Im trying to close all the detects which are older than 30 days #98

kumar4755 · 2021-05-05T17:29:09Z

kumar4755
May 5, 2021

we have 1000K detects which are older than 30days
Im trying to close all the detects which are older than 30 days

Im trying to get the All detect ids older than 30 days and closing them but im able to delete only 5000 could you please help me on this

Below is my code
Thankyou

$Detectid = (Get-CsDetectId -Filter "first_behavior:<'2021-04-05'").resources
"ids" | Out-File 'C:\Desktop\CrowdstrikeAutomation\Detectid.csv'
$Detectid | Out-File 'C:\Desktop\CrowdstrikeAutomation\Detectid.csv' -Append

$Data3=Import-Csv C:\Desktop\CrowdstrikeAutomation\Detectid.csv | select -ExpandProperty ids
$count=0
$output=""
$output=@()

foreach ($i in $Data3){
$output= $output + $i.Trim()
$count=$count+1
if($count -ge 4999){

    $output2 = Edit-CsDetect -Properties @{ assigned_to_uuid = '27bbcc15-262f-4a5c-83a5-f3a935bd3782'; ids = @($output); status = 'closed' } | ConvertTo-Json
    $output2 | Out-File 'C:\Users\c51337\Downloads\CrowdstrikeAutomation\Detectidoutput.csv' -Append
    $count=0
    $output=@()

}
}

Answered by bk-cs

May 6, 2021

In your example, you're using PSFalcon v1 commands (Get-CsDetectId). I recommend updating to v2 and using the equivalent command Get-FalconDetection. You're also exporting to CSV and re-importing the CSV when you don't really need to.

In PSFalcon v1, each command would only return a maximum of 5,000 per request, which is what you're doing with this line:

$Detectid = (Get-CsDetectId -Filter "first_behavior:<'2021-04-05'").resources

You'll need to add the -All parameter to loop through the detections, but keep in mind that the Detections API only returns at maximum of 10,000 results at any one time. If you want to go through more than 10,000 detections, you're going to have to refine your …

View full answer

bk-cs · 2021-05-06T22:03:13Z

bk-cs
May 6, 2021
Maintainer

In your example, you're using PSFalcon v1 commands (Get-CsDetectId). I recommend updating to v2 and using the equivalent command Get-FalconDetection. You're also exporting to CSV and re-importing the CSV when you don't really need to.

In PSFalcon v1, each command would only return a maximum of 5,000 per request, which is what you're doing with this line:

$Detectid = (Get-CsDetectId -Filter "first_behavior:<'2021-04-05'").resources

You'll need to add the -All parameter to loop through the detections, but keep in mind that the Detections API only returns at maximum of 10,000 results at any one time. If you want to go through more than 10,000 detections, you're going to have to refine your filters to find smaller numbers of results and repeat those operations.

Here's an example where I loop through large numbers of detections 1,000 results at a time to hide any detection involving a specific filename. Note that hidden detections are unable to be recovered via API, so be very careful if you choose to hide them: https://github.com/CrowdStrike/psfalcon/wiki/Basic-Scripts#find-and-hide-large-numbers-of-detections

You could potentially modify this script to check for detections that have status:'new' and were created more than 30 days ago, then assign them to your target user and update their status rather than hiding them.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Im trying to close all the detects which are older than 30 days #98

{{title}}

Replies: 1 comment

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Im trying to close all the detects which are older than 30 days #98

kumar4755 May 5, 2021

Below is my code Thankyou

Replies: 1 comment

bk-cs May 6, 2021 Maintainer

kumar4755
May 5, 2021

Below is my code
Thankyou

bk-cs
May 6, 2021
Maintainer