
How to Remotely Remediate an Incident

Introduction

This document and video will demonstrate how to use Real Time Response to access and remediate an endpoint with Falcon Insight. Real Time Response provides the tools to limit exposure, remediate systems, and protect the larger environment.

Video


Prerequisites

  • Subscription: Falcon Insight
  • Hosts:
    • PowerShell: 3.0 or later is recommended; at least 2.0 is required. PowerShell constrained language mode must not be enabled.
    • .NET Framework: 4.5 or later is recommended; at least 3.5 is required
    • Falcon sensor for Windows version 4.5.6806 or later
    • Network access: a host must be online for you to connect to it. You can connect to a host when it’s been network contained.
  • User Role: You must have the Real Time Responder role to connect to a host. The Falcon Host Administrator role does not include access to real time response. You must assign the role “Real Time Responder” to each user that you want to have access to real time response.
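Before opening a session it helps to know whether a host actually meets the requirements above. The script below is an added example, not part of the CrowdStrike article, and checks the host-side prerequisites (PowerShell version and language mode, .NET Framework version, sensor service and binary version) from an elevated PowerShell prompt on the endpoint. The sensor service name `CSFalconService` and the binary path `C:\Program Files\CrowdStrike\CSFalconService.exe` are assumptions about a typical install; the network-containment and Real Time Responder role requirements are enforced in the Falcon UI and are not checked here.

```powershell
# Added example (not from the article): check a Windows host against the RTR prerequisites.
# ASSUMPTIONS (adjust for your deployment): sensor service name and service binary path.
$SensorService = 'CSFalconService'
$SensorExe     = 'C:\Program Files\CrowdStrike\CSFalconService.exe'
$MinSensor     = [version]'4.5.6806'   # minimum sensor version stated in the prerequisites

function New-Check ($Name, $Value, $Status) {
    New-Object PSObject -Property @{ Check = $Name; Value = "$Value"; Status = $Status }
}

function Test-RtrPrerequisites {
    $checks = @()

    # PowerShell: 2.0 required, 3.0 or later recommended ($PSVersionTable does not exist on 1.0)
    if ($PSVersionTable) { $ps = $PSVersionTable.PSVersion } else { $ps = [version]'1.0' }
    if ($ps.Major -ge 3)     { $s = 'OK' }
    elseif ($ps.Major -ge 2) { $s = 'WARN: 3.0 or later recommended' }
    else                     { $s = 'FAIL: PowerShell 2.0 or later required' }
    $checks += New-Check 'PowerShell version' $ps $s

    # Constrained Language Mode must not be enabled; a normal session reports FullLanguage
    $mode = $ExecutionContext.SessionState.LanguageMode
    if ("$mode" -eq 'FullLanguage') { $s = 'OK' } else { $s = 'FAIL: constrained language mode enabled' }
    $checks += New-Check 'PowerShell language mode' $mode $s

    # .NET Framework: 3.5 required, 4.5 or later recommended.
    # The v4\Full "Release" value 378389 corresponds to .NET Framework 4.5.
    $ndp4  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $ndp35 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'    -ErrorAction SilentlyContinue
    if ($ndp4 -and $ndp4.Release -ge 378389) { $v = $ndp4.Version;  $s = 'OK' }
    elseif ($ndp35 -and $ndp35.Install -eq 1) { $v = $ndp35.Version; $s = 'WARN: 4.5 or later recommended' }
    else                                      { $v = 'not found';    $s = 'FAIL: .NET Framework 3.5 or later required' }
    $checks += New-Check '.NET Framework' $v $s

    # Falcon sensor: service running and binary version at or above the minimum
    $svc = Get-Service -Name $SensorService -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { $s = 'OK' } else { $s = 'FAIL: sensor service not running' }
    $checks += New-Check 'Falcon sensor service' $SensorService $s

    $exe = Get-Item $SensorExe -ErrorAction SilentlyContinue
    if ($exe) {
        $fv = $exe.VersionInfo.FileVersion
        try   { if ([version]$fv -ge $MinSensor) { $s = 'OK' } else { $s = "FAIL: sensor older than $MinSensor" } }
        catch { $s = 'WARN: could not parse sensor file version' }
    } else { $fv = 'not found'; $s = 'FAIL: sensor binary not found at expected path' }
    $checks += New-Check 'Falcon sensor version' $fv $s

    # Network reachability (including contained hosts) and the Real Time Responder role
    # are determined in the Falcon UI, so they are not checked here.
    $checks
}

Test-RtrPrerequisites | Format-Table Check, Value, Status -AutoSize
```

Any row marked FAIL means a session will not connect or will not behave as expected; a WARN row works but falls below the recommended version.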

Establish the Session

In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.

Directly from a given detection, you will see the option to “Connect to Host”.

Remediate - connect to detection

You can also connect to a host from Hosts > Host Management.

Remediate - connect to host

Remediate the System

Once connected, you will be presented with a list of commands available in Real Time Response that include the capabilities listed below.

  • Navigate the file system, upload or delete files, and perform many file system operations
  • List running processes and kill processes
  • Retrieve memory dumps, event logs, or any other files
  • Show network connections
  • Query, create, or modify registry keys

Remediate - Real time response

In this step, you can also gather evidence for future investigations using the “get” command. This will collect files from the remote system for further investigation following the incident.

Remediate - download
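Files collected with “get” are only useful later if their integrity can be demonstrated. The script below is an added example, not part of the CrowdStrike article, and shows one way to record a SHA-256 manifest for retrieved files on the analyst workstation and to re-verify them afterwards. The evidence directory `C:\IR\case-0001\rtr-get` and the host name `WORKSTATION-01` are constructed placeholders; `Get-FileHash` requires PowerShell 4.0 or later on the workstation running the script.

```powershell
# Added example (not from the article): build and verify an integrity manifest for
# evidence retrieved with the RTR "get" command.
# ASSUMPTIONS: retrieved files were saved under $EvidenceDir; host name is a placeholder.
$EvidenceDir  = 'C:\IR\case-0001\rtr-get'
$ManifestPath = Join-Path $EvidenceDir 'manifest.csv'
$SourceHost   = 'WORKSTATION-01'

function New-EvidenceManifest ($Dir, $Out, $FromHost) {
    # Hash every retrieved file (excluding the manifest itself) and record where it came from.
    $collected = (Get-Date).ToUniversalTime().ToString('o')
    Get-ChildItem -Path $Dir -File -Recurse |
        Where-Object { $_.FullName -ne $Out } |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
            [pscustomobject]@{
                SourceHost   = $FromHost
                File         = $_.FullName
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
                SHA256       = $h.Hash
                CollectedUtc = $collected
            }
        } | Export-Csv -Path $Out -NoTypeInformation
    Import-Csv -Path $Out
}

function Test-EvidenceManifest ($Out) {
    # Re-hash each listed file and flag any whose SHA-256 no longer matches the manifest.
    Import-Csv -Path $Out | ForEach-Object {
        if (Test-Path -Path $_.File) {
            $now = (Get-FileHash -Path $_.File -Algorithm SHA256).Hash
            $intact = ($now -eq $_.SHA256)
        } else {
            $intact = $false   # missing file counts as a broken chain of custody
        }
        [pscustomobject]@{ File = $_.File; Intact = $intact }
    }
}

New-EvidenceManifest $EvidenceDir $ManifestPath $SourceHost | Format-Table -AutoSize
Test-EvidenceManifest $ManifestPath | Where-Object { -not $_.Intact }
```

Keep the manifest with the case record; running `Test-EvidenceManifest` again before analysis shows whether any retrieved file was altered or lost in the meantime.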

End the Session

After remediating the system in question and gathering any forensic evidence, you can close the session.

Remediate - close

You will be prompted to confirm the session should be ended.

Remediate - confirm close

Conclusion

Real Time Response is a powerful tool that gives security administrators the ability to remotely remediate systems in minutes without physical access to the system. For more information on Falcon Host, see the additional resources and links below.
