public/ioarules.ps1
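function Edit-FalconIoaGroup {
<#
.SYNOPSIS
Modify a custom Indicator of Attack rule group
.DESCRIPTION
All fields (plus 'rulegroup_version') are required when making a rule group change. PSFalcon adds missing values
automatically using data from your existing rule group.

A parameter counts as "provided" when it is bound, so '-Enabled $false' is honored and is not replaced by the
existing rule group's value.

Requires 'Custom IOA rules: Write'.
.PARAMETER Name
Rule group name
.PARAMETER Enabled
Rule group enablement status
.PARAMETER Description
Rule group description
.PARAMETER Comment
Audit log comment
.PARAMETER Id
Rule group identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconIoaGroup
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rule-groups/v1:patch',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:patch',ValueFromPipelineByPropertyName,
      Position=1)]
    [string]$Name,
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:patch',ValueFromPipelineByPropertyName,
      Position=2)]
    [boolean]$Enabled,
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:patch',ValueFromPipelineByPropertyName,
      Position=3)]
    [string]$Description,
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:patch',ValueFromPipelineByPropertyName,
      Position=4)]
    [string]$Comment,
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:patch',Mandatory,
      ValueFromPipelineByPropertyName,Position=5)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('RulegroupId')]
    [string]$Id
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
  }
  process {
    # Reset per pipeline item: variables assigned in 'process' live for the whole pipeline, so without this a
    # second piped rule group would be filled in with the first group's existing values
    $Existing = $null
    $Format = Get-EndpointFormat $PSCmdlet.ParameterSetName
    if ($Format) {
      @($Format.Body.root).Where({ $_ -ne 'id' }).foreach{
        # When not provided, add required fields using existing rule group settings. 'ContainsKey' is used
        # instead of a truthiness test so that an explicit '-Enabled $false' (or an empty string) is kept
        if (!$PSBoundParameters.ContainsKey($_)) {
          # Look up the existing rule group once, on first use; errors are suppressed and the request is still
          # sent, leaving any field that could not be filled in for the API to reject
          if (!$Existing) { $Existing = Get-FalconIoaGroup -Id $PSBoundParameters.Id -EA 0 }
          if ($Existing) {
            # The API body field 'rulegroup_version' maps to the 'version' property of an existing group
            $Value = if ($_ -eq 'rulegroup_version') { $Existing.version } else { $Existing.$_ }
            $PSBoundParameters[$_] = $Value
          }
        }
      }
    }
    Invoke-Falcon @Param -UserInput $PSBoundParameters
  }
}
function Edit-FalconIoaRule {
<#
.SYNOPSIS
Modify custom Indicator of Attack rules within a rule group
.DESCRIPTION
All fields are required when making a rule group change. PSFalcon adds missing values automatically using data from
your existing rule group.

If an existing rule is submitted within 'rule_updates', it will be filtered to the required properties ('comment',
'description', 'disposition_id', 'enabled', 'field_values', 'instance_id', 'name', and 'pattern_severity') including
those under 'field_values' ('name', 'label', 'type' and 'values').

Requires 'Custom IOA rules: Write'.
.PARAMETER Comment
Audit log comment
.PARAMETER RuleUpdate
One or more custom Indicator of Attack rules
.PARAMETER RulegroupId
Rule group identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconIoaRule
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rules/v2:patch',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/rules/v2:patch',Mandatory,ValueFromPipelineByPropertyName,
      Position=1)]
    [string]$Comment,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v2:patch',Mandatory,ValueFromPipelineByPropertyName,
      Position=2)]
    [Alias('rule_updates','rules','RuleUpdates')]
    [object[]]$RuleUpdate,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v2:patch',Mandatory,ValueFromPipelineByPropertyName,
      Position=3)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('rulegroup_id','id')]
    [string]$RulegroupId
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    $Param['Format'] = Get-EndpointFormat $Param.Endpoint
    # Rules collected from every pipeline item; submitted together in 'end'
    [System.Collections.Generic.List[object]]$List = @()
  }
  process {
    if ($RuleUpdate) {
      foreach ($i in $RuleUpdate) {
        if ($i.field_values) {
          # Ensure that 'field_values' are submitted as an array with 'name', 'label', 'type' and 'values'
          [PSCustomObject[]]$i.field_values = $i.field_values | Select-Object name,label,type,values
        }
        # Select required properties defined by 'rule_updates' for endpoint ('rulegroup_version' is a
        # top-level body field, not a per-rule property)
        $i = [PSCustomObject]$i | Select-Object @($Param.Format.Body.rule_updates).Where({
          $_ -ne 'rulegroup_version' })
        $List.Add($i)
      }
    }
  }
  end {
    # Add 'rulegroup_version' from existing IoaGroup (null when the lookup fails; errors are suppressed)
    $PSBoundParameters['rulegroup_version'] = (Get-FalconIoaGroup -Id $RulegroupId -EA 0).version
    if ($List) {
      # Add 'rule_updates' as an array in place of the 'RuleUpdate' parameter
      [void]$PSBoundParameters.Remove('RuleUpdate')
      $PSBoundParameters['rule_updates'] = @($List)
    }
    # Modify 'Format' to ensure 'rule_updates' is properly appended and make request
    [void]$Param.Format.Body.Remove('rule_updates')
    $Param.Format.Body.root += 'rule_updates'
    Invoke-Falcon @Param -UserInput $PSBoundParameters
  }
}
function Get-FalconIoaGroup {
<#
.SYNOPSIS
Search for custom Indicator of Attack rule groups
.DESCRIPTION
Requires 'Custom IOA rules: Read'.
.PARAMETER Id
Rule group identifier
.PARAMETER Filter
Falcon Query Language expression to limit results
.PARAMETER Query
Perform a generic substring search across available fields
.PARAMETER Sort
Property and direction to sort results
.PARAMETER Limit
Maximum number of results per request
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Detailed
Retrieve detailed information
.PARAMETER All
Repeat requests until all available results are retrieved
.PARAMETER Total
Display total result count instead of results
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaGroup
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/queries/rule-groups/v1:get',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:get',Mandatory,ValueFromPipelineByPropertyName,
      ValueFromPipeline)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('ids')]
    [string[]]$Id,
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups/v1:get',Position=1)]
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups-full/v1:get',Position=1)]
    [ValidateScript({ Test-FqlStatement $_ })]
    [string]$Filter,
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups/v1:get',Position=2)]
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups-full/v1:get',Position=2)]
    [Alias('q')]
    [string]$Query,
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups/v1:get',Position=3)]
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups-full/v1:get',Position=3)]
    [ValidateSet('created_by.asc','created_by.desc','created_on.asc','created_on.desc','description.asc',
      'description.desc','enabled.asc','enabled.desc','modified_by.asc','modified_by.desc',
      'modified_on.asc','modified_on.desc','name.asc','name.desc',IgnoreCase=$false)]
    [string]$Sort,
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups/v1:get',Position=4)]
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups-full/v1:get',Position=4)]
    [ValidateRange(1,500)]
    [int32]$Limit,
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups/v1:get')]
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups-full/v1:get')]
    [int32]$Offset,
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups-full/v1:get',Mandatory)]
    [switch]$Detailed,
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups/v1:get')]
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups-full/v1:get')]
    [switch]$All,
    [Parameter(ParameterSetName='/ioarules/queries/rule-groups/v1:get')]
    [switch]$Total
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    # Identifiers collected from every pipeline item; requested together in 'end'
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    if ($Id) { @($Id).foreach{ $List.Add($_) }}
  }
  end {
    if ($List) { $PSBoundParameters['Id'] = @($List) }
    @(Invoke-Falcon @Param -UserInput $PSBoundParameters).foreach{
      # Normalize a present-but-null 'version' to 0 so consumers such as Edit-FalconIoaGroup, which copy
      # 'version' into 'rulegroup_version', always get a number. (The previous test '$_.version -and
      # $null -eq $_.version' could never be true, so the normalization never ran.)
      if ($_.PSObject.Properties['version'] -and $null -eq $_.version) { $_.version = 0 }
      $_
    }
  }
}
function Get-FalconIoaPlatform {
<#
.SYNOPSIS
Search for custom Indicator of Attack platforms
.DESCRIPTION
Requires 'Custom IOA rules: Read'.
.PARAMETER Id
Platform
.PARAMETER Limit
Maximum number of results per request
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Detailed
Retrieve detailed information
.PARAMETER All
Repeat requests until all available results are retrieved
.PARAMETER Total
Display total result count instead of results
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaPlatform
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/queries/platforms/v1:get',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/platforms/v1:get',Mandatory,ValueFromPipelineByPropertyName,
      ValueFromPipeline)]
    [ValidateSet('windows','mac','linux',IgnoreCase=$false)]
    [Alias('ids')]
    [string[]]$Id,
    [Parameter(ParameterSetName='/ioarules/queries/platforms/v1:get',Position=1)]
    [ValidateRange(1,500)]
    [int32]$Limit,
    [Parameter(ParameterSetName='/ioarules/queries/platforms/v1:get')]
    [int32]$Offset,
    [Parameter(ParameterSetName='/ioarules/queries/platforms/v1:get')]
    [switch]$Detailed,
    [Parameter(ParameterSetName='/ioarules/queries/platforms/v1:get')]
    [switch]$All,
    [Parameter(ParameterSetName='/ioarules/queries/platforms/v1:get')]
    [switch]$Total
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    # With identifiers, collect them and request once in 'end'; otherwise run the query request immediately
    if ($Id) {
      @($Id).foreach{ $List.Add($_) }
    } else {
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
  end {
    if ($List) {
      $PSBoundParameters['Id'] = @($List)
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
}
function Get-FalconIoaRule {
<#
.SYNOPSIS
Search for custom Indicator of Attack rules
.DESCRIPTION
Requires 'Custom IOA rules: Read'.
.PARAMETER Id
Rule identifier
.PARAMETER Filter
Falcon Query Language expression to limit results
.PARAMETER Query
Perform a generic substring search across available fields
.PARAMETER Sort
Property and direction to sort results
.PARAMETER Limit
Maximum number of results per request
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Detailed
Retrieve detailed information
.PARAMETER All
Repeat requests until all available results are retrieved
.PARAMETER Total
Display total result count instead of results
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaRule
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/queries/rules/v1:get',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/rules/GET/v1:post',Mandatory,ValueFromPipelineByPropertyName,
      ValueFromPipeline)]
    [ValidatePattern('^\d+$')]
    [Alias('ids')]
    [string[]]$Id,
    [Parameter(ParameterSetName='/ioarules/queries/rules/v1:get',Position=1)]
    [ValidateScript({ Test-FqlStatement $_ })]
    [string]$Filter,
    [Parameter(ParameterSetName='/ioarules/queries/rules/v1:get',Position=2)]
    [Alias('q')]
    [string]$Query,
    [Parameter(ParameterSetName='/ioarules/queries/rules/v1:get',Position=3)]
    [ValidateSet('rules.created_by.asc','rules.created_by.desc','rules.created_on.asc','rules.created_on.desc',
      'rules.current_version.action_label.asc','rules.current_version.action_label.desc',
      'rules.current_version.description.asc','rules.current_version.description.desc',
      'rules.current_version.modified_by.asc','rules.current_version.modified_by.desc',
      'rules.current_version.modified_on.asc','rules.current_version.modified_on.desc',
      'rules.current_version.name.asc','rules.current_version.name.desc',
      'rules.current_version.pattern_severity.asc','rules.current_version.pattern_severity.desc',
      'rules.enabled.asc','rules.enabled.desc','rules.ruletype_name.asc','rules.ruletype_name.desc',
      IgnoreCase=$false)]
    [string]$Sort,
    [Parameter(ParameterSetName='/ioarules/queries/rules/v1:get',Position=4)]
    [ValidateRange(1,500)]
    [int32]$Limit,
    [Parameter(ParameterSetName='/ioarules/queries/rules/v1:get')]
    [int32]$Offset,
    [Parameter(ParameterSetName='/ioarules/queries/rules/v1:get')]
    [switch]$Detailed,
    [Parameter(ParameterSetName='/ioarules/queries/rules/v1:get')]
    [switch]$All,
    [Parameter(ParameterSetName='/ioarules/queries/rules/v1:get')]
    [switch]$Total
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    # With identifiers, collect them and request once in 'end'; otherwise run the query request immediately
    if ($Id) {
      @($Id).foreach{ $List.Add($_) }
    } else {
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
  end {
    if ($List) {
      $PSBoundParameters['Id'] = @($List)
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
}
function Get-FalconIoaSeverity {
<#
.SYNOPSIS
Search for custom Indicator of Attack severity levels
.DESCRIPTION
Requires 'Custom IOA rules: Read'.
.PARAMETER Id
Severity identifier
.PARAMETER Limit
Maximum number of results per request
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Detailed
Retrieve detailed information
.PARAMETER All
Repeat requests until all available results are retrieved
.PARAMETER Total
Display total result count instead of results
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaSeverity
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/queries/pattern-severities/v1:get',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/pattern-severities/v1:get',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline)]
    [ValidateSet('critical','high','medium','low','informational',IgnoreCase=$false)]
    [Alias('ids','pattern_severity')]
    [string[]]$Id,
    [Parameter(ParameterSetName='/ioarules/queries/pattern-severities/v1:get',Position=1)]
    [ValidateRange(1,500)]
    [int32]$Limit,
    [Parameter(ParameterSetName='/ioarules/queries/pattern-severities/v1:get')]
    [int32]$Offset,
    [Parameter(ParameterSetName='/ioarules/queries/pattern-severities/v1:get')]
    [switch]$Detailed,
    [Parameter(ParameterSetName='/ioarules/queries/pattern-severities/v1:get')]
    [switch]$All,
    [Parameter(ParameterSetName='/ioarules/queries/pattern-severities/v1:get')]
    [switch]$Total
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    # With identifiers, collect them and request once in 'end'; otherwise run the query request immediately
    if ($Id) {
      @($Id).foreach{ $List.Add($_) }
    } else {
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
  end {
    if ($List) {
      $PSBoundParameters['Id'] = @($List)
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
}
function Get-FalconIoaType {
<#
.SYNOPSIS
Search for custom Indicator of Attack types
.DESCRIPTION
Requires 'Custom IOA rules: Read'.
.PARAMETER Id
Type identifier
.PARAMETER Limit
Maximum number of results per request
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Detailed
Retrieve detailed information
.PARAMETER All
Repeat requests until all available results are retrieved
.PARAMETER Total
Display total result count instead of results
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconIoaType
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/queries/rule-types/v1:get',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/rule-types/v1:get',Mandatory,ValueFromPipelineByPropertyName,
      ValueFromPipeline)]
    [ValidatePattern('^\d{1,2}$')]
    [Alias('ids','ruletype_id')]
    [string[]]$Id,
    [Parameter(ParameterSetName='/ioarules/queries/rule-types/v1:get',Position=1)]
    [ValidateRange(1,500)]
    [int32]$Limit,
    [Parameter(ParameterSetName='/ioarules/queries/rule-types/v1:get')]
    [int32]$Offset,
    [Parameter(ParameterSetName='/ioarules/queries/rule-types/v1:get')]
    [switch]$Detailed,
    [Parameter(ParameterSetName='/ioarules/queries/rule-types/v1:get')]
    [switch]$All,
    [Parameter(ParameterSetName='/ioarules/queries/rule-types/v1:get')]
    [switch]$Total
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    # With identifiers, collect them and request once in 'end'; otherwise run the query request immediately
    if ($Id) {
      @($Id).foreach{ $List.Add($_) }
    } else {
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
  end {
    if ($List) {
      $PSBoundParameters['Id'] = @($List)
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
}
function New-FalconIoaGroup {
<#
.SYNOPSIS
Create a custom Indicator of Attack rule group
.DESCRIPTION
Requires 'Custom IOA rules: Write'.
.PARAMETER Name
Rule group name
.PARAMETER Platform
Operating system platform
.PARAMETER Description
Rule group description
.PARAMETER Comment
Audit log comment
.LINK
https://github.com/crowdstrike/psfalcon/wiki/New-FalconIoaGroup
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rule-groups/v1:post',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:post',Mandatory,ValueFromPipelineByPropertyName,
      Position=1)]
    [string]$Name,
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:post',Mandatory,ValueFromPipelineByPropertyName,
      Position=2)]
    [ValidateSet('windows','mac','linux',IgnoreCase=$false)]
    [Alias('platform_name')]
    [string]$Platform,
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:post',ValueFromPipelineByPropertyName,
      Position=3)]
    [string]$Description,
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:post',ValueFromPipelineByPropertyName,
      Position=4)]
    [string]$Comment
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
  }
  process {
    Invoke-Falcon @Param -UserInput $PSBoundParameters
  }
}
function New-FalconIoaRule {
<#
.SYNOPSIS
Create a custom Indicator of Attack rule within a rule group
.DESCRIPTION
Requires 'Custom IOA rules: Write'.
.PARAMETER Name
Rule name
.PARAMETER PatternSeverity
Rule severity
.PARAMETER RuletypeId
Rule type
.PARAMETER DispositionId
Disposition identifier [10: Monitor, 20: Detect, 30: Block]
.PARAMETER FieldValue
An array of custom Indicator of Attack properties
.PARAMETER Description
Rule description
.PARAMETER Comment
Audit log comment
.PARAMETER RulegroupId
Rule group identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/New-FalconIoaRule
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rules/v1:post',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:post',Mandatory,ValueFromPipelineByPropertyName,
      Position=1)]
    [string]$Name,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:post',Mandatory,ValueFromPipelineByPropertyName,
      Position=2)]
    [Alias('pattern_severity')]
    [string]$PatternSeverity,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:post',Mandatory,ValueFromPipelineByPropertyName,
      Position=3)]
    [Alias('ruletype_id')]
    [string]$RuletypeId,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:post',Mandatory,ValueFromPipelineByPropertyName,
      Position=4)]
    [ValidateSet(10,20,30)]
    [Alias('disposition_id')]
    [int32]$DispositionId,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:post',Mandatory,ValueFromPipelineByPropertyName,
      Position=5)]
    [Alias('field_values','FieldValues')]
    [object[]]$FieldValue,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:post',ValueFromPipelineByPropertyName,Position=6)]
    [string]$Description,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:post',ValueFromPipelineByPropertyName,Position=7)]
    [string]$Comment,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:post',Mandatory,ValueFromPipelineByPropertyName,
      Position=8)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('rulegroup_id','id')]
    [string]$RulegroupId
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    $Param['Format'] = Get-EndpointFormat $Param.Endpoint
  }
  process {
    if ($PSBoundParameters.FieldValue) {
      # Filter 'field_values' to required fields ('name', 'label', 'type' and 'values')
      [PSCustomObject[]]$PSBoundParameters.FieldValue = $PSBoundParameters.FieldValue |
        Select-Object name,label,type,values
    }
    # Modify 'Format' to ensure 'field_values' is properly appended and make request
    [void]$Param.Format.Body.Remove('field_values')
    $Param.Format.Body.root += 'field_values'
    Invoke-Falcon @Param -UserInput $PSBoundParameters
  }
}
function Remove-FalconIoaGroup {
<#
.SYNOPSIS
Remove custom Indicator of Attack rule groups
.DESCRIPTION
Requires 'Custom IOA rules: Write'.
.PARAMETER Comment
Audit log comment
.PARAMETER Id
Rule group identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconIoaGroup
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rule-groups/v1:delete',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:delete',Position=1)]
    [string]$Comment,
    [Parameter(ParameterSetName='/ioarules/entities/rule-groups/v1:delete',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline,Position=2)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('ids')]
    [string[]]$Id
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    # Identifiers collected from every pipeline item; deleted in one request in 'end'
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    if ($Id) { @($Id).foreach{ $List.Add($_) }}
  }
  end {
    if ($List) {
      $PSBoundParameters['Id'] = @($List)
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
}
function Remove-FalconIoaRule {
<#
.SYNOPSIS
Remove custom Indicator of Attack rules from rule groups
.DESCRIPTION
Requires 'Custom IOA rules: Write'.
.PARAMETER Comment
Audit log comment
.PARAMETER RuleGroupId
Rule group identifier
.PARAMETER Id
Rule identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconIoaRule
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rules/v1:delete',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:delete',Position=1)]
    [string]$Comment,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:delete',Mandatory,ValueFromPipelineByPropertyName,
      Position=2)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('rule_group_id','rulegroup_id','ioa_rule_groups')]
    [string]$RuleGroupId,
    [Parameter(ParameterSetName='/ioarules/entities/rules/v1:delete',Mandatory,ValueFromPipelineByPropertyName,
      Position=3)]
    [ValidatePattern('^\d+$')]
    [Alias('ids','rule_ids','instance_id')]
    [string[]]$Id
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    # Rule identifiers collected from every pipeline item; deleted in one request in 'end'
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    if ($Id) { @($Id).foreach{ $List.Add($_) }}
  }
  end {
    if ($List) {
      $PSBoundParameters['Id'] = @($List)
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
}
function Test-FalconIoaRule {
<#
.SYNOPSIS
Validate fields and patterns of a custom Indicator of Attack rule
.DESCRIPTION
Requires 'Custom IOA rules: Write'.
.PARAMETER Field
An array of rule properties
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Test-FalconIoaRule
#>
  [CmdletBinding(DefaultParameterSetName='/ioarules/entities/rules/validate/v1:post',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/ioarules/entities/rules/validate/v1:post',Mandatory,
      ValueFromPipelineByPropertyName,Position=1)]
    [Alias('fields','field_values')]
    [object[]]$Field
  )
  begin {
    # Body format is declared inline here rather than fetched with Get-EndpointFormat
    $Param = @{
      Command = $MyInvocation.MyCommand.Name
      Endpoint = $PSCmdlet.ParameterSetName
      Format = @{ Body = @{ root = @('fields') }}
    }
  }
  process {
    Invoke-Falcon @Param -UserInput $PSBoundParameters
  }
}
# Tab completion for New-FalconIoaRule: values are looked up from the API when completion is requested
Register-ArgumentCompleter -CommandName New-FalconIoaRule -ParameterName RuleTypeId -ScriptBlock {
  Get-FalconIoaType
}
Register-ArgumentCompleter -CommandName New-FalconIoaRule -ParameterName PatternSeverity -ScriptBlock {
  Get-FalconIoaSeverity
}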