Get FalconAsset

bk-cs edited this page Sep 4, 2024 · 27 revisions

Get-FalconAsset

SYNOPSIS

Search for assets in Falcon Discover

DESCRIPTION

Requires 'Falcon Discover: Read' and 'Falcon Discover IoT: Read'.

PARAMETERS

Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName
Id | String[] | Asset identifier | | | | X | X
Filter | String | Falcon Query Language expression to limit results

account_enabled
ad_user_account_control
agent_version
aid
assigned_to
bios_manufacturer
bios_version
cid
city
classification
confidence
country
cpu_manufacturer
creation_timestamp
current_local_ip
data_providers
data_providers_count
department
descriptions
discoverer_aids
discoverer_count
discoverer_platform_names
discoverer_product_type_descs
discoverer_tags
email
entity_type
external_ip
field_metadata
first_discoverer_aid
first_discoverer_ip
first_seen_timestamp
fqdn
groups
hostname
id
internet_exposure
kernel_version
last_discoverer_aid
last_seen_timestamp
local_ip_addresses
local_ips_count
location
mac_addresses
machine_domain
managed_by
network_interfaces
network_interfaces.interface_alias
network_interfaces.interface_description
network_interfaces.local_ip
network_interfaces.mac_address
network_interfaces.network_prefix
number_of_disk_drives
object_guid
object_sid
os_is_eol
os_service_pack
os_version
ou
owned_by
physical_core_count
platform_name
processor_package_count
product_type
product_type_desc
reduced_functionality_mode
servicenow_id
site_name
state
system_manufacturer
system_product_name
system_serial_number
tags
used_for

Account:
account_name
account_type
admin_privileges
cid
first_seen_timestamp
id
last_failed_login_hostname
last_failed_login_timestamp
last_failed_login_type
last_successful_login_host_city
last_successful_login_host_country
last_successful_login_hostname
last_successful_login_remote_ip
last_successful_login_timestamp
last_successful_login_type
login_domain
password_last_set_timestamp
user_sid
username

External:
asset_id
asset_type
confidence
connectivity_status
criticality
criticality_description
criticality_timestamp
criticality_username
data_providers
discovered_by
dns_domain.fqdn
dns_domain.isps
dns_domain.parent_domain
dns_domain.resolved_ips
dns_domain.services.applications.category
dns_domain.services.applications.cpe
dns_domain.services.applications.name
dns_domain.services.applications.vendor
dns_domain.services.applications.version
dns_domain.services.cloud_provider
dns_domain.services.cpes
dns_domain.services.first_seen
dns_domain.services.hosting_provider
dns_domain.services.id
dns_domain.services.last_seen
dns_domain.services.platform_name
dns_domain.services.port
dns_domain.services.protocol
dns_domain.services.protocol_port
dns_domain.services.status
dns_domain.services.status_code
dns_domain.services.transport
dns_domain.type
first_seen
id
internet_exposure
ip.aid
ip.asn
ip.cloud_vm.description
ip.cloud_vm.instance_id
ip.cloud_vm.lifecycle
ip.cloud_vm.mac_address
ip.cloud_vm.owner_id
ip.cloud_vm.platform
ip.cloud_vm.private_ip
ip.cloud_vm.public_ip
ip.cloud_vm.region
ip.cloud_vm.security_groups
ip.cloud_vm.source
ip.cloud_vm.status
ip.fqdns
ip.ip_address
ip.isp
ip.location.area_code
ip.location.city
ip.location.country_code
ip.location.country_name
ip.location.postal_code
ip.location.region_code
ip.location.region_name
ip.location.timezone
ip.ptr
ip.services.applications.category
ip.services.applications.cpe
ip.services.applications.name
ip.services.applications.vendor
ip.services.applications.version
ip.services.cloud_provider
ip.services.cpes
ip.services.first_seen
ip.services.last_seen
ip.services.platform_name
ip.services.port
ip.services.protocol
ip.services.protocol_port
ip.services.status
ip.services.status_code
ip.services.transport
last_seen
manual
perimeter
subsidiaries.id
subsidiaries.name
triage.action
triage.assigned_to
triage.description
triage.status
triage.updated_by
triage.updated_timestamp

IoT:
device_family
device_class
device_type
device_mode
business_criticality
line_of_business
virtual_zone
subnet
purdue_level
vlan
local_ip_addresses
mac_addresses
physical_connections_count
data_providers

Login:
account_id
account_name
account_type
admin_privileges
aggregation_time_interval
aid
cid
failure_description
host_city
host_country
host_id
hostname
id
is_suspicious
local_ip
login_domain
login_event_count
login_status
login_timestamp
login_type
remote_ip
user_sid
username
Sort | String | Property and direction to sort results | | | | |
Limit | Int32 | Maximum number of results per request | | | | |
Include | String[] | Include additional properties | | | login_event, browser_extension, host_info, install_usage, system_insights, third_party, risk_factors | |
Offset | Int32 | Position to begin retrieving results | | | | |
After | String | Pagination token to retrieve the next set of results | | | | |
Detailed | Switch | Retrieve detailed information | | | | |
All | Switch | Repeat requests until all available results are retrieved | | | | |
Total | Switch | Display total result count instead of results | | | | |
Account | Switch | Search for user account assets | | | | |
Application | Switch | Search for applications | | | | |
External | Switch | Search for external assets | | | | |
IoT | Switch | Search for IoT assets | | | | |
Login | Switch | Search for login events | | | | |

SYNTAX

Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-Offset <Int32>] [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -External [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -Login [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -IoT [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -Application [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -Account [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-Detailed] [-All] [-Total] -External [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-Detailed] [-All] [-Total] -Login [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-After <String>] [-Detailed] [-All] [-Total] -IoT [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-All] [-Total] -Application [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-Offset <Int32>] [-Detailed] [-All] [-Total] -Account [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-After <String>] -Detailed [-All] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-After <String>] -Detailed [-All] -Application [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

GET /discover/combined/applications/v1
GET /discover/combined/hosts/v1
GET /discover/entities/accounts/v1
GET /discover/entities/applications/v1
GET /discover/entities/hosts/v1
GET /discover/entities/iot-hosts/v1
GET /discover/entities/logins/v1
GET /discover/queries/accounts/v1
GET /discover/queries/applications/v1
GET /discover/queries/hosts/v1
GET /discover/queries/iot-hosts/v2
GET /discover/queries/logins/v1
GET /fem/entities/external-assets/v1
GET /fem/queries/external-assets/v1

falconpy

query_hosts
get_external_assets
get_logins
get_iot_hosts
get_hosts
get_applications
get_accounts
query_external_assets
query_logins
query_iot_hostsV2
query_applications
query_accounts
combined_hosts
combined_applications

USAGE

Find unmanaged assets within a given subnet

Get-FalconAsset -Filter "entity_type:'unmanaged'+network_interfaces.local_ip:'192.168.25.0/24'" [-Detailed] [-All]

Find assets using a filtered search

Get-FalconAsset -Filter "entity_type:'managed'+product_type_desc:'Workstation'+platform_name:'Windows'+last_seen_timestamp:>'now-7d'" [-Detailed] [-All]

Get information about specific assets

Get-FalconAsset -Id <id>, <id>
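
Build an unmanaged-asset coverage report per subnet

The following is an added example, not code from the PSFalcon project. It combines the -Filter, -Total, -Detailed and -All parameters documented above to compare managed and unmanaged asset counts per subnet. The function name Get-UnmanagedAssetReport, the second sample range and the output property names are assumptions, and an authenticated session (Request-FalconToken) is assumed to exist.

```powershell
#Requires -Modules PSFalcon
# Added example, not PSFalcon project code. Assumes Request-FalconToken has already
# been run with an API client that holds the scopes listed under DESCRIPTION.

function Get-UnmanagedAssetReport {
    [CmdletBinding()]
    param(
        # IPv4 CIDR ranges to review. The pattern rejects quotes and FQL operators,
        # so caller input cannot change the meaning of the filter string.
        [Parameter(Mandatory)]
        [ValidatePattern('^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$')]
        [string[]]$Subnet,

        # Only consider assets seen within this many days
        [ValidateRange(1, 365)]
        [int]$Days = 7
    )
    foreach ($Cidr in $Subnet) {
        # '+' joins FQL conditions with AND; field names are from the Filter list above
        $Scope = "network_interfaces.local_ip:'$Cidr'+last_seen_timestamp:>'now-${Days}d'"

        # -Total returns only the result count, which is enough for the managed side
        $ManagedTotal = Get-FalconAsset -Filter "entity_type:'managed'+$Scope" -Total

        # -Detailed -All pages through every unmanaged asset and returns full records
        $Unmanaged = @(Get-FalconAsset -Filter "entity_type:'unmanaged'+$Scope" -Detailed -All)

        [PSCustomObject]@{
            Subnet    = $Cidr
            Managed   = [int]$ManagedTotal
            Unmanaged = $Unmanaged.Count
            # Assumption: detailed records expose properties named like the filter fields
            Assets    = $Unmanaged | Select-Object id, hostname, current_local_ip,
                            mac_addresses, first_seen_timestamp, last_seen_timestamp
        }
    }
}

# Constructed sample ranges; replace with the networks you are responsible for
Get-UnmanagedAssetReport -Subnet '192.168.25.0/24', '10.0.8.0/22' -Days 7 |
    Sort-Object Unmanaged -Descending |
    Format-Table Subnet, Managed, Unmanaged -AutoSize
```

Subnets with a high unmanaged count relative to managed hosts are the first candidates for sensor deployment or network access review; the Assets property of each row holds the records to follow up on.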

2024-09-03: PSFalcon v2.2.7
