
Third party ingestion

bk-CS edited this page Oct 11, 2022 · 16 revisions

CrowdStrike Falcon

| Command | Permission |
| --- | --- |
| Register-FalconEventCollector | |
| Send-FalconEvent | |
| Send-FalconWebhook | |
| Show-FalconEventCollector | |
| Show-FalconMap | |
| Unregister-FalconEventCollector | |

Humio event ingestion

Configure a Humio collector

The -Enable parameter is optional. When it is supplied with one or both of the values requests and responses, PSFalcon will also forward the matching API requests or responses to Humio as they occur, in addition to objects you send explicitly.

The -Token parameter expects your Humio ingest token.

Register-FalconEventCollector -Uri https://cloud.community.humio.com -Token <string> -Enable responses, requests

Display your collector

Show-FalconEventCollector

Send objects to Humio

Once a collector has been defined through Register-FalconEventCollector, any [PSCustomObject] can be sent to Humio.

Get-FalconHost -Limit 1 -Detailed | Send-FalconEvent
Send-FalconEvent -Object ([PSCustomObject]@{ Example = 'my_string' })

Remove your collector

Unregister-FalconEventCollector

Webhook ingestion

Send objects to Slack

Any [PSCustomObject] can be sent to a Slack webhook.

Get-FalconHost -Limit 1 -Detailed | Send-FalconWebhook -Type Slack -Uri https://hooks.slack.com/services/...
Send-FalconWebhook -Type Slack -Uri https://hooks.slack.com/services/... -Object ([PSCustomObject]@{ Example = 'my_string' })
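The following script ties the Humio steps above (register, verify, send, remove) and the Slack webhook together in one run. It is an added example, not code from the PSFalcon wiki; it assumes an already authenticated PSFalcon session and two environment variables you set yourself, HUMIO_TOKEN and SLACK_WEBHOOK_URI, so that neither secret is written into the script.

```powershell
# Added example (not from the PSFalcon wiki). Assumes an authenticated PSFalcon session
# and two environment variables set by you: HUMIO_TOKEN (Humio ingest token) and
# SLACK_WEBHOOK_URI (Slack incoming-webhook URL). Neither value belongs in the script.
$HumioUri   = 'https://cloud.community.humio.com'
$HumioToken = $env:HUMIO_TOKEN
$SlackUri   = $env:SLACK_WEBHOOK_URI
if (-not $HumioToken -or -not $SlackUri) {
    throw 'Set HUMIO_TOKEN and SLACK_WEBHOOK_URI before running.'
}

# Register the collector without -Enable: only objects piped to Send-FalconEvent are
# forwarded, so API requests and responses are not mirrored into Humio unintentionally.
Register-FalconEventCollector -Uri $HumioUri -Token $HumioToken
Show-FalconEventCollector   # confirm the target before anything is sent

try {
    # Pull a small batch of detailed host records and keep only the fields worth indexing,
    # rather than shipping every property the API returns.
    $Hosts = @(Get-FalconHost -Limit 10 -Detailed | ForEach-Object {
        [PSCustomObject]@{
            device_id     = $_.device_id
            hostname      = $_.hostname
            platform_name = $_.platform_name
            agent_version = $_.agent_version
            last_seen     = $_.last_seen
        }
    })

    # One Humio event per host; Send-FalconEvent accepts any [PSCustomObject] from the pipeline.
    $Hosts | Send-FalconEvent

    # Slack gets a count-only summary, not the host records themselves.
    $Summary = [PSCustomObject]@{
        Source    = 'PSFalcon'
        Forwarded = $Hosts.Count
        SentAtUtc = (Get-Date).ToUniversalTime().ToString('u')
    }
    Send-FalconWebhook -Type Slack -Uri $SlackUri -Object $Summary
}
finally {
    # Remove the collector so the ingest token does not linger in the session.
    Unregister-FalconEventCollector
}
```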

Falcon X Indicator Map

Map indicators

Get-FalconIndicator -Filter "type:'hash_sha256'" -Limit 5 | Show-FalconMap
Show-FalconMap -Indicator www.google.com, 8.8.8.8