
Real time Response

bk-cs edited this page Jul 9, 2021 · 28 revisions

NOTE: PSFalcon has a custom command named Invoke-FalconRTR that is designed to perform all the necessary steps to initiate a session with one or more hosts, send a command and output the results. This command is not designed for a multi-step Real-time Response workflow and will negatively impact certain operations. For instance, if you were to cd into a directory and attempt to put a file by running Invoke-FalconRTR twice, Invoke-FalconRTR will reset back to the root of your system drive between the cd and put commands, causing the file to be placed in the wrong directory.

Invoke-FalconRTR -Command ls -Arguments C:\Windows -HostIds <id>, <id>

If the hosts you're targeting are currently offline, you can add your Real-time Response commands to the "offline queue" using the -QueueOffline parameter.

Invoke-FalconRTR -Command runscript -Arguments "-CloudFile='HelloWorld'" -HostIds <id>, <id> -QueueOffline $true

If you find that your script needs to be more complex, you can follow the instructions below to create a custom Real-time Response workflow with multiple commands.

NOTE: PSFalcon includes commands for each Real-time Response permission level.

  • Invoke-FalconCommand, Confirm-FalconCommand
  • Invoke-FalconResponderCommand, Confirm-FalconResponderCommand
  • Invoke-FalconAdminCommand, Confirm-FalconAdminCommand

Send Real-time Response commands to a batch of hosts

Start a batch session

$Batch = Start-FalconSession -HostIds <id>, <id>

Send a command using appropriate permissions

Invoke-FalconCommand -Command ls -Arguments C:\Windows -BatchId $Batch.batch_id

Refresh the session to prevent expiration

NOTE: Required when you expect to exceed the default session expiration time (5 minutes).

Update-FalconSession -BatchId $Batch.batch_id

Send Real-time Response commands to a single host

Start a session

$Session = Start-FalconSession -HostId <id>

Send a command using appropriate permissions

$Command = Invoke-FalconCommand -Command ls -Arguments C:\Windows -SessionId $Session.session_id

Retrieve command results

Confirm-FalconCommand -CloudRequestId $Command.cloud_request_id

NOTE: This step is important! Without retrieving the results of an issued command, the Real-time Response session may not reflect that the action has taken place. For instance, if you cd and don't confirm, you'll stay in your current directory.

Refresh the session to prevent expiration

NOTE: Required when you expect to exceed the default session expiration time (10 minutes).

Update-FalconSession -SessionId $Session.session_id
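The following is an added example, not PSFalcon's own code, showing the multi-step single-host workflow above (cd, then put, then ls) that Invoke-FalconRTR cannot perform. It assumes $HostId is a host aid, that the named 'put' file already exists in your library, and that Confirm-FalconAdminCommand returns complete, stdout and stderr fields (assumed output shape; check your PSFalcon version).

```powershell
# Added example (not PSFalcon's own code): a multi-step single-host workflow.
# Assumptions: $HostId is a host aid, $PutFile exists in the 'put' file library,
# and Confirm-FalconAdminCommand returns 'complete', 'stdout' and 'stderr'.
param([string]$HostId, [string]$Directory = 'C:\Temp', [string]$PutFile = 'File.exe')

function Wait-RtrCommand {
    # Poll until the cloud request reports completion; confirming is what makes
    # the session register the cd before the next command runs.
    param([string]$CloudRequestId, [int]$TimeoutSeconds = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $result = Confirm-FalconAdminCommand -CloudRequestId $CloudRequestId
        if ($result.complete) { return $result }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for cloud_request_id $CloudRequestId"
}

$Session = Start-FalconSession -HostId $HostId
$lastRefresh = Get-Date
$steps = @(
    @{ Command = 'cd';  Arguments = $Directory }
    @{ Command = 'put'; Arguments = $PutFile }   # 'put' requires admin permissions
    @{ Command = 'ls' }                          # list the directory we put into
)
foreach ($step in $steps) {
    # Refresh the session before each step if we are nearing the expiration window.
    if (((Get-Date) - $lastRefresh).TotalMinutes -ge 4) {
        Update-FalconSession -SessionId $Session.session_id
        $lastRefresh = Get-Date
    }
    $param = @{ Command = $step.Command; SessionId = $Session.session_id }
    if ($step.Arguments) { $param['Arguments'] = $step.Arguments }
    $cmd = Invoke-FalconAdminCommand @param
    $result = Wait-RtrCommand -CloudRequestId $cmd.cloud_request_id
    if ($result.stderr) { throw "$($step.Command) failed: $($result.stderr)" }
    $result.stdout
}
```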

Use Real-time Response to upload and run an executable

NOTE: The command Invoke-FalconDeploy was developed to support mass-deployment of Falcon Forensics. It is designed to upload a file to your ‘Put’ Files library, create a session with target hosts, push the file to those hosts, then execute it and output the results to CSV.

NOTE: Because Real-time Response does not interact with logged-in users, the executable must run silently and without user interaction.

Invoke-FalconDeploy -HostIds <id>, <id> -Path $pwd\File.exe [-QueueOffline]

Use Real-time Response to download a file from multiple hosts

$Get = Invoke-FalconRTR -Command get -Arguments "C:\example.exe" -HostIds <id>, <id>

Once the batch 'get' request has been submitted using Invoke-FalconRTR, you can check the status of each batch_get_cmd_req_id to see if the file is ready to download.

$Confirm = ($Get.batch_get_cmd_req_id | Group-Object).Name | ForEach-Object {
    Confirm-FalconGetFile -BatchGetCmdReqId $_
}

The upload from the host has completed once the result shows populated sha256 and created_at values. You can use the sha256 and session_id values to download the files. In the following example, each file is downloaded and saved in your local directory, using the aid and sha256 values to name the archive.

$Confirm | Where-Object { $_.sha256 -and $_.created_at -and $_.session_id } | ForEach-Object {
    $Param = @{
        Sha256 = $_.sha256
        SessionId = $_.session_id
        Path = "$pwd\$($_.aid)_$($_.sha256).7z"
    }
    Receive-FalconGetFile @Param
}

You can re-run the previous command examples (Confirm-FalconGetFile and Receive-FalconGetFile) repeatedly to download additional files as their uploads complete from each individual host.
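Rather than re-running Confirm-FalconGetFile and Receive-FalconGetFile by hand, the added example below (not PSFalcon's own code) polls the batch 'get' request ids from $Get until each targeted host's upload is ready, downloading every archive exactly once. It assumes the field names shown above (batch_get_cmd_req_id, sha256, created_at, session_id, aid) and that Invoke-FalconRTR returns one object per targeted host.

```powershell
# Added example (not PSFalcon's own code): poll batch 'get' uploads and download
# each archive once. Assumes $Get is the output of Invoke-FalconRTR -Command get,
# with one object per targeted host, and the field names shown on this page.
function Receive-BatchGetFiles {
    param(
        [Parameter(Mandatory)] $Get,
        [string]$OutputDir = $pwd,
        [int]$TimeoutMinutes = 30,
        [int]$PollSeconds = 30
    )
    $reqIds = ($Get.batch_get_cmd_req_id | Group-Object).Name
    $expected = @($Get).Count   # one upload expected per targeted host
    $done = @{}                 # "<aid>_<sha256>" -> saved archive path
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ($done.Count -lt $expected -and (Get-Date) -lt $deadline) {
        # Only files with sha256, created_at and session_id have finished uploading.
        $ready = $reqIds | ForEach-Object { Confirm-FalconGetFile -BatchGetCmdReqId $_ } |
            Where-Object { $_.sha256 -and $_.created_at -and $_.session_id }
        foreach ($file in $ready) {
            $key = "$($file.aid)_$($file.sha256)"
            if ($done.ContainsKey($key)) { continue }   # already downloaded
            $path = Join-Path $OutputDir "$key.7z"
            Receive-FalconGetFile -Sha256 $file.sha256 -SessionId $file.session_id -Path $path
            $done[$key] = $path
        }
        if ($done.Count -lt $expected) { Start-Sleep -Seconds $PollSeconds }
    }
    # Hosts missing from Saved are still uploading, offline, or queued.
    [pscustomobject]@{ Saved = @($done.Values); Expected = $expected; Completed = $done.Count }
}

Receive-BatchGetFiles -Get $Get
```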

Find Real-time Response sessions

NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.

Get-FalconSession [-Detailed] [-All]

Retrieve detail about Real-time Response sessions

NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.

Get-FalconSession -Ids <id>, <id> -Queue

Retrieve detail about queued Real-time Response sessions

NOTE: PSFalcon has a custom command named Get-FalconQueue which will create a CSV file with information about sessions that have pending queued commands or have been created in the last 7 days (by default). If you wish to get more specific, you can use Get-FalconSession to find queued sessions, and the command below to get detailed information.

Get-FalconQueue [-Days]

Manage Real-time Response scripts

Create a new Real-time Response script

Send-FalconScript -Path $pwd\hello_world.ps1 -Platform windows -PermissionType group

Find Real-time Response scripts

Get-FalconScript [-Detailed] [-All]

Modify Real-time Response scripts

Edit-FalconScript -Id <id>

Delete Real-time Response scripts

Remove-FalconScript -Ids <id>, <id>

Manage Real-time Response ‘put’ files

Create a new Real-time Response ‘put’ file

Send-FalconPutFile -Path $pwd\File.exe

Find Real-time Response ‘put’ files

Get-FalconPutFile [-Detailed] [-All]

Delete Real-time Response ‘put’ files

Remove-FalconPutFile -Ids <id>

See CrowdStrike API Documentation.
