-
Notifications
You must be signed in to change notification settings - Fork 72
Edit FalconIoaRule
bk-cs edited this page Oct 21, 2022
·
21 revisions
Modify custom Indicator of Attack rules within a rule group
All fields are required (plus 'rulegroup_version') when making a rule group change. PSFalcon adds missing values automatically using data from your existing rule group.
If an existing rule is submitted within 'rule_updates', it will be filtered to the required properties ('comment', 'description', 'disposition_id', 'enabled', 'field_values', 'instance_id', 'name', and 'pattern_severity') including those under 'field_values' ('name', 'label', 'type' and 'values').
Requires 'Custom IOA Rules: Write'.
Name | Type | Min | Max | Allowed | Pipeline | PipelineByName | Description |
---|---|---|---|---|---|---|---|
Comment | String | Audit log comment | |||||
RuleUpdate | Object[] | X | An array of rule properties | ||||
RulegroupId | String | X | Rule group identifier |
Edit-FalconIoaRule [[-Comment] <String>] [[-RuleUpdate] <Object[]>] [-RulegroupId] <String> [-WhatIf] [-Confirm] [<CommonParameters>]
$Group = Get-FalconIoaGroup -Filter "name:'updatedRuleGroup'" -Detailed
$RuleUpdates = @(
@{
name = 'BugRule'
pattern_severity = 'critical'
enabled = $true
description = 'Stops the bug'
disposition_id = 30
instance_id = '1'
field_values = @(
@{
label = 'Grandparent Image Filename'
name = 'GrandparentImageFilename'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.+updatebug.exe'
}
)
},
@{
label = 'Grandparent Command Line'
name = 'GrandparentCommandLine'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.*'
}
)
},
@{
label = 'Parent Image Filename'
name = 'ParentImageFilename'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.*'
}
)
},
@{
label = 'Parent Command Line'
name = 'ParentCommandLine'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.*'
}
)
},
@{
label = 'Image Filename'
name = 'ImageFilename'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.*'
}
)
},
@{
label = 'Command Line'
name = 'CommandLine'
type = 'excludable'
values = @(
@{
label = 'include'
value = '.*'
}
)
}
)
}
)
Edit-FalconIoaRule -RulegroupId $Group.id -RulegroupVersion $Group.version -RuleUpdate $RuleUpdates -Comment 'Updated using PSFalcon'
2022-10-21: PSFalcon v2.2.3
- Using PSFalcon
-
Commands by Permission
- Actors (Falcon Intelligence)
- Alerts
- API integrations
- App Logs
- Channel File Control Settings
- Configuration Assessment
- Content Update Policies
- Correlation Rules
- CSPM registration
- Custom IOA rules
- Detections
- Device Content
- Device control policies
- Event streams
- Falcon Complete Dashboards
- Falcon Container Image
- Falcon Data Replicator
- Falcon Discover
- Falcon FileVantage
- Falcon FileVantage Content
- Firewall management
- Flight Control
- Host groups
- Host Migration
- Hosts
- Identity Protection Entities
- Identity Protection GraphQL
- Identity Protection Policy Rules
- Incidents
- Indicators (Falcon Intelligence)
- Installation tokens
- Installation token settings
- IOA Exclusions
- IOC Manager APIs
- IOCs
- Kubernetes Protection
- Machine Learning exclusions
- MalQuery
- Malware Families (Falcon Intelligence)
- Message Center
- Mobile Enrollment
- Monitoring rules (Falcon Intelligence Recon)
- On demand scans (ODS)
- OverWatch Dashboard
- Prevention Policies
- Quarantined Files
- QuickScan Pro
- Real time response
- Real time response (admin)
- Reports (Falcon Intelligence)
- Response policies
- Rules (Falcon Intelligence)
- Sample uploads
- Sandbox (Falcon Intelligence)
- Scheduled Reports
- Sensor Download
- Sensor update policies
- Sensor Usage
- Sensor Visibility Exclusions
- Snapshot
- Snapshot Scanner Image Download
- Tailored Intelligence
- Threatgraph
- User management
- Vulnerabilities
- Vulnerabilities (Falcon Intelligence)
- Workflow
- Zero Trust Assessment
- Other Commands
- Examples
-
CrowdStrike SDKs
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust