Invoke FalconQuarantineAction

bk-cs edited this page Sep 14, 2023 · 22 revisions

Invoke-FalconQuarantineAction

SYNOPSIS

Perform actions on quarantined files

DESCRIPTION

Requires 'Quarantined Files: Write'.

PARAMETERS

Name     Type      Description                      Min  Max  Allowed                     Pipeline  PipelineByName
Action   String    Action to perform                          release, unrelease, delete
Filter   String    Falcon Query Language statement
Query    String    Match phrase prefix
Comment  String    Audit log comment
Id       String[]  Quarantined file identifier                                            X         X

SYNTAX

Invoke-FalconQuarantineAction [-Action] <String> [[-Comment] <String>] [-Id] <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]
Invoke-FalconQuarantineAction [-Action] <String> -Filter <String> [[-Query] <String>] [[-Comment] <String>] [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

PATCH /quarantine/entities/quarantined-files/v1
PATCH /quarantine/queries/quarantined-files/v1

falconpy

UpdateQuarantinedDetectsByIds
UpdateQfByQuery

USAGE

Delete specific quarantined files

Invoke-FalconQuarantineAction -Action delete -Id <id>, <id>

Release quarantined files using a filtered search

Invoke-FalconQuarantineAction -Action release -Filter "device.hostname:'EXAMPLE-PC'"

See Test-FalconQuarantineAction.
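Added example (not from the PSFalcon wiki): a reviewed release that scopes the search to one host with the same FQL filter shown above, but only acts on identifiers whose hash matches the analyst-approved sample, honours -WhatIf, and writes an audit comment. It assumes an authenticated PSFalcon session and that Get-FalconQuarantine -Detailed returns objects with id, sha256 and state properties (those names are assumptions).

```powershell
# Added example, not part of the PSFalcon wiki page. Assumes a PSFalcon session already
# exists (Request-FalconToken) and that Get-FalconQuarantine -Detailed returns objects
# with 'id', 'sha256' and 'state' properties; these property names are assumptions.
function Release-QuarantinedByHash {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F]{64}$')][string]$Sha256,
        [string]$Comment = 'Release approved after analyst review (confirmed false positive)'
    )
    # Scope the lookup to one host using the FQL syntax shown in the USAGE section.
    $filter = "device.hostname:'$Hostname'"
    $files = Get-FalconQuarantine -Filter $filter -Detailed
    if (-not $files) { Write-Warning "No quarantined files found on $Hostname"; return }

    # Act only on entries whose hash matches the reviewed sample and that are still quarantined;
    # releasing by filter alone would also release anything else quarantined on that host.
    $targets = $files | Where-Object { $_.sha256 -eq $Sha256.ToLower() -and $_.state -eq 'quarantined' }
    if (-not $targets) { Write-Warning "No quarantined file with SHA256 $Sha256 on $Hostname"; return }

    foreach ($t in $targets) {
        # ShouldProcess makes -WhatIf / -Confirm work for the wrapper as well as the cmdlet.
        if ($PSCmdlet.ShouldProcess("$($t.id) (sha256 $($t.sha256))", 'release')) {
            # Piping the object binds its 'id' property to -Id (PipelineByName), which selects
            # the entities endpoint; -Comment is recorded in the Falcon audit log.
            $t | Invoke-FalconQuarantineAction -Action release -Comment $Comment
        }
    }
}

# Preview first, then run without -WhatIf once the list looks right:
# Release-QuarantinedByHash -Hostname 'EXAMPLE-PC' -Sha256 ('a' * 64) -WhatIf
```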

2023-04-25: PSFalcon v2.2.5
