-
Notifications
You must be signed in to change notification settings - Fork 81
Edit FalconReconRule
bk-cs edited this page Dec 19, 2024
·
21 revisions
Modify a Falcon Intelligence Recon monitoring rule
Requires 'Monitoring rules (Falcon Intelligence Recon): Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| InputObject | Object[] | One or more monitoring rules to modify in a single request | X | ||||
| Id | String | Monitoring rule identifier | |||||
| Name | String | Monitoring rule name | |||||
| Filter | String | Monitoring rule filter | |||||
| Priority | String | Monitoring rule priority |
highmediumlow
|
||||
| Permission | String | Permission level [public: 'All Intel users', private: 'Recon Admins'] |
privatepublic
|
||||
| BreachMonitoring | Boolean | Monitor for breach data | |||||
| BreachMonitorOnly | Boolean | Monitor only for breach data. Must be accompanied by BreachMonitoring: True. | |||||
| SubstringMatching | Boolean | Monitor for substring matches. Only available for the 'Typosquatting' topic. | |||||
| MatchOnTsqResultType | String[] | Monitor for basedomains and/or subdomains. Only available for the 'Typosquatting' topic. |
basedomainssubdomains
|
Edit-FalconReconRule [-Id] <String> [-Name] <String> [-Filter] <String> [-Priority] <String> [-Permission] <String> [[-BreachMonitoring] <Boolean>] [[-BreachMonitorOnly] <Boolean>] [[-SubstringMatching] <Boolean>] [[-MatchOnTsqResultType] <String[]>] [-WhatIf] [-Confirm] [<CommonParameters>]Edit-FalconReconRule -InputObject <Object[]> [-WhatIf] [-Confirm] [<CommonParameters>]PATCH /recon/entities/rules/v1
Edit-FalconReconRule -Id <id> -Name psfalcon_example_updated -Priority medium$Array = @(
@{
id = <id>
priority = "high"
},
@{
id = <id>
priority = "high"
}
)
Edit-FalconReconRule -Array $Array2024-12-19: PSFalcon v2.2.8

- Using PSFalcon
-
Commands by Permission
- Actors (Falcon Intelligence)
- Alerts
- API integrations
- App Logs
- Assets
- CAO Hunting
- Case Templates
- Cases
- Channel File Control Settings
- Cloud Security API Assets
- Configuration Assessment
- Content Update Policies
- Correlation Rules
- CSPM registration
- Custom IOA rules
- Device Content
- Device control policies
- Event streams
- Falcon Complete Dashboards
- Falcon Container Image
- Falcon Data Replicator
- Falcon FileVantage
- Falcon FileVantage Content
- Firewall management
- Flight Control
- Host groups
- Host Migration
- Hosts
- Identity Protection Entities
- Identity Protection GraphQL
- Identity Protection Policy Rules
- Incidents
- Indicators (Falcon Intelligence)
- Installation tokens
- Installation token settings
- IOA Exclusions
- IOC Manager APIs
- IOCs
- IT Automation - Policies
- IT Automation - Task Executions
- IT Automation - Tasks
- IT Automation - User Groups
- Kubernetes Protection
- Machine Learning exclusions
- MalQuery
- Malware Families (Falcon Intelligence)
- Message Center
- Mobile Enrollment
- Monitoring rules (Falcon Intelligence Recon)
- NGSIEM
- NGSIEM Dashboards
- NGSIEM Lookup Files
- NGSIEM Parsers
- NGSIEM Saved Queries
- On demand scans (ODS)
- OverWatch Dashboard
- Prevention Policies
- Quarantined Files
- QuickScan Pro
- Real time response
- Real time response (admin)
- Reports (Falcon Intelligence)
- Response policies
- Rules (Falcon Intelligence)
- Sample uploads
- Sandbox (Falcon Intelligence)
- Scheduled Reports
- Sensor Download
- Sensor update policies
- Sensor Usage
- Sensor Visibility Exclusions
- Snapshot
- Snapshot Scanner Image Download
- Tailored Intelligence
- Threatgraph
- User management
- Vulnerabilities
- Vulnerabilities (Falcon Intelligence)
- Workflow
- Zero Trust Assessment
- Other Commands
- Examples
-
CrowdStrike SDKs
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust