New FalconFileVantageRule

bk-cs edited this page Sep 3, 2024 · 3 revisions

New-FalconFileVantageRule

SYNOPSIS

Create a rule within a FileVantage rule group

DESCRIPTION

Requires 'Falcon FileVantage: Write'.

PARAMETERS

| Name | Type | Description | Min | Max | Allowed | Pipeline / PipelineByName |
| --- | --- | --- | --- | --- | --- | --- |
| Precedence | Int32 | Precedence for the new rule inside of the existing rule group | | | | X |
| Path | String | Path of the directory, file, or registry key to monitor | 1 | 250 | | X |
| Depth | String | Monitoring depth below the initial target directory/file/registry key | | | 1, 2, 3, 4, 5, ANY | X |
| Severity | String | Rule severity | | | Low, Medium, High, Critical | X |
| Description | String | Rule description | | 500 | | X |
| Include | String | User: Restrict monitoring to changes made by one or more users | | | | X |
| Exclude | String | User: Exclude changes made by one or more users | | | | X |
| IncludeProcess | String | Restrict monitoring to changes made by one or more processes | | | | X |
| ExcludeProcess | String | Exclude changes made by one or more processes | | | | X |
| IncludeUser | String | Restrict monitoring to changes made by one or more users | | | | X |
| ExcludeUser | String | Exclude changes made by one or more users | | | | X |
| DirectoryAttribute | Boolean | Track directory attribute change events | | | | X |
| DirectoryCreate | Boolean | Track directory create events | | | | X |
| DirectoryDelete | Boolean | Track directory delete events | | | | X |
| DirectoryPermission | Boolean | Track directory permission change events | | | | X |
| DirectoryRename | Boolean | Track directory rename events | | | | X |
| FileAttribute | Boolean | Track file attribute change events | | | | X |
| FileChange | Boolean | Track file change events | | | | X |
| FileDelete | Boolean | Track file delete events | | | | X |
| FilePermission | Boolean | Track file permission change events | | | | X |
| FileRename | Boolean | Track file rename events | | | | X |
| FileWrite | Boolean | Track file write events | | | | X |
| RegKeyCreate | Boolean | Track registry key create events | | | | X |
| RegKeyDelete | Boolean | Track registry key delete events | | | | X |
| RegKeyPermission | Boolean | Track registry key permission change events | | | | X |
| RegKeyRename | Boolean | Track registry key rename events | | | | X |
| RegKeySet | Boolean | Track registry key set events | | | | X |
| RegValueCreate | Boolean | Track registry value create events | | | | X |
| RegValueDelete | Boolean | Track registry value delete events | | | | X |
| EnableContentCapture | Boolean | Enable the capture of file content during events | | | | X |
| ContentFiles | String[] | A specific list of files to monitor for content changes | | | | X |
| ContentRegistryValues | String[] | A specific list of registry paths to monitor for content changes (matching Include/Exclude) | | | | X |
| HashCapture | Boolean | Track file hash | | | | X |
| RuleGroupId | String | FileVantage rule group identifier | | | | X |

SYNTAX

New-FalconFileVantageRule [-Precedence] <Int32> [-Path] <String> [[-Depth] <String>] [[-Severity] <String>] [[-Description] <String>] [[-Include] <String>] [[-Exclude] <String>] [[-IncludeProcess] <String>] [[-ExcludeProcess] <String>] [[-IncludeUser] <String>] [[-ExcludeUser] <String>] [[-DirectoryAttribute] <Boolean>] [[-DirectoryCreate] <Boolean>] [[-DirectoryDelete] <Boolean>] [[-DirectoryPermission] <Boolean>] [[-DirectoryRename] <Boolean>] [[-FileAttribute] <Boolean>] [[-FileChange] <Boolean>] [[-FileDelete] <Boolean>] [[-FilePermission] <Boolean>] [[-FileRename] <Boolean>] [[-FileWrite] <Boolean>] [[-RegKeyCreate] <Boolean>] [[-RegKeyDelete] <Boolean>] [[-RegKeyPermission] <Boolean>] [[-RegKeyRename] <Boolean>] [[-RegKeySet] <Boolean>] [[-RegValueCreate] <Boolean>] [[-RegValueDelete] <Boolean>] [[-EnableContentCapture] <Boolean>] [[-ContentFiles] <String[]>] [[-ContentRegistryValues] <String[]>] [[-HashCapture] <Boolean>] -RuleGroupId <String> [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

POST /filevantage/entities/rule-groups-rules/v1

falconpy

createRules

USAGE

2024-09-03: PSFalcon v2.2.7
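The following is an added example, not taken from the PSFalcon wiki or the PSFalcon project, showing how the parameters above combine into two file-integrity rules inside one existing rule group. It assumes Request-FalconToken has already been run with a key holding 'Falcon FileVantage: Write'; the rule group id is a placeholder, the file and registry paths are constructed samples, and the registry path form and the meaning of Depth '1' are assumptions rather than anything this page states.

```powershell
# Added example (not PSFalcon project code). Creates two FileVantage rules in an
# existing rule group. Assumes a valid token with 'Falcon FileVantage: Write'.
# Placeholder: replace with the id of your own rule group.
$RuleGroupId = '<rule-group-id>'

# Rule 1: hosts file tampering. Watch the etc directory for writes, deletes,
# renames and permission changes, record the file hash, and capture the content
# of the hosts file so the change itself (not only the event) can be reviewed.
$HostsRule = @{
    RuleGroupId          = $RuleGroupId
    Precedence           = 1                                   # evaluated first in the group
    Path                 = 'C:\Windows\System32\drivers\etc\'  # constructed sample path
    Depth                = '1'                                 # assumption: one level below target
    Severity             = 'High'
    Description          = 'hosts file tampering'
    FileWrite            = $true
    FileDelete           = $true
    FileRename           = $true
    FilePermission       = $true
    HashCapture          = $true
    EnableContentCapture = $true
    ContentFiles         = @('C:\Windows\System32\drivers\etc\hosts')
}

# Rule 2: autostart registry changes. Watch the machine Run key and everything
# below it for value create/delete, key set and permission events. The
# HKEY_LOCAL_MACHINE path form is an assumption about what FileVantage expects.
$RunKeyRule = @{
    RuleGroupId      = $RuleGroupId
    Precedence       = 2
    Path             = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
    Depth            = 'ANY'
    Severity         = 'Critical'
    Description      = 'Run key autostart changes'
    RegKeySet        = $true
    RegKeyPermission = $true
    RegValueCreate   = $true
    RegValueDelete   = $true
}

# Dry run first: the cmdlet supports -WhatIf/-Confirm (see SYNTAX), so nothing
# is written until the calls are repeated without -WhatIf.
New-FalconFileVantageRule @HostsRule -WhatIf
New-FalconFileVantageRule @RunKeyRule -WhatIf

# Create both rules; each call is one POST /filevantage/entities/rule-groups-rules/v1.
$Created = foreach ($Rule in $HostsRule, $RunKeyRule) { New-FalconFileVantageRule @Rule }
$Created
```

Lower Precedence values are applied earlier within the rule group, so the ordering of the two hashtables above also fixes their evaluation order.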