-
Notifications
You must be signed in to change notification settings - Fork 69
Invoke FalconRtr
Start a Real-time Response session, execute a command and output the result
Requires 'Real time response: Read', 'Real time response: Write' or 'Real time response (admin): Write' depending on 'Command' provided, plus 'Hosts: Read' if using 'Include' or 'GroupId'.
Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
---|---|---|---|---|---|---|---|
Command | String | Real-time Response command | |||||
Argument | String | Arguments to include with the command | |||||
Timeout | Int32 | Length of time to wait for a result, in seconds [default: 600] | 30 |
600 |
|||
QueueOffline | Boolean | Add non-responsive hosts to the offline queue | |||||
Include | String[] | Include additional properties |
agent_version cid external_ip first_seen hostname last_seen local_ip mac_address os_build os_version platform_name product_type product_type_desc serial_number system_manufacturer system_product_name tags
|
||||
GroupId | String | Host group identifier | |||||
HostId | String[] | Host identifier | X | X |
Invoke-FalconRtr [-Command] <String> [[-Argument] <String>] [[-Timeout] <Int32>] [[-QueueOffline] <Boolean>] [[-Include] <String[]>] -HostId <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]
Invoke-FalconRtr [-Command] <String> [[-Argument] <String>] [[-Timeout] <Int32>] [[-QueueOffline] <Boolean>] [[-Include] <String[]>] -GroupId <String> [-WhatIf] [-Confirm] [<CommonParameters>]
PSFalcon has a custom command named Invoke-FalconRtr
that is designed to perform all the necessary steps to initiate a session with one or more hosts, send a command and output the results. Invoke-FalconRtr
can target one or more host(s) (HostId
), or the members of a Host Group (GroupId
).
Invoke-FalconRtr -Command ls -Arguments C:\Windows -HostId <id>, <id>
Invoke-FalconRtr -Command ls -Arguments C:\Windows -GroupId <id>
WARNING: This command is not designed for a multi-step Real-time Response workflow and will negatively impact certain operations.
For instance, if you were to cd
into a directory and attempt to put
a file by running Invoke-FalconRtr
twice, Invoke-FalconRtr
will reset back to the root of your system drive between the cd
and put
commands, causing the file to be placed in the wrong directory.
If you find that your script needs to be more complex, you can follow the instructions below to create a custom Real-time Response workflow with multiple commands. PSFalcon includes commands for each Real-time Response permission level.
-
Invoke-FalconCommand
,Confirm-FalconCommand
-
Invoke-FalconResponderCommand
,Confirm-FalconResponderCommand
-
Invoke-FalconAdminCommand
,Confirm-FalconAdminCommand
Invoke-FalconRtr -Command runscript -Argument '-CloudFile="HelloWorld"' -HostId <id>, <id> -QueueOffline $true
Get-FalconHost -Filter "platform_name:'Windows'+last_seen:>'now-15m'" -All | Invoke-FalconRtr -Command runscript -Argument '-CloudFile="HelloWorld"'
$Json = [PSCustomObject]@{ Path = 'C:\windows\system32\notepad.exe' } | ConvertTo-Json -Compress
Invoke-FalconRtr -Command falconscript -Argument ('-Name="FileInfo" -JsonInput=```' + "'$Json'" + '```') -HostId <id>
See Upload and execute a local script.
See Upload and execute a local script as a secondary process.
2024-02-08: PSFalcon v2.2.6
- Using PSFalcon
-
Commands and Permissions
- Configuration Import/Export
- Container Security
- Detection and Prevention Policies
- Discover for Cloud and Containers
- Discover
- Event Streams
- Falcon Complete Dashboards
- Falcon Complete Message Center
- Falcon Data Replicator
- Falcon Intelligence
- Falcon Intelligence Recon
- Falcon OverWatch Dashboards
- Falcon Sandbox
- FileVantage
- Firewall Management
- Flight Control
- Horizon
- Host and Host Group Management
- Identity Protection
- Image Assessment
- Incident and Detection Monitoring
- Installation Tokens
- Kubernetes Protection
- MalQuery
- Mobile Host Enrollment
- On-Demand Scanning
- Quarantine
- Real-time Response
- Real-time Response Policy
- Scheduled Reports and Searches
- Sensor Download
- Sensor Update Policy
- Spotlight
- Tailored Intelligence
- Third-party ingestion
- USB Device Control Policy
- Users and Roles
- Zero Trust Assessment
- Examples
-
CrowdStrike SDKs
- PSFalcon - PowerShell
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust