The "Download File From Host Using CrowdStrike RTR with Socrates" workflow template is designed for efficient Endpoint Detection and Response (EDR). It automates the process of downloading files from a host using CrowdStrike's Real-Time Response (RTR) capabilities. The workflow checks the host's online status, initiates an RTR session, and manages file download requests. It ensures seamless file retrieval by handling offline scenarios and providing a temporary URL for file access, enhancing incident response efficiency.
Use Cases
Endpoint Detection and Response (EDR), Function
Workflow Breakdown
1. The user is queried for a file path, a comment for the action, and a maximum wait time (in minutes) for the action to complete.
2. The device ID is extracted from the corresponding case, or it can be provided in the user query (for use with Socrates Off-Case).
3. The host's online state is checked; if the host is offline, the workflow waits five minutes before retrying, up to the time specified by the user.
4. Once the machine is online, an RTR session is created and the file download is requested.
5. After waiting, the file download status is checked; if the download is not complete, the workflow pauses 5 seconds before retrying.
6. If the file is successfully downloaded, a note including the temporary URL is added to the case.
7. The RTR session is deleted.
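The retry and clean-up logic of steps 3 to 7, as an added illustration that is not the template's own implementation. The `client` methods (`is_online`, `init_session`, `request_get`, `download_ready`, `delete_session`) are hypothetical stand-ins for the CrowdStrike RTR API calls, and `FakeRtrClient` and `FakeTimer` are constructed so the five-minute waits can be simulated offline.

```python
import time
from typing import Callable, Optional

OFFLINE_RETRY_SECONDS = 300  # workflow: wait five minutes before re-checking an offline host
DOWNLOAD_POLL_SECONDS = 5    # workflow: pause 5 seconds between download-status checks

def download_file(client, device_id: str, path: str, comment: str, max_wait_minutes: int,
                  sleep: Callable[[float], None] = time.sleep,
                  clock: Callable[[], float] = time.monotonic) -> dict:
    """Orchestrate the RTR 'get' flow. `client` is a hypothetical wrapper whose method
    names are assumptions, not the vendor SDK. Returns a status and the temporary URL."""
    deadline = clock() + max_wait_minutes * 60
    while not client.is_online(device_id):  # step 3: retry every five minutes within budget
        if clock() + OFFLINE_RETRY_SECONDS > deadline:
            return {"status": "host_offline", "url": None}
        sleep(OFFLINE_RETRY_SECONDS)
    session_id = client.init_session(device_id)  # step 4: open the RTR session
    try:
        request_id = client.request_get(session_id, path, comment)
        while True:  # step 5: poll the download status
            url = client.download_ready(session_id, request_id)
            if url:
                return {"status": "downloaded", "url": url}  # step 6: caller adds the case note
            if clock() >= deadline:  # assumption: the template leaves this loop unbounded
                return {"status": "download_timeout", "url": None}
            sleep(DOWNLOAD_POLL_SECONDS)
    finally:
        client.delete_session(session_id)  # step 7: the session is always removed

class FakeRtrClient:
    """Constructed stand-in: the host is offline for `offline_checks` checks and the
    download becomes ready on the `polls_until_ready`-th status poll."""
    def __init__(self, offline_checks: int = 2, polls_until_ready: int = 3):
        self.offline_checks, self.polls_until_ready = offline_checks, polls_until_ready
        self.sessions_deleted = 0
    def is_online(self, device_id: str) -> bool:
        self.offline_checks -= 1
        return self.offline_checks < 0
    def init_session(self, device_id: str) -> str: return "sess-1"
    def request_get(self, sid: str, path: str, comment: str) -> str: return "req-1"
    def download_ready(self, sid: str, rid: str) -> Optional[str]:
        self.polls_until_ready -= 1
        return "https://example.invalid/tmp/file" if self.polls_until_ready <= 0 else None
    def delete_session(self, sid: str) -> None: self.sessions_deleted += 1

class FakeTimer:
    """Simulated clock: sleeping advances time instantly instead of blocking."""
    def __init__(self): self.now = 0.0
    def sleep(self, seconds: float) -> None: self.now += seconds
    def clock(self) -> float: return self.now
```

Running `download_file(FakeRtrClient(), "dev-1", "C:\\Windows\\Temp\\x.log", "triage", 15, sleep=t.sleep, clock=t.clock)` with `t = FakeTimer()` reports a download after two offline retries and three polls, and the session is deleted exactly once even when the workflow times out.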
Vendors
Utils, CrowdStrike, Torq Cases
