ConvertTo FalconIoaExclusion
Output required fields to create an Indicator of Attack exclusion from a Falcon alert or detection
Uses the 'behaviors' of a detection, or specific properties of an alert to create a new Indicator of Attack exclusion. Specfically, it maps the following properties these fields:
behavior_id/pattern_id > pattern_id display_name > pattern_name cmdline > cl_regex filepath > ifn_regex device.groups > groups
The 'cl_regex' and 'ifn_regex' fields are escaped using the [regex]::Escape() PowerShell accelerator. The 'ifn_regex' output also replaces the NT device path ('Device/HarddiskVolume') with a wildcard. If the host involved in the alert/detection is not in any host groups, the resulting exclusion will apply to all host groups.
The output of this command can be passed to 'New-FalconIoaExclusion' to create an exclusion.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Detection | Object | Falcon alert or detection | X |
ConvertTo-FalconIoaExclusion [-Detection] <Object> [<CommonParameters>]2025-09-19: PSFalcon v2.2.9
