
Invoke FalconAdminCommand

bk-cs edited this page Dec 12, 2022 · 21 revisions

Invoke-FalconAdminCommand

SYNOPSIS

Issue a Real-time Response admin command to an existing single-host or batch session

DESCRIPTION

Sessions can be started using 'Start-FalconSession'. A successfully created session will contain a 'session_id' or 'batch_id' value which can be used with the '-SessionId' or '-BatchId' parameters.

The 'Wait' parameter will use 'Confirm-FalconAdminCommand' or 'Confirm-FalconGetFile' to check for command results every 5 seconds for a total of 60 seconds.

Requires 'Real Time Response (Admin): Write'.

PARAMETERS

| Name | Type | Min | Max | Allowed | Pipeline | PipelineByName | Description |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Command | String | | | `cat`, `cd`, `clear`, `cp`, `csrutil`, `cswindiag`, `encrypt`, `env`, `eventlog backup`, `eventlog export`, `eventlog list`, `eventlog view`, `filehash`, `get`, `getsid`, `help`, `history`, `ifconfig`, `ipconfig`, `kill`, `ls`, `map`, `memdump`, `mkdir`, `mount`, `mv`, `netstat`, `ps`, `put`, `put-and-run`, `reg delete`, `reg load`, `reg query`, `reg set`, `reg unload`, `restart`, `rm`, `run`, `runscript`, `shutdown`, `umount`, `unmap`, `update history`, `update install`, `update list`, `update install`, `users`, `xmemdump`, `zip` | | | Real-time Response command |
| Argument | String | | | | | | Arguments to include with the command |
| Timeout | Int32 | 30 | 600 | | | | Length of time to wait for a result, in seconds |
| OptionalHostId | String[] | | | | | | Restrict execution to specific host identifiers |
| SessionId | String | | | | | X | Session identifier |
| BatchId | String | | | | | X | Batch session identifier |
| Wait | Switch | | | | | | Use 'Confirm-FalconAdminCommand' or 'Confirm-FalconGetFile' to retrieve command results |

SYNTAX

Invoke-FalconAdminCommand [-Command] <String> [[-Argument] <String>] [[-Timeout] <Int32>] [[-OptionalHostId] <String[]>] -BatchId <String> [-Wait] [-WhatIf] [-Confirm] [<CommonParameters>]
Invoke-FalconAdminCommand [-Command] <String> [[-Argument] <String>] -SessionId <String> [-Wait] [-WhatIf] [-Confirm] [<CommonParameters>]

SDK Reference

falconpy

BatchAdminCmd
RTR_ExecuteAdminCommand

USAGE
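
The following is an added example, not taken from the PSFalcon wiki or project: a hypothetical wrapper that does by hand what '-Wait' does, but with a longer deadline than 60 seconds for slow commands. It assumes 'Request-FalconToken' has already been run, that 'Start-FalconSession -Id' returns a 'session_id' for a single host, and that results expose 'cloud_request_id', 'complete', 'stdout' and 'stderr'; '<host_id>' is a placeholder.

```powershell
#Requires -Modules PSFalcon
# Added example. Assumes Request-FalconToken has already been run with an API
# client that holds 'Real Time Response (Admin): Write'.

function Invoke-RtrAdminWithDeadline {   # hypothetical helper, not part of PSFalcon
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SessionId,
        [Parameter(Mandatory)] [string] $Command,
        [string] $Argument,
        [ValidateRange(5, 3600)] [int] $DeadlineSeconds = 300,
        [int] $PollSeconds = 5           # same interval that -Wait uses
    )
    $Param = @{ SessionId = $SessionId; Command = $Command }
    if ($Argument) { $Param['Argument'] = $Argument }

    # Without -Wait the cmdlet returns immediately; 'cloud_request_id' is the
    # property assumed here to identify the pending command.
    $Request = Invoke-FalconAdminCommand @Param
    if (-not $Request.cloud_request_id) {
        throw "Command '$Command' was not accepted for session $SessionId"
    }

    # Poll until the result is complete or the deadline passes.
    $Stop = (Get-Date).AddSeconds($DeadlineSeconds)
    do {
        Start-Sleep -Seconds $PollSeconds
        $Result = Confirm-FalconAdminCommand -CloudRequestId $Request.cloud_request_id
    } until ($Result.complete -or (Get-Date) -ge $Stop)

    if (-not $Result.complete) {
        Write-Warning "'$Command' still running after $DeadlineSeconds seconds (request $($Request.cloud_request_id))"
    }
    if ($Result.stderr) { Write-Warning "stderr: $($Result.stderr)" }
    $Result
}

# Constructed usage: '<host_id>' is a placeholder, not a real identifier.
$Session = Start-FalconSession -Id '<host_id>'
Invoke-RtrAdminWithDeadline -SessionId $Session.session_id -Command ps |
    Select-Object complete, stdout
```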

2022-12-12: PSFalcon v2.2.3
