[ QUESTION ] How to Target All Clients

[slamanna212]

Description of your question
I work for an MSP and I have been tasked with using this tool to add IOA exclusions to all of our clients. Based on the great documentation I have read here, I should be able to create an API key for the parent account and then use that api info for everything. I am unsure if that is correct, and if it is, I am unsure how to actually target all clients. I have checked issues and the samples and did not see anything relevant but I could have missed something.

Expected behavior
I should be able to target all of the clients without having to make API keys for each one

Environment (please complete the following information):

• OS: Windows 11 23H2
• PowerShell: 5.1.22621.5624
• PSFalcon: v2.2.8

Additional context
I found this comment from 2 years ago, but the link to this github is not valid and the info is not on the page it takes me to as far as I can tell: https://www.reddit.com/r/crowdstrike/comments/10y305b/comment/j8070t6/

Thank You!

[bk-cs]

Create an API client in the parent, and use it to pull your list of children, authenticate to each child and run code. The updated link for the example template is here: https://github.com/CrowdStrike/psfalcon/wiki/Authentication#authorize-and-run-commands-across-member-CIDs

Export-FalconConfig can be used to export IoaExclusion. Once you have exported it from the source CID, you can use Import-FalconConfig to create the exclusion in each child.

[AmaroMiranda]

1. Ensure You Have MSSP / Flight Control Access
   Your parent CID must have access to the Flight Control API (a multi-tenant access mechanism for MSSPs)
   crowdstrike.com
   falconpy.io
   .

Ensure your API scopes include IOA exclusions, HostGroups, etc.
GitHub
+4
falconpy.io
+4
GitHub
+4
.

2. Retrieve Child Tenants (Member CIDs)
   Use the MSSP-specific endpoints:

swift
GET /mssp/queries/children/v1
GET /mssp/entities/children/v1
These list all child CIDs under your parent tenant
crowdstrike.com
+1
falconpy.io
+1
falconpy.io
+3
Reddit
+3
Reddit
+3
.

In PSFalcon v2.x, this is exposed via Get-FalconMemberCID.

3. Create IOA Exclusions for Each Child Tenant
   Once you have a list of child CIDs, loop through them. For each tenant:

powershell
Example pseudocode
$MemberCIDs = Get-FalconMemberCID
foreach ($cid in $MemberCIDs) {
New-FalconIoaExclusion -MemberCID $cid -PatternId "XYZ" -Description "Your IOA exclusion"
}
Use the same parent-level credentials. Specify -MemberCID (or the API call using member_cid query) to target each child tenant.

4. No Need to Create Individual API Keys
   You do NOT need to create an API key per child CID.

A single parent-level API client can operate across all child CIDs with proper scope and use of member_cid.