Authentication
- Get an auth token
- Verifying token status
- Revoke an auth token
- Securing credentials
- Authentication within a script
| Command | Permission |
|---|---|
| Request-FalconToken | |
| Revoke-FalconToken | |
| Test-FalconToken |
During a PowerShell session, you must have a valid OAuth2 access token in order to make requests to the CrowdStrike
Falcon APIs. You can do this using Request-FalconToken, or input your ClientId/ClientSecret when prompted after
issuing a PSFalcon command.
After a valid OAuth2 token is received, it is cached with your credentials. Your cached token is checked and refreshed as needed while running PSFalcon commands.
Request-FalconToken -ClientId 'client_id' -ClientSecret 'client_secret'WARNING: Request-FalconToken defaults to the us-1 cloud. If your environment exists within a different
cloud, the module will attempt to use automatic redirection, except when the target cloud is us-gov-1. Defining
Cloud or Hostname ensures that your token request goes to the proper cloud without relying on re-direction
and is required when using us-gov-1.
Authentication token requests are sent to the us-1 cloud by default. You may use the Cloud or Hostname
parameters to set it using a cloud, or full URL value. The accepted hostname values can be viewed using tab
auto-completion. Your Cloud/Hostname choice is saved and all requests are sent using the cached information.
In MSSP (also known as "Flight Control") configurations, you can target specific child environments ("CIDs")
using the MemberCid parameter during authentication token requests. Your choice is saved and all requests are
sent to that particular member CID unless a new Request-FalconToken request is made specifying a new member CID,
or you Revoke-FalconToken.
Test-FalconToken can be used to verify whether you have an active OAuth2 access token cached.
Test-FalconToken
Token Hostname ClientId MemberCid
----- -------- -------- ---------
True https://api.crowdstrike.com <redacted>
The Token property of the output from Test-FalconToken provides a [boolean] value of your current status.
(Test-FalconToken).Token
TrueThe command Revoke-FalconToken will revoke your current authorization token and clear it from your local cache.
Revoke-FalconTokenPSFalcon does not provide a method for securely handling your API client credentials. The Microsoft.PowerShell.SecretStore module is a
cross-platform option that works with PSFalcon. You can follow the steps below to install the module and use it
with Request-FalconToken.
NOTE: Microsoft.PowerShell.SecretManagement is a pre-requisite for the Microsoft.PowerShell.SecretStore
module. It will be installed during the Install-Module step.
Install-Module -Name Microsoft.PowerShell.SecretStore -Scope CurrentUserNOTE: Using the default configuration, Microsoft.PowerShell.SecretStore will prompt for a password to access
your secret vault. You can remove the password requirement to use the vault with a script or as part of a
scheduled task, which leaves the vault accessible to the account that was used to create it. You will be asked to
create, confirm and remove a password after entering this command.
Set-SecretStoreConfiguration -Scope CurrentUser -Authentication None -Interaction NoneOnce the module is installed and configured as desired, create a vault to store your API client(s):
Register-SecretVault -ModuleName Microsoft.PowerShell.SecretStore -Name MyVaultRequest-FalconToken requires multiple parameters to request a token. Each individual API client can be stored
with the relevant parameters (including MemberCid) in your new vault:
$ApiClient = @{
ClientId = 'my_client_id'
ClientSecret = 'my_client_value'
Hostname = 'https://api.crowdstrike.com'
}
Set-Secret -Name MyApiClient -Secret $ApiClient -Vault MyVaultOnce stored, credentials can be retrieved using your chosen Name, and you can splat the parameters with
Request-FalconToken:
Get-Secret -Name MyApiClient -Vault MyVault -AsPlainText | ForEach-Object { Request-FalconToken @_ }If desired, a simple function can be added to your PowerShell profile to retrieve your credentials and request a token by name:
function Request-SecretToken ([string] $Name) {
if (-not(Get-Module -Name PSFalcon)) {
Import-Module -Name PSFalcon
} elseif ((Test-FalconToken -ErrorAction SilentlyContinue).Token -eq $true) {
Revoke-FalconToken
}
$Secret = Get-Secret -Name $Name -Vault MyVault -AsPlainText
if ($Secret) {
Request-FalconToken @Secret
} else {
throw "No secret found matching '$String'."
}
}Once added to your profile, you can retrieve your credential set and request a token in a single step:
Request-SecretToken MyApiClientThe request of an authorization token can happen as part of a script that performs other tasks. Here is a re-usable example which defines the necessary parameters, and can optionally authenticate within a specific member CID (found within Flight Control environments).
#Requires -Version 5.1
using module @{ModuleName='PSFalcon';ModuleVersion='2.2'}
[CmdletBinding()]
param(
[Parameter(Mandatory,Position=1)]
[ValidatePattern('^[a-fA-F0-9]{32}$')]
[string]$ClientId,
[Parameter(Mandatory,Position=2)]
[ValidatePattern('^\w{40}$')]
[string]$ClientSecret,
[Parameter(Position=3)]
[ValidatePattern('^[a-fA-F0-9]{32}$')]
[string]$MemberCid,
[Parameter(Position=4)]
[ValidateSet('us-1','us-2','us-gov-1','eu-1')]
[string]$Cloud
)
begin {
$Token = @{}
@('ClientId','ClientSecret','Cloud','MemberCid').foreach{
if ($PSBoundParameters.$_) { $Token[$_] = $PSBoundParameters.$_ }
}
}
process {
try {
Request-FalconToken @Token
if ((Test-FalconToken).Token -eq $true) {
# Insert code to run here
}
} catch {
throw $_
} finally {
if ((Test-FalconToken).Token -eq $true) { Revoke-FalconToken }
}
}In multi-CID configurations, you can create an OAuth2 API Client Id/Secret in the "parent" CID that has access to
the "member" (a.k.a. "child") CIDs. A lot of data is visible at the parent level, but some data is only visible
within each child. After creating an API Client, you can use that to retrieve a list of all available member CIDs
(or provide specific members using MemberCid) and run PSFalcon commands within each child, while pausing between
authorization token request attempts to avoid rate limiting.
#Requires -Version 5.1
using module @{ModuleName='PSFalcon';ModuleVersion='2.2'}
[CmdletBinding()]
param(
[Parameter(Mandatory,Position=1)]
[ValidatePattern('^[a-fA-F0-9]{32}$')]
[string]$ClientId,
[Parameter(Mandatory,Position=2)]
[ValidatePattern('^\w{40}$')]
[string]$ClientSecret,
[Parameter(Position=3)]
[ValidatePattern('^[a-fA-F0-9]{32}$')]
[string[]]$MemberCid,
[Parameter(Position=4)]
[ValidateSet('us-1','us-2','us-gov-1','eu-1')]
[string]$Cloud
)
begin {
$Token = @{}
@('ClientId','ClientSecret','Cloud').foreach{
if ($PSBoundParameters.$_) { $Token[$_] = $PSBoundParameters.$_ }
}
if (!$MemberCid) {
Request-FalconToken @Token
if ((Test-FalconToken).Token -eq $true) {
# Gather available Member CIDs
[string[]]$MemberCid = Get-FalconMemberCid -Detailed -All | Where-Object { $_.status -eq 'active' } |
Select-Object -ExpandProperty child_cid
Revoke-FalconToken
}
}
}
process {
foreach ($Cid in $MemberCid) {
try {
Request-FalconToken @Token -MemberCid $Cid
if ((Test-FalconToken).Token -eq $true) {
# Insert code to run in each CID here
}
} catch {
Write-Error $_
} finally {
if ((Test-FalconToken).Token -eq $true) {
Revoke-FalconToken
Start-Sleep -Seconds 5
}
}
}
}