - [Alias('samples','Ids')] + [Alias('samples','Ids','sha256')] [string[]]$Id ) begin { @@ -110,6 +110,7 @@ https://github.com/crowdstrike/psfalcon/wiki/Falcon-X Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Body = @{ root = @('samples') }} + Max = 1000 } [System.Collections.Generic.List[string]]$List = @() } diff --git a/Public/sensors.ps1 b/Public/sensors.ps1 index 987d50b2..29944363 100644 --- a/Public/sensors.ps1 +++ b/Public/sensors.ps1 
@@ -3,11 +3,11 @@ function Get-FalconCcid { .SYNOPSIS Retrieve your Falcon Customer Checksum Identifier (CCID) .DESCRIPTION -Requires 'Sensor Download: Read'. - Returns your Customer Checksum Identifier which is requested during the installation of the Falcon Sensor. + +Requires 'Sensor Download: Read'. .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Download +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconCcid #> [CmdletBinding(DefaultParameterSetName='/sensors/queries/installers/ccid/v1:get',SupportsShouldProcess)] param() @@ -36,7 +36,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Download +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconInstaller #> [CmdletBinding(DefaultParameterSetName='/sensors/queries/installers/v1:get',SupportsShouldProcess)] param( @@ -92,7 +92,7 @@ Connection label .PARAMETER Format Format for streaming events [default: json] .LINK -https://github.com/crowdstrike/psfalcon/wiki/Event-Streams +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconStream #> [CmdletBinding(DefaultParameterSetName='/sensors/entities/datafeed/v2:get',SupportsShouldProcess)] param( @@ -124,7 +124,7 @@ Sha256 hash value .PARAMETER Force Overwrite an existing file when present .LINK -https://github.com/crowdstrike/psfalcon/wiki/Sensor-Download +https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconInstaller #> [CmdletBinding(DefaultParameterSetName='/sensors/entities/download-installer/v1:get',SupportsShouldProcess)] param( @@ -175,7 +175,7 @@ Connection label .PARAMETER Partition Partition number .LINK -https://github.com/crowdstrike/psfalcon/wiki/Event-Streams +https://github.com/crowdstrike/psfalcon/wiki/Update-FalconStream #> [CmdletBinding(DefaultParameterSetName='/sensors/entities/datafeed-actions/v1/{partition}:post', SupportsShouldProcess)] 
diff --git a/Public/settings.ps1 b/Public/settings.ps1 index ac43e287..639d5375 100644 --- a/Public/settings.ps1 +++ b/Public/settings.ps1 @@ -11,7 +11,7 @@ Policy enablement status .PARAMETER Id Policy identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconHorizonPolicy #> [CmdletBinding(DefaultParameterSetName='/settings/entities/policy/v1:patch',SupportsShouldProcess)] param( @@ -47,7 +47,7 @@ Scan interval .PARAMETER CloudPlatform Cloud platform .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconHorizonSchedule #> [CmdletBinding(DefaultParameterSetName='/settings/scan-schedule/v1:post',SupportsShouldProcess)] param( @@ -88,7 +88,7 @@ Cloud platform .PARAMETER Detailed Retrieve detailed information .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHorizonPolicy #> [CmdletBinding(DefaultParameterSetName='/settings/entities/policy/v1:get',SupportsShouldProcess)] param( @@ -141,7 +141,7 @@ Requires 'CSPM Registration: Read'. .PARAMETER CloudPlatform Cloud platform .LINK -https://github.com/crowdstrike/psfalcon/wiki/Horizon +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconHorizonSchedule #> [CmdletBinding(DefaultParameterSetName='/settings/scan-schedule/v1:get',SupportsShouldProcess)] param( diff --git a/Public/spotlight.ps1 b/Public/spotlight.ps1 index 32b7edde..68be43e9 100644 --- a/Public/spotlight.ps1 +++ b/Public/spotlight.ps1 @@ -7,7 +7,7 @@ Requires 'Spotlight Vulnerabilities: Read'. .PARAMETER Id Remediation identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Spotlight +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconRemediation #> [CmdletBinding(DefaultParameterSetName='/spotlight/entities/remediations/v2:get',SupportsShouldProcess)] param( 
@@ -72,7 +72,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Spotlight +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconVulnerability #> [CmdletBinding(DefaultParameterSetName='/spotlight/queries/vulnerabilities/v1:get',SupportsShouldProcess)] param( @@ -145,7 +145,7 @@ Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK -https://github.com/crowdstrike/psfalcon/wiki/Spotlight +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconVulnerabilityLogic #> [CmdletBinding(DefaultParameterSetName='/spotlight/queries/evaluation-logic/v1:get',SupportsShouldProcess)] param( diff --git a/Public/ti.ps1 b/Public/ti.ps1 new file mode 100644 index 00000000..49af9b94 Binary files /dev/null and b/Public/ti.ps1 differ diff --git a/Public/user-management.ps1 b/Public/user-management.ps1 index 712bf6bf..c07403b8 100644 --- a/Public/user-management.ps1 +++ b/Public/user-management.ps1 @@ -11,7 +11,7 @@ User role .PARAMETER Cid Customer identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles +https://github.com/crowdstrike/psfalcon/wiki/Add-FalconRole #> [CmdletBinding(DefaultParameterSetName='/user-roles/entities/user-roles/v1:post',SupportsShouldProcess)] param( @@ -76,7 +76,7 @@ Last name .PARAMETER Id User identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles +https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconUser #> [CmdletBinding(DefaultParameterSetName='/user-management/entities/users/v1:patch',SupportsShouldProcess)] param( 
@@ -88,8 +88,8 @@ https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles [string]$LastName, [Parameter(ParameterSetName='/user-management/entities/users/v1:patch',Mandatory,ValueFromPipeline, ValueFromPipelineByPropertyName,Position=3)] - [Alias('user_uuid','uuid')] [ValidatePattern('^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$')] + [Alias('user_uuid','uuid')] [string]$Id ) begin { @@ -120,7 +120,7 @@ Customer identifier .PARAMETER Detailed Retrieve detailed information .LINK -https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconRole #> [CmdletBinding(DefaultParameterSetName='/user-management/queries/roles/v1:get', SupportsShouldProcess)] @@ -193,8 +193,6 @@ Search for users Requires 'User Management: Read'. .PARAMETER Id User identifier -.PARAMETER Username -Username .PARAMETER Filter Falcon Query Language expression to limit results .PARAMETER Offset @@ -203,12 +201,14 @@ Position to begin retrieving results Property and direction to sort results .PARAMETER Limit Maximum number of results per request +.PARAMETER Username +Username .PARAMETER Detailed Retrieve detailed information .PARAMETER Include Include additional properties .LINK -https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconUser #> [CmdletBinding(DefaultParameterSetName='/user-management/queries/users/v1:get',SupportsShouldProcess)] param( 
@@ -217,12 +217,6 @@ https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles [ValidatePattern('^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$')] [Alias('ids','uuid')] [string[]]$Id, - [Parameter(ParameterSetName='/users/queries/user-uuids-by-email/v1:get',Mandatory)] - [ValidateScript({ - if ((Test-RegexValue $_) -eq 'email') { $true } else { throw "'$_' is not a valid email address." } - })] - [Alias('uid','Usernames')] - [string[]]$Username, [Parameter(ParameterSetName='/user-management/queries/users/v1:get',Position=1)] [string]$Filter, [Parameter(ParameterSetName='/user-management/queries/users/v1:get',Position=2)] @@ -234,11 +228,18 @@ https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles [int]$Limit, [Parameter(ParameterSetName='/user-management/queries/users/v1:get',Position=4)] [int]$Offset, + [Parameter(ParameterSetName='Username',Mandatory)] + [ValidateScript({ + if ((Test-RegexValue $_) -eq 'email') { $true } else { throw "'$_' is not a valid email address." } + })] + [Alias('uid','Usernames')] + [string[]]$Username, [Parameter(ParameterSetName='/user-management/queries/users/v1:get')] + [Parameter(ParameterSetName='Username')] [switch]$Detailed, [Parameter(ParameterSetName='/user-management/queries/users/v1:get')] [Parameter(ParameterSetName='/user-management/entities/users/GET/v1:post')] - [Parameter(ParameterSetName='/users/queries/user-uuids-by-email/v1:get')] + [Parameter(ParameterSetName='Username')] [ValidateSet('roles',IgnoreCase=$false)] [string[]]$Include ) 
@@ -255,16 +256,32 @@ https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles } process { if ($Id) { @($Id).foreach{ $List.Add($_) }}} end { - if ($List) { $PSBoundParameters['Id'] = @($List | Select-Object -Unique) } - if ($Include) { - $Request = Invoke-Falcon @Param -Inputs $PSBoundParameters - if ($Request -and !$Request.uuid) { $Request = @($Request).foreach{ ,[PSCustomObject]@{ uuid = $_ }}} - if ($Include -contains 'roles') { - @($Request).foreach{ Set-Property $_ roles @(Get-FalconRole -UserId $_.uuid) } + if ($Username) { + # Re-submit 'Username' values as filtered searches + $Username = @($Username | Select-Object -Unique) + for ($i = 0; $i -lt ($Username | Measure-Object).Count; $i += 20) { + [string]$Filter = ($Username[$i..($i + 19)] | ForEach-Object { "uid:*'$_'" }) -join ',' + if ($Filter) { + $Search = @{ Filter = $Filter } + if ($Include) { $Search['Include'] = $Include } + if ($Detailed) { $Search['Detailed'] = $Detailed } + & $MyInvocation.MyCommand.Name @Search + } } - $Request } else { - Invoke-Falcon @Param -Inputs $PSBoundParameters + if ($IdList) { $PSBoundParameters['Id'] = @($List | Select-Object -Unique) } + if ($Include) { + $Request = Invoke-Falcon @Param -Inputs $PSBoundParameters + if ($Request -and !$Request.uuid) { + $Request = @($Request).foreach{ ,[PSCustomObject]@{ uuid = $_ }} + } + if ($Include -contains 'roles') { + @($Request).foreach{ Set-Property $_ roles @(Get-FalconRole -UserId $_.uuid) } + } + $Request + } else { + Invoke-Falcon @Param -Inputs $PSBoundParameters + } } } } @@ -279,7 +296,7 @@ Action name .PARAMETER Id User identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles +https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconUserAction #> [CmdletBinding(DefaultParameterSetName='/user-management/entities/user-actions/v1:post',SupportsShouldProcess)] param( 
@@ -328,7 +345,7 @@ Customer identifier .PARAMETER ValidateOnly Validate if user is allowed but do not create them .LINK -https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles +https://github.com/crowdstrike/psfalcon/wiki/New-FalconUser #> [CmdletBinding(DefaultParameterSetName='/user-management/entities/users/v1:post',SupportsShouldProcess)] param( @@ -384,7 +401,7 @@ User role .PARAMETER Cid Customer identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconRole #> [CmdletBinding(DefaultParameterSetName='/user-roles/entities/user-roles/v1:delete',SupportsShouldProcess)] param( @@ -445,12 +462,13 @@ Requires 'User Management: Write'. .PARAMETER Id User identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Users-and-Roles +https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconUser #> [CmdletBinding(DefaultParameterSetName='/user-management/entities/users/v1:delete',SupportsShouldProcess)] param( [Parameter(ParameterSetName='/user-management/entities/users/v1:delete',Mandatory,ValueFromPipeline, ValueFromPipelineByPropertyName,Position=1)] + [ValidatePattern('^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$')] [Alias('user_uuid','uuid')] [string]$Id ) diff --git a/Public/zero-trust-assessment.ps1 b/Public/zero-trust-assessment.ps1 index f0a26b9e..0142da47 100644 --- a/Public/zero-trust-assessment.ps1 +++ b/Public/zero-trust-assessment.ps1 @@ -7,7 +7,7 @@ Requires 'Zero Trust Assessment: Read'. .PARAMETER Id Host identifier .LINK -https://github.com/crowdstrike/psfalcon/wiki/Zero-Trust-Assessment +https://github.com/crowdstrike/psfalcon/wiki/Get-FalconZta #> [CmdletBinding(DefaultParameterSetName='/zero-trust-assessment/entities/audit/v1:get',SupportsShouldProcess)] param(
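Review bot: In the `Public/user-management.ps1` hunk at `@@ -255,16 +256,32 @@` (the `end` block of `Get-FalconUser`), the new `else` branch tests `if ($IdList)` but nothing in the function defines `$IdList`; the `process` block collects pipeline values into `$List`, and the deleted line used `$List`. As written the condition is always false, so `$PSBoundParameters['Id']` is never replaced with the de-duplicated list and identifiers piped into the command are silently dropped (only the last pipeline item remains in `$PSBoundParameters`). Change it back to `if ($List) { $PSBoundParameters['Id'] = @($List | Select-Object -Unique) }`.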
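Review bot: In the same `Get-FalconUser` hunk, the `Username` branch interpolates each value directly into an FQL expression, `"uid:*'$_'"`, and joins the batch with commas. The `ValidateScript` only checks that the value looks like an e-mail address, and a valid address may contain a single quote, which would terminate the quoted term early and change the meaning of the filter. Escape (or reject) `'` before interpolating, and consider not reusing `$Filter`, which is also the name of a parameter in the other set, for the generated expression. A comment stating why the batch size is 20 would help the next reader.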
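Review bot: In the `Public/user-management.ps1` hunk at `@@ -234,11 +228,18 @@`, the new parameter set is named `Username` rather than an endpoint path like every other set in the file, and nothing on the parameter block records that this set is virtual and is resolved by the recursive call in the `end` block instead of by `Invoke-Falcon`. Add a short comment on the `Username` set explaining this, so a later change that passes `$PSCmdlet.ParameterSetName` through as an endpoint does not break it.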
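Review bot: `diff --git a/Public/ti.ps1 b/Public/ti.ps1` adds the new file that ships `Get-FalconTailoredEvent` and `Get-FalconTailoredRule`, but git reports `Binary files /dev/null and b/Public/ti.ps1 differ`, so none of its contents are reviewable in this diff. A PowerShell source file should be detected as text; check the file's encoding (a UTF-16 save or a stray NUL is the usual cause) and any `.gitattributes` rule, then re-commit it as UTF-8 text so the code can be reviewed and future changes diffed line by line.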
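Review bot: In the `Public/scanner.ps1` hunk at `@@ -110,6 +110,7 @@`, `Max = 1000` is added to the `$Param` hashtable of `New-FalconQuickScan` with no comment on where the number comes from. Since `Get-ParamSet` now splits `samples` into groups of `Max` values, document the source of this limit (the API's per-request maximum) next to the value so it can be re-checked when the endpoint changes, and confirm the new `sha256` alias in the preceding hunk does not collide with pipeline-bound output property names from other commands.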
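Review bot: In the `Public/user-management.ps1` hunk at `@@ -445,12 +462,13 @@`, the added `ValidatePattern` for `Remove-FalconUser` is the right fix, but the same GUID pattern `'^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$'` now appears verbatim in `Edit-FalconUser`, `Get-FalconUser` and `Remove-FalconUser`. Consider moving it to a single shared definition so the three copies cannot drift.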