New FalconIoaRule
Create a custom Indicator of Attack rule within a rule group
Requires 'Custom IOA Rules: Write'.
| Name | Type | Min | Max | Allowed | Pipeline | PipelineByName | Description |
|---|---|---|---|---|---|---|---|
| Name | String | X | Rule name | ||||
| PatternSeverity | String |
criticalhighmediumlowinformational
|
X | Rule severity | |||
| RuletypeId | String |
12569101112
|
X | Rule type | |||
| DispositionId | Int32 |
102030
|
X | Disposition identifier [10: Monitor, 20: Detect, 30: Block] | |||
| FieldValue | Object[] | X | An array of rule properties | ||||
| Description | String | X | Rule description | ||||
| Comment | String | X | Audit log comment | ||||
| RulegroupId | String | X | Rule group identifier |
New-FalconIoaRule [-Name] <String> [-PatternSeverity] <String> [-RuletypeId] <String> [-DispositionId] <Int32> [-FieldValue] <Object[]> [[-Description] <String>] [[-Comment]
<String>] [-RulegroupId] <String> [-WhatIf] [-Confirm] [<CommonParameters>]$Group = Get-FalconIoaGroup -Filter "name:'updatedRuleGroup'" -Detailed $FieldValue = @{ label = 'Grandparent Image Filename' name = 'GrandparentImageFilename' type = 'excludable' values = @( @{ label = 'include' value = '.+bug.exe' } ) } New-FalconIoaRule -RulegroupId $Group.id -Name 'BugRule' -PatternSeverity critical -RuletypeId 5 -DispositionId 30 -FieldValue $FieldValueGenerated 2022-15-06 using PSFalcon v2.2.3
