Exporting detections with SensorGroupingTags

[ghost]

Is there anyway to export detections for the past 90 days that includes the severity, SensorGroupingTags, status (true positive/false positive etc) using psfalcon?

[bk-cs]

Not in a single command, but a simple script will do it:

$DetectionList = @(Get-FalconDetection -Filter "created_timestamp:>'now-30d'" -Detailed -All |
Select-Object detection_id,max_severity_displayname,status,device).foreach{
    # Get list of detections and convert 'device' from object to 'device_id' string
    $_.device = $_.device.device_id
    $_
}
if ($DetectionList) {
    foreach ($Device in (Get-FalconHost -Id $DetectionList.device | Select-Object device_id,tags)) {
        @($DetectionList).Where({ $_.device -eq $Device.device_id }).foreach{
            # Get device info using 'device_id' in detections, and append 'tags' as a string joined by commas
            $_.PSObject.Properties.Add((New-Object PSNoteProperty('tags',($Device.tags -join ','))))
        }
    }
    # Export to CSV
    $DetectionList | Export-Csv .\detections.csv -NoTypeInformation
}

You can add additional fields to the output by modifying the Select-Object portion for Get-FalconDetection, but you may need to modify the properties to ensure they're CSV compatible.

If you have more than 10,000 detections in the last 30 days, the Filter used by Get-FalconDetection will need to be modified, and maybe run through a do {} while () loop or repeated until you get all detections.