Public/samples.ps1

function Get-FalconSample {
<#
.SYNOPSIS
Retrieve detailed information about accessible sample files
.DESCRIPTION
Every Sha256 value received by parameter or pipeline is collected, duplicates are removed, and the
resulting list is passed to a single request once all input has been read.

Requires 'Sample Uploads: Read'.
.PARAMETER Id
Sha256 hash value
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSample
#>

    [CmdletBinding(DefaultParameterSetName='/samples/queries/samples/GET/v1:post',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/samples/queries/samples/GET/v1:post',Mandatory,
            ValueFromPipelineByPropertyName,ValueFromPipeline,Position=1)]
        [ValidatePattern('^[A-Fa-f0-9]{64}$')]
        [Alias('sha256s','sha256','Ids')]
        [string[]]$Id
    )
    begin {
        # NOTE(review): the ValidatePattern on Id ends in '$', which in .NET regex also matches before a
        # trailing newline; '\z' is the strict end anchor if exact 64-character input is required.

        # Holds hashes from every pipeline item so 'end' can submit them together
        $Sha256List = New-Object 'System.Collections.Generic.List[string]'
        $Param = @{
            Command  = $MyInvocation.MyCommand.Name
            Endpoint = $PSCmdlet.ParameterSetName
            Format   = @{ Body = @{ root = @('sha256s') }}
        }
    }
    process {
        if ($Id) {
            foreach ($Sha256 in @($Id)) {
                $Sha256List.Add($Sha256)
            }
        }
    }
    end {
        if ($Sha256List) {
            # 'Select-Object -Unique' compares case-sensitively, so the same hash supplied in upper and
            # lower case is kept twice
            $PSBoundParameters['Id'] = @($Sha256List | Select-Object -Unique)
            Invoke-Falcon @Param -Inputs $PSBoundParameters
        }
    }
}
function Receive-FalconSample {
<#
.SYNOPSIS
Download a sample
.DESCRIPTION
Writes the requested sample to 'Path'. The destination is checked before the request is made: nothing is
requested when the check reports 'ObjectNotFound', or when it reports 'WriteError' and 'Force' was not
specified.

Requires 'Sample Uploads: Read'.
.PARAMETER Path
Destination path
.PARAMETER PasswordProtected
Archive and password protect the sample with password 'infected'
.PARAMETER Id
Sha256 hash value
.PARAMETER Force
Overwrite an existing file when present
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconSample
#>

    [CmdletBinding(DefaultParameterSetName='/samples/entities/samples/v3:get',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/samples/entities/samples/v3:get',Mandatory,Position=1)]
        [string]$Path,
        [Parameter(ParameterSetName='/samples/entities/samples/v3:get',Position=2)]
        [Alias('password_protected')]
        [boolean]$PasswordProtected,
        [Parameter(ParameterSetName='/samples/entities/samples/v3:get',Mandatory,ValueFromPipelineByPropertyName,
            ValueFromPipeline,Position=3)]
        [ValidatePattern('^[A-Fa-f0-9]{64}$')]
        [Alias('Ids')]
        [string]$Id,
        [Parameter(ParameterSetName='/samples/entities/samples/v3:get')]
        [switch]$Force
    )
    begin {
        # NOTE(review): the ValidatePattern on Id ends in '$', which in .NET regex also matches before a
        # trailing newline; '\z' is the strict end anchor if exact 64-character input is required.

        # NOTE(review): 'password_protected' is only sent when the caller binds PasswordProtected. Without
        # it the file written to Path is presumably the sample as stored, so the destination should be a
        # location reserved for untrusted samples (confirm the API default).
        $Param = @{
            Command  = $MyInvocation.MyCommand.Name
            Endpoint = $PSCmdlet.ParameterSetName
            Headers  = @{ Accept = 'application/octet-stream' }
            Format   = @{
                Query   = @('ids','password_protected')
                Outfile = 'path'
            }
        }
    }
    process {
        # Test-OutFile is defined outside this file; only its 'Category' value is inspected here and its
        # result is splatted onto Write-Error when the download is refused
        $PathCheck = Test-OutFile $PSBoundParameters.Path
        if ($PathCheck.Category -eq 'ObjectNotFound') {
            Write-Error @PathCheck
            return
        }
        if (-not $PSBoundParameters.Path) {
            return
        }
        if ($PathCheck.Category -eq 'WriteError' -and -not $Force) {
            # Existing file is left untouched unless the caller explicitly asked to overwrite it
            Write-Error @PathCheck
            return
        }
        Invoke-Falcon @Param -Inputs $PSBoundParameters
    }
}
function Remove-FalconSample {
<#
.SYNOPSIS
Remove a sample
.DESCRIPTION
Each Sha256 value received by parameter or pipeline is passed to its own request.

Requires 'Sample Uploads: Write'.
.PARAMETER Id
Sha256 hash value
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconSample
#>

    [CmdletBinding(DefaultParameterSetName='/samples/entities/samples/v3:delete',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/samples/entities/samples/v3:delete',Mandatory,
            ValueFromPipelineByPropertyName,ValueFromPipeline,Position=1)]
        [ValidatePattern('^[A-Fa-f0-9]{64}$')]
        [Alias('Ids')]
        [string]$Id
    )
    begin {
        # NOTE(review): the ValidatePattern on Id ends in '$', which in .NET regex also matches before a
        # trailing newline; '\z' is the strict end anchor if exact 64-character input is required.

        # NOTE(review): SupportsShouldProcess is declared but no ShouldProcess call is made in this
        # function; -WhatIf/-Confirm handling for this removal presumably happens inside Invoke-Falcon.
        # Confirm before relying on it.
        $Param = @{
            Format   = @{ Query = @('ids') }
            Endpoint = $PSCmdlet.ParameterSetName
            Command  = $MyInvocation.MyCommand.Name
        }
    }
    process {
        # Runs once per pipeline item, so every Id results in a separate call
        Invoke-Falcon @Param -Inputs $PSBoundParameters
    }
}
function Send-FalconSample {
<#
.SYNOPSIS
Upload a sample file
.DESCRIPTION
A successful upload will provide a 'sha256' value that can be used in submissions to the Falcon Sandbox or
Falcon QuickScan.
 
Maximum file size is 256MB. ZIP and 7z archives will automatically redirect to 'Send-FalconSampleArchive'.
The redirect is decided by the file extension of 'Path' only.
 
When 'Name' is not supplied, the file name portion of 'Path' is used.
 
Requires 'Sample Uploads: Write'.
.PARAMETER IsConfidential
Prohibit sample from being displayed in MalQuery [default: True]
.PARAMETER Comment
Audit log comment
.PARAMETER Name
File name
.PARAMETER Path
Path to local file
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Send-FalconSample
#>

    [CmdletBinding(DefaultParameterSetName='/samples/entities/samples/v3:post',SupportsShouldProcess)]
    param(
        [Parameter(ParameterSetName='/samples/entities/samples/v3:post',Position=1)]
        [Alias('is_confidential')]
        [boolean]$IsConfidential,
        [Parameter(ParameterSetName='/samples/entities/samples/v3:post',Position=2)]
        [string]$Comment,
        [Parameter(ParameterSetName='/samples/entities/samples/v3:post',ValueFromPipelineByPropertyName,
            Position=3)]
        [Alias('file_name','FileName')]
        [string]$Name,
        [Parameter(ParameterSetName='/samples/entities/samples/v3:post',Mandatory,
            ValueFromPipelineByPropertyName,Position=4)]
        [ValidateScript({
            if (-not (Test-Path $_ -PathType Leaf)) {
                throw "Cannot find path '$_' because it does not exist or is a directory."
            }
            $true
        })]
        [Alias('body','FullName')]
        [string]$Path
    )
    begin {
        # NOTE(review): 'is_confidential' is only sent when the caller binds IsConfidential, so the
        # documented default of True is presumably applied by the API (confirm). Per the parameter help,
        # the value controls whether the sample may be displayed in MalQuery, so an explicit $false should
        # be a deliberate choice.
        $Param = @{
            Command  = $MyInvocation.MyCommand.Name
            Endpoint = $PSCmdlet.ParameterSetName
            Headers  = @{ ContentType = 'application/octet-stream' }
            Format   = @{
                Query = @('comment','file_name','is_confidential')
                Body  = @{ root = @('body') }
            }
        }
    }
    process {
        if (-not $PSBoundParameters.Name) {
            # Default the uploaded file name to the leaf of the local path
            $PSBoundParameters['Name'] = [System.IO.Path]::GetFileName($PSBoundParameters.Path)
        }
        # '-match' is case-insensitive, and only the extension is examined (not the file content)
        $IsArchive = $PSBoundParameters.Path -match '\.(7z|zip)$'
        if (-not $IsArchive) {
            Invoke-Falcon @Param -Inputs $PSBoundParameters
        } else {
            # Archives are handed to the archive cmdlet with the same bound parameters, including any
            # 'Name' filled in above
            Send-FalconSampleArchive @PSBoundParameters
        }
    }
}