This workflow allows users to seamlessly retrieve files from devices using CrowdStrike's Real-Time Response feature. On initiation from a parent workflow, it requires the device ID, file path, and privacy preference for link sharing. Once executed, it establishes a session, downloads the requested file, monitors the download's progress, and provides a secure link. This is particularly useful for Endpoint Detection and Response (EDR) and Threat Hunting, where files may need to be analyzed in sandboxes or attached to incident response tickets.
Use Cases
Endpoint Detection and Response (EDR), Threat Hunting
Workflow Breakdown
When called from a parent workflow, provide the CrowdStrike device ID, the file path, and whether the resulting link should be public or private
Open a Real-Time Response session with CrowdStrike to the specified device
Request that the file be retrieved from the device
Poll until the retrieval completes (or fails)
Once complete, provide a link that can be passed to a sandbox solution for scanning or attached to a ticketing system
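The five steps above, carried out end to end as an added example; this is not the workflow's own code or a CrowdStrike library. `FakeRtrClient` is a constructed in-memory stand-in whose method names mirror the Real-Time Response API operations the workflow uses (RTR-InitSession, RTR-ExecuteActiveResponderCommand with the `get` command, RTR-CheckActiveResponderCommandStatus, RTR-ListFiles, RTR-GetExtractedFileContents), `store_file` stands in for the "Utils" link-sharing step, and the device IDs, paths, hostnames and file contents are all made up. The orchestrator bounds the polling loop, surfaces a failed `get` instead of returning an empty link, and verifies the SHA-256 of the pulled bytes against what the session reported before handing the link on.

```python
import hashlib
import time
from dataclasses import dataclass, field


@dataclass
class FakeRtrClient:
    """Constructed stand-in for an RTR API client; nothing here touches the network."""
    device_files: dict                 # device_id -> {file_path: bytes} (constructed inventory)
    polls_until_complete: int = 2      # status checks a `get` needs before it reports done
    _sessions: dict = field(default_factory=dict)
    _requests: dict = field(default_factory=dict)

    def init_session(self, device_id):
        # Mirrors RTR-InitSession: one session per target device.
        if device_id not in self.device_files:
            raise LookupError(f"unknown device {device_id}")
        session_id = f"sess-{len(self._sessions) + 1}"
        self._sessions[session_id] = {"device": device_id, "files": []}
        return session_id

    def execute_active_responder_command(self, session_id, base_command, command_string):
        # Mirrors RTR-ExecuteActiveResponderCommand; only `get <path>` is simulated.
        if base_command != "get":
            raise ValueError("only the get command is simulated here")
        path = command_string.split(" ", 1)[1]
        request_id = f"req-{len(self._requests) + 1}"
        self._requests[request_id] = {"session": session_id, "path": path, "polls": 0}
        return request_id

    def check_command_status(self, request_id):
        # Mirrors RTR-CheckActiveResponderCommandStatus; completes after N polls.
        req = self._requests[request_id]
        req["polls"] += 1
        if req["polls"] < self.polls_until_complete:
            return {"complete": False, "stderr": ""}
        session = self._sessions[req["session"]]
        files = self.device_files[session["device"]]
        if req["path"] not in files:
            return {"complete": True, "stderr": f"get: {req['path']}: no such file"}
        digest = hashlib.sha256(files[req["path"]]).hexdigest()
        session["files"].append({"name": req["path"], "sha256": digest})
        return {"complete": True, "stderr": ""}

    def list_files(self, session_id):
        # Mirrors RTR-ListFiles: files the session has pulled back so far.
        return list(self._sessions[session_id]["files"])

    def get_extracted_file_contents(self, session_id, sha256):
        # Mirrors RTR-GetExtractedFileContents: fetch pulled bytes by hash.
        device = self._sessions[session_id]["device"]
        for data in self.device_files[device].values():
            if hashlib.sha256(data).hexdigest() == sha256:
                return data
        raise LookupError(f"no extracted file with sha256 {sha256}")


def store_file(data, public):
    """Constructed stand-in for the Utils link step; hostname is a placeholder."""
    scope = "public" if public else "private"
    return f"https://files.example.invalid/{scope}/{hashlib.sha256(data).hexdigest()}"


def retrieve_file(client, device_id, file_path, public_link, max_polls=30, poll_interval=0.0):
    """Steps 1-5: open session, request the file, poll, verify, return a link."""
    session_id = client.init_session(device_id)
    request_id = client.execute_active_responder_command(session_id, "get", f"get {file_path}")
    status = {"complete": False, "stderr": ""}
    for _ in range(max_polls):                      # bounded poll; never spin forever
        status = client.check_command_status(request_id)
        if status["complete"]:
            break
        time.sleep(poll_interval)
    if not status["complete"]:
        raise TimeoutError(f"get {file_path} did not finish within {max_polls} polls")
    if status["stderr"]:                             # a failed get must not yield a link
        raise RuntimeError(status["stderr"])
    entry = next((f for f in client.list_files(session_id) if f["name"] == file_path), None)
    if entry is None:
        raise RuntimeError(f"{file_path} not present in session file list")
    data = client.get_extracted_file_contents(session_id, entry["sha256"])
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:   # integrity check before sharing
        raise ValueError("downloaded bytes do not match the reported SHA-256")
    return {"link": store_file(data, public_link), "sha256": entry["sha256"], "size": len(data)}


# Constructed inventory: one device with one suspicious file.
SAMPLE_DEVICES = {"dev-0001": {"C:\\Users\\Public\\update.exe": b"constructed sample bytes"}}


def demo(public_link=True):
    client = FakeRtrClient(SAMPLE_DEVICES)
    return retrieve_file(client, "dev-0001", "C:\\Users\\Public\\update.exe", public_link)


if __name__ == "__main__":
    print(demo())
```

Wired to a real client, `poll_interval` should be a few seconds and the session should be deleted after the download; consult the CrowdStrike API reference for the exact response bodies and the archive format in which extracted file contents are returned.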
Vendors
Utils, CrowdStrike
Workflow Output
On Success, a link to the requested file.