New-FalconFileVantageRule
bk-cs edited this page Sep 3, 2024
Create a rule within a FileVantage rule group
Requires 'Falcon FileVantage: Write'.
Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
---|---|---|---|---|---|---|---|
Precedence | Int32 | Precedence for the new rule inside of the existing rule group | | | | | X |
Path | String | Path of the directory, file, or registry key to monitor | 1 | 250 | | | X |
Depth | String | Monitoring depth below the initial target directory/file/registry key | | | 1, 2, 3, 4, 5, ANY | | X |
Severity | String | Rule severity | | | Low, Medium, High, Critical | | X |
Description | String | Rule description | | 500 | | | X |
Include | String | Restrict monitoring to changes made by one or more users | | | | | X |
Exclude | String | Exclude changes made by one or more users | | | | | X |
IncludeProcess | String | Restrict monitoring to changes made by one or more processes | | | | | X |
ExcludeProcess | String | Exclude changes made by one or more processes | | | | | X |
IncludeUser | String | Restrict monitoring to changes made by one or more users | | | | | X |
ExcludeUser | String | Exclude changes made by one or more users | | | | | X |
DirectoryAttribute | Boolean | Track directory attribute change events | | | | | X |
DirectoryCreate | Boolean | Track directory create events | | | | | X |
DirectoryDelete | Boolean | Track directory delete events | | | | | X |
DirectoryPermission | Boolean | Track directory permission change events | | | | | X |
DirectoryRename | Boolean | Track directory rename events | | | | | X |
FileAttribute | Boolean | Track file attribute change events | | | | | X |
FileChange | Boolean | Track file change events | | | | | X |
FileDelete | Boolean | Track file delete events | | | | | X |
FilePermission | Boolean | Track file permission change events | | | | | X |
FileRename | Boolean | Track file rename events | | | | | X |
FileWrite | Boolean | Track file write events | | | | | X |
RegKeyCreate | Boolean | Track registry key create events | | | | | X |
RegKeyDelete | Boolean | Track registry key delete events | | | | | X |
RegKeyPermission | Boolean | Track registry key permission change events | | | | | X |
RegKeyRename | Boolean | Track registry key rename events | | | | | X |
RegKeySet | Boolean | Track registry key set events | | | | | X |
RegValueCreate | Boolean | Track registry value create events | | | | | X |
RegValueDelete | Boolean | Track registry value delete events | | | | | X |
EnableContentCapture | Boolean | Enable the capture of file content during events | | | | | X |
ContentFiles | String[] | A specific list of files to monitor for content changes | | | | | X |
ContentRegistryValues | String[] | A specific list of registry paths to monitor for content changes (matching Include/Exclude) | | | | | X |
HashCapture | Boolean | Track file hash | | | | | X |
RuleGroupId | String | FileVantage rule group identifier | | | | | X |
```powershell
New-FalconFileVantageRule [-Precedence] <Int32> [-Path] <String> [[-Depth] <String>] [[-Severity] <String>] [[-Description] <String>] [[-Include] <String>] [[-Exclude] <String>] [[-IncludeProcess] <String>] [[-ExcludeProcess] <String>] [[-IncludeUser] <String>] [[-ExcludeUser] <String>] [[-DirectoryAttribute] <Boolean>] [[-DirectoryCreate] <Boolean>] [[-DirectoryDelete] <Boolean>] [[-DirectoryPermission] <Boolean>] [[-DirectoryRename] <Boolean>] [[-FileAttribute] <Boolean>] [[-FileChange] <Boolean>] [[-FileDelete] <Boolean>] [[-FilePermission] <Boolean>] [[-FileRename] <Boolean>] [[-FileWrite] <Boolean>] [[-RegKeyCreate] <Boolean>] [[-RegKeyDelete] <Boolean>] [[-RegKeyPermission] <Boolean>] [[-RegKeyRename] <Boolean>] [[-RegKeySet] <Boolean>] [[-RegValueCreate] <Boolean>] [[-RegValueDelete] <Boolean>] [[-EnableContentCapture] <Boolean>] [[-ContentFiles] <String[]>] [[-ContentRegistryValues] <String[]>] [[-HashCapture] <Boolean>] -RuleGroupId <String> [-WhatIf] [-Confirm] [<CommonParameters>]
```
POST /filevantage/entities/rule-groups-rules/v1
2024-09-03: PSFalcon v2.2.7
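An added example of using the parameters above to create two ordered rules in an existing rule group; this is not code from the PSFalcon wiki. It assumes an authenticated PSFalcon session, and the rule group identifier, paths and excluded user are placeholders or constructed values.

```powershell
# Added example, not from the PSFalcon project. Assumes Request-FalconToken has
# already been run with a client that holds the 'Falcon FileVantage: Write' permission.
Import-Module PSFalcon

# Placeholder: replace with the identifier of an existing FileVantage rule group
$RuleGroupId = '<rule_group_id>'

# Settings shared by both rules; ExcludeUser value is a constructed example
$Common = @{
    RuleGroupId = $RuleGroupId
    Severity    = 'High'
    Depth       = 'ANY'
    ExcludeUser = 'NT AUTHORITY\SYSTEM'
}

# Rule 1 (Precedence 1): file events under a constructed example directory,
# with HashCapture so each change record carries the resulting file hash
$FileRule = $Common + @{
    Precedence  = 1
    Path        = 'C:\Windows\System32\drivers\etc'
    Description = 'Network name resolution files'
    FileWrite   = $true
    FileChange  = $true
    FileDelete  = $true
    FileRename  = $true
    HashCapture = $true
}

# Rule 2 (Precedence 2): registry key and value events under a constructed
# example autorun location
$RegRule = $Common + @{
    Precedence     = 2
    Path           = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    Description    = 'Autorun entries'
    RegKeyCreate   = $true
    RegKeyDelete   = $true
    RegKeySet      = $true
    RegValueCreate = $true
    RegValueDelete = $true
}

# Splat each hashtable into New-FalconFileVantageRule; -WhatIf previews the
# POST to /filevantage/entities/rule-groups-rules/v1 without creating anything
foreach ($Rule in $FileRule, $RegRule) {
    New-FalconFileVantageRule @Rule -WhatIf
    New-FalconFileVantageRule @Rule
}
```

Remove the `-WhatIf` call once the previewed parameters look right; the command returns the created rule object for each call.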