
Get-FalconCloudIoa

Search for Falcon Cloud Security Indicators of Attack (IOA).
Required permission: CSPM registration: Read
Alias: Get-FalconHorizonIoa

Syntax

Get-FalconCloudIoa -CloudPlatform <string> [-AccountId <string>] [-AwsAccountId <string>] 
  [-AzureSubscriptionId <string>] [-AzureTenantId <string>] [-ResourceId <string[]>] 
  [-ResourceUuid <string[]>] [-Severity <string>] [-Region <string>] [-Service <string>] 
  [-State <string>] [-Since <string>] [-DateTimeSince <string>] [-Limit <int32>] 
  [-NextToken <string>] [-All] [-Total]

Parameters

CloudPlatform
string
required
Cloud platform to search.
Valid values: aws, azure
Aliases: cloud_provider, cloud_platform
AccountId
string
Cloud account identifier. Can be provided via pipeline.
Aliases: account_id
AwsAccountId
string
AWS account identifier (12-digit number).
Pattern: ^\d{12}$
Aliases: aws_account_id
AzureSubscriptionId
string
Azure subscription identifier (GUID format).
Pattern: UUID/GUID format
Aliases: azure_subscription_id, subscription_id
AzureTenantId
string
Azure tenant identifier (GUID format).
Pattern: UUID/GUID format
Aliases: azure_tenant_id, tenant_id
ResourceId
string[]
Resource identifier(s) to filter results.
Aliases: resource_id
ResourceUuid
string[]
Resource UUID(s) to filter results.
Aliases: resource_uuid
Severity
string
Indicator of Attack severity level.
Valid values: High, Medium, Informational
Service
string
Cloud service to filter results.
Valid values include: ACM, ACR, App Engine, AppService, BigQuery, Cloud Load Balancing, Cloud Logging, Cloud SQL, Cloud Storage, CloudFormation, CloudTrail, CloudWatch Logs, Cloudfront, Compute Engine, Config, Disk, DynamoDB, EBS, EC2, ECR, EFS, EKS, ELB, EMR, Elasticache, GuardDuty, IAM, Identity, KMS, KeyVault, Kinesis, Kubernetes, Lambda, LoadBalancer, Monitor, NLB/ALB, NetworkSecurityGroup, PostgreSQL, RDS, Redshift, S3, SES, SNS, SQLDatabase, SQLServer, SQS, SSM, Serverless Application Repository, StorageAccount, Subscriptions, VPC, VirtualMachine, VirtualNetwork
State
string
Indicator of Attack state.
Valid values: open, closed
Since
string
Filter events using a duration string (e.g., 24h, 7d, 30d).
DateTimeSince
string
Include results that occur after a specific date and time (RFC3339 format).
Aliases: date_time_since
Limit
int32
Maximum number of results per request.
Range: 1-1000
NextToken
string
Pagination token to retrieve the next set of results.
Aliases: next_token
All
switch
Repeat requests until all available results are retrieved.
Total
switch
Display total result count instead of results.

Examples

# Get all high severity IOAs for AWS
Get-FalconCloudIoa -CloudPlatform aws -Severity High -All

# Get IOAs for specific AWS account
Get-FalconCloudIoa -CloudPlatform aws -AwsAccountId 123456789012 -State open

Get-FalconCloudIom

Search for Falcon Cloud Security Indicators of Misconfiguration (IOM).
Required permission: CSPM registration: Read
Alias: Get-FalconHorizonIom

Syntax

# Search for IOMs
Get-FalconCloudIom [-Filter <string>] [-Sort <string>] [-Limit <int>] [-Offset <int>] 
  [-NextToken <string>] [-Detailed] [-All] [-Total]

# Get specific IOMs by ID
Get-FalconCloudIom -Id <string[]>

Parameters

Id
string[]
Falcon Cloud Security Indicator of Misconfiguration identifier(s). Can be provided via pipeline.
Aliases: ids
Filter
string
Falcon Query Language (FQL) expression to limit results. Must be a valid FQL statement.
Sort
string
Property and direction to sort results.
Valid values: account_name.asc, account_name.desc, account_id.asc, account_id.desc, attack_types.asc, attack_types.desc, azure_subscription_id.asc, azure_subscription_id.desc, cloud_provider.asc, cloud_provider.desc, cloud_service_keyword.asc, cloud_service_keyword.desc, status.asc, status.desc, is_managed.asc, is_managed.desc, policy_id.asc, policy_id.desc, policy_type.asc, policy_type.desc, resource_id.asc, resource_id.desc, region.asc, region.desc, scan_time.asc, scan_time.desc, severity.asc, severity.desc, severity_string.asc, severity_string.desc, timestamp.asc, timestamp.desc
Limit
int
Maximum number of results per request.
Range: 1-1000
Offset
int
Position to begin retrieving results (used for pagination).
NextToken
string
Pagination token to retrieve the next set of results.
Aliases: next_token
Detailed
switch
Retrieve detailed information for IOMs.
All
switch
Repeat requests until all available results are retrieved.
Total
switch
Display total result count instead of results.

Examples

# Get all open misconfigurations
Get-FalconCloudIom -Filter "status:'open'" -All

# Get high severity misconfigurations sorted by severity
Get-FalconCloudIom -Filter "severity_string:'High'" -Sort severity.desc -Limit 100

Notes

  • Use the -Detailed switch to retrieve complete IOM information.
  • The -Filter parameter accepts FQL expressions that combine several conditions for precise filtering.
  • Results can be sorted by any of the properties listed under Sort, including severity, timestamp, and account information.
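The following is an added example, not part of the PSFalcon documentation or the module itself. It combines both cmdlets into a weekly triage summary: because Get-FalconCloudIoa requires -CloudPlatform, the IOA query is run once per platform, and the IOM query uses an FQL filter with two conditions joined by `+` (FQL's AND). It assumes the module is already authenticated, that -Total returns an integer, and that returned IOM objects carry a `policy_id` property (the name is taken from the documented Sort values but is an assumption for the output objects).

```powershell
# Added example (not from the PSFalcon docs). Assumes an authenticated session and that
# IOM objects expose 'policy_id' (assumed from the documented Sort values).

# IOAs: -CloudPlatform is required, so query each platform and keep the platform label.
$ioaByPlatform = foreach ($platform in 'aws', 'azure') {
    $hits = @(Get-FalconCloudIoa -CloudPlatform $platform -Severity High -State open -Since 7d -All)
    [pscustomobject]@{ Platform = $platform; OpenHighIoa = $hits.Count }
}

# IOMs: '+' joins FQL conditions with AND, so only open findings rated High are returned.
# -Detailed fetches full records; -Sort puts the newest first.
$iom = @(Get-FalconCloudIom -Filter "status:'open'+severity_string:'High'" `
        -Sort timestamp.desc -Detailed -All)

# Which policies generate the most open High IOMs? (policy_id is an assumed property name.)
$topPolicies = $iom |
    Group-Object -Property policy_id |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property @{ Name = 'PolicyId'; Expression = { $_.Name } }, Count

# -Total asks the API for a count only, which is cheaper than paging every record with -All.
$totalOpenIom = Get-FalconCloudIom -Filter "status:'open'" -Total

[pscustomobject]@{
    IoaByPlatform = $ioaByPlatform
    OpenHighIom   = $iom.Count
    TotalOpenIom  = $totalOpenIom
    TopPolicies   = $topPolicies
}
```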
