forked from Cephalowat/PSFalcon
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Get-CsIoc.psm1
121 lines (96 loc) · 2.96 KB
/
Get-CsIoc.psm1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
function Get-CsIoc {
<#
.SYNOPSIS
Search the custom IOCs in your account
.PARAMETER TYPE
Type of the indicator
.PARAMETER VALUE
String representation of the indicator
.PARAMETER AFTER
Find custom IOCs created after this time (RFC-3339 timestamp)
.PARAMETER BEFORE
Find custom IOCs created before this time (RFC-3339 timestamp)
.PARAMETER POLICY
Find custom IOCs within a policy [default: 'detect']
.PARAMETER SOURCE
Source where this indicator originated
.PARAMETER SHARE
Share level of indicator [default: 'red']
.PARAMETER CREATEDBY
User who created the custom IOC
.PARAMETER DELETEDBY
User who deleted the custom IOC
.PARAMETER DELETED
Include deleted IOCs [default: False]
.PARAMETER LIMIT
The maximum records to return [default: 500]
.PARAMETER OFFSET
The offset to start retrieving records from [default: 0]
.PARAMETER ALL
Repeat requests until all results are retrieved
#>
[CmdletBinding()]
[OutputType([psobject])]
param(
[ValidateSet('domain', 'ipv4', 'ipv6', 'md5', 'sha256')]
[string]
$Type,
[ValidateLength(1,200)]
[string]
$Value,
[string]
$After,
[string]
$Before,
[ValidateSet('detect', 'none')]
[string]
$Policy = 'detect',
[ValidateLength(1,200)]
[string]
$Source,
[ValidateSet('red')]
[string]
$Share = 'red',
[string]
$CreatedBy,
[string]
$DeletedBy,
[boolean]
$Deleted = $false,
[ValidateRange(1,500)]
[int]
$Limit = 500,
[int]
$Offset = 0,
[switch]
$All
)
process{
$Param = @{
Uri = '/indicators/queries/iocs/v1?limit=' + [string] $Limit + '&offset=' + [string] $Offset +
'&policies=' + $Policy + '&share_levels=' + $Share + '&include_deleted=' + $Deleted
Method = 'get'
Header = @{
accept = 'application/json'
'content-type' = 'application/json'
}
}
switch ($PSBoundParameters.Keys) {
'Type' { $Param.Uri += '&types=' + $Type }
'Value' { $Param.Uri += '&values=' + $Value }
'After' { $Param.Uri += '&from.expiration_timestamp=' + $Type }
'Before' { $Param.Uri += '&to.expiration_timestamp=' + $Type }
'Source' { $Param.Uri += '&sources=' + $Type }
'CreatedBy' { $Param.Uri += '&created_by=' + $Type }
'DeletedBy' { $Param.Uri += '&deleted_by=' + $Type }
'Debug' { $Param['Debug'] = $true }
'Verbose' { $Param['Verbose'] = $true }
}
if ($All) {
Join-CsResult -Activity $MyInvocation.MyCommand.Name -Param $Param
}
else {
Invoke-CsAPI @Param
}
}
}