
Invoke FalconMalQuery

bk-cs edited this page Oct 6, 2022 · 18 revisions

Invoke-FalconMalQuery

SYNOPSIS

Initiate a Falcon MalQuery YARA hunt, exact search or fuzzy search

DESCRIPTION

Requires 'MalQuery: Write'.

PARAMETERS

| Name | Type | Min | Max | Allowed | Pipeline | PipelineByName | Description |
|------|------|-----|-----|---------|----------|----------------|-------------|
| YaraRule | String | | | | | | Schedule a YARA-based search |
| Type | String | | | hex, ascii, wide | | | Search pattern type |
| Value | String | | | | | | Search pattern value |
| FilterFiletype | String[] | | | cdf, cdfv2, cjava, dalvik, doc, docx, elf32, elf64, email, html, hwp, java.arc, lnk, macho, pcap, pdf, pe32, pe64, perl, ppt, pptx, python, pythonc, rtf, swf, text, xls, xlsx | | | File type to include with the result |
| FilterMeta | String[] | | | sha256, md5, type, size, first_seen, label, family | | | Subset of metadata fields to include in the result |
| MinSize | String | | | | | | Minimum file size, specified in bytes or multiples of KB/MB/GB |
| MaxSize | String | | | | | | Maximum file size, specified in bytes or multiples of KB/MB/GB |
| MinDate | String | | | | | | Limit results to files first seen after this date |
| MaxDate | String | | | | | | Limit results to files first seen before this date |
| Limit | Int32 | | | | | | Maximum number of results per request |
| Fuzzy | Switch | | | | | | Search MalQuery quickly, but with more potential for false positives |

SYNTAX

Invoke-FalconMalQuery [-Type] <String> [-Value] <String> [[-FilterFiletype] <String[]>] [[-FilterMeta] <String[]>] [[-MinSize] <String>] [[-MaxSize] <String>] [[-MinDate] <String>] [[-MaxDate] <String>] [[-Limit] <Int32>] [-WhatIf] [-Confirm] [<CommonParameters>]
Invoke-FalconMalQuery [-YaraRule] <String> [[-FilterFiletype] <String[]>] [[-FilterMeta] <String[]>] [[-MinSize] <String>] [[-MaxSize] <String>] [[-MinDate] <String>] [[-MaxDate] <String>] [[-Limit] <Int32>] [-WhatIf] [-Confirm] [<CommonParameters>]
Invoke-FalconMalQuery [-Type] <String> [-Value] <String> [[-FilterMeta] <String[]>] [[-Limit] <Int32>] -Fuzzy [-WhatIf] [-Confirm] [<CommonParameters>]

USAGE

2022-10-06: PSFalcon v2.2.3
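The following is an added example, not taken from the PSFalcon wiki or the PSFalcon project, showing one call for each of the three parameter sets in the SYNTAX block: an exact hex search, a YARA hunt, and a fuzzy ASCII search. It assumes an authenticated PSFalcon session already exists (for instance via Request-FalconToken, which is not documented on this page) with the 'MalQuery: Write' scope. The pattern values, the YARA rule, and the variable names are constructed for illustration.

```powershell
# Added example (not from the PSFalcon wiki). Assumes a token has already been
# requested for a client with 'MalQuery: Write'. All search values are constructed.

# 1. Exact search: hex-encoded pattern (constructed), restricted to PE files and
#    to files between 10KB and 5MB. MinSize/MaxSize are typed as String, so the
#    unit suffix is quoted; an unquoted 10KB would be a PowerShell numeric literal
#    (10240) and the textual unit would be lost.
$Exact = Invoke-FalconMalQuery -Type hex -Value '6578616d706c655f6d61726b6572' `
    -FilterFiletype pe32,pe64 -FilterMeta sha256,type,size,first_seen `
    -MinSize '10KB' -MaxSize '5MB' -Limit 50

# 2. YARA hunt: a constructed rule in a single-quoted here-string so that
#    PowerShell does not try to expand the $-prefixed YARA string identifiers.
$Rule = @'
rule constructed_marker_example
{
    strings:
        $marker = "example_marker" ascii wide
    condition:
        $marker
}
'@
$Yara = Invoke-FalconMalQuery -YaraRule $Rule -FilterFiletype pe32,pe64,elf64 `
    -FilterMeta sha256,family,label -Limit 100

# 3. Fuzzy search: faster, with more potential for false positives. Per the
#    third syntax set, only -Type, -Value, -FilterMeta and -Limit apply here.
$Fuzzy = Invoke-FalconMalQuery -Type ascii -Value 'example_marker' `
    -FilterMeta sha256,md5 -Limit 25 -Fuzzy

# Each call returns the MalQuery request identifier for the scheduled search.
$Exact, $Yara, $Fuzzy
```

MalQuery searches are asynchronous, so the value each call returns is a request identifier rather than the matches themselves; results are retrieved afterwards with Get-FalconMalQuery (not documented on this page). When triaging fuzzy-search output, pair the `sha256` metadata with the `family` and `label` fields from the exact or YARA results before acting on a hit, since the fuzzy path trades precision for speed.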
