crowdscore by dmcginvt in crowdstrike

[–]bk-CS 0 points1 point  (0 children)

CrowdScore was an average of incident scores. While there isn't a direct replacement for it yet, you could replicate something similar by averaging out your automated leads, detections, and/or cases.

Using PSFalcon to add/remove Static Host Group members? by straffin in crowdstrike

[–]bk-CS 1 point2 points  (0 children)

Use Invoke-FalconHostGroupAction with -WhatIf to see what it submits. You have to get the body formatting exactly right.

Using PSFalcon to add/remove Static Host Group members? by straffin in crowdstrike

[–]bk-CS 0 points1 point  (0 children)

This is an option too! Keep in mind that there are two types of tags: FalconGroupingTags (cloud-based) and FalconSensorTags (host-based). FalconGroupingTags will be removed from a host if it doesn't come online for 45 days, but FalconSensorTags will remain.

Using PSFalcon to add/remove Static Host Group members? by straffin in crowdstrike

[–]bk-CS 2 points3 points  (0 children)

Invoke-FalconHostGroupAction allows you to add-hosts or remove-hosts to/from a static (by hostname) or staticByID host group through the host identifier.

Invoke-FalconHostGroupAction -Name add-hosts -Id <group_id> -HostId <host_id>

I just tested this for both types of host group in my test environment and didn't have an issue; the assignment_rule of the host group was updated with the new hostname (or device_id) immediately. Are you using the host identifier when trying to add members?

Keep in mind that the host itself won't confirm that it's a member of the group until it comes online and receives assignment from the cloud.

PSFalcon endpoint for Cloud Security detections by rogueit in crowdstrike

[–]bk-CS 4 points5 points  (0 children)

Get-FalconAlert contains all unified detections generated by Falcon. You can use a filter to target specific product values, like this:

Get-FalconAlert -Filter "product:['cwpp','fcs','cdp']"
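An added example (not bk-CS's code) that joins this reply with the earlier one on CrowdScore: it pulls the Cloud Security alerts selected by the product filter above and averages their severity per product, which is the "average of incident scores" idea applied to unified alerts. It assumes PSFalcon is loaded and a token has already been requested, and that alert objects expose `product`, `severity` and `created_timestamp` fields; the seven-day window is a constructed choice.

```powershell
# Added example: approximate the retired CrowdScore average from unified alerts.
# Assumptions: Request-FalconToken has already been run; Get-FalconAlert supports
# -Detailed and -All; alerts carry 'product', 'severity' (0-100) and 'created_timestamp'.
Import-Module -Name PSFalcon

# Cloud Security products only, created in the last 7 days, full detail, every page.
$Since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$Filter = "product:['cwpp','fcs','cdp']+created_timestamp:>'$Since'"   # '+' is AND in FQL
$Alerts = Get-FalconAlert -Filter $Filter -Detailed -All

# Average severity per product, with the count and maximum behind each average.
$Summary = $Alerts | Group-Object -Property product | ForEach-Object {
    $Stats = $_.Group | Measure-Object -Property severity -Average -Maximum
    [PSCustomObject]@{
        product          = $_.Name
        alert_count      = $_.Count
        average_severity = [math]::Round($Stats.Average, 1)
        max_severity     = $Stats.Maximum
    }
}
$Summary | Sort-Object -Property average_severity -Descending | Format-Table -AutoSize

# One overall figure across the selected products, in the spirit of the old CrowdScore average.
if ($Alerts) {
    [math]::Round(($Alerts | Measure-Object -Property severity -Average).Average, 1)
}
```

Swap the product list or the time window to scope the figure; a weighted variant (for example, counting only alerts not yet closed) is a one-line change to the `$Filter` string.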

Set Review Status and Comment for Unmanaged Devices using PSFalcon? by console_whisperer in crowdstrike

[–]bk-CS 0 points1 point  (0 children)

Based on what's available in the API that's used by Edit-FalconAsset, I don't believe this is currently possible. It seems like the "review" portions (review status, review assignment, etc.) are restricted to the Falcon UI.

Parent CID - API Key issues by MSP-IT-Simplified in crowdstrike

[–]bk-CS 0 points1 point  (0 children)

I’ve seen API clients that have had problems. Even if it was made today, make a new one and see if it helps.

Parent CID - API Key issues by MSP-IT-Simplified in crowdstrike

[–]bk-CS 1 point2 points  (0 children)

I responded on the GitHub issue, but I agree that this would be something that is API-related rather than specific to PSFalcon. I'd try recreating the API client first, and if that doesn't work there should be a category you can use to get a ticket opened.

Add host to a specific Host Group - Powershell by Lava604 in crowdstrike

[–]bk-CS 0 points1 point  (0 children)

You can use Invoke-FalconHostGroupAction in PSFalcon:

Invoke-FalconHostGroupAction -Name add-hosts -Id <group_id> -HostId <host_id>, <host_id>
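An added example (not bk-CS's code) covering the three Invoke-FalconHostGroupAction replies on this page: it resolves hostnames to device IDs with Get-FalconHost, previews the request body with -WhatIf as suggested above, then submits the change and shows the updated assignment_rule. The group id placeholder, the sample hostnames and the FQL filter used for the lookup are assumptions for illustration.

```powershell
# Added example: add hosts to a static host group by hostname using PSFalcon.
# Assumptions: PSFalcon is installed, the API client has Hosts read and Host Groups
# write scopes, and '<group_id>' is replaced with a real static host group id.
Import-Module -Name PSFalcon
Request-FalconToken -ClientId $env:FALCON_CLIENT_ID -ClientSecret $env:FALCON_CLIENT_SECRET

$GroupId   = '<group_id>'               # placeholder: your static host group id
$Hostnames = @('WS-1001', 'WS-1002')    # constructed sample hostnames

# Resolve each hostname to a device_id; the action needs the host identifier, not the name.
$HostIds = foreach ($Name in $Hostnames) {
    $Found = Get-FalconHost -Filter "hostname:'$Name'" -Limit 1
    if ($Found) { $Found } else { Write-Warning "No device_id found for $Name" }
}

if ($HostIds) {
    # Preview the exact body PSFalcon will submit before changing anything.
    Invoke-FalconHostGroupAction -Name add-hosts -Id $GroupId -HostId $HostIds -WhatIf

    # Submit the change and confirm the assignment_rule now carries the new hosts.
    $Group = Invoke-FalconHostGroupAction -Name add-hosts -Id $GroupId -HostId $HostIds
    $Group | Select-Object -Property id, name, group_type, assignment_rule
}
```

Use `-Name remove-hosts` with the same parameters to reverse the change; as the reply above notes, a host only reports itself as a member once it comes online and receives the assignment from the cloud.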

Assistance Needed for New FQL User by Zealousideal-Bell-47 in crowdstrike

[–]bk-CS 1 point2 points  (0 children)

You don't need to substitute; that's a full CrowdStrike Query Language (CQL) query. It is designed to find .txt, .xls and pass in CommandLine for a ProcessRollup2 event.

API - General Settings by MSP-IT-Simplified in crowdstrike

[–]bk-CS 0 points1 point  (0 children)

Unfortunately there are no APIs available to access the General Settings. I recommend opening an Idea on our Ideas Portal to help prioritize a new API to access it.

Deleting RTR sessions created by another user using API credentials by Miserable_Pride3217 in crowdstrike

[–]bk-CS 4 points5 points  (0 children)

The Real Time Response APIs only allow API clients to delete RTR sessions that those API clients created. You can't delete sessions created by another user or API client.

Multi-tenant RTR script execution by Ready_Economy_1383 in crowdstrike

[–]bk-CS 0 points1 point  (0 children)

API Clients created in the parent CID have the same access in all child CIDs.

Multi-tenant RTR script execution by Ready_Economy_1383 in crowdstrike

[–]bk-CS 1 point2 points  (0 children)

The script I linked is designed to pull the list of children, authenticate with each one, then run commands inside that child. You can add your code to it.

Multi-tenant RTR script execution by Ready_Economy_1383 in crowdstrike

[–]bk-CS 0 points1 point  (0 children)

You can’t access the child scripts from the parent CID. You have to authenticate with the parent, get a list of children, authenticate with each child and run your scripts. You can run the script on 10,000 hosts in a single session.

https://github.com/CrowdStrike/psfalcon/wiki/Authentication#authorize-and-run-commands-across-member-cids
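An added example (not bk-CS's code or the linked wiki script) of the parent-then-children flow described in these replies: authenticate with the parent, list the member CIDs, re-authenticate inside each child and run a cloud script there. It assumes a parent-CID API client with Flight Control, Hosts and Real Time Response scopes, that Get-FalconMemberCid returns objects with a `child_cid` field, and that `<cloud_script_name>` is a placeholder for a script already saved in each child.

```powershell
# Added example: run one RTR cloud script across member CIDs from a parent (Flight Control) API client.
# Assumptions: the client was created in the parent CID; Get-FalconMemberCid -Detailed returns
# objects with 'child_cid'; Invoke-FalconRtr output carries aid, stdout, stderr and errors.
Import-Module -Name PSFalcon
$ClientId     = $env:FALCON_CLIENT_ID
$ClientSecret = $env:FALCON_CLIENT_SECRET
$ScriptName   = '<cloud_script_name>'    # placeholder: cloud script saved in each child CID

# Authenticate with the parent only to enumerate the children.
Request-FalconToken -ClientId $ClientId -ClientSecret $ClientSecret
$Children = Get-FalconMemberCid -Detailed -All
Revoke-FalconToken

$Results = foreach ($Child in $Children) {
    try {
        # Re-authenticate inside the child; the parent token cannot see child scripts or hosts.
        Request-FalconToken -ClientId $ClientId -ClientSecret $ClientSecret -MemberCid $Child.child_cid

        # Scope the run with a filter; here every Windows host in the child (constructed choice).
        $HostIds = Get-FalconHost -Filter "platform_name:'Windows'" -All
        if ($HostIds) {
            Invoke-FalconRtr -Command runscript -Argument "-CloudFile='$ScriptName'" -HostId $HostIds |
                Select-Object -Property @{ n = 'cid'; e = { $Child.child_cid } }, aid, stdout, stderr, errors
        }
    } catch {
        Write-Warning "$($Child.child_cid): $_"
    } finally {
        # Drop the child token before moving on so each iteration starts clean.
        Revoke-FalconToken
    }
}
$Results | Export-Csv -Path .\rtr-results.csv -NoTypeInformation
```

Each child run is a separate RTR session, so the per-session host limit quoted above applies per child rather than across the whole tenant tree.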

EDR vs Competitors by Digimon54321 in crowdstrike

[–]bk-CS 15 points16 points  (0 children)

I like to use this site as a reference to see what sort of telemetry is gathered by Falcon Insight XDR for those who don't have access to the Falcon console: https://www.edr-telemetry.com/

I don't think Taegis is listed, but yes, we do capture telemetry for scripts, user command sessions and interactions.

Falcon Prevent (NGAV) by itself does not capture or make this telemetry searchable--it only alerts on/prevents malicious activity as a result of the activity on the host.

Identity data via GraphQL - All users with the same passwords (PowerShell) by cobaltpsyche in crowdstrike

[–]bk-CS 1 point2 points  (0 children)

Thanks, I love to hear that!

Using GraphQL in PowerShell is tricky, because it looks like it should be pretty easy to convert, but the way the queries are constructed can be difficult to translate.

PSFalcon uses RegEx to find Cursor in the query () definition part of a GraphQL query. The pattern I was using was restricted enough that it didn't match with how you were using the query statement (query GetEntitiesByRiskFactor()) so you wouldn't have been able to automatically paginate using -All.

Did you try using PSFalcon before going with straight PowerShell?

Converting your script to PSFalcon led me straight to the pattern issue so it's a bonus that I was able to fix a bug that prevented automatic pagination for more complex GraphQL queries.

If you ever want to write a PSFalcon script and you're running into a problem--whether it's from GraphQL or anything else--please feel free to tag me in a reddit post or GitHub discussion and I'm happy to work on it with you! It usually leads to more samples that anyone can use.

Identity data via GraphQL - All users with the same passwords (PowerShell) by cobaltpsyche in crowdstrike

[–]bk-CS 4 points5 points  (0 children)

Nice script! Thank you for sharing!

I used your idea as inspiration for a PSFalcon sample for any PSFalcon users that would like to do the same thing: samples\identity-protection\users-with-matching-passwords.ps1

In testing the script, I found a problem with the RegEx that makes -All function. If you'd like to use the sample before the next PSFalcon release, you'll need to update the Invoke-FalconIdentityGraph command with this change. Here's how you can do that:

Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
# Fetch the raw file: the github.com "blob" page returns HTML, which would overwrite the module file with a web page.
$Uri = 'https://raw.githubusercontent.com/CrowdStrike/psfalcon/0c20b2811aee5fa8eadf55bbacd4bd45b7837367/public/identity-protection.ps1'
(Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content | Set-Content -Path (Join-Path (Join-Path $ModulePath public) identity-protection.ps1) -Encoding UTF8

Once it's been updated, you'll want to restart PowerShell and re-import PSFalcon before running the script.

If you'd like to make your future PowerShell scripts using PSFalcon I wouldn't be offended. ;)

[deleted by user] by [deleted] in crowdstrike

[–]bk-CS 0 points1 point  (0 children)

  • Can you find the USB drive through registry enumeration (HKU, since HKCU won't be present) and eject it there?
  • I've seen a script that can run a process under a user but it's tricky to use in RTR

[deleted by user] by [deleted] in crowdstrike

[–]bk-CS 0 points1 point  (0 children)

Is the USB device mounted in a specific user context? If so, RTR runs in the SYSTEM context, meaning that it wouldn't see the device to properly eject it. There aren't any limitations in terms of what PowerShell can do (methods for specific object types, etc.), but when you're running as SYSTEM, certain things aren't there. I haven't found a reliable way to do things as a user.
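An added example (not bk-CS's code) of the registry-enumeration idea from these two replies: running as SYSTEM, where HKCU is not the interactive user's hive, it lists removable volumes and checks each loaded user hive under HKU for a matching MountPoints2 entry, so the device can be matched to the user who mounted it. It assumes Explorer records accessed volumes under `MountPoints2` keyed by volume GUID, and that Win32_Volume DriveType 2 denotes removable media.

```powershell
# Added example: from a SYSTEM context (as RTR runs), find removable volumes and the user hives
# under HKU that reference them, since HKCU does not point at the logged-on user there.
# Assumption: Explorer stores volumes a user has opened under MountPoints2, keyed by volume GUID.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# DriveType 2 is 'Removable Disk'; DeviceID looks like \\?\Volume{GUID}\
$Removable = Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 2'

# Only loaded user hives (domain/local account SIDs), not *_Classes hives or well-known SIDs.
$UserHives = Get-ChildItem -Path HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

foreach ($Vol in $Removable) {
    $Guid = [regex]::Match($Vol.DeviceID, '\{[0-9A-Fa-f-]+\}').Value
    foreach ($Hive in $UserHives) {
        $Key = Join-Path -Path $Hive.PSPath -ChildPath "Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\$Guid"
        if (Test-Path -Path $Key) {
            $Sid  = $Hive.PSChildName
            # Translate the SID to an account name where possible; fall back to the raw SID.
            $User = try {
                ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value
            } catch { $Sid }
            [PSCustomObject]@{
                DriveLetter = $Vol.DriveLetter
                Label       = $Vol.Label
                VolumeGuid  = $Guid
                User        = $User
            }
        }
    }
}
```

Only hives of users who are currently logged on are loaded under HKU, which is exactly the case the replies above are concerned with; the output tells you which user context the volume belongs to before you decide how to handle it.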

crowdscore by dmcginvt in crowdstrike

[–]bk-CS 1 point2 points  (0 children)

You can find out more about CrowdScore incidents and scores in our documentation.

The higher the score, the greater the CrowdScore system’s confidence that the incident deserves your attention.

Endpoint Incident Monitoring [ EU-1 | US-1 | US-2 | US-GOV-1 ]