psfalcon
rtr
psfalcon | rtr
---|---
169 | 25
317 | 90
2.8% | -
9.2 | 3.3
6 days ago | 5 months ago
PowerShell | PowerShell
The Unlicense | -
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
psfalcon
- Migrate child cid to parent cid
  Rather than using flight control, you could consider doing an import/export of your configuration, then mass uninstall and reinstall each individual existing CID into your new single CID. The parent would really only help with policy inheritance/detection rollup/RBAC, which you would no longer need after converting to a single instance.
- Get Falcon Scanning Results Via API
  Try using PSFalcon and Get-FalconDetection to see what's in a detection record.
- Filter issue with Get-FalconAsset
- Identity API for PSfalcon or FalconPY
- Change sensor grouping tags via API
  Add-FalconSensorTag, Get-FalconSensorTag, Remove-FalconSensorTag
- API for removing VDIs older than 24 hours
- Create IOA Falconpy
  There's an example of required fields under the New-FalconIoaRule wiki page, along with the values for disposition_id.
- APIs for Operational stuff
  https://github.com/CrowdStrike/falconpy/tree/main/samples
  https://github.com/CrowdStrike/psfalcon/tree/master/samples
- Status of API batch RTR commands when queued offline
  Check out Get-FalconQueue. It goes through a few steps:
- Invoke-FalconDeploy Behavior Change
  Could you open an issue and include a PowerShell transcript with $VerbosePreference = 'Continue'?
rtr
- PSFalcon query help...
  Login history is available using Get-FalconHost. You'll need an RTR script to query the existing user accounts: https://github.com/bk-cs/rtr/tree/main/list_local_user
- Using RTR to launch a browser on the user screen
  The only thing I've done as a user is the send_message script, and it's not ideal due to the limited amount of time it displays on the screen.
- Kape via RTR
  And here's an RTR script that will run an exe as a secondary process: https://github.com/bk-cs/rtr/tree/main/run_cli_tool
- Workflow result output
  The output of your script needs to be in JSON format, and the output schema defines what the fields are (along with the format of those fields). You can find PowerShell examples here: https://github.com/bk-cs/rtr
- RTR script to uninstall application
  My run_cli_tool script uses Start-Process with PassThru to run an executable and avoid the timeout.
- RTR scripts running in user environment
  I created this a while ago: https://github.com/bk-cs/rtr/tree/main/send_message
- 2022-10-03 - PSFalcon, Bulk RTR Queuing, and STDOUT Redirection to LogScale
  In BK's personal GitHub repo, he has an artisanal collection of scripts that can be used with RTR. For this example, we're going to use this one to enumerate Chrome and Edge extensions. If you're looking at the script, you'll notice that right at the top is this line:
- Enumerating Chrome Plugins
  I made a workflow-friendly version of this, too: https://github.com/bk-cs/rtr/tree/main/list_browser_extension
- PSFalcon offline output
  You can also log the results of Real-time Response scripts themselves to Humio, like I did in my example library.
- Extract URL
What are some alternatives?
- falconpy - The CrowdStrike Falcon SDK for Python
- nettu-booking
- swagger-ui - Swagger UI is a collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API.
- broot - A new way to see and navigate directory trees: https://dystroy.org/broot
- PowerFGT - PowerShell module to manage Fortinet (FortiGate) Firewall
- nikochal
- BulkStrike - BulkStrike enables the usage of CrowdStrike Real Time Response (RTR) to bulk execute commands on multiple machines.
- PSKoans - A simple, fun, and interactive way to learn the PowerShell language through Pester unit testing.
- SnipeitPS - PowerShell API Wrapper for Snipe-it
- PSWinReporting - This PowerShell module has multiple functionalities, but one of the signature features of this module is the ability to parse Security logs on Domain Controllers, providing easy-to-use access to AD events.
- KaceSMA - A module for interacting with a Quest KACE Systems Management Appliance API via PowerShell.
- PSFalcon - PowerShell for CrowdStrike Falcon's OAuth2 APIs