Real time Response
NOTE: PSFalcon has a custom command named Invoke-FalconRTR that is designed to perform all the necessary steps to initiate a session with one or more hosts, send a command and output the results.
```powershell
Invoke-FalconRTR -Command ls -Arguments C:\Windows -HostIds <id>, <id>
```

If the hosts you're targeting are currently offline, you can add your Real-time Response commands to the "offline queue" using the -QueueOffline parameter.

```powershell
Invoke-FalconRTR -Command runscript -Arguments "-CloudFile='HelloWorld'" -HostIds <id>, <id> -QueueOffline $true
```

If you find that your script needs to be more complex, you can follow the instructions below to create a custom Real-time Response workflow with multiple commands.
NOTE: PSFalcon includes commands for each Real-time Response permission level.

- Invoke-FalconCommand, Confirm-FalconCommand
- Invoke-FalconResponderCommand, Confirm-FalconResponderCommand
- Invoke-FalconAdminCommand, Confirm-FalconAdminCommand
```powershell
# Batch session: one session across multiple hosts
$Batch = Start-FalconSession -HostIds <id>, <id>
Invoke-FalconCommand -Command ls -Arguments C:\Windows -BatchId $Batch.batch_id
```

NOTE: Required when you expect to exceed the default session expiration time (5 minutes).

```powershell
Update-FalconSession -BatchId $Batch.batch_id
```

```powershell
# Single-host session: the command is submitted, then its result is confirmed
$Session = Start-FalconSession -HostId <id>
$Command = Invoke-FalconCommand -Command ls -Arguments C:\Windows -SessionId $Session.session_id
Confirm-FalconCommand -CloudRequestId $Command.cloud_request_id
```

NOTE: Required when you expect to exceed the default session expiration time (10 minutes).

```powershell
Update-FalconSession -SessionId $Session.session_id
```

NOTE: The command Invoke-FalconDeploy was developed to support mass-deployment of Falcon Forensics. It is designed to upload a file to your 'Put' Files library, create a session with target hosts, push the file to those hosts, then execute it and output the results to CSV.
NOTE: Because Real-time Response does not interact with logged-in users, the executable must be able to run silently and without user interaction.

```powershell
Invoke-FalconDeploy -HostIds <id>, <id> -Path $pwd\File.exe [-QueueOffline]
```

```powershell
# Retrieve a file from multiple hosts with a batch 'get' request
$Get = Invoke-FalconRTR -Command get -Arguments "C:\example.exe" -HostIds <id>, <id>
```

Once the batch 'get' request has been submitted using Invoke-FalconRTR, you can check the status of each batch_get_cmd_req_id to see if the file is ready to download.
```powershell
$Confirm = ($Get.batch_get_cmd_req_id | Group-Object).Name | ForEach-Object {
    Confirm-FalconGetFile -BatchGetCmdReqId $_
}
```

The upload from the host has completed once the file has populated sha256 and created_at values. You can use the sha256 and session_id values to download the files. In the following example, each file is downloaded and saved in your local directory, using the sha256 and aid values to name the archive.
```powershell
$Confirm | Where-Object { $_.sha256 -and $_.created_at -and $_.session_id } | ForEach-Object {
    $Param = @{
        Sha256    = $_.sha256
        SessionId = $_.session_id
        Path      = "$pwd\$($_.aid)_$($_.sha256).7z"
    }
    Receive-FalconGetFile @Param
}
```

NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.
```powershell
# List sessions
Get-FalconSession [-Detailed] [-All]
```

```powershell
# List queued sessions
Get-FalconSession -Ids <id>, <id> -Queue
```

NOTE: PSFalcon has a custom command named Get-FalconQueue which will create a CSV file with information about sessions that have pending queued commands or have been created in the last 7 days (by default). If you wish to get more specific, you can use Get-FalconSession to find queued sessions, and the command below to get detailed information.

```powershell
Get-FalconQueue [-Days]
```

```powershell
# Manage Real-time Response scripts
Send-FalconScript -Path $pwd\hello_world.ps1 -Platform windows -PermissionType group
Get-FalconScript [-Detailed] [-All]
Edit-FalconScript -Id <id>
Remove-FalconScript -Ids <id>, <id>
```

```powershell
# Manage 'Put' files
Send-FalconPutFile -Path $pwd\File.exe
Get-FalconPutFile [-Detailed] [-All]
Remove-FalconPutFile -Ids <id>
```
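As an added example (not code from the PSFalcon wiki or the PSFalcon project), the single-host session workflow above wrapped into one function: it starts a session, submits a read-only command, polls Confirm-FalconCommand until the result is complete, and calls Update-FalconSession while it waits so a long-running command does not hit the 10-minute session expiry. It assumes Confirm-FalconCommand returns objects with complete, stdout and stderr properties, which is the shape of the Real-time Response command-status response; the function name is hypothetical.

```powershell
# Added example (not from the PSFalcon wiki): run one read-only RTR command on a
# single host, wait for the result, and keep the session alive while waiting.
# Assumption: Confirm-FalconCommand returns objects with 'complete', 'stdout' and
# 'stderr' properties (the RTR command-status response shape); not shown on this page.
function Invoke-FalconReadOnlyCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostId,
        [Parameter(Mandatory)][string]$Command,   # a read-only command, e.g. 'ls'
        [string]$Arguments,
        [int]$TimeoutSeconds = 300,               # stop well before the 10-minute expiry
        [int]$RefreshSeconds = 120                # Update-FalconSession cadence
    )
    $Session = Start-FalconSession -HostId $HostId
    if (-not $Session.session_id) { throw "No session was created for host $HostId" }
    # Invoke-FalconCommand is the lowest permission level, so this workflow
    # cannot 'put', 'runscript' or otherwise modify the host.
    $Param = @{ Command = $Command; SessionId = $Session.session_id }
    if ($Arguments) { $Param['Arguments'] = $Arguments }
    $Request = Invoke-FalconCommand @Param
    $Deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $LastRefresh = Get-Date
    do {
        Start-Sleep -Seconds 5
        $Result = Confirm-FalconCommand -CloudRequestId $Request.cloud_request_id
        if ($Result.complete) { break }
        # Refresh the session periodically while the command is still running
        if (((Get-Date) - $LastRefresh).TotalSeconds -ge $RefreshSeconds) {
            Update-FalconSession -SessionId $Session.session_id | Out-Null
            $LastRefresh = Get-Date
        }
    } while ((Get-Date) -lt $Deadline)
    if (-not $Result.complete) {
        throw "Command '$Command' did not complete within $TimeoutSeconds seconds"
    }
    # Surface sensor-side errors rather than returning empty output silently
    if ($Result.stderr) { Write-Warning "stderr from ${HostId}: $($Result.stderr)" }
    [PSCustomObject]@{
        HostId         = $HostId
        CloudRequestId = $Request.cloud_request_id
        Stdout         = $Result.stdout
        Stderr         = $Result.stderr
    }
}
# Invoke-FalconReadOnlyCommand -HostId <id> -Command ls -Arguments C:\Windows
```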