Get-FalconAsset
bk-cs edited this page Sep 4, 2024 · 27 revisions
Search for assets in Falcon Discover
Requires 'Falcon Discover: Read' and 'Falcon Discover IoT: Read'.
Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
---|---|---|---|---|---|---|---|
Id | String[] | Asset identifier | | | | X | X |
Filter | String | Falcon Query Language expression to limit results | | | | | |
Sort | String | Property and direction to sort results | | | | | |
Limit | Int32 | Maximum number of results per request | | | | | |
Include | String[] | Include additional properties | | | login_event, browser_extension, host_info, install_usage, system_insights, third_party, risk_factors | | |
Offset | Int32 | Position to begin retrieving results | | | | | |
After | String | Pagination token to retrieve the next set of results | | | | | |
Detailed | Switch | Retrieve detailed information | | | | | |
All | Switch | Repeat requests until all available results are retrieved | | | | | |
Total | Switch | Display total result count instead of results | | | | | |
Account | Switch | Search for user account assets | | | | | |
Application | Switch | Search for applications | | | | | |
External | Switch | Search for external assets | | | | | |
IoT | Switch | Search for IoT assets | | | | | |
Login | Switch | Search for login events | | | | | |

Filter properties:
account_enabled ad_user_account_control agent_version aid assigned_to bios_manufacturer bios_version cid city classification confidence country cpu_manufacturer creation_timestamp current_local_ip data_providers data_providers_count department descriptions discoverer_aids discoverer_count discoverer_platform_names discoverer_product_type_descs discoverer_tags email entity_type external_ip field_metadata first_discoverer_aid first_discoverer_ip first_seen_timestamp fqdn groups hostname id internet_exposure kernel_version last_discoverer_aid last_seen_timestamp local_ip_addresses local_ips_count location mac_addresses machine_domain managed_by network_interfaces network_interfaces.interface_alias network_interfaces.interface_description network_interfaces.local_ip network_interfaces.mac_address network_interfaces.network_prefix number_of_disk_drives object_guid object_sid os_is_eol os_service_pack os_version ou owned_by physical_core_count platform_name processor_package_count product_type product_type_desc reduced_functionality_mode servicenow_id site_name state system_manufacturer system_product_name system_serial_number tags used_for

Account:
account_name account_type admin_privileges cid first_seen_timestamp id last_failed_login_hostname last_failed_login_timestamp last_failed_login_type last_successful_login_host_city last_successful_login_host_country last_successful_login_hostname last_successful_login_remote_ip last_successful_login_timestamp last_successful_login_type login_domain password_last_set_timestamp user_sid username

External:
asset_id asset_type confidence connectivity_status criticality criticality_description criticality_timestamp criticality_username data_providers discovered_by dns_domain.fqdn dns_domain.isps dns_domain.parent_domain dns_domain.resolved_ips dns_domain.services.applications.category dns_domain.services.applications.cpe dns_domain.services.applications.name dns_domain.services.applications.vendor dns_domain.services.applications.version dns_domain.services.cloud_provider dns_domain.services.cpes dns_domain.services.first_seen dns_domain.services.hosting_provider dns_domain.services.id dns_domain.services.last_seen dns_domain.services.platform_name dns_domain.services.port dns_domain.services.protocol dns_domain.services.protocol_port dns_domain.services.status dns_domain.services.status_code dns_domain.services.transport dns_domain.type first_seen id internet_exposure ip.aid ip.asn ip.cloud_vm.description ip.cloud_vm.instance_id ip.cloud_vm.lifecycle ip.cloud_vm.mac_address ip.cloud_vm.owner_id ip.cloud_vm.platform ip.cloud_vm.private_ip ip.cloud_vm.public_ip ip.cloud_vm.region ip.cloud_vm.security_groups ip.cloud_vm.source ip.cloud_vm.status ip.fqdns ip.ip_address ip.isp ip.location.area_code ip.location.city ip.location.country_code ip.location.country_name ip.location.postal_code ip.location.region_code ip.location.region_name ip.location.timezone ip.ptr ip.services.applications.category ip.services.applications.cpe ip.services.applications.name ip.services.applications.vendor ip.services.applications.version ip.services.cloud_provider ip.services.cpes ip.services.first_seen ip.services.last_seen ip.services.platform_name ip.services.port ip.services.protocol ip.services.protocol_port ip.services.status ip.services.status_code ip.services.transport last_seen manual perimeter subsidiaries.id subsidiaries.name triage.action triage.assigned_to triage.description triage.status triage.updated_by triage.updated_timestamp

IoT:
device_family device_class device_type device_mode business_criticality line_of_business virtual_zone subnet purdue_level vlan local_ip_addresses mac_addresses physical_connections_count data_providers

Login:
account_id account_name account_type admin_privileges aggregation_time_interval aid cid failure_description host_city host_country host_id hostname id is_suspicious local_ip login_domain login_event_count login_status login_timestamp login_type remote_ip user_sid username

Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-Offset <Int32>] [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -External [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -Login [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -IoT [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -Application [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset -Id <String[]> -Account [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-Detailed] [-All] [-Total] -External [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-Detailed] [-All] [-Total] -Login [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-After <String>] [-Detailed] [-All] [-Total] -IoT [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [-Offset <Int32>] [-All] [-Total] -Application [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-Offset <Int32>] [-Detailed] [-All] [-Total] -Account [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-After <String>] -Detailed [-All] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconAsset [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-After <String>] -Detailed [-All] -Application [-WhatIf] [-Confirm] [<CommonParameters>]
GET /discover/combined/applications/v1
GET /discover/combined/hosts/v1
GET /discover/entities/accounts/v1
GET /discover/entities/applications/v1
GET /discover/entities/hosts/v1
GET /discover/entities/iot-hosts/v1
GET /discover/entities/logins/v1
GET /discover/queries/accounts/v1
GET /discover/queries/applications/v1
GET /discover/queries/hosts/v1
GET /discover/queries/iot-hosts/v2
GET /discover/queries/logins/v1
GET /fem/entities/external-assets/v1
GET /fem/queries/external-assets/v1
query_hosts
get_external_assets
get_logins
get_iot_hosts
get_hosts
get_applications
get_accounts
query_external_assets
query_logins
query_iot_hostsV2
query_applications
query_accounts
combined_hosts
combined_applications
Get-FalconAsset -Filter "entity_type:'unmanaged'+network_interfaces.local_ip:'192.168.25.0/24'" [-Detailed] [-All]
Get-FalconAsset -Filter "entity_type:'managed'+product_type_desc:'Workstation'+platform_name:'Windows'+last_seen_timestamp:>'now-7d'" [-Detailed] [-All]
Get-FalconAsset -Id <id>, <id>
2024-09-03: PSFalcon v2.2.7