
What is PSFalcon?

PSFalcon is a PowerShell module that helps CrowdStrike Falcon users interact with the CrowdStrike Falcon OAuth2 APIs without having extensive knowledge of APIs or PowerShell. PSFalcon simplifies automation and enables you to perform actions outside of the Falcon UI.

Key Features

Comprehensive API Coverage

Access 700+ cmdlets covering all major Falcon APIs including hosts, detections, incidents, policies, and more

Cross-Platform Support

Works on Windows (PowerShell 5.1+), Linux, and macOS (PowerShell 6+)

OAuth2 Authentication

Secure authentication with automatic token refresh and credential caching

Real-time Response

Execute Real-time Response commands across multiple hosts simultaneously

What You Can Do

PSFalcon helps you automate tasks and streamline workflows:
  • Bulk Operations: Modify large numbers of detections, incidents, policies, or rules in a single script
  • Real-time Response: Perform actions on many devices simultaneously using RTR cmdlets
  • File Operations: Upload or download malware samples and Real-time Response files
  • Multi-CID Management: Create and modify configurations for MSSP parent and child environments
  • Custom Reporting: Generate reports and export data in formats that suit your needs
  • Integration: Build workflows that integrate Falcon with your existing tools and processes

Use Cases

  • Automate detection triage, incident response workflows, and threat hunting activities across your environment.
  • Deploy and manage prevention policies, sensor update policies, and firewall rules at scale.
  • Query and report on host information, sensor versions, and deployment status across your fleet.
  • Manage multiple customer environments efficiently with Falcon Flight Control (multi-CID) support.

Requirements

Before you begin, ensure you have:
  1. Active Falcon Subscription: An active CrowdStrike Falcon subscription with access to the modules you need
  2. PowerShell Environment:
       • Windows: PowerShell 5.1 or later
       • Linux/macOS: PowerShell 6 or later
  3. API Credentials: A Falcon OAuth2 API Client with appropriate roles and permissions

API credentials are created in the Falcon console under Support and resources > API Clients and Keys. Ensure your API client has the necessary scopes for the operations you plan to perform.

Module Information

  • Version: 2.2.9
  • Author: Brendan Kremian
  • Company: CrowdStrike
  • PowerShell Editions: Desktop, Core
  • License: View License

Getting Help

Need assistance?
All PSFalcon cmdlets follow PowerShell naming conventions with the Falcon prefix (e.g., Get-FalconHost, New-FalconHostGroup). Use Get-Command -Module PSFalcon to see all available cmdlets.

Next Steps

Installation

Install PSFalcon from the PowerShell Gallery

Quick Start

Get started with your first PSFalcon script
