
Invoke FalconResponderCommand

bk-cs edited this page Dec 19, 2024 · 20 revisions

Invoke-FalconResponderCommand

SYNOPSIS

Issue a Real-time Response active-responder command to an existing single-host or batch session

DESCRIPTION

Sessions can be started using 'Start-FalconSession'. A successfully created session will contain a 'session_id' or 'batch_id' value which can be used with the '-SessionId' or '-BatchId' parameters.

The 'Wait' parameter will use 'Confirm-FalconResponderCommand' or 'Confirm-FalconGetFile' to check for command results every 20 seconds until complete or processing ends.

Requires 'Real time response: Write'.

PARAMETERS

| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Command | String | Real-time Response command | | | cat, cd, clear, cp, csrutil, encrypt, env, eventlog backup, eventlog export, eventlog list, eventlog view, filehash, get, getsid, help, history, ifconfig, ipconfig, kill, ls, map, memdump, mkdir, mount, mv, netstat, ps, reg delete, reg load, reg query, reg set, reg unload, restart, rm, runscript, shutdown, tar, umount, unmap, update history, update install, update list, update query, users, xmemdump, zip | | |
| Argument | String | Arguments to include with the command | | | | | |
| OptionalHostId | String[] | Restrict execution to specific host identifiers | | | | | |
| Timeout | Int32 | Length of time to wait for a result, in seconds [default: 30] | 1 | 600 | | | |
| HostTimeout | Int32 | Length of time to wait for a result from target host(s), in seconds | 1 | 600 | | | |
| SessionId | String | Session identifier | | | | | X |
| BatchId | String | Batch session identifier | | | | | X |
| Wait | Switch | Use 'Confirm-FalconResponderCommand' or 'Confirm-FalconGetFile' to retrieve command result | | | | | |

SYNTAX

Invoke-FalconResponderCommand [-Command] <String> [[-Argument] <String>] [[-OptionalHostId] <String[]>] [[-Timeout] <Int32>] [[-HostTimeout] <Int32>] -BatchId <String> [-Wait] [-WhatIf] [-Confirm] [<CommonParameters>]
Invoke-FalconResponderCommand [-Command] <String> [[-Argument] <String>] -SessionId <String> [-Wait] [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

POST /real-time-response/combined/batch-active-responder-command/v1
POST /real-time-response/entities/active-responder-command/v1

falconpy

BatchActiveResponderCmd
RTR_ExecuteActiveResponderCommand

USAGE

2024-12-19: PSFalcon v2.2.8
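The following is an added example and is not part of the PSFalcon wiki or the PSFalcon project's own documentation. It walks through the procedure described above for a responder doing host triage: start a batch session with 'Start-FalconSession', run read-only Real-time Response commands from the allowed list ('ps', 'netstat') with '-Wait', save the per-host output, then restrict a 'get' to one host with '-OptionalHostId'. It assumes a token has already been obtained with 'Request-FalconToken', that 'Start-FalconSession' accepts host identifiers via '-Id', and that the objects returned when '-Wait' is used expose 'aid', 'session_id', 'stdout' and 'stderr' properties; those names are assumptions, not taken from this page. The host identifiers and the file path are constructed placeholders.

```powershell
# Added example (not PSFalcon's own code). Assumes an existing token from
# Request-FalconToken and that Start-FalconSession takes host ids via -Id.

# Constructed placeholder host identifiers; replace with real device ids.
$HostIds = @('<aid-placeholder-1>', '<aid-placeholder-2>')

# 1. Start a batch session. The returned object carries batch_id, which the
#    -BatchId parameter of Invoke-FalconResponderCommand expects.
$Batch = Start-FalconSession -Id $HostIds
if (-not $Batch.batch_id) { throw 'No batch_id returned; batch session was not created.' }

# 2. Run read-only triage commands across the batch. -Wait makes the cmdlet
#    poll Confirm-FalconResponderCommand every 20 seconds until the command
#    completes; -Timeout must be within 1-600 seconds.
$Triage = foreach ($Cmd in 'ps', 'netstat') {
    Invoke-FalconResponderCommand -BatchId $Batch.batch_id -Command $Cmd -Timeout 120 -Wait
}

# 3. Preserve output per host. A populated stderr flags hosts where the
#    command did not run cleanly (assumed property names: aid, session_id,
#    stdout, stderr).
$OutDir = Join-Path $env:TEMP 'rtr-triage'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($Result in $Triage) {
    if ($Result.stderr) {
        Write-Warning ('{0}: {1}' -f $Result.aid, $Result.stderr)
    }
    $File = Join-Path $OutDir ('{0}_{1}.txt' -f $Result.aid, $Result.session_id)
    $Result.stdout | Out-File -FilePath $File -Append -Encoding utf8
}

# 4. Collect one file from a single host only. -OptionalHostId narrows the
#    batch to the listed identifiers; with 'get', -Wait polls
#    Confirm-FalconGetFile instead of Confirm-FalconResponderCommand.
$TargetPath = '<path-placeholder>'   # constructed placeholder path
$GetResult = Invoke-FalconResponderCommand -BatchId $Batch.batch_id -Command get `
    -Argument $TargetPath -OptionalHostId $HostIds[0] -Timeout 300 -Wait
$GetResult | Format-List
```

Use '-SessionId' instead of '-BatchId' when the session was started for a single host; the parameter set with '-SessionId' does not accept '-OptionalHostId', '-Timeout' or '-HostTimeout', as the SYNTAX section shows. Because this cmdlet requires the 'Real time response: Write' scope, keep the API client used for triage separate from read-only clients and review the saved output before issuing any of the state-changing commands in the allowed list.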
