-
Notifications
You must be signed in to change notification settings - Fork 69
Authentication
- Get an auth token
- Verifying token status
- Revoke an auth token
- Securing credentials
- Authentication within a script
Command | Permission |
---|---|
Request-FalconToken | |
Revoke-FalconToken | |
Test-FalconToken |
During a PowerShell session, you must have a valid OAuth2 access token in order to make requests to the CrowdStrike
Falcon APIs. You can do this using Request-FalconToken
, or input your ClientId/ClientSecret when prompted after
issuing a PSFalcon command.
After a valid OAuth2 token is received, it is cached with your credentials. Your cached token is checked and refreshed as needed while running PSFalcon commands.
Request-FalconToken -ClientId 'client_id' -ClientSecret 'client_secret'
WARNING: Request-FalconToken
defaults to the us-1
cloud. If your environment exists within a different
cloud, the module will attempt to use automatic redirection, except when the target cloud is us-gov-1
. Defining
Cloud
or Hostname
ensures that your token request goes to the proper cloud without relying on re-direction
and is required when using us-gov-1
.
Authentication token requests are sent to the us-1
cloud by default. You may use the Cloud
or Hostname
parameters to set it using a cloud, or full URL value. The accepted hostname values can be viewed using tab
auto-completion. Your Cloud/Hostname choice is saved and all requests are sent using the cached information.
In MSSP (also known as "Flight Control") configurations, you can target specific child environments ("CIDs")
using the MemberCid
parameter during authentication token requests. Your choice is saved and all requests are
sent to that particular member CID unless a new Request-FalconToken
request is made specifying a new member CID,
or you Revoke-FalconToken
.
Test-FalconToken
can be used to verify whether you have an active OAuth2 access token cached.
Test-FalconToken
Token Hostname ClientId MemberCid
----- -------- -------- ---------
True https://api.crowdstrike.com <redacted>
The Token
property of the output from Test-FalconToken
provides a [boolean]
value of your current status.
(Test-FalconToken).Token
True
The command Revoke-FalconToken
will revoke your current authorization token and clear it from your local cache.
Revoke-FalconToken
PSFalcon does not provide a method for securely handling your API client credentials. The Microsoft.PowerShell.SecretStore module is a
cross-platform option that works with PSFalcon. You can follow the steps below to install the module and use it
with Request-FalconToken
.
NOTE: Microsoft.PowerShell.SecretManagement is a pre-requisite for the Microsoft.PowerShell.SecretStore
module. It will be installed during the Install-Module
step.
Install-Module -Name Microsoft.PowerShell.SecretStore -Scope CurrentUser
NOTE: Using the default configuration, Microsoft.PowerShell.SecretStore
will prompt for a password to access
your secret vault. You can remove the password requirement to use the vault with a script or as part of a
scheduled task, which leaves the vault accessible to the account that was used to create it. You will be asked to
create, confirm and remove a password after entering this command.
Set-SecretStoreConfiguration -Scope CurrentUser -Authentication None -Interaction None
Once the module is installed and configured as desired, create a vault to store your API client(s):
Register-SecretVault -ModuleName Microsoft.PowerShell.SecretStore -Name MyVault
Request-FalconToken
requires multiple parameters to request a token. Each individual API client can be stored
with the relevant parameters (including MemberCid
) in your new vault:
$ApiClient = @{
ClientId = 'my_client_id'
ClientSecret = 'my_client_value'
Hostname = 'https://api.crowdstrike.com'
}
Set-Secret -Name MyApiClient -Secret $ApiClient -Vault MyVault
Once stored, credentials can be retrieved using your chosen Name
, and you can splat the parameters with
Request-FalconToken
:
Get-Secret -Name MyApiClient -Vault MyVault -AsPlainText | ForEach-Object { Request-FalconToken @_ }
If desired, a simple function can be added to your PowerShell profile to retrieve your credentials and request a token by name:
function Request-SecretToken ([string] $Name) {
if (-not(Get-Module -Name PSFalcon)) {
Import-Module -Name PSFalcon
} elseif ((Test-FalconToken -ErrorAction SilentlyContinue).Token -eq $true) {
Revoke-FalconToken
}
$Secret = Get-Secret -Name $Name -Vault MyVault -AsPlainText
if ($Secret) {
Request-FalconToken @Secret
} else {
throw "No secret found matching '$String'."
}
}
Once added to your profile, you can retrieve your credential set and request a token in a single step:
Request-SecretToken MyApiClient
The request of an authorization token can happen as part of a script that performs other tasks. Here is a re-usable example which defines the necessary parameters, and can optionally authenticate within a specific member CID (found within Flight Control environments).
#Requires -Version 5.1
using module @{ModuleName='PSFalcon';ModuleVersion='2.2'}
[CmdletBinding()]
param(
[Parameter(Mandatory,Position=1)]
[ValidatePattern('^[a-fA-F0-9]{32}$')]
[string]$ClientId,
[Parameter(Mandatory,Position=2)]
[ValidatePattern('^\w{40}$')]
[string]$ClientSecret,
[Parameter(Position=3)]
[ValidatePattern('^[a-fA-F0-9]{32}$')]
[string]$MemberCid,
[Parameter(Position=4)]
[ValidateSet('us-1','us-2','us-gov-1','eu-1')]
[string]$Cloud
)
begin {
$Token = @{}
@('ClientId','ClientSecret','Cloud','MemberCid').foreach{
if ($PSBoundParameters.$_) { $Token[$_] = $PSBoundParameters.$_ }
}
}
process {
try {
Request-FalconToken @Token
if ((Test-FalconToken).Token -eq $true) {
# Insert code to run here
}
} catch {
throw $_
} finally {
if ((Test-FalconToken).Token -eq $true) { Revoke-FalconToken }
}
}
In multi-CID configurations, you can create an OAuth2 API Client Id/Secret in the "parent" CID that has access to
the "member" (a.k.a. "child") CIDs. A lot of data is visible at the parent level, but some data is only visible
within each child. After creating an API Client, you can use that to retrieve a list of all available member CIDs
(or provide specific members using MemberCid
) and run PSFalcon commands within each child, while pausing between
authorization token request attempts to avoid rate limiting.
#Requires -Version 5.1
using module @{ModuleName='PSFalcon';ModuleVersion='2.2'}
[CmdletBinding()]
param(
[Parameter(Mandatory,Position=1)]
[ValidatePattern('^[a-fA-F0-9]{32}$')]
[string]$ClientId,
[Parameter(Mandatory,Position=2)]
[ValidatePattern('^\w{40}$')]
[string]$ClientSecret,
[Parameter(Position=3)]
[ValidatePattern('^[a-fA-F0-9]{32}$')]
[string[]]$MemberCid,
[Parameter(Position=4)]
[ValidateSet('us-1','us-2','us-gov-1','eu-1')]
[string]$Cloud
)
begin {
$Token = @{}
@('ClientId','ClientSecret','Cloud').foreach{
if ($PSBoundParameters.$_) { $Token[$_] = $PSBoundParameters.$_ }
}
if (!$MemberCid) {
Request-FalconToken @Token
if ((Test-FalconToken).Token -eq $true) {
# Gather available Member CIDs
[string[]]$MemberCid = Get-FalconMemberCid -Detailed -All | Where-Object { $_.status -eq 'active' } |
Select-Object -ExpandProperty child_cid
Revoke-FalconToken
}
}
}
process {
foreach ($Cid in $MemberCid) {
try {
Request-FalconToken @Token -MemberCid $Cid
if ((Test-FalconToken).Token -eq $true) {
# Insert code to run in each CID here
}
} catch {
Write-Error $_
} finally {
if ((Test-FalconToken).Token -eq $true) {
Revoke-FalconToken
Start-Sleep -Seconds 5
}
}
}
}
- Using PSFalcon
-
Commands and Permissions
- Configuration Import/Export
- Container Security
- Detection and Prevention Policies
- Discover for Cloud and Containers
- Discover
- Event Streams
- Falcon Complete Dashboards
- Falcon Complete Message Center
- Falcon Data Replicator
- Falcon Intelligence
- Falcon Intelligence Recon
- Falcon OverWatch Dashboards
- Falcon Sandbox
- FileVantage
- Firewall Management
- Flight Control
- Horizon
- Host and Host Group Management
- Identity Protection
- Image Assessment
- Incident and Detection Monitoring
- Installation Tokens
- Kubernetes Protection
- MalQuery
- Mobile Host Enrollment
- On-Demand Scanning
- Quarantine
- Real-time Response
- Real-time Response Policy
- Scheduled Reports and Searches
- Sensor Download
- Sensor Update Policy
- Spotlight
- Tailored Intelligence
- Third-party ingestion
- USB Device Control Policy
- Users and Roles
- Zero Trust Assessment
- Examples
-
CrowdStrike SDKs
- PSFalcon - PowerShell
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust