public/real-time-response.ps1

function Confirm-FalconAdminCommand {
<#
.SYNOPSIS
Verify the status of a Real-time Response 'admin' command issued to a single-host session
.DESCRIPTION
Confirms the status of an executed 'admin' command. The single-host Real-time Response APIs require that commands
be confirmed to 'acknowledge' that they have been processed as part of your API-based workflow. Failing to confirm
after commands can lead to unexpected results.

A 'sequence_id' value of 0 is added if the parameter is not specified.

Requires 'Real time response (admin): Write'.
.PARAMETER SequenceId
Sequence identifier
.PARAMETER CloudRequestId
Command request identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Confirm-FalconAdminCommand
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/admin-command/v1:get',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/admin-command/v1:get',Position=1)]
    [Alias('sequence_id')]
    [int32]$SequenceId,
    [Parameter(ParameterSetName='/real-time-response/entities/admin-command/v1:get',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline,Position=2)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('cloud_request_id','task_id')]
    [string]$CloudRequestId
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    if (!$PSBoundParameters.SequenceId) { $PSBoundParameters['SequenceId'] = 0 }
  }
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Confirm-FalconCommand {
<#
.SYNOPSIS
Verify the status of a Real-time Response 'read-only' command issued to a single-host session
.DESCRIPTION
Confirms the status of an executed 'read-only' command. The single-host Real-time Response APIs require that
commands be confirmed to 'acknowledge' that they have been processed as part of your API-based workflow. Failing
to confirm after commands can lead to unexpected results.

A 'sequence_id' value of 0 is added if the parameter is not specified.

Requires 'Real time response: Read'.
.PARAMETER SequenceId
Sequence identifier
.PARAMETER CloudRequestId
Command request identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Confirm-FalconCommand
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/command/v1:get',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/command/v1:get',Position=1)]
    [Alias('sequence_id')]
    [int32]$SequenceId,
    [Parameter(ParameterSetName='/real-time-response/entities/command/v1:get',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline,Position=2)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('cloud_request_id','task_id')]
    [string]$CloudRequestId
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    if (!$PSBoundParameters.SequenceId) { $PSBoundParameters['sequence_id'] = 0 }
  }
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Confirm-FalconGetFile {
<#
.SYNOPSIS
Verify the status of a Real-time Response 'get' command
.DESCRIPTION
Requires 'Real time response: Write'.
.PARAMETER SessionId
Session identifier
.PARAMETER Timeout
Length of time to wait for a result, in seconds [default: 30]
.PARAMETER BatchGetCmdReqId
Batch 'get' command identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Confirm-FalconGetFile
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-get-command/v1:get',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/file/v2:get',Mandatory,
      ValueFromPipelineByPropertyName)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('session_id')]
    [string]$SessionId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-get-command/v1:get',Position=1)]
    [ValidateRange(1,600)]
    [int32]$Timeout,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-get-command/v1:get',Mandatory,
      ValueFromPipelineByPropertyName)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('batch_get_cmd_req_id')]
    [string]$BatchGetCmdReqId
  )
  begin { $Param = @{ Command = $MyInvocation.MyCommand.Name }}
  process {
    # Verify 'Endpoint' using SessionId/BatchGetCmdReqId
    $Endpoint = if ($PSBoundParameters.SessionId) {
      '/real-time-response/entities/file/v2:get'
    } else {
      '/real-time-response/combined/batch-get-command/v1:get'
    }
    @(Invoke-Falcon @Param -Endpoint $Endpoint -UserInput $PSBoundParameters).foreach{
      if ($BatchGetCmdReqId) {
        $_.PSObject.Properties | ForEach-Object {
          # Append 'aid' and 'batch_get_cmd_req_id' to each host result and output
          Set-Property $_.Value aid $_.Name
          Set-Property $_.Value batch_get_cmd_req_id $BatchGetCmdReqId
          $_.Value
        }
      } else {
        $_
      }
    }
  }
}
function Confirm-FalconResponderCommand {
<#
.SYNOPSIS
Verify the status of a Real-time Response 'active-responder' command issued to a single-host session
.DESCRIPTION
Confirms the status of an executed 'active-responder' command. The single-host Real-time Response APIs require
that commands be confirmed to 'acknowledge' that they have been processed as part of your API-based workflow.
Failing to confirm after commands can lead to unexpected results.

A 'sequence_id' value of 0 is added if the parameter is not specified.

Requires 'Real time response: Write'.
.PARAMETER SequenceId
Sequence identifier
.PARAMETER CloudRequestId
Command request identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Confirm-FalconResponderCommand
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/active-responder-command/v1:get',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/active-responder-command/v1:get',Position=1)]
    [Alias('sequence_id')]
    [int32]$SequenceId,
    [Parameter(ParameterSetName='/real-time-response/entities/active-responder-command/v1:get',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline,Position=2)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('cloud_request_id','task_id')]
    [string]$CloudRequestId
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    if (!$PSBoundParameters.SequenceId) { $PSBoundParameters['sequence_id'] = 0 }
  }
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Edit-FalconScript {
<#
.SYNOPSIS
Modify a Real-time Response script
.DESCRIPTION
Requires 'Real time response (admin): Write'.
.PARAMETER Platform
Operating system platform
.PARAMETER PermissionType
Permission level [public: 'Administrators' and 'Active Responders', group: 'Administrators', private: creator]
.PARAMETER Name
Script name
.PARAMETER Description
Script description
.PARAMETER Comment
Audit log comment
.PARAMETER Path
Path to script file
.PARAMETER Id
Script identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Edit-FalconScript
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/scripts/v1:patch',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:patch',
      ValueFromPipelineByPropertyName,Position=1)]
    [ValidateSet('windows','mac','linux',IgnoreCase=$false)]
    [string[]]$Platform,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:patch',
      ValueFromPipelineByPropertyName,Position=2)]
    [ValidateSet('private','group','public',IgnoreCase=$false)]
    [Alias('permission_type')]
    [string]$PermissionType,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:patch',
      ValueFromPipelineByPropertyName,Position=3)]
    [string]$Name,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:patch',
      ValueFromPipelineByPropertyName,Position=4)]
    [string]$Description,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:patch',
      ValueFromPipelineByPropertyName,Position=5)]
    [ValidateLength(1,4096)]
    [Alias('comments_for_audit_log')]
    [string]$Comment,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:patch',Mandatory,
      ValueFromPipelineByPropertyName,Position=6)]
    [Alias('content','FullName')]
    [string]$Path,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:patch',Mandatory,
      ValueFromPipelineByPropertyName,Position=7)]
    [ValidatePattern('^[a-fA-F0-9]{32}_[a-fA-F0-9]{32}$')]
    [string]$Id
  )
  begin {
    $Param = @{
      Command = $MyInvocation.MyCommand.Name
      Endpoint = $PSCmdlet.ParameterSetName
      Headers = @{ ContentType = 'multipart/form-data' }
    }
  }
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Get-FalconLibraryScript {
<#
.SYNOPSIS
Search for scripts in the 'falconscript' library
.DESCRIPTION
Requires 'Real time response (admin): Write'.
.PARAMETER Filter
Falcon Query Language expression to limit results
.PARAMETER Sort
Property and direction to sort results
.PARAMETER Limit
Maximum number of results per request
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Detailed
Retrieve detailed information
.PARAMETER All
Repeat requests until all available results are retrieved
.PARAMETER Total
Display total result count instead of results
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconLibraryScript
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/queries/falcon-scripts/v1:get',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/falcon-scripts/v1:get',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline)]
    [Alias('ids')]
    [string[]]$Id,
    [Parameter(ParameterSetName='/real-time-response/queries/falcon-scripts/v1:get',Position=1)]
    [ValidateScript({ Test-FqlStatement $_ })]
    [string]$Filter,
    [Parameter(ParameterSetName='/real-time-response/queries/falcon-scripts/v1:get',Position=2)]
    [ValidateSet('modified_timestamp.asc','modified_timestamp.desc','name.asc','name.desc',IgnoreCase=$false)]
    [string]$Sort,
    [Parameter(ParameterSetName='/real-time-response/queries/falcon-scripts/v1:get',Position=3)]
    [ValidateRange(1,500)]
    [int32]$Limit,
    [Parameter(ParameterSetName='/real-time-response/queries/falcon-scripts/v1:get')]
    [int32]$Offset,
    [Parameter(ParameterSetName='/real-time-response/queries/falcon-scripts/v1:get')]
    [switch]$Detailed,
    [Parameter(ParameterSetName='/real-time-response/queries/falcon-scripts/v1:get')]
    [switch]$All,
    [Parameter(ParameterSetName='/real-time-response/queries/falcon-scripts/v1:get')]
    [switch]$Total
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    if ($Id) { @($Id).foreach{ $List.Add($_) }} else { Invoke-Falcon @Param -UserInput $PSBoundParameters }
  }
  end {
    if ($List) {
      $PSBoundParameters['Id'] = @($List)
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
}
function Get-FalconPutFile {
<#
.SYNOPSIS
Search for Real-time Response 'put' files
.DESCRIPTION
Requires 'Real time response (admin): Write'.
.PARAMETER Id
'Put' file identifier
.PARAMETER Filter
Falcon Query Language expression to limit results
.PARAMETER Sort
Property and direction to sort results
.PARAMETER Limit
Maximum number of results per request
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Detailed
Retrieve detailed information
.PARAMETER All
Repeat requests until all available results are retrieved
.PARAMETER Total
Display total result count instead of results
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconPutFile
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/queries/put-files/v1:get',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/put-files/v2:get',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline)]
    [ValidatePattern('^[a-fA-F0-9]{32}_[a-fA-F0-9]{32}$')]
    [Alias('ids')]
    [string[]]$Id,
    [Parameter(ParameterSetName='/real-time-response/queries/put-files/v1:get',Position=1)]
    [ValidateScript({ Test-FqlStatement $_ })]
    [string]$Filter,
    [Parameter(ParameterSetName='/real-time-response/queries/put-files/v1:get',Position=2)]
    [string]$Sort,
    [Parameter(ParameterSetName='/real-time-response/queries/put-files/v1:get',Position=3)]
    [ValidateRange(1,100)]
    [int32]$Limit,
    [Parameter(ParameterSetName='/real-time-response/queries/put-files/v1:get')]
    [int32]$Offset,
    [Parameter(ParameterSetName='/real-time-response/queries/put-files/v1:get')]
    [switch]$Detailed,
    [Parameter(ParameterSetName='/real-time-response/queries/put-files/v1:get')]
    [switch]$All,
    [Parameter(ParameterSetName='/real-time-response/queries/put-files/v1:get')]
    [switch]$Total
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    if ($Id) { @($Id).foreach{ $List.Add($_) }} else { Invoke-Falcon @Param -UserInput $PSBoundParameters }
  }
  end {
    if ($List) {
      $Param['Max'] = 200
      $PSBoundParameters['Id'] = @($List)
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
}
function Get-FalconScript {
<#
.SYNOPSIS
Search for custom Real-time Response scripts
.DESCRIPTION
Requires 'Real time response (admin): Write'.
.PARAMETER Id
Script identifier
.PARAMETER Filter
Falcon Query Language expression to limit results
.PARAMETER Sort
Property and direction to sort results
.PARAMETER Limit
Maximum number of results per request
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Detailed
Retrieve detailed information
.PARAMETER All
Repeat requests until all available results are retrieved
.PARAMETER Total
Display total result count instead of results
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconScript
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/queries/scripts/v1:get',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v2:get',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline)]
    [ValidatePattern('^[a-fA-F0-9]{32}_[a-fA-F0-9]{32}$')]
    [Alias('ids')]
    [string[]]$Id,
    [Parameter(ParameterSetName='/real-time-response/queries/scripts/v1:get',Position=1)]
    [ValidateScript({ Test-FqlStatement $_ })]
    [string]$Filter,
    [Parameter(ParameterSetName='/real-time-response/queries/scripts/v1:get',Position=2)]
    [string]$Sort,
    [Parameter(ParameterSetName='/real-time-response/queries/scripts/v1:get',Position=3)]
    [ValidateRange(1,100)]
    [int32]$Limit,
    [Parameter(ParameterSetName='/real-time-response/queries/scripts/v1:get')]
    [int32]$Offset,
    [Parameter(ParameterSetName='/real-time-response/queries/scripts/v1:get')]
    [switch]$Detailed,
    [Parameter(ParameterSetName='/real-time-response/queries/scripts/v1:get')]
    [switch]$All,
    [Parameter(ParameterSetName='/real-time-response/queries/scripts/v1:get')]
    [switch]$Total
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    if ($Id) { @($Id).foreach{ $List.Add($_) }} else { Invoke-Falcon @Param -UserInput $PSBoundParameters }
  }
  end {
    if ($List) {
      $PSBoundParameters['Id'] = @($List)
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
}
function Get-FalconSession {
<#
.SYNOPSIS
Search for Real-time Response sessions
.DESCRIPTION
Real-time Response sessions are segmented by permission, meaning that only sessions that were created using
your OAuth2 API Client will be visible. Use the 'Cid' switch to enable viewing of sessions from your entire
environment.

'Get-FalconQueue' can be used to find and export information about sessions in the 'offline queue'.

Requires 'Real time response: Read', and 'Real time response audit: Read' when using the 'Cid' switch.
.PARAMETER Id
Session identifier
.PARAMETER Filter
Falcon Query Language expression to limit results
.PARAMETER Sort
Property and direction to sort results
.PARAMETER Limit
Maximum number of results per request
.PARAMETER WithCommandInfo
Include executed command detail when displaying all sessions in the environment
.PARAMETER Offset
Position to begin retrieving results
.PARAMETER Cid
Expand search to include all sessions created within your environment
.PARAMETER Queue
Restrict search to sessions that have been queued
.PARAMETER Detailed
Retrieve detailed information
.PARAMETER All
Repeat requests until all available results are retrieved
.PARAMETER Total
Display total result count instead of results
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Get-FalconSession
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/queries/sessions/v1:get',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/queued-sessions/GET/v1:post',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline)]
    [Parameter(ParameterSetName='/real-time-response/entities/sessions/GET/v1:post',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('ids')]
    [string[]]$Id,
    [Parameter(ParameterSetName='/real-time-response/queries/sessions/v1:get',Position=1)]
    [Parameter(ParameterSetName='/real-time-response-audit/combined/sessions/v1:get',Position=1)]
    [ValidateScript({ Test-FqlStatement $_ })]
    [string]$Filter,
    [Parameter(ParameterSetName='/real-time-response/queries/sessions/v1:get',Position=2)]
    [Parameter(ParameterSetName='/real-time-response-audit/combined/sessions/v1:get',Position=2)]
    [string]$Sort,
    [Parameter(ParameterSetName='/real-time-response/queries/sessions/v1:get',Position=3)]
    [Parameter(ParameterSetName='/real-time-response-audit/combined/sessions/v1:get',Position=3)]
    [ValidateRange(1,1000)]
    [int32]$Limit,
    [Parameter(ParameterSetName='/real-time-response-audit/combined/sessions/v1:get',Position=4)]
    [Alias('with_command_info')]
    [boolean]$CommandInfo,
    [Parameter(ParameterSetName='/real-time-response/queries/sessions/v1:get')]
    [Parameter(ParameterSetName='/real-time-response-audit/combined/sessions/v1:get')]
    [int32]$Offset,
    [Parameter(ParameterSetName='/real-time-response-audit/combined/sessions/v1:get',Mandatory)]
    [switch]$Cid,
    [Parameter(ParameterSetName='/real-time-response/entities/queued-sessions/GET/v1:post',Mandatory)]
    [switch]$Queue,
    [Parameter(ParameterSetName='/real-time-response/queries/sessions/v1:get')]
    [switch]$Detailed,
    [Parameter(ParameterSetName='/real-time-response/queries/sessions/v1:get')]
    [Parameter(ParameterSetName='/real-time-response-audit/combined/sessions/v1:get')]
    [switch]$All,
    [Parameter(ParameterSetName='/real-time-response/queries/sessions/v1:get')]
    [Parameter(ParameterSetName='/real-time-response-audit/combined/sessions/v1:get')]
    [switch]$Total
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process {
    if ($Id) { @($Id).foreach{ $List.Add($_) }} else { Invoke-Falcon @Param -UserInput $PSBoundParameters }
  }
  end {
    if ($List) {
      $PSBoundParameters['Id'] = @($List)
      Invoke-Falcon @Param -UserInput $PSBoundParameters
    }
  }
}
function Invoke-FalconAdminCommand {
<#
.SYNOPSIS
Issue a Real-time Response admin command to an existing single-host or batch session
.DESCRIPTION
Sessions can be started using 'Start-FalconSession'. A successfully created session will contain a 'session_id'
or 'batch_id' value which can be used with the '-SessionId' or '-BatchId' parameters.

The 'Wait' parameter will use 'Confirm-FalconAdminCommand' or 'Confirm-FalconGetFile' to check for command
results every 20 seconds until complete or processing ends.

Requires 'Real time response (admin): Write'.
.PARAMETER Command
Real-time Response command
.PARAMETER Argument
Arguments to include with the command
.PARAMETER OptionalHostId
Restrict execution to specific host identifiers
.PARAMETER Timeout
Length of time to wait for a result, in seconds [default: 30]
.PARAMETER HostTimeout
Length of time to wait for a result from target host(s), in seconds
.PARAMETER SessionId
Session identifier
.PARAMETER BatchId
Batch session identifier
.PARAMETER Wait
Use 'Confirm-FalconAdminCommand' or 'Confirm-FalconGetFile' to retrieve command result
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconAdminCommand
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-admin-command/v1:post',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/admin-command/v1:post',Mandatory,Position=1)]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-admin-command/v1:post',Mandatory,
      Position=1)]
    [ValidateSet('cat','cd','clear','cp','csrutil','cswindiag','encrypt','env','eventlog backup','eventlog export',
      'eventlog list','eventlog view','falconscript','filehash','get','getsid','help','history','ifconfig',
      'ipconfig','kill','ls','map','memdump','mkdir','mount','mv','netstat','ps','put','put-and-run','reg delete',
      'reg load','reg query','reg set','reg unload','restart','rm','run','runscript','shutdown','tar','umount',
      'unmap','update history','update install','update list','update query','users','xmemdump','zip',
      IgnoreCase=$false)]
    [Alias('base_command')]
    [string]$Command,
    [Parameter(ParameterSetName='/real-time-response/entities/admin-command/v1:post',Position=2)]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-admin-command/v1:post',Position=2)]
    [Alias('Arguments')]
    [string]$Argument,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-admin-command/v1:post',Position=3)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('optional_hosts','OptionalHostIds')]
    [string[]]$OptionalHostId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-admin-command/v1:post',Position=4)]
    [ValidateRange(1,600)]
    [int32]$Timeout,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-admin-command/v1:post',Position=5)]
    [ValidateRange(1,600)]
    [Alias('host_timeout_duration')]
    [int32]$HostTimeout,
    [Parameter(ParameterSetName='/real-time-response/entities/admin-command/v1:post',Mandatory,
      ValueFromPipelineByPropertyName)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('session_id')]
    [string]$SessionId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-admin-command/v1:post',Mandatory,
      ValueFromPipelineByPropertyName)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('batch_id')]
    [string]$BatchId,
    [Parameter(ParameterSetName='/real-time-response/entities/admin-command/v1:post')]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-admin-command/v1:post')]
    [switch]$Wait
  )
  begin {
    $Param = @{
      Command = $MyInvocation.MyCommand.Name
      Format = @{
        Query = @('timeout','host_timeout_duration')
        Body = @{ root = @('session_id','base_command','command_string','optional_hosts','batch_id') }
      }
    }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process { if ($OptionalHostId) { @($OptionalHostId).foreach{ $List.Add($_) }}}
  end {
    if ($PSBoundParameters.BatchId -and $PSBoundParameters.Command -eq 'get') {
      # Redirect to 'Invoke-FalconBatchGet' for multi-host 'get' requests
      $GetParam = @{
        FilePath = $PSBoundParameters.Argument
        BatchId = $PSBoundParameters.BatchId
        Wait = $PSBoundParameters.Wait
      }
      if ($Timeout) { $GetParam['Timeout'] = $PSBoundParameters.Timeout }
      if ($List) { $GetParam['OptionalHostId'] = @($List) }
      Invoke-FalconBatchGet @GetParam
    } else {
      # Verify 'Endpoint' using BatchId/SessionId
      [string]$Endpoint = if ($PSBoundParameters.BatchId) {
        if ($List) { $PSBoundParameters['OptionalHostId'] = @($List) }
        '/real-time-response/combined/batch-admin-command/v1:post'
      } elseif ($PSBoundParameters.SessionId) {
        '/real-time-response/entities/admin-command/v1:post'
      }
      if ($Endpoint) {
        if ($PSBoundParameters.HostTimeout) {
          # Add 's' to denote seconds for 'host_timeout_duration'
          $PSBoundParameters.HostTimeout = [string]::Concat($PSBoundParameters.HostTimeout,'s')
        }
        $PSBoundParameters['command_string'] = if ($PSBoundParameters.Argument) {
          # Join 'Command' and 'Argument' into 'command_string'
          @($PSBoundParameters.Command,$PSBoundParameters.Argument) -join ' '
          [void]$PSBoundParameters.Remove('Argument')
        } else {
          $PSBoundParameters.Command
        }
        foreach ($Request in (Invoke-Falcon @Param -Endpoint $Endpoint -UserInput $PSBoundParameters)) {
          if ($BatchId -and @($Request.PSObject.Properties.Value).Where({$_.session_id})) {
            $Request = @($Request.PSObject.Properties.Value).Where({$_.session_id}).foreach{
              # Append 'batch_id' to command results with a 'session_id'
              Set-Property $_ batch_id $BatchId
              $_
            }
          }
          if ($Wait -and $Command -eq 'get') {
            Wait-RtrGet $Request $MyInvocation.MyCommand.Name
          } elseif ($Wait -and $SessionId) {
            Wait-RtrCommand $Request $MyInvocation.MyCommand.Name
          } else {
            Write-Host ($Request | ConvertTo-Json)
            $Request
          }
        }
      }
    }
  }
}
function Invoke-FalconBatchGet {
<#
.SYNOPSIS
Issue a Real-time Response batch 'get' command to an existing batch session
.DESCRIPTION
When a 'get' command has been issued, the 'batch_get_cmd_req_id' property will be returned. That value is used
to verify the completion of the file transfer using 'Confirm-FalconGetFile'.

The 'Wait' parameter will use 'Confirm-FalconGetFile' to check for command results every 20 seconds until complete
or processing ends.

Requires 'Real time response: Write'.
.PARAMETER FilePath
Path to file on target host
.PARAMETER OptionalHostId
Restrict execution to specific host identifiers
.PARAMETER Timeout
Length of time to wait for a result, in seconds [default: 30]
.PARAMETER HostTimeout
Length of time to wait for a result from target host(s), in seconds
.PARAMETER BatchId
Batch session identifier
.PARAMETER Wait
Use 'Confirm-FalconGetFile' to retrieve command result
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconBatchGet
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-get-command/v1:post',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/combined/batch-get-command/v1:post',Mandatory,Position=1)]
    [Alias('file_path')]
    [string]$FilePath,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-get-command/v1:post',Position=2)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('optional_hosts','OptionalHostIds')]
    [string[]]$OptionalHostId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-get-command/v1:post',Position=3)]
    [ValidateRange(1,600)]
    [int32]$Timeout,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-get-command/v1:post',Position=4)]
    [ValidateRange(1,600)]
    [Alias('host_timeout_duration')]
    [int32]$HostTimeout,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-get-command/v1:post',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('batch_id')]
    [string]$BatchId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-get-command/v1:post')]
    [switch]$Wait
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process { if ($OptionalHostId) { @($OptionalHostId).foreach{ $List.Add($_) }}}
  end {
    if ($List) { $PSBoundParameters['OptionalHostId'] = @($List) }
    if ($PSBoundParameters.HostTimeout) {
      # Add 's' to denote seconds for 'host_timeout_duration'
      $PSBoundParameters.HostTimeout = [string]::Concat($PSBoundParameters.HostTimeout,'s')
    }
    foreach ($Request in (Invoke-Falcon @Param -UserInput $PSBoundParameters)) {
      if ($Request.batch_get_cmd_req_id -and $Request.combined.resources) {
        # Output result with 'batch_get_cmd_req_id' and 'hosts' values
        $Request = [PSCustomObject]@{
          batch_get_cmd_req_id = $Request.batch_get_cmd_req_id
          hosts = @($Request.combined.resources.PSObject.Properties.Value).foreach{
            # Append 'batch_get_cmd_req_id'
            Set-Property $_ batch_get_cmd_req_id $Request.batch_get_cmd_req_id
            $_
          }
        }
        @($Request.hosts).Where({$_.errors}).foreach{
          # Write warning for hosts in batch that produced errors
          $PSCmdlet.WriteWarning(('[Invoke-FalconBatchGet]',($_.errors.code,
            $_.errors.message -join ': '),('[aid: {0}]' -f $_.aid) -join ' '))
        }
        @($Request.hosts).Where({$_.stderr}).foreach{
          # Write warning for hosts in batch that produced 'stderr'
          $PSCmdlet.WriteWarning(('[Invoke-FalconBatchGet]',$_.stderr,
            ('[aid: {0}' -f $_.aid) -join ' '))
        }
      }
      if ($Wait) { Wait-RtrGet $Request $MyInvocation.MyCommand.Name } else { $Request }
    }
  }
}
function Invoke-FalconCommand {
<#
.SYNOPSIS
Issue a Real-time Response read-only command to an existing single-host or batch session
.DESCRIPTION
Sessions can be started using 'Start-FalconSession'. A successfully created session will contain a 'session_id'
or 'batch_id' value which can be used with the '-SessionId' or '-BatchId' parameters.

The 'Wait' parameter will use 'Confirm-FalconCommand' to check for command results every 20 seconds until complete
or processing ends.

Requires 'Real time response: Read'.
.PARAMETER Command
Real-time Response command
.PARAMETER Argument
Arguments to include with the command
.PARAMETER OptionalHostId
Restrict execution to specific host identifiers
.PARAMETER Timeout
Length of time to wait for a result, in seconds [default: 30]
.PARAMETER HostTimeout
Length of time to wait for a result from target host(s), in seconds
.PARAMETER SessionId
Session identifier
.PARAMETER BatchId
Batch session identifier
.PARAMETER Wait
Use 'Confirm-FalconCommand' to retrieve command result
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconCommand
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-command/v1:post',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/command/v1:post',Mandatory,Position=1)]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-command/v1:post',Mandatory,Position=1)]
    [ValidateSet('cat','cd','clear','csrutil','env','eventlog backup','eventlog export','eventlog list',
      'eventlog view','filehash','getsid','help','history','ifconfig','ipconfig','ls','mount','netstat',
      'ps','reg query','users',IgnoreCase=$false)]
    [Alias('base_command')]
    [string]$Command,
    [Parameter(ParameterSetName='/real-time-response/entities/command/v1:post',Position=2)]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-command/v1:post',Position=2)]
    [Alias('Arguments')]
    [string]$Argument,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-command/v1:post',Position=3)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('optional_hosts','OptionalHostIds')]
    [string[]]$OptionalHostId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-command/v1:post',Position=4)]
    [ValidateRange(1,600)]
    [int32]$Timeout,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-command/v1:post',Position=5)]
    [ValidateRange(1,600)]
    [Alias('host_timeout_duration')]
    [int32]$HostTimeout,
    [Parameter(ParameterSetName='/real-time-response/entities/command/v1:post',Mandatory,
      ValueFromPipelineByPropertyName)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('session_id')]
    [string]$SessionId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-command/v1:post',Mandatory,
      ValueFromPipelineByPropertyName)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('batch_id')]
    [string]$BatchId,
    [Parameter(ParameterSetName='/real-time-response/entities/command/v1:post')]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-command/v1:post')]
    [switch]$Wait
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process { if ($OptionalHostId) { @($OptionalHostId).foreach{ $List.Add($_) }}}
  end {
    # Verify 'Endpoint' using BatchId/SessionId
    $Endpoint = if ($PSBoundParameters.BatchId) {
      if ($List) { $PSBoundParameters['OptionalHostId'] = @($List) }
      '/real-time-response/combined/batch-command/v1:post'
    } else {
      '/real-time-response/entities/command/v1:post'
    }
    if ($Endpoint) {
      if ($PSBoundParameters.HostTimeout) {
        # Add 's' to denote seconds for 'host_timeout_duration'
        $PSBoundParameters.HostTimeout = [string]::Concat($PSBoundParameters.HostTimeout,'s')
      }
      $PSBoundParameters['command_string'] = if ($PSBoundParameters.Argument) {
        # Join 'Command' and 'Argument' into 'command_string'
        @($PSBoundParameters.Command,$PSBoundParameters.Argument) -join ' '
        [void]$PSBoundParameters.Remove('Argument')
      } else {
        $PSBoundParameters.Command
      }
      foreach ($Request in (Invoke-Falcon @Param -Endpoint $Endpoint -UserInput $PSBoundParameters)) {
        if ($BatchId -and @($Request.PSObject.Properties.Value).Where({$_.session_id})) {
          $Request = @($Request.PSObject.Properties.Value).Where({$_.session_id}).foreach{
            # Append 'batch_id' to command results with a 'session_id'
            Set-Property $_ batch_id $BatchId
            $_
          }
        }
        if ($Wait -and $SessionId) {
          Wait-RtrCommand $Request $MyInvocation.MyCommand.Name
        } else {
          $Request
        }
      }
    }
  }
}
function Invoke-FalconResponderCommand {
<#
.SYNOPSIS
Issue a Real-time Response active-responder command to an existing single-host or batch session
.DESCRIPTION
Sessions can be started using 'Start-FalconSession'. A successfully created session will contain a 'session_id'
or 'batch_id' value which can be used with the '-SessionId' or '-BatchId' parameters.

The 'Wait' parameter will use 'Confirm-FalconResponderCommand' or 'Confirm-FalconGetFile' to check for command
results every 20 seconds until complete or processing ends.

Requires 'Real time response: Write'.
.PARAMETER Command
Real-time Response command
.PARAMETER Argument
Arguments to include with the command
.PARAMETER OptionalHostId
Restrict execution to specific host identifiers
.PARAMETER Timeout
Length of time to wait for a result, in seconds [default: 30]
.PARAMETER HostTimeout
Length of time to wait for a result from target host(s), in seconds
.PARAMETER SessionId
Session identifier
.PARAMETER BatchId
Batch session identifier
.PARAMETER Wait
Use 'Confirm-FalconResponderCommand' or 'Confirm-FalconGetFile' to retrieve command result
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Invoke-FalconResponderCommand
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-active-responder-command/v1:post',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/active-responder-command/v1:post',Mandatory,
      Position=1)]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-active-responder-command/v1:post',
      Mandatory,Position=1)]
    [ValidateSet('cat','cd','clear','cp','csrutil','encrypt','env','eventlog backup','eventlog export',
      'eventlog list','eventlog view','filehash','get','getsid','help','history','ifconfig','ipconfig','kill','ls',
      'map','memdump','mkdir','mount','mv','netstat','ps','reg delete','reg load','reg query','reg set',
      'reg unload','restart','rm','runscript','shutdown','tar','umount','unmap','update history','update install',
      'update list','update query','users','xmemdump','zip',IgnoreCase=$false)]
    [Alias('base_command')]
    [string]$Command,
    [Parameter(ParameterSetName='/real-time-response/entities/active-responder-command/v1:post',Position=2)]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-active-responder-command/v1:post',
       Position=2)]
    [Alias('Arguments')]
    [string]$Argument,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-active-responder-command/v1:post',
      Position=3)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('optional_hosts','OptionalHostIds')]
    [string[]]$OptionalHostId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-active-responder-command/v1:post',
       Position=4)]
    [ValidateRange(1,600)]
    [int32]$Timeout,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-active-responder-command/v1:post',
       Position=5)]
    [ValidateRange(1,600)]
    [Alias('host_timeout_duration')]
    [int32]$HostTimeout,
    [Parameter(ParameterSetName='/real-time-response/entities/active-responder-command/v1:post',Mandatory,
      ValueFromPipelineByPropertyName)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('session_id')]
    [string]$SessionId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-active-responder-command/v1:post',
      Mandatory,ValueFromPipelineByPropertyName)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('batch_id')]
    [string]$BatchId,
    [Parameter(ParameterSetName='/real-time-response/entities/active-responder-command/v1:post')]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-active-responder-command/v1:post')]
    [switch]$Wait
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process { if ($OptionalHostId) { @($OptionalHostId).foreach{ $List.Add($_) }}}
  end {
    if ($PSBoundParameters.BatchId -and $PSBoundParameters.Command -eq 'get') {
      # Redirect to 'Invoke-FalconBatchGet' for multi-host 'get' requests
      $GetParam = @{
        FilePath = $PSBoundParameters.Argument
        BatchId = $PSBoundParameters.BatchId
        Wait = $PSBoundParameters.Wait
      }
      if ($Timeout) { $GetParam['Timeout'] = $PSBoundParameters.Timeout }
      if ($List) { $GetParam['OptionalHostId'] = @($List) }
      Invoke-FalconBatchGet @GetParam
    } else {
      # Verify 'Endpoint' using BatchId/SessionId
      $Endpoint = if ($PSBoundParameters.BatchId) {
        if ($List) { $PSBoundParameters['OptionalHostId'] = @($List) }
        '/real-time-response/combined/batch-active-responder-command/v1:post'
      } elseif ($PSBoundParameters.SessionId) {
        '/real-time-response/entities/active-responder-command/v1:post'
      }
      if ($Endpoint) {
        if ($PSBoundParameters.HostTimeout) {
          # Add 's' to denote seconds for 'host_timeout_duration'
          $PSBoundParameters.HostTimeout = [string]::Concat($PSBoundParameters.HostTimeout,'s')
        }
        $PSBoundParameters['command_string'] = if ($PSBoundParameters.Argument) {
          # Join 'Command' and 'Argument' into 'command_string'
          @($PSBoundParameters.Command,$PSBoundParameters.Argument) -join ' '
          [void]$PSBoundParameters.Remove('Argument')
        } else {
          $PSBoundParameters.Command
        }
        foreach ($Request in (Invoke-Falcon @Param -Endpoint $Endpoint -UserInput $PSBoundParameters)) {
          if ($BatchId -and @($Request.PSObject.Properties.Value).Where({$_.session_id})) {
            $Request = @($Request.PSObject.Properties.Value).Where({$_.session_id}).foreach{
              # Append 'batch_id' to command results with a 'session_id'
              Set-Property $_ batch_id $BatchId
              $_
            }
          }
          if ($Wait -and $Command -eq 'get') {
            Wait-RtrGet $Request $MyInvocation.MyCommand.Name
          } elseif ($Wait -and $SessionId) {
            Wait-RtrCommand $Request $MyInvocation.MyCommand.Name
          } else {
            $Request
          }
        }
      }
    }
  }
}
function Receive-FalconGetFile {
<#
.SYNOPSIS
Download a password protected .7z archive containing a Real-time Response 'get' file [password: 'infected']
.DESCRIPTION
'Sha256' and 'SessionId' values can be found using 'Confirm-FalconGetFile'. 'Invoke-FalconResponderCommand' or
'Invoke-FalconAdminCommand' can be used to issue a 'get' command to a single-host, and 'Invoke-FalconBatchGet' can
be used for multiple hosts within existing Real-time Response session.

Requires 'Real time response: Write'.
.PARAMETER Path
Destination path
.PARAMETER Sha256
Sha256 hash value
.PARAMETER SessionId
Session identifier
.PARAMETER Force
Overwrite an existing file when present
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Receive-FalconGetFile
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/extracted-file-contents/v1:get',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/extracted-file-contents/v1:get',Position=1)]
    [string]$Path,
    [Parameter(ParameterSetName='/real-time-response/entities/extracted-file-contents/v1:get',Mandatory,
      ValueFromPipelineByPropertyName,Position=2)]
    [ValidatePattern('^[A-Fa-f0-9]{64}$')]
    [string]$Sha256,
    [Parameter(ParameterSetName='/real-time-response/entities/extracted-file-contents/v1:get',Mandatory,
      ValueFromPipelineByPropertyName,Position=3)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('session_id')]
    [string]$SessionId,
    [Parameter(ParameterSetName='/real-time-response/entities/extracted-file-contents/v1:get')]
    [switch]$Force
  )
  begin {
    $Param = @{
      Command = $MyInvocation.MyCommand.Name
      Endpoint = $PSCmdlet.ParameterSetName
      Headers = @{ Accept = 'application/x-7z-compressed' }
      Format = Get-EndpointFormat $PSCmdlet.ParameterSetName
    }
    $Param.Format['Outfile'] = 'path'
  }
  process {
    if (!$PSBoundParameters.Path) {
      # When 'Path' is not specified, use 'sha256' from a 'Confirm-FalconGetFile' result
      $PSBoundParameters['Path'] = Join-Path (Get-Location).Path $PSBoundParameters.Sha256
    }
    $PSBoundParameters.Path = Assert-Extension $PSBoundParameters.Path '7z'
    $OutPath = Test-OutFile $PSBoundParameters.Path
    if ($OutPath.Category -eq 'ObjectNotFound') {
      Write-Error @OutPath
    } elseif ($PSBoundParameters.Path) {
      if ($OutPath.Category -eq 'WriteError' -and !$Force) {
        Write-Error @OutPath
      } elseif ($PSBoundParameters.SessionId -and $PSBoundParameters.Sha256) {
        Invoke-Falcon @Param -UserInput $PSBoundParameters
      }
    }
  }
}
function Remove-FalconCommand {
<#
.SYNOPSIS
Remove a command from a queued Real-time Response session
.DESCRIPTION
Requires 'Real time response: Read'.
.PARAMETER SessionId
Session identifier
.PARAMETER CloudRequestId
Cloud request identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconCommand
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/queued-sessions/command/v1:delete',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/queued-sessions/command/v1:delete',Mandatory,
      ValueFromPipelineByPropertyName,Position=1)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('session_id')]
    [string]$SessionId,
    [Parameter(ParameterSetName='/real-time-response/entities/queued-sessions/command/v1:delete',Mandatory,
      ValueFromPipelineByPropertyName,Position=2)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('cloud_request_id','task_id')]
    [string]$CloudRequestId
  )
  begin { $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }}
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Remove-FalconGetFile {
<#
.SYNOPSIS
Remove Real-time Response 'get' files
.DESCRIPTION
Delete files previously retrieved during a Real-time Response session. The required 'Id' and 'SessionId' values
are contained in the results of 'Start-FalconSession' and 'Invoke-FalconAdminCommand' or 'Invoke-FalconBatchGet'
commands.

Requires 'Real time response: Write'.
.PARAMETER SessionId
Session identifier
.PARAMETER Id
Real-time Response 'get' file identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconGetFile
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/file/v2:delete',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/file/v2:delete',Mandatory,
      ValueFromPipelineByPropertyName,Position=1)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('session_id')]
    [string]$SessionId,
    [Parameter(ParameterSetName='/real-time-response/entities/file/v2:delete',Mandatory,
      ValueFromPipelineByPropertyName,Position=2)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('ids')]
    [string]$Id
  )
  begin { $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }}
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Remove-FalconPutFile {
<#
.SYNOPSIS
Remove a Real-time Response 'put' file
.DESCRIPTION
Requires 'Real time response (admin): Write'.
.PARAMETER Id
Real-time Response 'put' file identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconPutFile
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/put-files/v1:delete',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/put-files/v1:delete',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline,Position=1)]
    [ValidatePattern('^[a-fA-F0-9]{32}_[a-fA-F0-9]{32}$')]
    [Alias('ids')]
    [string]$Id
  )
  begin { $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }}
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Remove-FalconScript {
<#
.SYNOPSIS
Remove a custom Real-time Response script
.DESCRIPTION
Requires 'Real time response (admin): Write'.
.PARAMETER Id
Script identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconScript
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/scripts/v1:delete',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:delete',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline,Position=1)]
    [ValidatePattern('^[a-fA-F0-9]{32}_[a-fA-F0-9]{32}$')]
    [Alias('ids')]
    [string]$Id
  )
  begin { $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }}
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Remove-FalconSession {
<#
.SYNOPSIS
Remove a Real-time Response session
.DESCRIPTION
Requires 'Real time response: Read'.
.PARAMETER Id
Session identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Remove-FalconSession
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/sessions/v1:delete',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/sessions/v1:delete',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline,Position=1)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('session_id')]
    [string]$Id
  )
  begin { $Param = @{ Command = $MyInvocation.MyCommand.Name; Endpoint = $PSCmdlet.ParameterSetName }}
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Send-FalconPutFile {
<#
.SYNOPSIS
Upload a Real-time Response 'put' file
.DESCRIPTION
Requires 'Real time response (admin): Write'.
.PARAMETER Name
File name
.PARAMETER Description
File description
.PARAMETER Comment
Comment for audit log
.PARAMETER Path
Path to local file
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Send-FalconPutFile
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/put-files/v1:post',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/put-files/v1:post',
      ValueFromPipelineByPropertyName,Position=1)]
    [ValidateLength(1,32766)]
    [string]$Name,
    [Parameter(ParameterSetName='/real-time-response/entities/put-files/v1:post',Position=2)]
    [string]$Description,
    [Parameter(ParameterSetName='/real-time-response/entities/put-files/v1:post',Position=3)]
    [ValidateLength(1,4096)]
    [Alias('comments_for_audit_log')]
    [string]$Comment,
    [Parameter(ParameterSetName='/real-time-response/entities/put-files/v1:post',Mandatory,
      ValueFromPipelineByPropertyName,Position=4)]
    [ValidateScript({
      if (Test-Path $_ -PathType Leaf) {
        $true
      } else {
        throw "Cannot find path '$_' because it does not exist or is a directory."
      }
    })]
    [Alias('file','FullName')]
    [string]$Path
  )
  begin {
    $Param = @{
      Command = $MyInvocation.MyCommand.Name
      Endpoint = $PSCmdlet.ParameterSetName
      Headers = @{ ContentType = 'multipart/form-data' }
    }
  }
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Send-FalconScript {
<#
.SYNOPSIS
Upload a custom Real-time Response script
.DESCRIPTION
Requires 'Real time response (admin): Write'.
.PARAMETER Platform
Operating system platform
.PARAMETER PermissionType
Permission level [public: 'Administrators' and 'Active Responders', group: 'Administrators', private: creator]
.PARAMETER Name
Script name
.PARAMETER Description
Script description
.PARAMETER Comment
Audit log comment
.PARAMETER Path
Path to local file or string-based script content
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Send-FalconScript
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/scripts/v1:post',SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:post',Mandatory,
      ValueFromPipelineByPropertyName,Position=1)]
    [ValidateSet('windows','mac','linux',IgnoreCase=$false)]
    [string[]]$Platform,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:post',Mandatory,
      ValueFromPipelineByPropertyName,Position=2)]
    [ValidateSet('private','group','public',IgnoreCase=$false)]
    [Alias('permission_type')]
    [string]$PermissionType,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:post',ValueFromPipelineByPropertyName,
      Position=3)]
    [ValidateLength(1,32766)]
    [string]$Name,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:post',ValueFromPipelineByPropertyName,
      Position=4)]
    [string]$Description,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:post',ValueFromPipelineByPropertyName,
      Position=5)]
    [ValidateLength(1,4096)]
    [Alias('comments_for_audit_log')]
    [string]$Comment,
    [Parameter(ParameterSetName='/real-time-response/entities/scripts/v1:post',Mandatory,
      ValueFromPipelineByPropertyName,Position=6)]
    [Alias('content','FullName')]
    [string]$Path
  )
  begin {
    $Param = @{
      Command = $MyInvocation.MyCommand.Name
      Endpoint = $PSCmdlet.ParameterSetName
      Headers = @{ ContentType = 'multipart/form-data' }
    }
  }
  process { Invoke-Falcon @Param -UserInput $PSBoundParameters }
}
function Start-FalconSession {
<#
.SYNOPSIS
Initialize a single-host or batch Real-time Response session
.DESCRIPTION
Real-time Response sessions require Host identifier values. Sessions that are successfully started return a
'session_id' (for single hosts) or 'batch_id' (multiple hosts) value which can be used to issue commands that
will be processed by the host(s) in the session.

Commands can be issued using 'Invoke-FalconCommand', 'Invoke-FalconResponderCommand', 'Invoke-FalconAdminCommand'
and 'Invoke-FalconBatchGet'.

Requires 'Real time response: Read'.
.PARAMETER QueueOffline
Add non-responsive hosts to the offline queue
.PARAMETER ExistingBatchId
Add hosts to an existing batch session
.PARAMETER Timeout
Length of time to wait for a result, in seconds [default: 30]
.PARAMETER HostTimeout
Length of time to wait for a result from target host(s), in seconds
.PARAMETER Id
Host identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Start-FalconSession
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/combined/batch-init-session/v1:post',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/sessions/v1:post',Position=1)]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-init-session/v1:post',Position=1)]
    [Alias('queue_offline')]
    [boolean]$QueueOffline,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-init-session/v1:post',Position=2)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('existing_batch_id')]
    [string]$ExistingBatchId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-init-session/v1:post',Position=3)]
    [Parameter(ParameterSetName='/real-time-response/entities/sessions/v1:post',Position=2)]
    [ValidateRange(1,600)]
    [int32]$Timeout,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-init-session/v1:post',Position=4)]
    [ValidateRange(1,600)]
    [Alias('host_timeout_duration')]
    [int32]$HostTimeout,
    [Parameter(ParameterSetName='/real-time-response/entities/sessions/v1:post',Mandatory)]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-init-session/v1:post',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [ValidateLength(1,10000)]
    [Alias('host_ids','device_id','device_ids','aid','HostId','HostIds')]
    [string[]]$Id
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process { if ($Id) { @($Id).foreach{ $List.Add($_) }}}
  end {
    if ($List) {
      # Verify 'Endpoint' using BatchId/SessionId and select hosts
      [void]$PSBoundParameters.Remove('Id')
      $Endpoint = if ($List.Count -eq 1 -and !$HostTimeout -and !$ExistingBatchId) {
        $PSBoundParameters['device_id'] = @($List)[0]
        '/real-time-response/entities/sessions/v1:post'
      } else {
        if ($PSBoundParameters.HostTimeout) {
          # Add 's' to denote seconds for 'host_timeout_duration'
          $PSBoundParameters.HostTimeout = [string]::Concat($PSBoundParameters.HostTimeout,'s')
        }
        $PSBoundParameters['host_ids'] = @($List)
        '/real-time-response/combined/batch-init-session/v1:post'
      }
      @(Invoke-Falcon @Param -Endpoint $Endpoint -UserInput $PSBoundParameters).foreach{
        if ($_.batch_id -and $_.resources) {
          [string]$BatchId = $_.batch_id
          @($_.resources.PSObject.Properties.Value).Where({$_.errors}).foreach{
            # Write warning for hosts in batch that produced errors
            $PSCmdlet.WriteWarning("[Start-FalconSession] $(
              @($_.errors.code,$_.errors.message) -join ': ') [aid: $($_.aid)]"
)
          }
          @($_.resources.PSObject.Properties.Value).Where({$_.session_id}).foreach{
            # Append 'batch_id' for hosts with a 'session_id'
            Set-Property $_ batch_id $BatchId
          }
          [PSCustomObject]@{
            batch_id = $_.batch_id
            hosts = $_.resources.PSObject.Properties.Value
          }
        } else {
          # Append 'aid' to single host session result
          Set-Property $_ aid $List[0]
          $_
        }
      }
    }
  }
}
function Update-FalconSession {
<#
.SYNOPSIS
Refresh a single-host or batch Real-time Response session to prevent expiration
.DESCRIPTION
Real-time Response sessions expire after 5 minutes by default. Any commands that were issued to a session that
take longer than 5 minutes will not return results without refreshing the session to keep it alive until the
command process completes.

Requires 'Real time response: Read'.
.PARAMETER QueueOffline
Add non-responsive hosts to the offline queue
.PARAMETER HostToRemove
Host identifier(s) to remove from a batch Real-time Response session
.PARAMETER Timeout
Length of time to wait for a result, in seconds [default: 30]
.PARAMETER HostId
Host identifier, for a single-host session
.PARAMETER BatchId
Batch session identifier
.LINK
https://github.com/crowdstrike/psfalcon/wiki/Update-FalconSession
#>

  [CmdletBinding(DefaultParameterSetName='/real-time-response/entities/refresh-session/v1:post',
    SupportsShouldProcess)]
  param(
    [Parameter(ParameterSetName='/real-time-response/entities/refresh-session/v1:post',Position=1)]
    [Parameter(ParameterSetName='/real-time-response/combined/batch-refresh-session/v1:post',Position=1)]
    [Alias('queue_offline')]
    [boolean]$QueueOffline,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-refresh-session/v1:post',Position=2)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('hosts_to_remove','HostsToRemove')]
    [string[]]$HostToRemove,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-refresh-session/v1:post',Position=3)]
    [ValidateRange(1,600)]
    [int32]$Timeout,
    [Parameter(ParameterSetName='/real-time-response/entities/refresh-session/v1:post',Mandatory,
      ValueFromPipelineByPropertyName,ValueFromPipeline)]
    [ValidatePattern('^[a-fA-F0-9]{32}$')]
    [Alias('device_id','host_ids','aid')]
    [string]$HostId,
    [Parameter(ParameterSetName='/real-time-response/combined/batch-refresh-session/v1:post',Mandatory,
      ValueFromPipelineByPropertyName)]
    [ValidatePattern('^[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}$')]
    [Alias('batch_id')]
    [string]$BatchId
  )
  begin {
    $Param = @{ Command = $MyInvocation.MyCommand.Name }
    [System.Collections.Generic.List[string]]$List = @()
  }
  process { if ($HostToRemove) { @($HostToRemove).foreach{ $List.Add($_) }}}
  end {
    # Verify 'Endpoint' using HostId/BatchId
    [string]$Endpoint = if ($PSBoundParameters.HostId) {
      '/real-time-response/entities/refresh-session/v1:post'
    } elseif ($PSBoundParameters.BatchId) {
      if ($List) { $PSBoundParameters['HostToRemove'] = @($List) }
      '/real-time-response/combined/batch-refresh-session/v1:post'
    }
    @(Invoke-Falcon @Param -Endpoint $Endpoint -UserInput $PSBoundParameters).foreach{
      if ($Endpoint -eq '/real-time-response/combined/batch-refresh-session/v1:post') {
        @($_.PSObject.Properties.Value).Where({$_.errors}).foreach{
          # Write warning for hosts in batch that produced errors
          $PSCmdlet.WriteWarning("[Update-FalconSession] $(
            @($_.errors.code,$_.errors.message) -join ': ') [aid: $($_.aid)]"
)
        }
        # Output 'batch_id' and 'hosts' containing result
        [PSCustomObject]@{
          batch_id = $BatchId
          hosts = $_.PSObject.Properties.Value
        }
      } else {
        # Append 'aid' to single host session result
        Set-Property $_ aid $HostId
        $_
      }
    }
  }
}