Public/archives.ps1

function Expand-FalconSampleArchive {
<#
.SYNOPSIS
Extract files from an uploaded sample archive to make them available for analysis.

Use the returned 'id' with 'Get-FalconSampleExtraction' to retrieve extraction status.
.DESCRIPTION
Requires 'Sample uploads: Write'.
.PARAMETER ExtractAll
Extract all files from sample [default: True]
.PARAMETER File
Object(s) containing 'name', 'comment', and 'is_confidential' for uniquely handling individual files
.PARAMETER Id
Sample archive identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Expand-FalconSampleArchive
#>

    [CmdletBinding(DefaultParameterSetName='/archives/entities/extractions/v1:post',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/archives/entities/extractions/v1:post',Position=1)]
        [Alias('extract_all')]
        [boolean]$ExtractAll,
        [Parameter(ParameterSetName='/archives/entities/extractions/v1:post',Position=2)]
        [ValidateScript({
            foreach ($Object in $_) {
                $Param = @{
                    Object = $Object
                    Command = 'Expand-FalconSampleArchive'
                    Endpoint = '/archives/entities/extractions/v1:post'
                    Allowed = @('comment','is_confidential','name')
                }
                Confirm-Parameter @Param
            }
        })]
        [Alias('files')]
        [object[]]$File,
        [Parameter(ParameterSetName='/archives/entities/extractions/v1:post',Mandatory,
            ValueFromPipelineByPropertyName,ValueFromPipeline,Position=3)]
        [ValidatePattern('^[A-Fa-f0-9]{64}$')]
        [Alias('sha256')]
        [string]$Id
    )
    begin {
        $Param = @{
            Command = $MyInvocation.MyCommand.Name
            Endpoint = $PSCmdlet.ParameterSetName
            Format = @{ Body = @{ root = @('extract_all','sha256','files') }}
        }
    }
    process {
        if (!$PSBoundParameters.File -and !$PSBoundParameters.ExtractAll) {
            $PSBoundParameters['ExtractAll'] = $true
        }
        Invoke-Falcon @Param -Inputs $PSBoundParameters
    }
}
function Get-FalconSampleArchive {
<#
.SYNOPSIS
Retrieve status for uploaded sample archives or a list of the files inside them
.DESCRIPTION
Requires 'Sample uploads: Read'.
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Limit
Maximum number of results per request
.PARAMETER IncludeFiles
Include list of file names
.PARAMETER Id
Sample archive identifier
.PARAMETER FileList
Return a list of files inside the sample archive
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSampleArchive
#>

    [CmdletBinding(DefaultParameterSetName='/archives/entities/archives/v1:get',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/archives/entities/archives/v1:get',Position=1)]
        [Alias('include_files')]
        [boolean]$IncludeFiles,
        [Parameter(ParameterSetName='/archives/entities/archive-files/v1:get',Position=2)]
        [int]$Limit,
        [Parameter(ParameterSetName='/archives/entities/archive-files/v1:get')]
        [string]$Offset,
        [Parameter(ParameterSetName='/archives/entities/archives/v1:get',Mandatory,ValueFromPipelineByPropertyName,
            ValueFromPipeline)]
        [Parameter(ParameterSetName='/archives/entities/archive-files/v1:get',Mandatory,
            ValueFromPipelineByPropertyName,ValueFromPipeline)]
        [ValidatePattern('^[A-Fa-f0-9-]{32,64}$')]
        [Alias('sha256')]
        [string]$Id,
        [Parameter(ParameterSetName='/archives/entities/archive-files/v1:get',Mandatory)]
        [switch]$FileList
    )
    begin {
        $Param = @{
            Command = $MyInvocation.MyCommand.Name
            Endpoint = $PSCmdlet.ParameterSetName
            Format = @{ Query = @('offset','limit','id','include_files') }
        }
    }
    process { Invoke-Falcon @Param -Inputs $PSBoundParameters }
}
function Get-FalconSampleExtraction {
<#
.SYNOPSIS
Retrieve status for sample archive extractions or the files inside them
.DESCRIPTION
Requires 'Sample uploads: Read'.
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Limit
Maximum number of results per request
.PARAMETER IncludeFiles
Include list of file names
.PARAMETER Id
Sample archive identifier
.PARAMETER FileList
Return the list of files extracted from the sample archive
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSampleExtraction
#>

    [CmdletBinding(DefaultParameterSetName='/archives/entities/extractions/v1:get',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/archives/entities/extractions/v1:get',Position=1)]
        [Alias('include_files')]
        [boolean]$IncludeFiles,
        [Parameter(ParameterSetName='/archives/entities/extraction-files/v1:get',Position=2)]
        [int]$Limit,
        [Parameter(ParameterSetName='/archives/entities/extraction-files/v1:get')]
        [string]$Offset,
        [Parameter(ParameterSetName='/archives/entities/extractions/v1:get',Mandatory,
            ValueFromPipelineByPropertyName,ValueFromPipeline)]
        [Parameter(ParameterSetName='/archives/entities/extraction-files/v1:get',Mandatory,
            ValueFromPipelineByPropertyName,ValueFromPipeline)]
        [ValidatePattern('^[A-Fa-f0-9-]{32,64}$')]
        [Alias('sha256')]
        [string]$Id,
        [Parameter(ParameterSetName='/archives/entities/extraction-files/v1:get',Mandatory)]
        [switch]$FileList
    )
    begin {
        $Param = @{
            Command = $MyInvocation.MyCommand.Name
            Endpoint = $PSCmdlet.ParameterSetName
            Format = @{ Query = @('offset','limit','id','include_files') }
        }
    }
    process { Invoke-Falcon @Param -Inputs $PSBoundParameters }
}
function Remove-FalconSampleArchive {
<#
.SYNOPSIS
Delete a sample archive
.DESCRIPTION
Requires 'Sample uploads: Write'.
.PARAMETER Id
Sample archive identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconSampleArchive
#>

    [CmdletBinding(DefaultParameterSetName='/archives/entities/archives/v1:delete',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/archives/entities/archives/v1:delete',Mandatory,
            ValueFromPipelineByPropertyName,ValueFromPipeline,Position=1)]
        [ValidatePattern('^[A-Fa-f0-9]{64}$')]
        [Alias('sha256')]
        [string]$Id
    )
    begin {
        $Param = @{
            Command = $MyInvocation.MyCommand.Name
            Endpoint = $PSCmdlet.ParameterSetName
            Format = @{ Query = @('id') }
        }
    }
    process { Invoke-Falcon @Param -Inputs $PSBoundParameters }
}
function Send-FalconSampleArchive {
<#
.SYNOPSIS
Upload an archive containing sample files.

Once upload has been completed, use the returned 'sha256' value with 'Expand-FalconSampleArchive' to extract files
for submission to Falcon Intelligence Sandbox or QuickScan.
.DESCRIPTION
Requires 'Sample uploads: Write'.
.PARAMETER IsConfidential
Prohibit sample(s) from being displayed in MalQuery [default: True]
.PARAMETER Comment
Audit log comment
.PARAMETER Password
Password to extract files from archive
.PARAMETER Name
File name
.PARAMETER Path
Path to local file
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Send-FalconSampleArchive
#>

    [CmdletBinding(DefaultParameterSetName='/archives/entities/archives/v2:post',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/archives/entities/archives/v2:post',Position=1)]
        [Alias('is_confidential')]
        [boolean]$IsConfidential,
        [Parameter(ParameterSetName='/archives/entities/archives/v2:post',Position=2)]
        [string]$Comment,
        [Parameter(ParameterSetName='/archives/entities/archives/v2:post',Position=3)]
        [string]$Password,
        [Parameter(ParameterSetName='/archives/entities/archives/v2:post',Position=4)]
        [string]$Name,
        [Parameter(ParameterSetName='/archives/entities/archives/v2:post',Mandatory,
            ValueFromPipelineByPropertyName,Position=5)]
        [ValidateScript({
            if (Test-Path $_ -PathType Leaf) {
                if ($_ -match '\.(7z|zip)$') {
                    $true
                } else {
                    throw 'Only ZIP and 7z files are accepted.'
                }
            } else {
                throw "Cannot find path '$_' because it does not exist or is a directory."
            }
        })]
        [Alias('file','FullName')]
        [string]$Path
    )
    begin {
        $Param = @{
            Command = $MyInvocation.MyCommand.Name
            Endpoint = $PSCmdlet.ParameterSetName
            Format = @{ Formdata = @('is_confidential','comment','file','name','password') }
        }
    }
    process {
        if (!$PSBoundParameters.Name) {
            $PSBoundParameters['Name'] = [System.IO.Path]::GetFileName($PSBoundParameters.Path)
        }
        Invoke-Falcon @Param -Inputs $PSBoundParameters
    }
}