Module Structure
PSFalcon v2.2.9 is organized around CrowdStrike Falcon API service categories, with cmdlets grouped by functionality:
OAuth2 & Authentication
Token management and authentication
Host & Device Management
Host groups, device control, and grouping tags
Prevention & Response
Prevention policies, response policies, and IOA rules
Real-Time Response
Interactive command sessions and remote actions
Detection & Incidents
Alerts, detections, behaviors, and incident management
Threat Intelligence
Actors, indicators, malware families, and reports
Cloud Security
AWS, Azure, GCP account management and posture
Container Security
Container policies, images, registries, and vulnerabilities
Naming Conventions
PSFalcon follows PowerShell best practices with consistent verb-noun patterns:
Standard Verbs
| Verb | Purpose | Example |
|---|---|---|
| Get- | Retrieve resources | Get-FalconHost, Get-FalconAlert |
| New- | Create new resources | New-FalconHostGroup, New-FalconIoc |
| Edit- | Modify existing resources | Edit-FalconHostGroup, Edit-FalconUser |
| Remove- | Delete resources | Remove-FalconHostGroup, Remove-FalconIoc |
| Invoke- | Perform actions | Invoke-FalconHostAction, Invoke-FalconRtr |
| Request- | Request credentials/tokens | Request-FalconToken |
| Revoke- | Revoke credentials/tokens | Revoke-FalconToken |
| Start- | Start operations | Start-FalconSession, Start-FalconScan |
| Stop- | Stop operations | Stop-FalconScan, Stop-FalconMigration |
| Send- | Upload files/data | Send-FalconSample, Send-FalconPutFile |
| Receive- | Download files/data | Receive-FalconInstaller, Receive-FalconArtifact |
Noun Structure
All cmdlets use the Falcon prefix followed by the resource type:
- Get-FalconHost: Get host information
- Get-FalconHostGroup: Get host group information
- Get-FalconHostGroupMember: Get host group membership
- New-FalconIoaExclusion: Create IOA exclusion
- Edit-FalconFirewallPolicy: Modify firewall policy
Common Parameters
PSFalcon cmdlets share common parameter patterns for consistency:
Identifiers
- Resource identifier(s), typically 32-character hexadecimal values
  Pattern: ^[a-fA-F0-9]{32}$
  Aliases: ids, device_id, device_ids, host_ids, etc.
Filtering & Search
- Falcon Query Language (FQL) expression to limit results
  Example: "hostname:'DESKTOP-*'+platform_name:'Windows'"
- Property and direction to sort results
  Format: property_name.asc or property_name.desc
  Example: "last_seen.desc"
- Maximum number of results per request
  Default: Varies by cmdlet (typically 100 or 500)
  Maximum: Varies by API endpoint (typically 5000)
- Position to begin retrieving results for pagination
  Default: 0
- Retrieve all available results using automatic pagination
- Retrieve detailed information instead of identifier-only results
Common Properties
Resource name (policies, groups, etc.)
Resource description
PowerShell Features
All cmdlets support standard PowerShell features:
- Pipeline support: Most cmdlets accept pipeline input via ValueFromPipeline or ValueFromPipelineByPropertyName
- Parameter validation: Built-in validation for patterns, sets, and custom scripts
- ShouldProcess: Many modification cmdlets support -WhatIf and -Confirm
- Progress indicators: Long-running operations display progress
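The identifier pattern, aliases, pipeline binding, and ShouldProcess support described above can be seen together in the following added example, which is not PSFalcon's own code. The function `Invoke-ExampleHostAction`, its action names, and the sample device IDs are hypothetical and constructed for illustration; it makes no API calls.

```powershell
# Hypothetical wrapper (not a PSFalcon cmdlet) that mirrors the module's parameter conventions.
function Invoke-ExampleHostAction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Same 32-character hexadecimal pattern and aliases the page lists for identifiers.
        # The aliases let objects carrying a 'device_id' property bind from the pipeline.
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [ValidatePattern('^[a-fA-F0-9]{32}$')]
        [Alias('ids', 'device_id', 'device_ids', 'host_ids')]
        [string[]]$Id,

        # Illustrative action names (an assumption of this example).
        [Parameter(Mandatory)]
        [ValidateSet('contain', 'lift_containment')]
        [string]$Name
    )
    process {
        foreach ($i in $Id) {
            # ShouldProcess gates the state-changing step, so -WhatIf previews
            # the target list and -Confirm prompts before each one.
            if ($PSCmdlet.ShouldProcess($i, $Name)) {
                # A real script would call the module here; this example only reports.
                [PSCustomObject]@{ Id = $i; Action = $Name; Status = 'submitted' }
            }
        }
    }
}

# Constructed sample records. The second identifier is deliberately malformed
# (31 characters), so parameter validation rejects it before any action runs.
$Sample = @(
    [PSCustomObject]@{ device_id = '0123456789abcdef0123456789abcdef' }
    [PSCustomObject]@{ device_id = '0123456789abcdef0123456789abcde' }
)

# Preview only: the valid record is reported as a "What if" line and the
# malformed one produces a non-terminating validation error.
$Sample | Invoke-ExampleHostAction -Name contain -WhatIf
```

Running the preview before a bulk modification shows exactly which identifiers would be acted on and surfaces malformed input from upstream data early.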
API Credential Caching
PSFalcon caches your API credentials and token after successful authentication.
Cached Information:
- ClientId: OAuth2 client identifier
- ClientSecret: OAuth2 client secret
- Hostname: CrowdStrike API hostname/cloud
- MemberCid: Member CID for multi-CID environments
- Expiration: Token expiration timestamp
Error Handling
PSFalcon cmdlets return detailed error information:
Module Information
2.2.9
Brendan Kremian
CrowdStrike
5.1 minimum required
Desktop, Core (cross-platform support)