This workflow template enables automated file retrieval from CrowdStrike endpoints using Real Time Response (RTR). It is designed for security professionals who need to pull suspicious files from devices for further analysis. The workflow opens an RTR session, downloads the specified file, and returns a download link (public or private) that can be handed to a sandbox environment for scanning or attached to an incident ticket, supporting endpoint detection and response (EDR) and threat hunting tasks.
Use Cases
Endpoint Detection and Response (EDR), Threat Hunting
Workflow Breakdown
When called from a parent workflow, provide the CrowdStrike device ID, the file path on the device, and whether the link should be public or private
Open a Real Time Response Session with CrowdStrike to the specified device
Request the file to be downloaded from the device
Poll for the download process to complete
Once complete, provide a link to pass to a sandbox solution for scanning or to attach to a ticketing system
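The five steps above, carried through as one runnable flow. This is an added example written for this page, not the template's own implementation. The REST paths follow the public Falcon RTR API as far as I know it (assumed; confirm against your tenant's API reference), and HTTP is hidden behind a `transport` callable so the flow runs offline against the constructed `FakeFalconTransport` below. The `artifact_link` function is a hypothetical stand-in for the platform's public/private file-hosting step, which is not part of the CrowdStrike API.

```python
"""Falcon RTR file pull: open session -> `get` -> poll -> download -> link.

Example code for this page (not the template's code). Endpoint paths are
assumed from the public Falcon RTR API; the transport below is constructed.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Optional

# transport(method, path, query_params, json_body) -> parsed JSON dict, or raw bytes for downloads
Transport = Callable[[str, str, Optional[dict], Optional[dict]], object]

SESSION_PATH = "/real-time-response/entities/sessions/v1"                  # assumed
COMMAND_PATH = "/real-time-response/entities/active-responder-command/v1"  # assumed
FILES_PATH = "/real-time-response/entities/file/v2"                        # assumed
CONTENTS_PATH = "/real-time-response/entities/extracted-file-contents/v1"  # assumed

_DEVICE_ID_RE = re.compile(r"^[0-9a-f]{32}$")  # Falcon agent IDs are 32 hex chars


@dataclass
class FetchResult:
    device_id: str
    path: str
    sha256: str     # hash of the file on the endpoint, as reported by RTR
    archive: bytes  # password-protected 7z archive as delivered by the API
    polls: int      # number of status checks the download needed


class RtrFileFetcher:
    def __init__(self, transport: Transport, max_polls: int = 30):
        self._t, self._max_polls = transport, max_polls

    @staticmethod
    def _one(resp) -> dict:
        res = resp.get("resources") or []
        if len(res) != 1:
            raise RuntimeError(f"expected one resource, got {len(res)}: {resp.get('errors')}")
        return res[0]

    def fetch(self, device_id: str, path: str) -> FetchResult:
        if not _DEVICE_ID_RE.match(device_id):
            raise ValueError("device_id must be a 32-char hex Falcon agent ID")
        if not path.strip() or "\n" in path:
            raise ValueError("refusing malformed file path")
        # Step 1: open the RTR session to the device
        session_id = self._one(self._t("POST", SESSION_PATH, None,
                                       {"device_id": device_id, "queue_offline": False}))["session_id"]
        try:
            # Step 2: ask the sensor to upload the file (`get` needs active-responder rights)
            req_id = self._one(self._t("POST", COMMAND_PATH, None, {
                "base_command": "get", "command_string": f"get {path}", "session_id": session_id,
            }))["cloud_request_id"]
            # Step 3: poll until complete; bounded so a hung sensor cannot stall the parent workflow
            polls = 0
            while True:
                polls += 1
                status = self._one(self._t("GET", COMMAND_PATH,
                                           {"cloud_request_id": req_id, "sequence_id": 0}, None))
                if status.get("complete"):
                    break
                if polls >= self._max_polls:
                    raise TimeoutError(f"get {path!r} not complete after {polls} polls")
            if status.get("stderr"):
                raise RuntimeError(f"RTR get failed: {status['stderr']}")
            # Step 4: the staged file is listed with its SHA-256, then downloaded
            files = self._t("GET", FILES_PATH, {"session_id": session_id}, None)["resources"]
            if not files:
                raise RuntimeError("command completed but no file was staged")
            sha256 = files[0]["sha256"]
            archive = self._t("GET", CONTENTS_PATH, {"session_id": session_id, "sha256": sha256}, None)
            return FetchResult(device_id, path, sha256, bytes(archive), polls)
        finally:
            # Always release the session, even on failure
            self._t("DELETE", SESSION_PATH, {"session_id": session_id}, None)


def artifact_link(result: FetchResult, public: bool, base: str = "https://files.example.invalid") -> str:
    """Hypothetical stand-in for the platform's hosting step (step 5): a private link stays
    inside the tenant; a public one is reachable by an external sandbox."""
    return f"{base}/{'public' if public else 'private'}/{result.sha256}.7z"


class FakeFalconTransport:
    """Constructed offline stand-in: completes `get` on the Nth poll and serves a constructed archive."""
    FILE_BYTES = b"MZ constructed sample for the example"
    ARCHIVE = b"7z\xbc\xaf\x27\x1c" + b"constructed-archive-body"

    def __init__(self, polls_until_done: int = 3):
        self.polls_until_done, self.polls, self.session_closed = polls_until_done, 0, False
        self.sha256 = hashlib.sha256(self.FILE_BYTES).hexdigest()

    def __call__(self, method, path, params, body):
        if (method, path) == ("POST", SESSION_PATH):
            return {"resources": [{"session_id": "sess-constructed-1"}]}
        if (method, path) == ("DELETE", SESSION_PATH):
            self.session_closed = True
            return {"resources": []}
        if (method, path) == ("POST", COMMAND_PATH):
            return {"resources": [{"cloud_request_id": "req-constructed-1"}]}
        if (method, path) == ("GET", COMMAND_PATH):
            self.polls += 1
            return {"resources": [{"complete": self.polls >= self.polls_until_done, "stdout": "", "stderr": ""}]}
        if (method, path) == ("GET", FILES_PATH):
            return {"resources": [{"name": "sample.exe", "sha256": self.sha256, "size": len(self.FILE_BYTES)}]}
        if (method, path) == ("GET", CONTENTS_PATH):
            return self.ARCHIVE
        raise AssertionError(f"unexpected call {method} {path}")


def run_demo(public: bool = False):
    fake = FakeFalconTransport()
    result = RtrFileFetcher(fake).fetch("0" * 31 + "a", r"C:\Users\Public\sample.exe")
    return result, artifact_link(result, public), fake.session_closed


def demo_timeout(max_polls: int = 2) -> bool:
    """A sensor that never finishes raises TimeoutError; the session is still released."""
    fake = FakeFalconTransport(polls_until_done=10)
    try:
        RtrFileFetcher(fake, max_polls=max_polls).fetch("0" * 32, "/tmp/sample")
    except TimeoutError:
        return fake.session_closed
    return False


if __name__ == "__main__":
    res, link, closed = run_demo(public=True)
    print(f"sha256={res.sha256} polls={res.polls} link={link} session_closed={closed}")
```

The `finally` block and the poll cap are the two points a parent workflow depends on: an open RTR session holds the device, and an unbounded poll loop turns a stuck sensor into a stuck workflow. Record the reported SHA-256 on the ticket alongside the link so the artifact can be matched to the sandbox verdict later.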
Vendors
CrowdStrike
Workflow Output
On Success, a link to the requested file.