Workflow Template: QuickAction - Download File From Host Using CrowdStrike RTR

This workflow takes in a file path and returns a temporary URL to download the file using the CrowdStrike Real Time Response API.

Updated over 2 weeks ago

The "QuickAction - Download File From Host Using CrowdStrike RTR" workflow template streamlines the process of retrieving files from endpoints using CrowdStrike's Real-Time Response (RTR) capabilities. Designed for Endpoint Detection and Response (EDR) use cases, it automates file download requests, checks device online status, and manages RTR sessions. This workflow enhances incident response efficiency by ensuring critical files are accessible for analysis, even if the host is initially offline.

Use Cases

Endpoint Detection and Response (EDR), Function

Workflow Breakdown

  1. The user is queried for a file path, a comment for the action, and a wait time to completion in minutes

  2. The device ID is extracted from the corresponding case

  3. The host's online state is checked; if it is offline, the workflow waits five minutes before retrying, up to the wait time specified by the user

  4. Once the machine is online, an RTR session is created; the file download is requested

  5. After the initial wait, the file download status is checked; if the download is not complete, the workflow pauses 5 seconds before retrying

  6. If the file is successfully downloaded, a note including the temporary URL is added to the case

  7. The RTR session is deleted
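The control flow of steps 3 to 7 (bounded online-state polling, session creation, file request, status polling, case note, and guaranteed session teardown) is easy to get subtly wrong, in particular leaking an RTR session when a step fails or times out. The following Python script is an added illustration written for this article; it is not the template's own implementation and does not call the CrowdStrike or Torq APIs. The `FakeRtrClient`, `FakeClock`, the `req-1`/`session-*` identifiers and the `example.invalid` download URL are all constructed for the example. One design choice goes slightly beyond the text: the user-supplied wait time bounds the status polling in step 5 as well as the online check in step 3, so the orchestration can never spin forever, and the session is closed in a `finally` block so step 7 runs on every exit path.

```python
"""Orchestration of the RTR file-download steps, run against an in-memory fake client.

Constructed example: the fake client stands in for the CrowdStrike RTR API
(session init, `get` command, file status, session delete) and the Torq case
note action. Nothing here talks to a real tenant.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

ONLINE_RETRY_SECONDS = 5 * 60  # step 3: five minutes between online-state checks
STATUS_RETRY_SECONDS = 5       # step 5: 5 seconds between download-status checks


@dataclass
class FakeRtrClient:
    """In-memory stand-in for the RTR and case APIs (constructed for this example).

    online_after: how many online checks report the host offline before it is online.
    done_after:   how many status checks report the download incomplete before it is done.
    """
    online_after: int = 0
    done_after: int = 0
    session_open: bool = False
    notes: list = field(default_factory=list)
    online_checks: int = 0
    status_checks: int = 0

    def is_online(self, device_id: str) -> bool:
        self.online_checks += 1
        return self.online_checks > self.online_after

    def open_session(self, device_id: str) -> str:
        self.session_open = True
        return f"session-{device_id}"  # constructed session id

    def request_file(self, session_id: str, file_path: str, comment: str) -> str:
        if not self.session_open:
            raise RuntimeError("file requested without an open RTR session")
        return "req-1"  # constructed request id

    def download_status(self, session_id: str, request_id: str) -> Optional[str]:
        """Return the temporary download URL once the file is ready, else None."""
        self.status_checks += 1
        if self.status_checks > self.done_after:
            return f"https://example.invalid/download/{request_id}"  # constructed URL
        return None

    def close_session(self, session_id: str) -> None:
        self.session_open = False

    def add_case_note(self, case_id: str, text: str) -> None:
        self.notes.append((case_id, text))


class FakeClock:
    """Deterministic clock so the polling loops run instantly under test."""
    def __init__(self) -> None:
        self.elapsed = 0.0

    def now(self) -> float:
        return self.elapsed

    def sleep(self, seconds: float) -> None:
        self.elapsed += seconds


def download_file_from_host(client, case_id: str, device_id: str, file_path: str,
                            comment: str, wait_minutes: int,
                            sleep: Callable[[float], None] = time.sleep,
                            clock: Callable[[], float] = time.monotonic) -> Optional[str]:
    """Run steps 3-7; return the temporary URL, or None if the wait time is exhausted."""
    deadline = clock() + wait_minutes * 60

    # Step 3: poll the online state, bounded by the user-supplied wait time.
    while not client.is_online(device_id):
        if clock() >= deadline:
            return None
        sleep(min(ONLINE_RETRY_SECONDS, deadline - clock()))

    # Step 4: only now create the session and request the file.
    session_id = client.open_session(device_id)
    try:
        request_id = client.request_file(session_id, file_path, comment)

        # Step 5: poll the download status; the same deadline bounds this loop.
        url = client.download_status(session_id, request_id)
        while url is None:
            if clock() >= deadline:
                return None
            sleep(STATUS_RETRY_SECONDS)
            url = client.download_status(session_id, request_id)

        # Step 6: record the temporary URL on the case.
        client.add_case_note(case_id, f"{comment}: {file_path} available at {url}")
        return url
    finally:
        # Step 7: the session is deleted on success, timeout, or error alike.
        client.close_session(session_id)


if __name__ == "__main__":
    clk = FakeClock()
    cli = FakeRtrClient(online_after=2, done_after=3)
    print(download_file_from_host(cli, "case-1", "dev-1", r"C:\Windows\Temp\app.log",
                                  "triage", 30, sleep=clk.sleep, clock=clk.now))
```

The two fake counters let you exercise the timeout paths without a live host: a host that never comes online returns `None` with no session ever opened, and a download that never completes returns `None` with the session still torn down by the `finally` block.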

Vendors

Utils, CrowdStrike, Torq Cases