Skip to main content
All CollectionsTemplatesBasic
Request File Download From CrowdStrike Using Real Time Response - Workflow Template
Request File Download From CrowdStrike Using Real Time Response - Workflow Template

Nested workflow that will take the CrowdStrike Device ID and a file path and will provide a download link to pass to a Sandbox vendor

Updated over 6 months ago

This workflow template enables automated file retrieval from CrowdStrike endpoints using Real Time Response. It's designed for security professionals needing to pull suspicious files from devices for further analysis. The workflow opens an RTR session, downloads the specified file, and provides a download link—either public or private—ideally used to transfer files securely to a sandbox environment or attach to an incident ticket for comprehensive endpoint detection and response (EDR) and threat hunting tasks.

Take Me to the Template

Use Cases

Endpoint Detection and Response (EDR) , Threat Hunting

Workflow Breakdown

  1. When called from a parent workflow provide the CrowdStrike device id, file with path, and if the link should be public or private

  2. Open a Real Time Response Session with CrowdStrike to the specified device

  3. Request the file to be downloaded from the device

  4. Poll for the download process to complete

  5. Once complete provide a link to pass to a Sandbox solution to scan or attach to a ticketing system

Vendors

CrowdStrike

Workflow Output

On Success, a link to the requested file.

Related Articles
CrowdStrike
Open a PagerDuty Incident on Host Detection (CrowdStrike) - Workflow Template
Create IOCs on Malicious Files from a CrowdStrike Detection - Workflow Template
Isolate or Unisolate device on Microsoft Defender for Endpoint - Workflow Template
Download a File from a SentinelOne Threat ID - Workflow Template
Did this answer your question?