New FalconIoaRule

New-FalconIoaRule

SYNOPSIS

Create a custom Indicator of Attack rule within a rule group

DESCRIPTION

'RuleTypeId' and 'DispositionId' values can be found using 'Get-FalconIoaType -Detailed' under the 'id' and 'disposition_map' properties.

Requires 'Custom IOA Rules: Write'.

PARAMETERS

Name	Type	Allowed	PipelineByName	Description
Name	String		X	Rule name
PatternSeverity	String	`critical` `high` `medium` `low` `informational`	X	Rule severity
RuletypeId	String	`1` `2` `5` `6` `9` `10` `11` `12`	X	Rule type
DispositionId	Int32	`10` `20` `30`	X	Disposition identifier [10: Monitor, 20: Detect, 30: Block]
FieldValue	Object[]		X	An array of rule properties
Description	String		X	Rule description
Comment	String		X	Audit log comment
RulegroupId	String		X	Rule group identifier

SYNTAX

New-FalconIoaRule [-Name] <String> [-PatternSeverity] <String> [-RuletypeId] <String> [-DispositionId] <Int32> [-FieldValue] <Object[]> [[-Description] <String>] [[-Comment] <String>] [-RulegroupId] <String> [-WhatIf] [-Confirm] [<CommonParameters>]

USAGE

Create custom IOA rules

$Group = Get-FalconIoaGroup -Filter "name:'updatedRuleGroup'" -Detailed
$FieldValue = @{
    label = 'Grandparent Image Filename'
    name = 'GrandparentImageFilename'
    type = 'excludable'
    values = @(
        @{
            label = 'include'
            value = '.+bug.exe'
        }
    )
}
New-FalconIoaRule -RulegroupId $Group.id -Name 'BugRule' -PatternSeverity critical -RuletypeId 5 -DispositionId 30 -FieldValue $FieldValue

2022-10-20: PSFalcon v2.2.3

Using PSFalcon
Commands by Permission
Other Commands
Examples
- Code Examples
- Samples
CrowdStrike SDKs
- FalconPy - Python 3
- goFalcon - Go
- Rusty Falcon - Rust

Provide feedback

Saved searches

Use saved searches to filter your results more quickly