Manage threat intelligence including actors, reports, indicators, vulnerabilities, malware families, and detection rules.

Cmdlets

Get-FalconActor

Search for Falcon Intelligence threat actors. Permissions: Actors (Falcon Intelligence): Read
Id
string[]
Threat actor identifier
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search across available fields
Sort
string
Property and direction to sort results. Valid values:
  • name|asc, name|desc
  • target_countries|asc, target_countries|desc
  • target_industries|asc, target_industries|desc
  • type|asc, type|desc
  • created_date|asc, created_date|desc
  • last_activity_date|asc, last_activity_date|desc
  • last_modified_date|asc, last_modified_date|desc
Limit
int32
Maximum number of results per request (1-5000)
Field
string[]
Specific fields to return, or a predefined collection name surrounded by two underscores [default: basic]
Include
string
Include additional information. Valid values: tactic_and_technique
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results
Example
# Search for actors targeting specific countries
Get-FalconActor -Filter "target_countries:'US'" -Detailed

# Get detailed information for a specific actor
Get-FalconActor -Id 'BEAR-001' -Field name,description,target_countries

# Search for actors with MITRE ATT&CK tactics and techniques
Get-FalconActor -Filter "type:'nation_state'" -Include tactic_and_technique -Detailed

Get-FalconAttck

Search for MITRE ATT&CK tactic and technique information related to specific actors. Permissions: Actors (Falcon Intelligence): Read
Id
string[]
Tactic and technique identifier, by actor
Slug
string
Actor identifier (‘slug’)
Example
# Get MITRE ATT&CK tactics and techniques for an actor
Get-FalconAttck -Slug 'fancy-bear'

Get-FalconCve

Search for Falcon Intelligence CVE reports. Permissions: Vulnerabilities (Falcon Intelligence): Read
Id
string[]
CVE identifier
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search across available fields
Sort
string
Property and direction to sort results
Limit
int
Maximum number of results per request
Offset
string
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results
Example
# Search for recent CVEs
Get-FalconCve -Filter "created_date:>'2024-01-01'" -Detailed

# Get details for a specific CVE
Get-FalconCve -Id 'CVE-2024-1234'

# Search for high severity vulnerabilities
Get-FalconCve -Filter "severity:'HIGH'" -All

Get-FalconIndicator

Search for Falcon Intelligence indicators. Permissions: Indicators (Falcon Intelligence): Read
Id
string[]
Indicator identifier
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search across available fields
Sort
string
Property and direction to sort results. Valid values:
  • id|asc, id|desc
  • indicator|asc, indicator|desc
  • type|asc, type|desc
  • published_date|asc, published_date|desc
  • last_updated|asc, last_updated|desc
  • _marker|asc, _marker|desc
Limit
int32
Maximum number of results per request (1-5000)
IncludeDeleted
boolean
Include previously deleted indicators
IncludeRelation
boolean
Include related indicators
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results
Example
# Search for malicious IP indicators
Get-FalconIndicator -Filter "type:'ip_address'" -Detailed

# Get indicators published in the last 7 days
Get-FalconIndicator -Filter "published_date:>'now-7d'" -IncludeRelation $true

# Search for domain indicators
Get-FalconIndicator -Query 'malicious-domain.com' -All

Get-FalconIntel

Search for Falcon Intelligence reports. Permissions: Reports (Falcon Intelligence): Read
Id
string[]
Report identifier
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search across available fields
Sort
string
Property and direction to sort results. Valid values:
  • name|asc, name|desc
  • target_countries|asc, target_countries|desc
  • target_industries|asc, target_industries|desc
  • type|asc, type|desc
  • created_date|asc, created_date|desc
  • last_modified_date|asc, last_modified_date|desc
Limit
int32
Maximum number of results per request (1-5000)
Field
string[]
Specific fields, or a predefined collection name surrounded by two underscores [default: basic]
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results
Example
# Search for recent intelligence reports
Get-FalconIntel -Filter "created_date:>'2024-01-01'" -Detailed

# Get a specific report
Get-FalconIntel -Id 'CSIT-12345'

# Search for reports targeting healthcare industry
Get-FalconIntel -Filter "target_industries:'Healthcare'" -All

Get-FalconMalwareFamily

Search for Falcon Intelligence malware families. Permissions: Malware Families (Falcon Intelligence): Read
Id
string[]
Malware family identifier
Filter
string
Falcon Query Language expression to limit results
Query
string
Perform a generic substring search across available fields
Sort
string
Property and direction to sort results
Limit
int32
Maximum number of results per request (1-5000)
Field
string[]
Specific fields to return
Offset
int32
Position to begin retrieving results
Mitre
switch
Retrieve MITRE TTP information for malware families
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results
Example
# Search for ransomware families
Get-FalconMalwareFamily -Filter "family_type:'ransomware'" -Detailed

# Get MITRE TTPs for a malware family
Get-FalconMalwareFamily -Id 'emotet' -Mitre

Get-FalconRule

Search for Falcon Intelligence rulesets. Permissions: Rules (Falcon Intelligence): Read
Id
string[]
Ruleset identifier
Type
string
required
Ruleset type. Valid values:
  • common-event-format
  • cql-changelog, cql-master, cql-update
  • netwitness
  • snort-suricata-changelog, snort-suricata-master, snort-suricata-update
  • yara-changelog, yara-master, yara-update
Name
string[]
Ruleset name
Description
string[]
Ruleset description
Tag
string[]
Ruleset tag
MinCreatedDate
int32
Filter results to those created on or after a date
MaxCreatedDate
string
Filter results to those created on or before a date
Query
string
Perform a generic substring search across available fields
Sort
string
Property and direction to sort results
Limit
int32
Maximum number of results per request (1-5000)
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results
Example
# Get YARA master ruleset
Get-FalconRule -Type yara-master -Detailed

# Get Snort/Suricata rules from the last 30 days
# MinCreatedDate is an int32 Unix epoch timestamp (seconds); a Windows file time from
# ToFileTimeUtc() is an Int64 that overflows the parameter and is not what the API expects
Get-FalconRule -Type snort-suricata-changelog -MinCreatedDate ([DateTimeOffset]::UtcNow.AddDays(-30).ToUnixTimeSeconds())

# Search for specific rule by tag
Get-FalconRule -Type yara-master -Tag 'ransomware'

Receive-FalconAttck

Download MITRE ATT&CK information for an actor. Permissions: Actors (Falcon Intelligence): Read
Format
string
Export format. Valid values: csv, json [default: json]
Path
string
Destination path (default: ./slug.format)
Slug
string
required
Actor identifier
Force
switch
Overwrite an existing file when present
Example
# Download actor ATT&CK data as JSON
Receive-FalconAttck -Slug 'fancy-bear' -Path './actor-ttps.json'

# Download as CSV format
Receive-FalconAttck -Slug 'fancy-bear' -Format csv -Path './actor-ttps.csv' -Force
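Combining Get-FalconActor with Receive-FalconAttck, as an added example that is not part of the PSFalcon documentation: export the ATT&CK data of every actor targeting one industry so detection coverage can be compared per actor. It assumes an authenticated PSFalcon session, that actor objects expose a slug property, and that each row of the exported CSV is one technique; the industry and output directory are placeholders.

```powershell
# Added example, not PSFalcon's own code. Assumes an authenticated PSFalcon session,
# a 'slug' property on actor objects and one CSV row per technique.
param(
    [string]$Industry = 'Healthcare',   # placeholder
    [string]$OutDir = './actor-ttps'    # placeholder
)

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

$filter = "target_industries:'$Industry'"

# Check the match count first so a broad filter does not silently fan out into
# one download per actor for thousands of actors
$count = Get-FalconActor -Filter $filter -Total
if ($count -gt 50) {
    throw "Filter '$filter' matched $count actors; narrow it before exporting."
}

# -Field limits the returned properties; 'slug' is the identifier Receive-FalconAttck expects
$actors = Get-FalconActor -Filter $filter -Field name,slug -Detailed -All

foreach ($actor in $actors) {
    $target = Join-Path $OutDir "$($actor.slug).csv"
    try {
        Receive-FalconAttck -Slug $actor.slug -Format csv -Path $target -Force
    } catch {
        Write-Warning "ATT&CK export failed for $($actor.name): $_"
        continue
    }
    # Tally techniques per actor; the per-actor CSVs are the input for coverage mapping
    $rows = @(Import-Csv $target)
    [pscustomobject]@{
        Actor      = $actor.name
        Slug       = $actor.slug
        Techniques = $rows.Count
        File       = $target
    }
}
```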

Receive-FalconIntel

Download a Falcon Intelligence report. Permissions: Reports (Falcon Intelligence): Read
Path
string
Destination path (default: slug.pdf)
Id
string
required
Report identifier
Force
switch
Overwrite an existing file when present
Example
# Download an intelligence report
Receive-FalconIntel -Id 'CSIT-12345' -Path './threat-report.pdf'

# Download and overwrite existing file
Receive-FalconIntel -Id 'CSIT-12345' -Path './report.pdf' -Force

Receive-FalconMalwareFamilyAttck

Download MITRE ATT&CK information for a malware family. Permissions: Malware Families (Falcon Intelligence): Read
Format
string
Export format. Valid values: CSV, JSON, JSON_NAVIGATOR [default: JSON]
Path
string
Destination path (default: ./slug.format)
Slug
string
required
Malware family identifier
Force
switch
Overwrite an existing file when present
Example
# Download malware family ATT&CK data
Receive-FalconMalwareFamilyAttck -Slug 'emotet' -Path './emotet-ttps.json'

# Download as CSV
Receive-FalconMalwareFamilyAttck -Slug 'emotet' -Format CSV -Path './emotet.csv'

Receive-FalconRule

Download the most recent or a specific Falcon Intelligence ruleset. Permissions: Rules (Falcon Intelligence): Read
Type
string
Ruleset type, used to retrieve the latest ruleset. Valid values:
  • common-event-format
  • cql-changelog, cql-master, cql-update
  • netwitness
  • snort-suricata-changelog, snort-suricata-master, snort-suricata-update
  • yara-changelog, yara-master, yara-update
IfNoneMatch
string
Download the latest rule set only if it doesn’t have a matching ‘tags’ value
IfModifiedSince
string
Restrict results to those modified after a provided date (HTTP, ANSIC or RFC850 format)
Path
string
required
Destination path (must end with .gz, .gzip, or .zip)
Id
int32
Ruleset identifier, used for a specific ruleset
Force
switch
Overwrite an existing file when present
Example
# Download latest YARA master ruleset
Receive-FalconRule -Type yara-master -Path './yara-rules.zip'

# Download specific ruleset by ID
Receive-FalconRule -Id 12345 -Path './ruleset.zip'

# Download only if modified
Receive-FalconRule -Type snort-suricata-master -Path './snort.zip' -IfModifiedSince 'Mon, 01 Jan 2024 00:00:00 GMT'
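The conditional download above hardcodes the date; as an added example that is not part of the PSFalcon documentation, the script below derives IfModifiedSince from the local copy's timestamp so a scheduled refresh only transfers a ruleset that has actually changed, then sanity-checks the archive before it is handed to a sensor. It assumes an authenticated PSFalcon session and a .zip destination; how PSFalcon surfaces a 304 Not Modified response is not stated on this page, so the script decides whether anything changed by comparing the file's timestamp before and after the call.

```powershell
# Added example, not PSFalcon's own code. Assumes an authenticated PSFalcon session
# and a .zip destination path; ruleset type and path are placeholders.
param(
    [string]$Type = 'snort-suricata-master',           # placeholder
    [string]$Path = './snort-suricata-master.zip'      # placeholder
)

$params = @{ Type = $Type; Path = $Path; Force = $true }
$before = $null

if (Test-Path $Path) {
    $before = (Get-Item $Path).LastWriteTimeUtc
    # IfModifiedSince takes an HTTP-date; .NET's 'R' (RFC 1123) format produces one,
    # e.g. 'Mon, 01 Jan 2024 00:00:00 GMT', from the local file's UTC timestamp
    $params['IfModifiedSince'] = $before.ToString('R')
}

try {
    Receive-FalconRule @params -ErrorAction Stop
} catch {
    # Whether a 304 is reported as an error is not documented here; warn and let the
    # timestamp comparison below decide what happened
    Write-Warning "Receive-FalconRule: $_"
}

$file = Get-Item $Path -ErrorAction Stop
if ($before -and $file.LastWriteTimeUtc -le $before) {
    "$Type unchanged since $($before.ToString('R')); local copy kept"
    return
}

# A failed transfer with -Force can leave an empty or truncated file; reject it
# before any sensor loads it
if ($file.Length -eq 0) { throw "Downloaded ruleset $Path is empty" }
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
try {
    "$Type updated: $($zip.Entries.Count) entries, $($file.Length) bytes, written $($file.LastWriteTimeUtc.ToString('R'))"
} finally {
    $zip.Dispose()
}
```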
