PSFalcon provides access to CrowdStrike Falcon Intelligence for threat research, indicator management, and adversary tracking.
Custom Indicators (IOCs)
Understanding Indicator Types
Custom indicators support multiple types:
domain: Domain names
ipv4, ipv6: IP addresses
md5, sha256: File hashes
registry: Registry keys
username: User account names
Create Custom Indicators
# Create a malicious domain indicator
New-FalconIoc -Type domain `
    -Value 'malicious.example.com' `
    -Action detect `
    -Platform @('windows', 'mac', 'linux') `
    -Severity high `
    -Description 'C2 domain from incident IR-2024-001' `
    -Tag @('C2', 'Incident-2024-001')

# Create a SHA256 hash indicator with prevention
# (the value below is a placeholder: it is the SHA-256 of an empty file, so
# substitute the real sample hash before running this with -Action prevent)
New-FalconIoc -Type sha256 `
    -Value 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' `
    -Action prevent `
    -Platform @('windows') `
    -Severity critical `
    -Filename 'malware.exe' `
    -Description 'Ransomware payload'
Indicator Actions
no_action
Save the indicator without generating detections or blocking anything (useful for staging an indicator you are not yet ready to act on)
detect
Generate a detection event
prevent
Block execution and generate a detection
allow
Allowlist the indicator (suppresses detections for it)
Not every action is available for every indicator type: prevent is the action for file hashes (md5, sha256). The API rejects a combination the type does not support, so check the options the console offers for a type before scripting it.
Search and Manage Indicators
Search Indicators
Update Indicators
Delete Indicators
# List all custom indicators
Get-FalconIoc -Detailed -All

# Search by type
Get-FalconIoc -Filter "type:'sha256'" -Detailed

# Find indicators by tag
Get-FalconIoc -Filter "tags:'C2'" -Detailed -All

# Search by value pattern (FQL wildcard match: the * goes inside the quoted value)
Get-FalconIoc -Filter "value:*'*example.com*'" -Detailed

# Get specific indicator by ID
Get-FalconIoc -Id 'abc123def456...'
Host Group Scoping
# Apply indicator to specific host groups
$Groups = @(Get-FalconHostGroup -Filter "name:*'*Production*'" -Detailed)
if ($Groups.Count -eq 0) { throw "No host group matching 'Production'" }
New-FalconIoc -Type sha256 `
    -Value '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef' `
    -Action prevent `
    -Platform windows `
    -HostGroup @($Groups[0].id) `
    -Description 'Block in production only'

# Apply globally to all hosts
New-FalconIoc -Type ipv4 `
    -Value '192.0.2.100' `
    -Action detect `
    -Platform @('windows', 'mac', 'linux') `
    -AppliedGlobally $true `
    -Description 'Global threat IP'
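Host-group scoping is most useful as the first stage of a rollout. The following is an added example, not code from the original page or from PSFalcon's own documentation: it creates a hash indicator in detect mode on a pilot host group with an expiry, reviews what it matched, promotes it to a global prevent with Edit-FalconIoc, and finally deletes the staged copy with Remove-FalconIoc (the Update and Delete operations the page lists without code). The host group name 'IOC-Pilot', the placeholder hash and the incident tag are assumptions, and the detection filter on behaviors.ioc_value assumes the legacy detects-API schema.

```powershell
# Added example (not from the original page). Assumed: a host group named
# 'IOC-Pilot', a placeholder 64-hex hash and the incident tag 'IR-2024-001'.
$Hash = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'   # placeholder, not a real sample
$Tag  = 'IR-2024-001'

# 1. Resolve the pilot group; stop on zero or ambiguous matches instead of
#    silently scoping the indicator to whichever group came back first
$Pilot = @(Get-FalconHostGroup -Filter "name:'IOC-Pilot'" -Detailed)
if ($Pilot.Count -ne 1) {
    throw "Expected exactly one host group named 'IOC-Pilot', found $($Pilot.Count)"
}

# 2. Create detect-only, scoped to the pilot group, with a 14-day expiry so a
#    forgotten pilot indicator retires itself (ISO 8601 UTC timestamp)
$Expires = (Get-Date).ToUniversalTime().AddDays(14).ToString('yyyy-MM-ddTHH:mm:ssZ')
$Ioc = New-FalconIoc -Type sha256 -Value $Hash -Action detect -Platform windows `
    -Severity medium -HostGroup $Pilot[0].id -Expiration $Expires `
    -Tag @($Tag, 'staged') -Description "Pilot for $Tag"

# 3. Review what the indicator actually matched on pilot hosts before promoting it
#    (behaviors.ioc_value and device.hostname are legacy detects-API fields, assumed here)
$Hits = @(Get-FalconDetection -Filter "behaviors.ioc_value:'$Hash'" -Detailed -All)
Write-Host "$($Hits.Count) detection(s) on pilot hosts for $Hash"
$Hits | Select-Object detection_id, @{ n = 'hostname'; e = { $_.device.hostname } }

# 4. Promote to a global prevent only after a human has looked at step 3
$Approved = $false   # flip to $true once the pilot detections have been reviewed
if ($Approved) {
    Edit-FalconIoc -Id $Ioc.id -Action prevent -AppliedGlobally $true `
        -Severity critical -Tag @($Tag, 'production')
}

# 5. Clean up: delete this incident's indicators that are still in the staged state
$Stale = Get-FalconIoc -Filter "tags:'$Tag'+tags:'staged'"
if ($Stale) { Remove-FalconIoc -Id $Stale }
```

The explicit `$Approved` gate is deliberate: the whole point of piloting in detect mode is that promotion to prevent is a reviewed decision, not something the script infers from a hit count.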
Retroactive Detections
# Enable retrodetect on an existing indicator to generate detections for past activity
Edit-FalconIoc -Id $IndicatorId -Retrodetect $true

# Create new indicator with retrodetect
New-FalconIoc -Type sha256 `
    -Value $FileHash `
    -Action detect `
    -Platform @('windows', 'mac', 'linux') `
    -Retrodetect $true `
    -Description 'Check historical executions'
Retrodetect scans host activity history and can generate a detection for every previous sighting of the indicator, so a widely seen value can produce a large burst of alerts at once. Enable it selectively, in detect mode, and for indicators you are confident in.
Threat Intelligence Reports
Search Intelligence Reports
# Get all available reports
Get-FalconIntel -Detailed -All

# Search by keyword
Get-FalconIntel -Query 'ransomware' -Detailed

# Filter by report type
Get-FalconIntel -Filter "type:'intelligence report'" -Detailed

# Search by target industry
Get-FalconIntel -Filter "target_industries:'Financial Services'" -Detailed

# Find recent reports
Get-FalconIntel -Filter "created_date:>='now-30d'" -Sort created_date.desc -Detailed
Download Intelligence Reports
# Get report details
$Report = Get-FalconIntel -Filter "name:*'*APT29*'" -Detailed | Select-Object -First 1

# Download report PDF (create the output directory first)
New-Item -ItemType Directory -Path './reports' -Force | Out-Null
Receive-FalconIntel -Id $Report.id -Path "./reports/$($Report.slug).pdf"

# Bulk download recent reports (-Detailed is required: without it only IDs are returned and .slug is empty)
Get-FalconIntel -Filter "created_date:>='now-7d'" -Detailed | ForEach-Object {
    Receive-FalconIntel -Id $_.id -Path "./reports/$($_.slug).pdf"
}
Threat Actors
Search for Actors
# List all tracked actors
Get-FalconActor -Detailed -All

# Search by name
Get-FalconActor -Query 'BEAR' -Detailed

# Filter by target country
Get-FalconActor -Filter "target_countries:'United States'" -Detailed

# Find actors by targeted industry
Get-FalconActor -Filter "target_industries:'Technology'" -Detailed
MITRE ATT&CK Mapping
# Get actor with TTPs
$Actor = Get-FalconActor -Filter "name:'FANCY BEAR'" -Include tactic_and_technique -Detailed

# View techniques used by actor
$Actor.tactic_and_technique

# Download MITRE ATT&CK data
Receive-FalconAttck -Slug $Actor.slug -Format json -Path './intel/'

# Get detailed TTP information
Get-FalconAttck -Slug $Actor.slug | Get-FalconAttck
Indicators from Intelligence
Search Intelligence Indicators
# Find recent malicious indicators
Get-FalconIndicator -Filter "published_date:>='now-7d'" -Detailed -All

# Search by indicator type
Get-FalconIndicator -Filter "type:'domain'" -Detailed -Limit 100

# Find indicators by malware family
Get-FalconIndicator -Filter "malware_families:'emotet'" -Detailed

# Include related indicators (wildcard match: the * goes inside the quoted value)
Get-FalconIndicator -Filter "indicator:*'192.0.2.*'" -IncludeRelation -Detailed
Import Intelligence Indicators as Custom IOCs
# Get high-confidence recent indicators. Intel indicators carry a malicious_confidence
# field (high, medium, low, unverified); _marker is the paging cursor, not a score,
# so it is not something to filter on.
$Indicators = Get-FalconIndicator -Filter "malicious_confidence:'high'+published_date:>='now-1d'" -Detailed -All

# Intel indicator types (hash_sha256, hash_md5, ip_address, domain, url, ...) differ
# from custom IOC types; map the ones that have an equivalent and skip the rest
$TypeMap = @{ hash_sha256 = 'sha256'; hash_md5 = 'md5'; domain = 'domain' }

# Convert to custom IOCs
foreach ($Indicator in $Indicators) {
    $Type = $TypeMap[$Indicator.type]
    if ($Indicator.type -eq 'ip_address') {
        $Type = if ($Indicator.indicator -match ':') { 'ipv6' } else { 'ipv4' }
    }
    if (-not $Type) { Write-Verbose "Skipping $($Indicator.type): $($Indicator.indicator)"; continue }
    try {
        New-FalconIoc -Type $Type `
            -Value $Indicator.indicator `
            -Action detect `
            -Platform @('windows', 'mac', 'linux') `
            -Source "Falcon Intel: $($Indicator.malware_families -join ', ')" `
            -Description 'Imported from intelligence report' `
            -Severity high
        Write-Host "Imported: $($Indicator.indicator)"
    }
    catch {
        Write-Warning "Failed to import $($Indicator.indicator): $_"
    }
}
Malware Families
# List malware families
Get-FalconMalwareFamily -Detailed -All

# Search by name
Get-FalconMalwareFamily -Query 'ransomware' -Detailed

# Get MITRE ATT&CK for malware family
$Family = Get-FalconMalwareFamily -Filter "name:'WannaCry'" -Detailed
Get-FalconMalwareFamily -Id $Family.id -Mitre

# Download MITRE data
Receive-FalconMalwareFamilyAttck -Slug $Family.slug -Format json -Path './intel/'
Vulnerabilities (CVEs)
# Search for CVE information
Get-FalconCve -Query 'Microsoft Exchange' -Detailed -All

# Find recent CVEs
Get-FalconCve -Filter "created_date:>='now-30d'" -Detailed

# Get specific CVE details
Get-FalconCve -Id 'CVE-2024-1234'

# Search by CVSS score
Get-FalconCve -Filter "cvss_score:>=9.0" -Detailed
Detection Rules
Search Snort/Suricata Rules
# Get latest Snort/Suricata ruleset
Get-FalconRule -Type snort-suricata-master -Detailed

# Download latest rules
$LatestRules = Get-FalconRule -Type snort-suricata-master -Detailed | Select-Object -First 1
New-Item -ItemType Directory -Path './rules' -Force | Out-Null
Receive-FalconRule -Id $LatestRules.id -Path './rules/snort-latest.zip'

# Get rule changelog
Get-FalconRule -Type snort-suricata-changelog -Detailed -All
YARA Rules
# Get latest YARA rules
$YaraRules = Get-FalconRule -Type yara-master -Detailed | Select-Object -First 1

# Download YARA ruleset
New-Item -ItemType Directory -Path './rules' -Force | Out-Null
Receive-FalconRule -Id $YaraRules.id -Path './rules/yara-master.zip'

# Get incremental updates
Get-FalconRule -Type yara-update -Detailed -All
Practical Threat Hunting Workflow
Research Threat Actor
# Find actor information (-Query can match several actors; take the first)
$Actor = Get-FalconActor -Query 'APT28' -Include tactic_and_technique -Detailed | Select-Object -First 1
Write-Host "Actor: $($Actor.name)"
Write-Host "Description: $($Actor.short_description)"
Write-Host "First Activity: $($Actor.first_activity_date)"
Identify TTPs
# Review MITRE ATT&CK techniques
$Actor.tactic_and_technique | ForEach-Object {
    Write-Host "$($_.tactic) - $($_.technique)"
}
Gather Indicators
# Find related indicators (wrapped in @() so .Count is 0, not $null, on an empty result)
$Indicators = @(Get-FalconIndicator -Filter "actors:*'*$($Actor.name)*'" -Detailed -All)
Write-Host "Found $($Indicators.Count) indicators"
Create Custom IOCs
# Import high-confidence indicators. Confidence is the malicious_confidence field
# (high/medium/low/unverified); _marker is the paging cursor and carries no score.
# Intel types differ from custom IOC types, so map them and skip the rest.
$TypeMap = @{ hash_sha256 = 'sha256'; hash_md5 = 'md5'; domain = 'domain' }
$Indicators | Where-Object { $_.malicious_confidence -eq 'high' } | ForEach-Object {
    $Type = $TypeMap[$_.type]
    if ($_.type -eq 'ip_address') { $Type = if ($_.indicator -match ':') { 'ipv6' } else { 'ipv4' } }
    if (-not $Type) { return }   # url, email_address, etc. have no custom IOC equivalent
    New-FalconIoc -Type $Type `
        -Value $_.indicator `
        -Action detect `
        -Platform @('windows', 'mac', 'linux') `
        -Tag @($Actor.name, 'ThreatHunt-2024') `
        -Description "$($Actor.name) indicator" `
        -Source 'Falcon Intelligence'
}
Download Intelligence Reports
# Get related reports
$Reports = Get-FalconIntel -Query $Actor.name -Detailed
New-Item -ItemType Directory -Path './hunt' -Force | Out-Null
foreach ($Report in $Reports) {
    Receive-FalconIntel -Id $Report.id -Path "./hunt/$($Report.slug).pdf"
}
Hunt for Activity
# Search for detections matching IOCs
$Detections = @(Get-FalconDetection -Filter "tags:*'*ThreatHunt-2024*'" -Detailed -All)
if ($Detections.Count -gt 0) {
    Write-Host "ALERT: Found $($Detections.Count) detections matching hunt criteria"
    # hostname lives under the nested device object on a detection record
    $Detections | Select-Object detection_id, max_severity_displayname, @{ n = 'hostname'; e = { $_.device.hostname } }
}
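The hunt tag is applied to the custom IOCs, not to the detections they raise, so a more reliable way to find hits is to resolve the tag to indicator values and search detections on those values. The block below is an added example, not code from the original page or from PSFalcon's own documentation: it does that resolution, then collapses the hits to one row per host and flags hosts that matched more than one distinct hunt indicator. The detection field names (device.hostname, device.device_id, behaviors.ioc_value, behaviors.ioc_type, max_severity_displayname) are taken from the legacy detects-API schema and are assumptions; the hunt tag 'ThreatHunt-2024' is the page's own.

```powershell
# Added example (not from the original page). Assumes the legacy detects-API
# field layout on the objects returned by Get-FalconDetection.
function Get-IocHitSummary {
    param([Parameter(Mandatory)][string]$HuntTag)

    # Resolve the tag to the indicator values it was applied to
    $Values = @(Get-FalconIoc -Filter "tags:'$HuntTag'" -Detailed | Select-Object -ExpandProperty value)
    if ($Values.Count -eq 0) { return }

    # One detection query per hunt indicator; a hunt set is tens of values, not thousands
    $Rows = foreach ($Value in $Values) {
        $Detections = Get-FalconDetection -Filter "behaviors.ioc_value:'$Value'" -Detailed -All
        foreach ($d in $Detections) {
            foreach ($b in $d.behaviors) {
                if ($b.ioc_value -eq $Value) {
                    [pscustomobject]@{
                        Hostname = $d.device.hostname
                        DeviceId = $d.device.device_id
                        IocType  = $b.ioc_type
                        IocValue = $b.ioc_value
                        Severity = $d.max_severity_displayname
                    }
                }
            }
        }
    }

    # Collapse to one row per host: a host that tripped several distinct hunt
    # indicators is a stronger signal than a single, possibly coincidental, hit
    $Rows | Group-Object DeviceId | ForEach-Object {
        $Distinct = @($_.Group.IocValue | Sort-Object -Unique)
        [pscustomobject]@{
            Hostname     = $_.Group[0].Hostname
            DeviceId     = $_.Name
            DistinctIocs = $Distinct.Count
            Iocs         = $Distinct -join '; '
            Escalate     = $Distinct.Count -gt 1
        }
    } | Sort-Object DistinctIocs -Descending
}

$Summary = Get-IocHitSummary -HuntTag 'ThreatHunt-2024'
$Summary | Format-Table -AutoSize
$Summary | Where-Object Escalate | ForEach-Object {
    Write-Host "Escalate $($_.Hostname) ($($_.DeviceId)): $($_.Iocs)"
}
```

Hosts in the Escalate set are the ones to triage first; the DeviceId column is what you would pass on to host containment or to a Real-time Response session if the review confirms the hit.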
Automated Intelligence Import
# Daily import of new high-confidence indicators
function Import-DailyIntelligence {
    # Get yesterday's high-confidence indicators. Confidence is the malicious_confidence
    # field (high/medium/low/unverified); _marker is the paging cursor, not a score.
    $Indicators = Get-FalconIndicator -Filter "published_date:>='now-1d'+malicious_confidence:'high'" -Detailed -All
    # Intel indicator types differ from custom IOC types; map the ones with an equivalent
    $TypeMap = @{ hash_sha256 = 'sha256'; hash_md5 = 'md5'; domain = 'domain' }
    $ImportCount = 0
    $SkipCount = 0
    foreach ($Indicator in $Indicators) {
        $Type = $TypeMap[$Indicator.type]
        if ($Indicator.type -eq 'ip_address') {
            $Type = if ($Indicator.indicator -match ':') { 'ipv6' } else { 'ipv4' }
        }
        if (-not $Type) { $SkipCount++; continue }
        # Check if already imported
        $Existing = Get-FalconIoc -Filter "value:'$($Indicator.indicator)'" -Detailed
        if (-not $Existing) {
            try {
                New-FalconIoc -Type $Type `
                    -Value $Indicator.indicator `
                    -Action detect `
                    -Platform @('windows', 'mac', 'linux') `
                    -Severity medium `
                    -Source 'Auto-Import' `
                    -Description "Intel: $($Indicator.malware_families -join ', ')" `
                    -Tag @('AutoImport', (Get-Date -Format 'yyyy-MM-dd'))
                $ImportCount++
            }
            catch {
                Write-Warning "Failed: $($Indicator.indicator) - $_"
            }
        }
        else {
            $SkipCount++
        }
    }
    Write-Host "Imported: $ImportCount | Skipped (existing or unsupported type): $SkipCount"
}

# Run the import
Import-DailyIntelligence
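The per-indicator Get-FalconIoc lookup above costs one API call for every intel indicator, which matters once the daily feed runs into the thousands and rate limits start to bite. The following is an added example, not code from the original page or from PSFalcon's own documentation: it loads the existing custom IOC values once into a hash set, carries the intel-to-IOC type mapping in a reusable function (including the IPv4/IPv6 split, which intel reports as a single ip_address type), gives every imported indicator an expiry, and returns a summary object instead of printing. The field names (type, indicator, malware_families, malicious_confidence) are the ones the page uses; the expiry window, tag and function names are assumptions.

```powershell
# Added example (not from the original page). Assumed: a 30-day expiry window,
# the tag 'AutoImport', and the helper names Convert-IntelType / Import-IntelIndicator.

function Convert-IntelType {
    # Map one intel indicator record to a custom IOC -Type, or $null when the
    # intel type (url, email_address, file_name, ...) has no custom IOC equivalent
    param([Parameter(Mandatory)]$Indicator)
    switch ($Indicator.type) {
        'hash_sha256' { 'sha256' }
        'hash_md5'    { 'md5' }
        'domain'      { 'domain' }
        'ip_address'  {
            $Addr = $null
            if ([System.Net.IPAddress]::TryParse($Indicator.indicator, [ref]$Addr)) {
                if ($Addr.AddressFamily -eq 'InterNetworkV6') { 'ipv6' } else { 'ipv4' }
            }   # unparsable address falls through and yields $null
        }
        default       { $null }
    }
}

function Import-IntelIndicator {
    param(
        [string]$Since = 'now-1d',
        [int]$ExpireDays = 30,
        [string]$Tag = 'AutoImport'
    )
    # One pass over the existing custom IOCs gives O(1) duplicate checks afterwards
    $Known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    Get-FalconIoc -Detailed -All | ForEach-Object { [void]$Known.Add($_.value) }

    $Expires = (Get-Date).ToUniversalTime().AddDays($ExpireDays).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $Result  = [ordered]@{ Imported = 0; Existing = 0; Unsupported = 0; Failed = 0 }

    Get-FalconIndicator -Filter "published_date:>='$Since'+malicious_confidence:'high'" -Detailed -All |
    ForEach-Object {
        $Value = $_.indicator
        $Type  = Convert-IntelType $_
        if (-not $Type)             { $Result.Unsupported++; return }
        if ($Known.Contains($Value)) { $Result.Existing++;    return }
        try {
            New-FalconIoc -Type $Type -Value $Value -Action detect `
                -Platform @('windows', 'mac', 'linux') -Severity medium `
                -Source 'Falcon Intelligence' -Expiration $Expires `
                -Description "Intel: $($_.malware_families -join ', ')" `
                -Tag @($Tag, (Get-Date -Format 'yyyy-MM-dd')) | Out-Null
            [void]$Known.Add($Value)   # the same value can appear twice in one feed pull
            $Result.Imported++
        }
        catch {
            $Result.Failed++
            Write-Warning "Failed: $Value - $($_.Exception.Message)"
        }
    }
    [pscustomobject]$Result
}

# Run once a day; the returned object is what a scheduler or SIEM job would log
Import-IntelIndicator -Since 'now-1d' -ExpireDays 30
```

Everything lands in detect mode with an expiry on purpose: an automated feed should never be able to put a prevent-mode indicator into the tenant, and the expiry keeps the custom IOC list from growing without bound when nobody reviews the imports.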
Indicator Management Best Practices
Tag indicators by campaign, threat actor, or incident for tracking
Use expiration dates to automatically disable time-limited indicators
Set appropriate actions (detect vs prevent) based on confidence level
Apply retrodetect selectively to avoid alert fatigue
Document sources in the description field
Use host group scoping for testing before global deployment
False Positive Risk : Always validate intelligence indicators before setting action to prevent. Start with detect to assess impact.
Next Steps
Managing Policies Configure prevention policies based on threat intelligence
Cloud Security Extend threat intelligence to cloud environments