Public/quarantine.ps1
function Get-FalconQuarantine { <# .SYNOPSIS Search for quarantined files .DESCRIPTION Requires 'Quarantined Files: Read'. .PARAMETER Id Quarantined file identifier .PARAMETER Filter Falcon Query Language expression to limit results .PARAMETER Query Match phrase prefix .PARAMETER Sort Property and direction to sort results .PARAMETER Limit Maximum number of results per request .PARAMETER Offset Position to begin retrieving results .PARAMETER Detailed Retrieve detailed information .PARAMETER All Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK https://github.com/crowdstrike/psfalcon/wiki/Get-FalconQuarantine #> [CmdletBinding(DefaultParameterSetName='/quarantine/queries/quarantined-files/v1:get',SupportsShouldProcess)] param( [Parameter(ParameterSetName='/quarantine/entities/quarantined-files/GET/v1:post',Mandatory, ValueFromPipelineByPropertyName,ValueFromPipeline)] [ValidatePattern('^[a-fA-F0-9]{32}_[A-Fa-f0-9]{64}$')] [Alias('Ids')] [string[]]$Id, [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:get',Position=1)] [ValidateScript({ Test-FqlStatement $_ })] [string]$Filter, [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:get',Position=2)] [Alias('q')] [string]$Query, [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:get',Position=3)] [ValidateSet('hostname.asc','hostname.desc','username.asc','username.desc','date_updated.asc', 'date_updated.desc','date_created.asc','date_created.desc','paths.path.asc','paths.path.desc', 'paths.state.asc','paths.state.desc','state.asc','state.desc',IgnoreCase=$false)] [string]$Sort, [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:get',Position=4)] [ValidateRange(1,5000)] [int32]$Limit, [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:get')] [int32]$Offset, [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:get')] [switch]$Detailed, [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:get')] [switch]$All, [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:get')] [switch]$Total ) begin { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Query = @('sort','limit','filter','offset','q') Body = @{ root = @('ids') } } } [System.Collections.Generic.List[string]]$List = @() } process { if ($Id) { @($Id).foreach{ $List.Add($_) }}} end { if ($List) { $PSBoundParameters['Id'] = @($List | Select-Object -Unique) } Invoke-Falcon @Param -Inputs $PSBoundParameters } } function Invoke-FalconQuarantineAction { <# .SYNOPSIS Perform actions on quarantined files .DESCRIPTION Requires 'Quarantined Files: Write'. .PARAMETER Action Action to perform .PARAMETER Filter Falcon Query Language statement .PARAMETER Query Match phrase prefix .PARAMETER Comment Audit log comment .PARAMETER Id Quarantined file identifier .LINK https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconQuarantineAction #> [CmdletBinding(DefaultParameterSetName='/quarantine/entities/quarantined-files/v1:patch', SupportsShouldProcess)] param( [Parameter(ParameterSetName='/quarantine/entities/quarantined-files/v1:patch',Mandatory,Position=1)] [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:patch',Mandatory,Position=1)] [ValidateSet('release','unrelease','delete',IgnoreCase=$false)] [string]$Action, [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:patch',Mandatory)] [ValidateScript({ Test-FqlStatement $_ })] [string]$Filter, [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:patch',Position=3)] [Alias('q')] [string]$Query, [Parameter(ParameterSetName='/quarantine/entities/quarantined-files/v1:patch',Position=2)] [Parameter(ParameterSetName='/quarantine/queries/quarantined-files/v1:patch',Position=4)] [string]$Comment, [Parameter(ParameterSetName='/quarantine/entities/quarantined-files/v1:patch',Mandatory, ValueFromPipelineByPropertyName,ValueFromPipeline,Position=3)] [ValidatePattern('^[a-fA-F0-9]{32}_[A-Fa-f0-9]{64}$')] [Alias('Ids')] [string[]]$Id ) begin { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Body = @{ root = @('action','filter','ids','comment','q') }} Max = 500 } [System.Collections.Generic.List[string]]$List = @() } process { if ($Id) { @($Id).foreach{ $List.Add($_) }}} end { if ($List) { $PSBoundParameters['Id'] = @($List | Select-Object -Unique) } Invoke-Falcon @Param -Inputs $PSBoundParameters } } function Test-FalconQuarantineAction { <# .SYNOPSIS Check the number of quarantined files potentially affected by a filter-based action .DESCRIPTION Requires 'Quarantined Files: Write'. .PARAMETER Filter Falcon Query Language statement .LINK https://github.com/crowdstrike/psfalcon/wiki/Test-FalconQuarantineAction #> [CmdletBinding(DefaultParameterSetName='/quarantine/aggregates/action-update-count/v1:get', SupportsShouldProcess)] param( [Parameter(ParameterSetName='/quarantine/aggregates/action-update-count/v1:get',Mandatory,Position=1)] [ValidateScript({ Test-FqlStatement $_ })] [string]$Filter ) begin { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Query = @('filter') } } } process { Invoke-Falcon @Param -Inputs $PSBoundParameters } } |