Invoke FalconResponderCommand
bk-cs edited this page Apr 28, 2023 · 19 revisions
Issue a Real-time Response active-responder command to an existing single-host or batch session
Sessions can be started using 'Start-FalconSession'. A successfully created session will contain a 'session_id' or 'batch_id' value which can be used with the '-SessionId' or '-BatchId' parameters.
The 'Wait' parameter will use 'Confirm-FalconResponderCommand' or 'Confirm-FalconGetFile' to check for command results every 20 seconds until complete or processing ends.
Requires 'Real time response: Write'.
Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
---|---|---|---|---|---|---|---|
Command | String | Real-time Response command | | | `cat`, `cd`, `clear`, `cp`, `csrutil`, `encrypt`, `env`, `eventlog backup`, `eventlog export`, `eventlog list`, `eventlog view`, `filehash`, `get`, `getsid`, `help`, `history`, `ifconfig`, `ipconfig`, `kill`, `ls`, `map`, `memdump`, `mkdir`, `mount`, `mv`, `netstat`, `ps`, `reg delete`, `reg load`, `reg query`, `reg set`, `reg unload`, `restart`, `rm`, `runscript`, `shutdown`, `umount`, `unmap`, `update history`, `update install`, `update list`, `update install`, `users`, `xmemdump`, `zip` | | |
Argument | String | Arguments to include with the command | | | | | |
OptionalHostId | String[] | Restrict execution to specific host identifiers | | | | | |
Timeout | Int32 | Length of time to wait for a result, in seconds [default: 30] | 1 | 600 | | | |
HostTimeout | Int32 | Length of time to wait for a result from target host(s), in seconds | 1 | 600 | | | |
SessionId | String | Session identifier | | | | | X |
BatchId | String | Batch session identifier | | | | | X |
Wait | Switch | Use 'Confirm-FalconResponderCommand' or 'Confirm-FalconGetFile' to retrieve command result | | | | | |
```powershell
Invoke-FalconResponderCommand [-Command] <String> [[-Argument] <String>] [[-OptionalHostId] <String[]>] [[-Timeout] <Int32>] [[-HostTimeout] <Int32>] -BatchId <String> [-Wait] [-WhatIf] [-Confirm] [<CommonParameters>]

Invoke-FalconResponderCommand [-Command] <String> [[-Argument] <String>] -SessionId <String> [-Wait] [-WhatIf] [-Confirm] [<CommonParameters>]
```
POST /real-time-response/combined/batch-active-responder-command/v1
POST /real-time-response/entities/active-responder-command/v1
BatchActiveResponderCmd
RTR_ExecuteActiveResponderCommand
2023-04-25: PSFalcon v2.2.5
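A single-host triage sequence built from the parameters documented above, as an added example that is not part of the PSFalcon wiki or the project's own code. The helper `Invoke-TriageCommand`, the read-only subset of commands, the host identifier placeholder, the file path and the process ID are assumptions of this example, as is the `-Id` parameter of `Start-FalconSession`, which this page does not document.

```powershell
# Added example. Assumes the PSFalcon module is loaded and an API token has already been requested.
$HostId = '<host-id>'   # placeholder: identifier of the host under investigation

# Read-only subset of the allowed commands listed on this page (the subset is this example's choice)
$ReadOnly = @('cat','env','eventlog list','eventlog view','filehash','getsid','history',
    'ifconfig','ipconfig','ls','netstat','ps','reg query','users')

function Invoke-TriageCommand {   # hypothetical helper, not part of PSFalcon
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SessionId,
        [Parameter(Mandatory)] [string] $Command,
        [string] $Argument
    )
    # Refuse anything that changes host state; those commands should be run deliberately
    if ($ReadOnly -notcontains $Command) {
        throw "'$Command' is not in the read-only triage list."
    }
    $Param = @{ SessionId = $SessionId; Command = $Command; Wait = $true }
    if ($Argument) { $Param['Argument'] = $Argument }
    # -Wait checks for the command result every 20 seconds until complete or processing ends
    Invoke-FalconResponderCommand @Param
}

# Assumption: Start-FalconSession accepts the host identifier through -Id
$Session = Start-FalconSession -Id $HostId
if (-not $Session.session_id) { throw "No session_id returned for host $HostId" }

$Triage = @(
    @{ Command = 'ps' },
    @{ Command = 'netstat' },
    @{ Command = 'filehash'; Argument = 'C:\Users\Public\sample.exe' }   # constructed path
)
$Results = foreach ($Step in $Triage) {
    $Output = Invoke-TriageCommand -SessionId $Session.session_id @Step
    [PSCustomObject]@{ Command = $Step.Command; Argument = $Step.Argument; Result = $Output }
}
$Results | Format-List

# State-changing commands support -WhatIf, which reports the action without issuing it
# ('1234' is a constructed process ID)
Invoke-FalconResponderCommand -SessionId $Session.session_id -Command kill -Argument '1234' -WhatIf
```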