-
Notifications
You must be signed in to change notification settings - Fork 81
Authentication
| Command | Permission |
|---|---|
| Request-FalconToken | |
| Revoke-FalconToken | |
| Test-FalconToken |
During a PowerShell session, you must have a valid OAuth2 access token in order to make requests to the CrowdStrike
Falcon APIs. You can do this using Request-FalconToken, or input your ClientId/ClientSecret when prompted after
issuing a PSFalcon command.
After a valid OAuth2 token is received, it is cached with your credentials. Your cached token is checked and refreshed as needed while running PSFalcon commands.
Request-FalconToken -ClientId 'client_id' -ClientSecret 'client_secret'WARNING: Request-FalconToken defaults to the us-1 cloud. If your environment exists within a different
cloud, the module will attempt to use automatic redirection, except when the target cloud is us-gov-1. Defining
-Cloud or -Hostname ensures that your token request goes to the proper cloud without relying on re-direction
and is required when using us-gov-1.
Authentication token requests are sent to the us-1 cloud by default. You may use the -Cloud or -Hostname
parameters to set it using a cloud, or full URL value. The accepted hostname values can be viewed using tab
auto-completion. Your Cloud/Hostname choice is saved and all requests are sent using the cached information.
In MSSP (also known as "Flight Control") configurations, you can target specific child environments ("CIDs")
using the -MemberCid parameter during authentication token requests. Your choice is saved and all requests are
sent to that particular member CID unless a new Request-FalconToken request is made specifying a new member CID,
or you Revoke-FalconToken.
Revoke-FalconTokenTest-FalconToken can be used to verify whether you have an active OAuth2 access token cached.
PS>Test-FalconToken
Token Hostname ClientId MemberCid
----- -------- -------- ---------
True https://api.crowdstrike.com REDACTED
The Token property of the output from Test-FalconToken provides a [boolean] value of your current status.
PS>(Test-FalconToken).Token
True
PSFalcon does not provide a method for securely handling your API client credentials. The Microsoft.PowerShell.SecretStore
module is a cross-platform option that works with PSFalcon. You can follow the steps below to install the module
and use it with Request-FalconToken.
NOTE: Microsoft.PowerShell.SecretManagement is a pre-requisite for the
Microsoft.PowerShell.SecretStore module. It will be installed during the Install-Module step.
Install-Module -Name Microsoft.PowerShell.SecretStore -Scope CurrentUserNOTE: Using the default configuration, Microsoft.PowerShell.SecretStore will prompt for a password to access
your secret vault. You can remove the password requirement to use the vault with a script or as part of a
scheduled task, which leaves the vault accessible to the account that was used to create it. You will be asked to
create, confirm and remove a password after entering this command.
Set-SecretStoreConfiguration -Scope CurrentUser -Authentication None -Interaction NoneOnce the module is installed and configured as desired, create a vault to store your API client(s):
Register-SecretVault -ModuleName Microsoft.PowerShell.SecretStore -Name MyVaultRequest-FalconToken requires multiple parameters to request a token. Each individual API client can be stored
with the relevant parameters (including MemberCid) in your new vault:
$ApiClient = @{
ClientId = 'my_client_id'
ClientSecret = 'my_client_value'
Hostname = 'https://api.crowdstrike.com'
}
Set-Secret -Name MyApiClient -Secret $ApiClient -Vault MyVaultOnce stored, credentials can be retrieved using your chosen -Name, and you can splat the parameters with
Request-FalconToken:
Get-Secret -Name MyApiClient -Vault MyVault -AsPlainText | ForEach-Object { Request-FalconToken @_ }If desired, a simple function can be added to your PowerShell profile to retrieve your credentials and request a token by name:
function Request-SecretToken ([string] $Name) {
if (-not(Get-Module -Name PSFalcon)) {
Import-Module -Name PSFalcon
} elseif ((Test-FalconToken -ErrorAction SilentlyContinue).Token -eq $true) {
Revoke-FalconToken
}
$Secret = Get-Secret -Name $Name -Vault MyVault -AsPlainText
if ($Secret) {
Request-FalconToken @Secret
} else {
throw "No secret found matching '$String'."
}
}Once added to your profile, you can retrieve your credential set and request a token in a single step:
Request-SecretToken MyApiClient
- Using PSFalcon
-
Commands by Permission
- Actors (Falcon Intelligence)
- Alerts
- API integrations
- App Logs
- Assets
- CAO Hunting
- Case Templates
- Cases
- Channel File Control Settings
- Cloud Security API Assets
- Configuration Assessment
- Content Update Policies
- Correlation Rules
- CSPM registration
- Custom IOA rules
- Device Content
- Device control policies
- Event streams
- Falcon Complete Dashboards
- Falcon Container Image
- Falcon Data Replicator
- Falcon FileVantage
- Falcon FileVantage Content
- Firewall management
- Flight Control
- Host groups
- Host Migration
- Hosts
- Identity Protection Entities
- Identity Protection GraphQL
- Identity Protection Policy Rules
- Incidents
- Indicators (Falcon Intelligence)
- Installation tokens
- Installation token settings
- IOA Exclusions
- IOC Manager APIs
- IOCs
- IT Automation - Policies
- IT Automation - Task Executions
- IT Automation - Tasks
- IT Automation - User Groups
- Kubernetes Protection
- Machine Learning exclusions
- MalQuery
- Malware Families (Falcon Intelligence)
- Message Center
- Mobile Enrollment
- Monitoring rules (Falcon Intelligence Recon)
- NGSIEM
- NGSIEM Dashboards
- NGSIEM Lookup Files
- NGSIEM Parsers
- NGSIEM Saved Queries
- On demand scans (ODS)
- OverWatch Dashboard
- Prevention Policies
- Quarantined Files
- QuickScan Pro
- Real time response
- Real time response (admin)
- Reports (Falcon Intelligence)
- Response policies
- Rules (Falcon Intelligence)
- Sample uploads
- Sandbox (Falcon Intelligence)
- Scheduled Reports
- Sensor Download
- Sensor update policies
- Sensor Usage
- Sensor Visibility Exclusions
- Snapshot
- Snapshot Scanner Image Download
- Tailored Intelligence
- Threatgraph
- User management
- Vulnerabilities
- Vulnerabilities (Falcon Intelligence)
- Workflow
- Zero Trust Assessment
- Other Commands
- Examples
-
CrowdStrike SDKs
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust