Skip to main content
All CollectionsTemplatesBasic
Request File Download From CrowdStrike Using Real Time Response - Workflow Template
Request File Download From CrowdStrike Using Real Time Response - Workflow Template

Nested workflow that will take the CrowdStrike Device ID and a file path and will provide a download link to pass to a Sandbox vendor

Updated over a week ago

This workflow allows users to seamlessly retrieve files from devices using CrowdStrike's Real-Time Response feature. On initiation from a parent workflow, it requires the device ID, file path, and privacy preference for link sharing. Once executed, it establishes a session, downloads the requested file, monitors the download's progress, and provides a secure link. This is particularly useful for Endpoint Detection and Response (EDR) and Threat Hunting, where files may need to be analyzed in sandboxes or attached to incident response tickets.

Take Me to the Template

Use Cases

Endpoint Detection and Response (EDR) , Threat Hunting

Workflow Breakdown

  1. When called from a parent workflow provide the CrowdStrike device id, file with path, and if the link should be public or private

  2. Open a Real Time Response Session with CrowdStrike to the specified device

  3. Request the file to be downloaded from the device

  4. Poll for the download process to complete

  5. Once complete provide a link to pass to a Sandbox solution to scan or attach to a ticketing system

Vendors

Utils, CrowdStrike

Workflow Output

On Success, a link to the requested file.

Related Articles
Create IOCs on Malicious Files from a CrowdStrike Incident - Workflow Template
Create IOCs on Malicious Files from a CrowdStrike Detection - Workflow Template
Isolate or Unisolate device on Microsoft Defender for Endpoint - Workflow Template
Download a File from a SentinelOne Threat ID - Workflow Template
Crowdstrike Falcon Sandbox - File Analysis with Cache - Workflow Template
Did this answer your question?