Invoke FalconAdminCommand
bk-cs edited this page Nov 30, 2023 · 20 revisions
Issue a Real-time Response admin command to an existing single-host or batch session
Sessions can be started using 'Start-FalconSession'. A successfully created session will contain a 'session_id' or 'batch_id' value which can be used with the '-SessionId' or '-BatchId' parameters.
The 'Wait' parameter will use 'Confirm-FalconAdminCommand' or 'Confirm-FalconGetFile' to check for command results every 20 seconds until complete or processing ends.
Requires 'Real time response (admin): Write'.
Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
---|---|---|---|---|---|---|---|
Command | String | Real-time Response command | | | `cat`, `cd`, `clear`, `cp`, `csrutil`, `cswindiag`, `encrypt`, `env`, `eventlog backup`, `eventlog export`, `eventlog list`, `eventlog view`, `falconscript`, `filehash`, `get`, `getsid`, `help`, `history`, `ifconfig`, `ipconfig`, `kill`, `ls`, `map`, `memdump`, `mkdir`, `mount`, `mv`, `netstat`, `ps`, `put`, `put-and-run`, `reg delete`, `reg load`, `reg query`, `reg set`, `reg unload`, `restart`, `rm`, `run`, `runscript`, `shutdown`, `umount`, `unmap`, `update history`, `update install`, `update list`, `update install`, `users`, `xmemdump`, `zip` | | |
Argument | String | Arguments to include with the command | | | | | |
OptionalHostId | String[] | Restrict execution to specific host identifiers | | | | | |
Timeout | Int32 | Length of time to wait for a result, in seconds [default: 30] | 1 | 600 | | | |
HostTimeout | Int32 | Length of time to wait for a result from target host(s), in seconds | 1 | 600 | | | |
SessionId | String | Session identifier | | | | | X |
BatchId | String | Batch session identifier | | | | | X |
Wait | Switch | Use 'Confirm-FalconAdminCommand' or 'Confirm-FalconGetFile' to retrieve command result | | | | | |
```powershell
Invoke-FalconAdminCommand [-Command] <String> [[-Argument] <String>] [[-OptionalHostId] <String[]>] [[-Timeout] <Int32>] [[-HostTimeout] <Int32>] -BatchId <String> [-Wait] [-WhatIf] [-Confirm] [<CommonParameters>]
```

```powershell
Invoke-FalconAdminCommand [-Command] <String> [[-Argument] <String>] -SessionId <String> [-Wait] [-WhatIf] [-Confirm] [<CommonParameters>]
```
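A read-only triage flow that exercises both parameter sets, added here as an example and not taken from the PSFalcon project. The `-Id` parameter of 'Start-FalconSession', the placeholder host identifiers and file path, and the `aid`/`stdout`/`stderr` result property names are assumptions.

```powershell
# Added example. Values in <angle brackets> are placeholders, not real data.
# Assumes an authenticated PSFalcon session (Request-FalconToken) whose API
# client has 'Real time response (admin): Write'.

# Read-only triage commands, all taken from the allowed 'Command' values
$TriageCommands = @(
    @{ Command = 'ps' }
    @{ Command = 'netstat' }
    @{ Command = 'filehash'; Argument = '<path_to_suspect_file>' }
)

# Single-host session: the 'session_id' property of the session object binds
# to -SessionId by property name, so the object can be piped directly.
# Assumption: Start-FalconSession accepts the host identifier through -Id.
$Single = Start-FalconSession -Id '<host_id>'
$SingleResults = foreach ($Item in $TriageCommands) {
    # -Wait polls for the result every 20 seconds until it completes
    $Single | Invoke-FalconAdminCommand @Item -Wait
}

# Batch session: -OptionalHostId, -Timeout and -HostTimeout are only part of
# the -BatchId parameter set and are rejected together with -SessionId.
# Assumption: several identifiers passed to -Id produce a 'batch_id'.
$Batch = Start-FalconSession -Id '<host_id_1>', '<host_id_2>', '<host_id_3>'

# Preview the request without sending it to any host
Invoke-FalconAdminCommand -Command ps -BatchId $Batch.batch_id -WhatIf

$BatchResults = foreach ($Item in $TriageCommands) {
    # Restrict execution to two members of the batch and allow up to
    # 120 seconds for a result (allowed range: 1 to 600)
    Invoke-FalconAdminCommand @Item -BatchId $Batch.batch_id `
        -OptionalHostId '<host_id_1>', '<host_id_2>' -Timeout 120 -Wait
}

# Assumption: results expose 'aid', 'stdout' and 'stderr' properties
$BatchResults | Select-Object aid, stdout, stderr
```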
POST /real-time-response/combined/batch-admin-command/v1
POST /real-time-response/entities/admin-command/v1
BatchAdminCmd
RTR_ExecuteAdminCommand
2023-11-27: PSFalcon v2.2.6