-
Notifications
You must be signed in to change notification settings - Fork 81
New FalconIdentityRule
bk-cs edited this page Dec 19, 2024
·
2 revisions
Create Falcon Identity Protection policy rules
Requires 'Identity Protection Policy Rules: Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Name | String | Rule name | |||||
| Action | String | Rule action |
ADD_TO_WATCH_LISTALLOWAPPLY_SSO_POLICYBLOCKFORCE_PASSWORD_CHANGEMFA
|
||||
| Trigger | String | Rule trigger |
accessaccountEventalertfederatedAccess
|
||||
| Enabled | Boolean | Rule enablement status | |||||
| SimulationMode | Boolean | Enable simulation mode | |||||
| Activity | Object | Object containing 'accessType' and/or 'accessTypeCustom', for rule conditions based on access | |||||
| Destination | Object | Object containing 'entityId' and/or 'groupMembership', for rule conditions based on destination | |||||
| SourceEndpoint | Object | Object containing 'entityId' and/or 'groupMembership', for define rule conditions based on source endpoints | |||||
| SourceUser | Object | Object containing 'entityId' and/or 'groupMembership', for define rule conditions based on source users |
New-FalconIdentityRule [-Name] <String> [-Action] <String> [-Trigger] <String> [-Enabled] <Boolean> [-SimulationMode] <Boolean> [[-Activity] <Object>] [[-Destination] <Object>] [[-SourceEndpoint] <Object>] [[-SourceUser] <Object>] [-WhatIf] [-Confirm] [<CommonParameters>]POST /identity-protection/entities/policy-rules/v1
api_preempt_proxy_post_policy_rules
$Param = @{
Name = 'Example policy rule'
Action = 'BLOCK'
Trigger = 'access'
Destination = @{
entityId = @{
exclude = @('guid')
include = @('guid')
}
groupMembership = @{
exclude = @('guid')
include = @('guid')
}
}
Activity = @{
accessType = @{
exclude = @('AUTHENTICATION')
include = @('REMOTE_DESKTOP')
}
accessTypeCustom = @{
exclude = @('EX1')
include = @('INC1','INC2')
}
}
Enabled = $true
SimulationMode = $false
SourceEndpoint = @{
entityId = @{
exclude = @('guid')
include = @('guid','guid')
}
groupMembership = @{
include = @('guid')
}
}
SourceUser = @{
entityId = @{
exclude = @('guid')
include = @('guid','guid')
}
groupMembership = @{
exclude = @('guid')
include = @('guid','guid')
}
}
}
New-FalconIdentityRule @Param2024-12-19: PSFalcon v2.2.8

- Using PSFalcon
-
Commands by Permission
- Actors (Falcon Intelligence)
- Alerts
- API integrations
- App Logs
- Assets
- CAO Hunting
- Case Templates
- Cases
- Channel File Control Settings
- Cloud Security API Assets
- Configuration Assessment
- Content Update Policies
- Correlation Rules
- CSPM registration
- Custom IOA rules
- Device Content
- Device control policies
- Event streams
- Falcon Complete Dashboards
- Falcon Container Image
- Falcon Data Replicator
- Falcon FileVantage
- Falcon FileVantage Content
- Firewall management
- Flight Control
- Host groups
- Host Migration
- Hosts
- Identity Protection Entities
- Identity Protection GraphQL
- Identity Protection Policy Rules
- Incidents
- Indicators (Falcon Intelligence)
- Installation tokens
- Installation token settings
- IOA Exclusions
- IOC Manager APIs
- IOCs
- IT Automation - Policies
- IT Automation - Task Executions
- IT Automation - Tasks
- IT Automation - User Groups
- Kubernetes Protection
- Machine Learning exclusions
- MalQuery
- Malware Families (Falcon Intelligence)
- Message Center
- Mobile Enrollment
- Monitoring rules (Falcon Intelligence Recon)
- NGSIEM
- NGSIEM Dashboards
- NGSIEM Lookup Files
- NGSIEM Parsers
- NGSIEM Saved Queries
- On demand scans (ODS)
- OverWatch Dashboard
- Prevention Policies
- Quarantined Files
- QuickScan Pro
- Real time response
- Real time response (admin)
- Reports (Falcon Intelligence)
- Response policies
- Rules (Falcon Intelligence)
- Sample uploads
- Sandbox (Falcon Intelligence)
- Scheduled Reports
- Sensor Download
- Sensor update policies
- Sensor Usage
- Sensor Visibility Exclusions
- Snapshot
- Snapshot Scanner Image Download
- Tailored Intelligence
- Threatgraph
- User management
- Vulnerabilities
- Vulnerabilities (Falcon Intelligence)
- Workflow
- Zero Trust Assessment
- Other Commands
- Examples
-
CrowdStrike SDKs
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust