Prerequisites
Before you begin, ensure you have:
PSFalcon installed (see the Installation Guide)
CrowdStrike Falcon API credentials (Client ID and Client Secret)
PowerShell 5.1+ (Windows) or PowerShell 6+ (Linux/macOS)
Authentication
Authenticate to the CrowdStrike Falcon API using your OAuth2 credentials.
Basic Authentication
Connect to the default US-1 cloud:
Request-FalconToken -ClientId 'your_client_id' -ClientSecret 'your_client_secret'
Cloud-Specific Authentication
Connect to a specific CrowdStrike cloud region:
The -Cloud parameter selects the region:
US-1 (Default): -Cloud 'us-1'
US-2: -Cloud 'us-2'
EU-1: -Cloud 'eu-1'
US GovCloud: -Cloud 'us-gov-1'
Request-FalconToken -ClientId 'your_client_id' -ClientSecret 'your_client_secret' -Cloud 'us-1'
Multi-CID (MSSP) Authentication
For Falcon Flight Control environments, specify a member CID:
Request-FalconToken -ClientId 'your_client_id' -ClientSecret 'your_client_secret' -MemberCid 'child_cid'
Your credentials and token are cached for automatic re-use. PSFalcon automatically refreshes your token when it’s about to expire (within 240 seconds).
Verify Authentication
Check your authentication status:
Test-FalconToken
Example output:
Token : True
Hostname : https://api.crowdstrike.com
ClientId : 1234567890abcdef1234567890abcdef
MemberCid :
Use Show-FalconToken to display your current access token value, or Revoke-FalconToken to revoke your token and clear cached credentials.
Your First Query
Now that you’re authenticated, let’s retrieve information about hosts in your environment.
List Host IDs
Get a list of host identifiers (without -Detailed, Get-FalconHost returns only IDs):
Get-FalconHost
This returns an array of host IDs (AIDs):
1234567890abcdef1234567890abcdef
abcdef1234567890abcdef1234567890
...
Get Host Details
Retrieve detailed information about specific hosts:
# Get details for specific host IDs
$HostIds = @('1234567890abcdef1234567890abcdef', 'abcdef1234567890abcdef1234567890')
Get-FalconHost -Id $HostIds
Search with Filters
Use Falcon Query Language (FQL) to filter results:
Hostname Filter
# Find hosts by hostname
Get-FalconHost -Filter "hostname:'DESKTOP-*'" -Detailed
Platform Filter
# Find hosts by operating system platform
Get-FalconHost -Filter "platform_name:'Windows'" -Detailed
Last Seen Filter
# Find hosts that checked in within the last 7 days
Get-FalconHost -Filter "last_seen:>='now-7d'" -Detailed
Combined Filters
# Join conditions with '+' (logical AND)
Get-FalconHost -Filter "platform_name:'Windows'+last_seen:>='now-7d'" -Detailed
Retrieve All Results
By default, API requests return up to 100 results. Use -All to retrieve everything:
# Get all hosts in your environment
$AllHosts = Get-FalconHost -Detailed -All
# Count total hosts
$AllHosts.Count
# Display first 5 hosts
$AllHosts | Select-Object -First 5 | Format-Table device_id, hostname, platform_name, last_seen
Common Operations
Working with Detections
Retrieve and manage detections:
# Get recent detections
$Detections = Get-FalconDetection -Filter "created_timestamp:>='now-7d'" -Detailed
# Count detections by severity
$Detections | Group-Object max_severity | Select-Object Name, Count
# Update detection status
$DetectionIds = $Detections | Where-Object { $_.status -eq 'new' } | Select-Object -ExpandProperty detection_id
Invoke-FalconAlertAction -Name update_status -Value in_progress -Id $DetectionIds
Managing Host Groups
# List all host groups
$Groups = Get-FalconHostGroup -Detailed
# Create a new host group
$NewGroup = New-FalconHostGroup -Name 'Production Servers' -Description 'All production server hosts'
# Get members of a host group
Get-FalconHostGroupMember -Id $NewGroup.id
Real-time Response
Start an RTR session and execute commands:
# Start RTR session on a host
$Session = Start-FalconSession -Id '1234567890abcdef1234567890abcdef'
# Run a command
$Command = Invoke-FalconCommand -SessionId $Session.session_id -Command 'ps'
# Check command status
Confirm-FalconCommand -Id $Command.cloud_request_id
# Remove the session
Remove-FalconSession -Id $Session.session_id
Policy Management
# Get prevention policies
$PreventionPolicies = Get-FalconPreventionPolicy -Detailed
# Find hosts using a specific policy
Get-FalconPreventionPolicyMember -Id $PreventionPolicies[0].id
# Get sensor update policies
$SensorPolicies = Get-FalconSensorUpdatePolicy -Detailed
Best Practices
Secure Credential Storage
Never hardcode credentials in scripts. Use secure methods:
# Prompt for credentials interactively (Client ID as the user name, Client Secret as the password)
$Credential = Get-Credential
$ClientId = $Credential.UserName
$ClientSecret = $Credential.GetNetworkCredential().Password
Request-FalconToken -ClientId $ClientId -ClientSecret $ClientSecret
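For unattended scripts, the same idea carried further: this added helper (not part of PSFalcon) reads the credentials from a PowerShell SecretManagement vault, falls back to environment variables, and verifies the token before returning. It assumes a vault is already registered and holds secrets named FalconClientId and FalconClientSecret (hypothetical names), or that FALCON_CLIENT_ID and FALCON_CLIENT_SECRET are set in the environment.

```powershell
# Added example, not PSFalcon's own code. Assumes Microsoft.PowerShell.SecretManagement
# with a registered vault; secret and variable names below are hypothetical.
function Connect-FalconFromVault {
    [CmdletBinding()]
    param(
        [string]$ClientIdName = 'FalconClientId',
        [string]$ClientSecretName = 'FalconClientSecret',
        [ValidateSet('us-1', 'us-2', 'eu-1', 'us-gov-1')]
        [string]$Cloud = 'us-1',
        [string]$MemberCid
    )
    $ClientId = $null; $ClientSecret = $null
    if (Get-Command Get-Secret -ErrorAction SilentlyContinue) {
        # -AsPlainText returns the stored string rather than a SecureString
        $ClientId     = Get-Secret -Name $ClientIdName -AsPlainText -ErrorAction SilentlyContinue
        $ClientSecret = Get-Secret -Name $ClientSecretName -AsPlainText -ErrorAction SilentlyContinue
    }
    if (-not $ClientId -or -not $ClientSecret) {
        # Fallback for CI runners whose pipeline injects secrets as environment variables
        $ClientId     = $env:FALCON_CLIENT_ID
        $ClientSecret = $env:FALCON_CLIENT_SECRET
    }
    if (-not $ClientId -or -not $ClientSecret) {
        throw 'No Falcon API credentials found in the secret vault or the environment.'
    }
    $Param = @{ ClientId = $ClientId; ClientSecret = $ClientSecret; Cloud = $Cloud }
    if ($MemberCid) { $Param['MemberCid'] = $MemberCid }
    try {
        Request-FalconToken @Param
    } finally {
        # Drop the plaintext copies once PSFalcon has cached the token
        Remove-Variable ClientSecret, ClientId, Param -ErrorAction SilentlyContinue
    }
    $Status = Test-FalconToken
    if (-not $Status.Token) { throw "Authentication to $Cloud failed" }
    # Return only non-secret fields so the result is safe to log
    [pscustomobject]@{
        Hostname  = $Status.Hostname
        ClientId  = $Status.ClientId
        MemberCid = $Status.MemberCid
    }
}

# Usage: Connect-FalconFromVault -Cloud 'eu-1'
```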
Use Filters Wisely
Filter on the server side to reduce data transfer and improve performance:
# Good - filters on server
Get-FalconHost -Filter "platform_name:'Windows'" -Detailed
# Avoid - retrieves all hosts then filters locally
Get-FalconHost -Detailed -All | Where-Object { $_.platform_name -eq 'Windows' }
Handle Rate Limits
PSFalcon automatically handles rate limits, but for bulk operations, add delays. Note that $Host is a read-only automatic variable in PowerShell, so the loop variable must use another name:
foreach ($Device in $HostList) {
    Invoke-FalconHostAction -Name hide_host -Id $Device.device_id
    Start-Sleep -Milliseconds 100
}
Error Handling
Implement proper error handling:
try {
    $Hosts = Get-FalconHost -Filter "hostname:'NONEXISTENT'" -Detailed
    if ($Hosts) {
        Write-Host "Found $($Hosts.Count) hosts"
    } else {
        Write-Host "No hosts found"
    }
} catch {
    Write-Error "Failed to retrieve hosts: $_"
}
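Putting the rate-limit and error-handling advice together, here is an added example (not PSFalcon's own code) that applies a host action in batches, paces the calls, records per-batch failures instead of aborting, and does nothing until -Execute is given so the plan can be reviewed first. It assumes an authenticated session and that Invoke-FalconHostAction accepts an array of IDs.

```powershell
# Added example, not PSFalcon's own code. Assumes Request-FalconToken has already run
# and that Invoke-FalconHostAction -Id accepts an array of host IDs.
function Invoke-FalconHostActionBatched {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Id,
        [Parameter(Mandatory)][string]$Name,   # e.g. hide_host
        [int]$BatchSize = 100,
        [int]$DelayMs = 500,
        [switch]$Execute                        # omit to only report what would be done
    )
    $Result = [System.Collections.Generic.List[object]]::new()
    for ($i = 0; $i -lt $Id.Count; $i += $BatchSize) {
        $Last  = [Math]::Min($i + $BatchSize, $Id.Count) - 1
        $Batch = @($Id[$i..$Last])
        $Entry = [ordered]@{ Batch = [int]($i / $BatchSize); Count = $Batch.Count; Status = 'planned'; Error = $null }
        if ($Execute) {
            try {
                # -ErrorAction Stop turns API failures into terminating errors so 'catch' sees them
                $null = Invoke-FalconHostAction -Name $Name -Id $Batch -ErrorAction Stop
                $Entry.Status = 'ok'
            } catch {
                # Record the failure and continue; one bad batch should not abort the run
                $Entry.Status = 'failed'
                $Entry.Error  = $_.Exception.Message
            }
            # Pace the calls between batches (not after the last one)
            if ($Last -lt $Id.Count - 1) { Start-Sleep -Milliseconds $DelayMs }
        }
        $Result.Add([pscustomobject]$Entry)
    }
    return $Result
}

# Usage: plan hiding hosts not seen in 90+ days (constructed filter), review, then add -Execute
$Stale = Get-FalconHost -Filter "last_seen:<='now-90d'" -All
$Plan  = Invoke-FalconHostActionBatched -Id $Stale -Name hide_host
$Plan | Format-Table Batch, Count, Status, Error -AutoSize
```

Without -Detailed, Get-FalconHost returns only IDs, which is exactly the input the batch function needs.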
Complete Example Script
Here’s a complete script that demonstrates common PSFalcon operations:
# ============================================
# PSFalcon Quick Start Example
# ============================================
# 1. Authenticate to Falcon API
Request-FalconToken -ClientId 'your_client_id' -ClientSecret 'your_client_secret'
# Verify authentication
$TokenStatus = Test-FalconToken
if ($TokenStatus.Token) {
    Write-Host "✓ Successfully authenticated to $($TokenStatus.Hostname)" -ForegroundColor Green
} else {
    Write-Error "Authentication failed"
    exit
}
# 2. Get host information
Write-Host "`n--- Retrieving Host Information ---" -ForegroundColor Cyan
# Get Windows hosts seen in the last 7 days
$RecentHosts = Get-FalconHost -Filter "platform_name:'Windows'+last_seen:>='now-7d'" -Detailed
Write-Host "Found $($RecentHosts.Count) Windows hosts active in the last 7 days"
# Display summary
$RecentHosts | Select-Object -First 5 | Format-Table `
    @{Label = 'Hostname'; Expression = { $_.hostname }}, `
    @{Label = 'OS Version'; Expression = { $_.os_version }}, `
    @{Label = 'Agent Version'; Expression = { $_.agent_version }}, `
    @{Label = 'Last Seen'; Expression = { $_.last_seen }}
# 3. Check for stale hosts
Write-Host "`n--- Checking for Stale Hosts ---" -ForegroundColor Cyan
$StaleHosts = Get-FalconHost -Filter "last_seen:<='now-30d'" -Detailed
if ($StaleHosts.Count -gt 0) {
    Write-Warning "Found $($StaleHosts.Count) hosts not seen in 30+ days"
    $StaleHosts | Select-Object -First 10 | Format-Table hostname, last_seen
} else {
    Write-Host "✓ No stale hosts found" -ForegroundColor Green
}
# 4. Get detection summary
Write-Host "`n--- Detection Summary ---" -ForegroundColor Cyan
$Detections = Get-FalconDetection -Filter "created_timestamp:>='now-7d'" -Detailed
Write-Host "Total detections in last 7 days: $($Detections.Count)"
# Group by severity
$DetectionsBySeverity = $Detections | Group-Object max_severity |
    Select-Object @{Name = 'Severity'; Expression = { $_.Name }}, Count |
    Sort-Object Severity
$DetectionsBySeverity | Format-Table -AutoSize
# 5. List host groups
Write-Host "`n--- Host Groups ---" -ForegroundColor Cyan
$HostGroups = Get-FalconHostGroup -Detailed
Write-Host "Total host groups: $($HostGroups.Count)"
$HostGroups | Select-Object -First 5 | Format-Table name, description, group_type
# 6. Clean up - revoke token
Write-Host "`n--- Revoking Token ---" -ForegroundColor Cyan
Revoke-FalconToken
Write-Host "✓ Token revoked successfully" -ForegroundColor Green
Replace 'your_client_id' and 'your_client_secret' with your actual API credentials before running the script.
Exploring Available Cmdlets
Discover all PSFalcon cmdlets:
# List all cmdlets
Get-Command -Module PSFalcon
# Search for specific cmdlets
Get-Command -Module PSFalcon -Name '*Host*'
Get-Command -Module PSFalcon -Name '*Detection*'
Get-Command -Module PSFalcon -Name '*Policy*'
# Get help for a cmdlet
Get-Help Get-FalconHost -Full
Get-Help Request-FalconToken -Examples
Next Steps
API Reference: Explore all available cmdlets and parameters
Example Scripts: Browse real-world automation examples
FQL Guide: Learn Falcon Query Language for advanced filtering
Real-time Response: Master RTR automation with PSFalcon
Getting Help
Need help? Check the PSFalcon Wiki for comprehensive documentation, or use PowerShell’s built-in help system with Get-Help <cmdlet-name> -Full.