Skip to content

New FalconIoaRule

bk-cs edited this page Oct 24, 2022 · 22 revisions

New-FalconIoaRule

SYNOPSIS

Create a custom Indicator of Attack rule within a rule group

DESCRIPTION

'RuleTypeId' and 'DispositionId' values can be found using 'Get-FalconIoaType -Detailed' under the 'id' and 'disposition_map' properties.

Requires 'Custom IOA Rules: Write'.

PARAMETERS

Name Type Min Max Allowed Pipeline PipelineByName Description
Name String X Rule name
PatternSeverity String critical
high
medium
low
informational
X Rule severity
RuletypeId String 1
2
5
6
9
10
11
12
X Rule type
DispositionId Int32 10
20
30
X Disposition identifier [10: Monitor, 20: Detect, 30: Block]
FieldValue Object[] X An array of rule properties
Description String X Rule description
Comment String X Audit log comment
RulegroupId String X Rule group identifier

SYNTAX

New-FalconIoaRule [-Name] <String> [-PatternSeverity] <String> [-RuletypeId] <String> [-DispositionId] <Int32> [-FieldValue] <Object[]> [[-Description] <String>] [[-Comment] <String>] [-RulegroupId] <String> [-WhatIf] [-Confirm] [<CommonParameters>]

SDK Reference

falconpy

create_rule

USAGE

Create custom IOA rules

$Group = Get-FalconIoaGroup -Filter "name:'updatedRuleGroup'" -Detailed
$FieldValue = @{
    label = 'Grandparent Image Filename'
    name = 'GrandparentImageFilename'
    type = 'excludable'
    values = @(
        @{
            label = 'include'
            value = '.+bug.exe'
        }
    )
}
New-FalconIoaRule -RulegroupId $Group.id -Name 'BugRule' -PatternSeverity critical -RuletypeId 5 -DispositionId 30 -FieldValue $FieldValue

2022-10-24: PSFalcon v2.2.3

Clone this wiki locally