Public/reports.ps1
function Get-FalconScheduledReport { <# .SYNOPSIS Search for scheduled report or searches and their execution information .DESCRIPTION Requires 'Scheduled Reports: Read'. .PARAMETER Id Scheduled report or scheduled search identifier .PARAMETER Filter Falcon Query Language expression to limit results .PARAMETER Query Perform a generic substring search across available fields .PARAMETER Sort Property and direction to sort results .PARAMETER Limit Maximum number of results per request .PARAMETER Offset Position to begin retrieving results .PARAMETER Execution Retrieve information about scheduled report execution .PARAMETER Detailed Retrieve detailed information .PARAMETER All Repeat requests until all available results are retrieved .PARAMETER Total Display total result count instead of results .LINK https://github.com/crowdstrike/psfalcon/wiki/Get-FalconScheduledReport #> [CmdletBinding(DefaultParameterSetName='/reports/queries/scheduled-reports/v1:get',SupportsShouldProcess)] param( [Parameter(ParameterSetName='/reports/entities/scheduled-reports/v1:get',Mandatory, ValueFromPipelineByPropertyName,ValueFromPipeline)] [Parameter(ParameterSetName='/reports/entities/report-executions/v1:get',Mandatory, ValueFromPipelineByPropertyName,ValueFromPipeline)] [ValidatePattern('^[a-fA-F0-9]{32}$')] [Alias('Ids')] [string[]]$Id, [Parameter(ParameterSetName='/reports/queries/scheduled-reports/v1:get',Position=1)] [Parameter(ParameterSetName='/reports/queries/report-executions/v1:get',Position=1)] [ValidateScript({ Test-FqlStatement $_ })] [string]$Filter, [Parameter(ParameterSetName='/reports/queries/scheduled-reports/v1:get',Position=2)] [Parameter(ParameterSetName='/reports/queries/report-executions/v1:get',Position=2)] [Alias('q')] [string]$Query, [Parameter(ParameterSetName='/reports/queries/scheduled-reports/v1:get',Position=3)] [Parameter(ParameterSetName='/reports/queries/report-executions/v1:get',Position=3)] [ValidateSet('created_on.asc','created_on.desc','last_updated_on.asc','last_updated_on.desc', 'last_execution_on.asc','last_execution_on.desc','next_execution_on.asc','next_execution_on.desc', IgnoreCase=$false)] [string]$Sort, [Parameter(ParameterSetName='/reports/queries/scheduled-reports/v1:get',Position=4)] [Parameter(ParameterSetName='/reports/queries/report-executions/v1:get',Position=4)] [ValidateRange(1,5000)] [int32]$Limit, [Parameter(ParameterSetName='/reports/queries/scheduled-reports/v1:get')] [Parameter(ParameterSetName='/reports/queries/report-executions/v1:get')] [int32]$Offset, [Parameter(ParameterSetName='/reports/queries/report-executions/v1:get',Mandatory)] [Parameter(ParameterSetName='/reports/entities/report-executions/v1:get',Mandatory)] [switch]$Execution, [Parameter(ParameterSetName='/reports/queries/scheduled-reports/v1:get')] [Parameter(ParameterSetName='/reports/queries/report-executions/v1:get')] [switch]$Detailed, [Parameter(ParameterSetName='/reports/queries/scheduled-reports/v1:get')] [Parameter(ParameterSetName='/reports/queries/report-executions/v1:get')] [switch]$All, [Parameter(ParameterSetName='/reports/queries/scheduled-reports/v1:get')] [Parameter(ParameterSetName='/reports/queries/report-executions/v1:get')] [switch]$Total ) begin { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Query = @('sort','limit','ids','filter','offset','q') } } [System.Collections.Generic.List[string]]$List = @() } process { if ($Id) { @($Id).foreach{ $List.Add($_) } } elseif ($Execution -and $Detailed) { [void]$PSBoundParameters.Remove('Detailed') $Request = Invoke-Falcon @Param -Inputs $PSBoundParameters if ($Request) { & $MyInvocation.MyCommand.Name -Id $Request -Execution } } else { Invoke-Falcon @Param -Inputs $PSBoundParameters } } end { if ($List) { $PSBoundParameters['Id'] = @($List | Select-Object -Unique) Invoke-Falcon @Param -Inputs $PSBoundParameters } } } function Invoke-FalconScheduledReport { <# .SYNOPSIS Execute a scheduled report .DESCRIPTION Requires 'Scheduled Reports: Read'. .PARAMETER Id Report identifier .LINK https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconScheduledReport #> [CmdletBinding(DefaultParameterSetName='/reports/entities/scheduled-reports/execution/v1:post', SupportsShouldProcess)] param( [Parameter(ParameterSetName='/reports/entities/scheduled-reports/execution/v1:post',Mandatory, ValueFromPipelineByPropertyName,ValueFromPipeline,Position=1)] [ValidatePattern('^[a-fA-F0-9]{32}$')] [string]$Id ) begin { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Body = @{ root = @('raw_array') }} } } process { $PSBoundParameters['raw_array'] = @{ id = $PSBoundParameters.Id } [void]$PSBoundParameters.Remove('Id') Invoke-Falcon @Param -Inputs $PSBoundParameters } } function Receive-FalconScheduledReport { <# .SYNOPSIS Download a scheduled report or search result .DESCRIPTION Requires 'Scheduled Reports: Read'. .PARAMETER Path Destination path .PARAMETER Id Report identifier .PARAMETER Force Overwrite an existing file when present .LINK https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconScheduledReport #> [CmdletBinding(DefaultParameterSetName='/reports/entities/report-executions-download/v1:get', SupportsShouldProcess)] param( [Parameter(ParameterSetName='/reports/entities/report-executions-download/v1:get', ValueFromPipelineByPropertyName,Position=1)] [Alias('result_metadata','last_execution')] [object]$Path, [Parameter(ParameterSetName='/reports/entities/report-executions-download/v1:get',Mandatory, ValueFromPipelineByPropertyName,ValueFromPipeline,Position=2)] [ValidatePattern('^[a-fA-F0-9]{32}$')] [Alias('Ids')] [string]$Id, [Parameter(ParameterSetName='/reports/entities/report-executions-download/v1:get')] [switch]$Force ) begin { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Headers = @{ Accept = 'application/octet-stream' } Format = @{ Query = @('ids') Outfile = 'path' } } } process { if ($PSBoundParameters.Id -and !$PSBoundParameters.Path) { # If 'Id' is present without 'Path', attempt to retry with report/execution detail $Request = Get-FalconScheduledReport -Id $PSBoundParameters.Id -EA 0 if (!$Request) { $Request = Get-FalconScheduledReport -Execution -Id $PSBoundParameters.Id -EA 0 } $Request | & $MyInvocation.MyCommand.Name } else { $PSBoundParameters.Path = switch ($PSBoundParameters.Path) { # Update 'Path' using report detail { $_.result_metadata.report_file_name } { # Update 'Id' using 'last_execution.id' if provided with report properties $PSBoundParameters.Id = $_.id $_.result_metadata.report_file_name } { $_.report_file_name } { $_.report_file_name } { $_ -is [string] } { $_ } } $OutPath = Test-OutFile $PSBoundParameters.Path if ($OutPath.Category -eq 'ObjectNotFound') { Write-Error @OutPath } elseif ($OutPath.Category -eq 'WriteError' -and !$PSBoundParameters.Force) { Write-Error @OutPath } else { Invoke-Falcon @Param -Inputs $PSBoundParameters } } } } function Redo-FalconScheduledReport { <# .SYNOPSIS Retry a scheduled report execution .DESCRIPTION Requires 'Scheduled Reports: Read'. .PARAMETER Id Report identifier .LINK https://github.com/crowdstrike/psfalcon/wiki/Redo-FalconScheduledReport #> [CmdletBinding(DefaultParameterSetName='/reports/entities/report-executions-retry/v1:post', SupportsShouldProcess)] param( [Parameter(ParameterSetName='/reports/entities/report-executions-retry/v1:post',Mandatory, ValueFromPipelineByPropertyName,ValueFromPipeline,Position=1)] [ValidatePattern('^[a-fA-F0-9]{32}$')] [string]$Id ) begin { $Param = @{ Command = $MyInvocation.MyCommand.Name Endpoint = $PSCmdlet.ParameterSetName Format = @{ Body = @{ root = @('raw_array') }} } } process { $PSBoundParameters['raw_array'] = @{ id = $PSBoundParameters.id } [void]$PSBoundParameters.Remove('Id') Invoke-Falcon @Param -Inputs $PSBoundParameters } } |