Public/incidents.ps1
function Get-FalconBehavior { <# .SYNOPSIS Search for behaviors .DESCRIPTION Requires 'Incidents: Read'. .PARAMETER Id Behavior identifier .PARAMETER Filter Falcon Query Language expression to limit results .PARAMETER Sort Property and direction to sort results .PARAMETER Limit Maximum number of results per request .PARAMETER Offset Position to begin retrieving results .PARAMETER Detailed Retrieve detailed information .PARAMETER All Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK https://github.com/crowdstrike/psfalcon/wiki/Get-FalconBehavior #> [CmdletBinding(DefaultParameterSetName='/incidents/queries/behaviors/v1:get',SupportsShouldProcess)] param( [Parameter(ParameterSetName='/incidents/entities/behaviors/GET/v1:post',Mandatory, ValueFromPipelineByPropertyName,ValueFromPipeline)] [ValidatePattern('^ind:[a-fA-F0-9]{32}:(\d|\-)+$')] [Alias('Ids','behavior_id')] [string[]]$Id, [Parameter(ParameterSetName='/incidents/queries/behaviors/v1:get',Position=1)] [ValidateScript({ Test-FqlStatement $_ })] [string]$Filter, [Parameter(ParameterSetName='/incidents/queries/behaviors/v1:get',Position=2)] [ValidateSet('timestamp.asc','timestamp.desc',IgnoreCase=$false)] [string]$Sort, [Parameter(ParameterSetName='/incidents/queries/behaviors/v1:get',Position=3)] [ValidateRange(1,500)] [int32]$Limit, [Parameter(ParameterSetName='/incidents/queries/behaviors/v1:get')] [int32]$Offset, [Parameter(ParameterSetName='/incidents/queries/behaviors/v1:get')] [switch]$Detailed, [Parameter(ParameterSetName='/incidents/queries/behaviors/v1:get')] [switch]$All, [Parameter(ParameterSetName='/incidents/queries/behaviors/v1:get')] [switch]$Total ) begin { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Query = @('sort','offset','filter','limit') Body = @{ root = @('ids') } } } [System.Collections.Generic.List[string]]$List = @() } process { if ($Id) { @($Id).foreach{ $List.Add($_) }}} end { if ($List) { $PSBoundParameters['Id'] = @($List | Select-Object -Unique) } Invoke-Falcon @Param -Inputs $PSBoundParameters } } function Get-FalconIncident { <# .SYNOPSIS Search for incidents .DESCRIPTION Requires 'Incidents: Read'. .PARAMETER Id Incident identifier .PARAMETER Filter Falcon Query Language expression to limit results .PARAMETER Sort Property and direction to sort results .PARAMETER Limit Maximum number of results per request .PARAMETER Offset Position to begin retrieving results .PARAMETER Detailed Retrieve detailed information .PARAMETER All Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIncident #> [CmdletBinding(DefaultParameterSetName='/incidents/queries/incidents/v1:get',SupportsShouldProcess)] param( [Parameter(ParameterSetName='/incidents/entities/incidents/GET/v1:post',Mandatory, ValueFromPipelineByPropertyName,ValueFromPipeline)] [ValidatePattern('^inc:[a-fA-F0-9]{32}:[a-fA-F0-9]{32}$')] [Alias('Ids','incident_id')] [string[]]$Id, [Parameter(ParameterSetName='/incidents/queries/incidents/v1:get',Position=1)] [ValidateScript({ Test-FqlStatement $_ })] [string]$Filter, [Parameter(ParameterSetName='/incidents/queries/incidents/v1:get',Position=2)] [ValidateSet('assigned_to.asc','assigned_to.desc','assigned_to_name.asc','assigned_to_name.desc', 'end.asc','end.desc','modified_timestamp.asc','modified_timestamp.desc','name.asc','name.desc', 'sort_score.asc','sort_score.desc','start.asc','start.desc','state.asc','state.desc', 'status.asc','status.desc',IgnoreCase=$false)] [string]$Sort, [Parameter(ParameterSetName='/incidents/queries/incidents/v1:get',Position=3)] [ValidateRange(1,500)] [int32]$Limit, [Parameter(ParameterSetName='/incidents/queries/incidents/v1:get')] [int32]$Offset, [Parameter(ParameterSetName='/incidents/queries/incidents/v1:get')] [switch]$Detailed, [Parameter(ParameterSetName='/incidents/queries/incidents/v1:get')] [switch]$All, [Parameter(ParameterSetName='/incidents/queries/incidents/v1:get')] [switch]$Total ) begin { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Query = @('sort','offset','filter','limit') Body = @{ root = @('ids') } } } [System.Collections.Generic.List[string]]$List = @() } process { if ($Id) { @($Id).foreach{ $List.Add($_) }}} end { if ($List) { $PSBoundParameters['Id'] = @($List | Select-Object -Unique) } Invoke-Falcon @Param -Inputs $PSBoundParameters } } function Get-FalconScore { <# .SYNOPSIS Search for CrowdScore values .DESCRIPTION Requires 'Incidents: Read'. .PARAMETER Filter Falcon Query Language expression to limit results .PARAMETER Sort Property and direction to sort results .PARAMETER Limit Maximum number of results per request .PARAMETER Offset Position to begin retrieving results .PARAMETER All Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK https://github.com/crowdstrike/psfalcon/wiki/Get-FalconScore #> [CmdletBinding(DefaultParameterSetName='/incidents/combined/crowdscores/v1:get',SupportsShouldProcess)] param( [Parameter(ParameterSetName='/incidents/combined/crowdscores/v1:get',Position=1)] [ValidateScript({ Test-FqlStatement $_ })] [string]$Filter, [Parameter(ParameterSetName='/incidents/combined/crowdscores/v1:get',Position=2)] [ValidateSet('score.asc','score.desc','timestamp.asc','timestamp.desc',IgnoreCase=$false)] [string]$Sort, [Parameter(ParameterSetName='/incidents/combined/crowdscores/v1:get',Position=3)] [ValidateRange(1,2500)] [int32]$Limit, [Parameter(ParameterSetName='/incidents/combined/crowdscores/v1:get')] [int32]$Offset, [Parameter(ParameterSetName='/incidents/combined/crowdscores/v1:get')] [switch]$All, [Parameter(ParameterSetName='/incidents/combined/crowdscores/v1:get')] [switch]$Total ) process { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Query = @('sort','offset','filter','limit') } } Invoke-Falcon @Param -Inputs $PSBoundParameters } } function Invoke-FalconIncidentAction { <# .SYNOPSIS Perform actions on incidents .DESCRIPTION Requires 'Incidents: Write'. .PARAMETER Name Action to perform .PARAMETER Value Value for the chosen action .PARAMETER UpdateDetects Update status of related 'new' detections .PARAMETER OverwriteDetects Replace existing status for related detections .PARAMETER Id Incident identifier .LINK https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconIncidentAction #> [CmdletBinding(DefaultParameterSetName='/incidents/entities/incident-actions/v1:post',SupportsShouldProcess)] param( [Parameter(ParameterSetName='/incidents/entities/incident-actions/v1:post',Mandatory,Position=1)] [ValidateSet('add_tag','delete_tag','unassign','update_description','update_name','update_status', 'update_assigned_to_v2',IgnoreCase=$false)] [string]$Name, [Parameter(ParameterSetName='/incidents/entities/incident-actions/v1:post',Mandatory,Position=2)] [string]$Value, [Parameter(ParameterSetName='/incidents/entities/incident-actions/v1:post',Position=3)] [Alias('update_detects')] [boolean]$UpdateDetects, [Parameter(ParameterSetName='/incidents/entities/incident-actions/v1:post',Position=4)] [Alias('overwrite_detects')] [boolean]$OverwriteDetects, [Parameter(ParameterSetName='/incidents/entities/incident-actions/v1:post',Mandatory, ValueFromPipelineByPropertyName,ValueFromPipeline,Position=5)] [ValidatePattern('^inc:[a-fA-F0-9]{32}:[a-fA-F0-9]{32}$')] [Alias('Ids','incident_id')] [string[]]$Id ) begin { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Query = @('update_detects','overwrite_detects') Body = @{ root = @('ids') action_parameters = @('name','value') } } Max = 1000 } [System.Collections.Generic.List[string]]$List = @() } process { if ($Id) { @($Id).foreach{ $List.Add($_) }}} end { if ($List) { $PSBoundParameters['Id'] = @($List | Select-Object -Unique) if ($PSBoundParameters.Name -eq 'update_status') { if ($PSBoundParameters.Value -notmatch '^(closed|in_progress|new|reopened)$') { throw "Valid values for 'update_status': 'closed', 'in_progress', 'new', 'reopened'." } else { $PSBoundParameters['Value'] = switch ($PSBoundParameters.Value) { 'new' { '20' } 'reopened' { '25' } 'in_progress' { '30' } 'closed' { '40' } } } } Invoke-Falcon @Param -Inputs $PSBoundParameters } } } |