Workflow Template: QuickAction - Run Command on CrowdStrike Host

Run common commands against the host of an associated case using CrowdStrike Real Time Response.

The "QuickAction - Run Command on CrowdStrike Host" workflow template lets users execute a small set of common commands on the host associated with a case, using CrowdStrike Real Time Response (RTR). It supports device and user compliance work and Endpoint Detection and Response (EDR) investigations. The workflow collects each command's output and appends it as a note to the case, so the evidence gathered is documented alongside the incident and available to whoever picks the case up next.

Use Cases

Device & User Compliance, Endpoint Detection and Response (EDR), Function

Workflow Breakdown

  1. Query the user for the commands to execute (options: netstat, ps, mount, ipconfig, env)

  2. The device ID is taken from the associated case, or it can be supplied in the user query

  3. An RTR session is created and the device is queried to check its online state

  4. The requested commands are run one at a time and their outputs collected

  5. The collected results are added as a note to the case
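The five steps above written out as orchestration logic, added here as an illustration rather than the template's own implementation. It assumes an `api` object that is an already-authenticated Falcon REST client exposing `get`, `post` and `delete` methods returning parsed JSON; the paths are the Falcon online-state and Real Time Response endpoints, and `FakeFalcon` is a constructed offline stand-in so the example runs without credentials. Two details the breakdown leaves implicit are made explicit: the command list is checked against the template's read-only allow-list before any session is opened, and an offline host is reported rather than having commands queued against it.

```python
import time

# The template offers only read-only RTR commands; anything else is refused up front.
ALLOWED_COMMANDS = {"netstat", "ps", "mount", "ipconfig", "env"}
ONLINE = "/devices/entities/online-state/v1"           # host online-state lookup
SESSIONS = "/real-time-response/entities/sessions/v1"  # RTR session create/delete
COMMAND = "/real-time-response/entities/command/v1"    # read-only command run/status

def run_commands(api, device_id, commands, poll_interval=1.0):
    """Steps 3-4: refuse unknown commands, confirm the host is online, run each one."""
    if bad := [c for c in commands if c not in ALLOWED_COMMANDS]:
        raise ValueError(f"commands not offered by this QuickAction: {bad}")
    state = api.get(ONLINE, {"ids": [device_id]})["resources"][0]["state"]
    if state != "online":
        raise RuntimeError(f"host {device_id} is {state}; commands not queued")
    session = api.post(SESSIONS, {"device_id": device_id, "queue_offline": False})
    session_id = session["resources"][0]["session_id"]
    results = []
    try:
        for cmd in commands:
            req = api.post(COMMAND, {"base_command": cmd, "command_string": cmd, "session_id": session_id})
            cloud_id = req["resources"][0]["cloud_request_id"]
            while True:  # poll the cloud request until the sensor reports completion
                r = api.get(COMMAND, {"cloud_request_id": cloud_id, "sequence_id": 0})["resources"][0]
                if r.get("complete"):
                    break
                time.sleep(poll_interval)
            results.append((cmd, r.get("stdout", ""), r.get("stderr", "")))
    finally:
        api.delete(SESSIONS, {"session_id": session_id})  # never leave the RTR session open
    return results

def format_note(device_id, results):
    """Step 5: one note holding every command's output, appended to the case."""
    body = [f"$ {c}\n{o.rstrip()}" + (f"\n[stderr] {e.rstrip()}" if e else "") for c, o, e in results]
    return "\n\n".join([f"RTR output for host {device_id}"] + body)

class FakeFalcon:
    """Constructed offline stand-in for an authenticated Falcon API client (not the real SDK)."""
    def __init__(self, state="online"): self.state, self.calls = state, []
    def get(self, path, params):
        self.calls.append(("GET", path))
        return {"resources": [{"state": self.state} if path == ONLINE else
                              {"complete": True, "stdout": f"<{params['cloud_request_id']} output>\n", "stderr": ""}]}
    def post(self, path, body):
        self.calls.append(("POST", path))
        return {"resources": [{"session_id": "sess-1"} if path == SESSIONS else
                              {"cloud_request_id": f"req-{body['base_command']}"}]}
    def delete(self, path, params): self.calls.append(("DELETE", path))
```

Wiring this into the template means replacing `FakeFalcon` with a client that carries an OAuth2 bearer token and posting `format_note(...)` to the case as the step 5 note.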

Vendors

Utils, HTTP, CrowdStrike, Torq Cases