Skip to content

Invoke FalconIdentityGraph

Jump to bottom
bk-cs edited this page Apr 28, 2023 · 24 revisions

Invoke-FalconIdentityGraph

SYNOPSIS

Interact with Falcon Identity using GraphQL

DESCRIPTION

The 'All' parameter requires that your GraphQL statement contain an 'after' cursor variable definition and 'pageInfo { hasNextPage endCursor }'.

Requires 'Identity Protection GraphQL: Write', and other 'Identity Protection' permission(s) depending on query.

PARAMETERS

Name Type Description Min Max Allowed Pipeline PipelineByName
String String A complete GraphQL statement X
Variable Hashtable A hashtable containing variables used in your GraphQL statement X
All Switch Repeat requests until all available results are retrieved

SYNTAX

Invoke-FalconIdentityGraph [-String] <String> [[-Variable] <Hashtable>] [-All] [-WhatIf] [-Confirm] [<CommonParameters>]

USAGE

Queries can be created using GraphiQl. [ US-1 | US-2 | EU-1 | US-GOV-1 ]

$Query = '{
  entities(types: [USER], archived: false, first: 10, dataSources: [ACTIVE_DIRECTORY]) {
    nodes {
      primaryDisplayName
      secondaryDisplayName
      riskScoreSeverity
      accounts {
        description
        ... on ActiveDirectoryAccountDescriptor {
          passwordAttributes {
            lastChange
          }
          creationTime
          objectSid
          samAccountName
          domain
          enabled
          ou
          lastUpdateTime
        }
      }
    }
  }
}'
Invoke-FalconIdentityGraph -String $Query

To have the results paginated using the All parameter, you must define a Cursor variable, and include it within entities along with the relevant pageInfo properties. When the results are paginated using All, PSFalcon will display the contents of entities.nodes directly, rather than the entire response object (similar to other PSFalcon commands).

$Query = 'query ($after: Cursor) {
  entities(types: [USER], archived: false, after: $after, first: 10, dataSources: [ACTIVE_DIRECTORY]) {
    nodes {
      primaryDisplayName
      secondaryDisplayName
      riskScoreSeverity
      accounts {
        description
        ... on ActiveDirectoryAccountDescriptor {
          passwordAttributes {
            lastChange
          }
          creationTime
          objectSid
          samAccountName
          domain
          enabled
          ou
          lastUpdateTime
        }
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}'
Invoke-FalconIdentityGraph -String $Query -All

Query for the first 5 administrator accounts

Invoke-FalconIdentityGraph -String '{entities(roles:[BuiltinAdministratorRole] sortKey:PRIMARY_DISPLAY_NAME sortOrder:ASCENDING first:5) {nodes{primaryDisplayName secondaryDisplayName}}}'

Query for the top 10 users with the highest risk score

Invoke-FalconIdentityGraph -String '{entities(types:[USER] minRiskScoreSeverity:MEDIUM sortKey: RISK_SCORE sortOrder:DESCENDING first:10) {nodes{primaryDisplayName secondaryDisplayName isHuman:hasRole(type:HumanUserAccountRole) isProgrammatic:hasRole(type:ProgrammaticUserAccountRole) ... on UserEntity{emailAddresses} riskScore riskScoreSeverity riskFactors {type severity}}}}'

Query for accounts that have not completed learning mode

$Query = 'query ($after: Cursor) {
  entities(types: [USER], archived: false, learned: false, after: $after, first: 1000) {
    nodes {
      primaryDisplayName
      secondaryDisplayName
      accounts {
        ... on ActiveDirectoryAccountDescriptor {
          domain
        }
      }
    }
    pageInfo {
      hasNextPage
      endCursor
    }
  }
}'
Invoke-FalconIdentityGraph -String $Query -All

2023-04-25: PSFalcon v2.2.5

Clone this wiki locally