Comments (3)
`Invoke-FalconDeploy` combines the `put` and `run` Real-time Response commands. `put` does not provide the ability to specify a destination--it uploads the file to the current directory. If you want it to be in a different directory, you have to `cd` to that location first.
`Invoke-FalconDeploy` was created as a mechanism to deploy the Falcon Forensics executable, so I don't really have any intention of modifying it, especially because it works for most "upload and run this exe" use cases.
If you'd like to use a more complicated workflow (like using `put` to place the file in a specific directory), I recommend either using a combination of commands with `Invoke-FalconRTR` or creating a script with the necessary commands to step through each of the parts of what you're trying to do. It might look something like...
```powershell
Start-FalconSession ...
Send-FalconCommand -Command cd ...
Send-FalconAdminCommand -Command put ...
Send-FalconAdminCommand -Command run ...
```
Then you'll have to keep track of the responses and update accordingly. You can see an example of how to do this by looking at the code within `Invoke-FalconRTR` (the `Invoke-RTR` function in `Public\Scripts.ps1`) or `Invoke-FalconDeploy` (`Invoke-Deploy` in the same `Scripts.ps1` file) if you'd like to output the results to CSV.
Thanks for the quick response.
I was using RTR commands like the "cd ......" "put foo.bar" "run foo.bar" and noticed the code was becoming multiple lines of code that could be replaced with the single line of Invoke-Deploy.
Could I start the session - send the command to CD into my folder then Invoke-Deploy and have it run from there?
Yes. `Invoke-FalconRTR` is meant as a way to run a single Real-time Response command. It creates the session (or batch), sends the command and outputs the results. Although it can be used repeatedly (and the API itself will "append" commands to existing sessions), the "proper" way to do it is to run through each individual step.
You can see examples of that entire workflow on the wiki: https://github.com/CrowdStrike/psfalcon/wiki/Real-time-Response#send-real-time-response-commands-to-a-batch-of-hosts
You'll basically follow those steps, but issue multiple commands to a single (or batch) session. If it's something that will take longer than the maximum timeout of 600 seconds (which defaults to 30 seconds if you don't specify it when issuing the command), you'll also need to keep a timer going and `Update-FalconSession` periodically to ensure the session running on each host does not expire.
You'll also want to add logic to only continue if the previous command was successful, so you don't end up doing things like using `put` in the wrong directory. You can see some examples of this with `Invoke-FalconDeploy` where it only selects successful hosts and then specifies the `OptionalHostIds` field on the next command.
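The per-step gating described in the answer above, as an added example that is not part of the thread or of PSFalcon's own code: each command is sent only to hosts that succeeded on the previous one. `Invoke-GatedStep`, the `$Send` wrapper, the result properties (`aid`, `complete`, `stderr`), the host IDs and the staging path are all assumptions made for illustration; a constructed stub stands in for the API call so the logic runs offline.

```powershell
# Added example: gate each RTR step on the previous step's per-host result.
# $Send is a hypothetical scriptblock wrapping whichever module command
# issues one RTR command to a batch; it takes (command, argument, host ids)
# and returns one object per host. The properties read below (aid, complete,
# stderr) are assumptions about that wrapper's output.
function Invoke-GatedStep {
    param(
        [scriptblock]$Send,
        [string]$Command,
        [string]$Argument,
        [string[]]$HostId
    )
    if (-not $HostId) { return }              # no hosts left to target
    # A real wrapper would pass $HostId in the OptionalHostIds field
    $Result = & $Send $Command $Argument $HostId
    # Keep only hosts that completed the step without error output
    $Result | Where-Object { $_.complete -eq $true -and -not $_.stderr } |
        ForEach-Object { $_.aid }
}

# Constructed stub standing in for the API call: host 'bbb' fails on 'cd'
$Stub = {
    param($Command, $Argument, $HostId)
    foreach ($Id in $HostId) {
        $Failed = ($Command -eq 'cd' -and $Id -eq 'bbb')
        [PSCustomObject]@{
            aid      = $Id
            complete = -not $Failed
            stderr   = if ($Failed) { 'path not found' } else { '' }
        }
    }
}

$Steps = @(
    @{ Command = 'cd';  Argument = 'C:\Temp\Staging' },   # constructed path
    @{ Command = 'put'; Argument = 'foo.bar' },
    @{ Command = 'run'; Argument = 'foo.bar' }
)
$Targets = @('aaa', 'bbb', 'ccc')                         # constructed host ids
foreach ($Step in $Steps) {
    # Narrow the target list to the hosts that passed this step
    $Targets = @(Invoke-GatedStep -Send $Stub -Command $Step.Command `
        -Argument $Step.Argument -HostId $Targets)
    '{0}: {1} host(s) succeeded' -f $Step.Command, $Targets.Count
}
```

With the stub, host `bbb` drops out at `cd`, so `put` and `run` are only sent to the two hosts that are in the intended directory.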