How to Remotely Remediate an Incident
Introduction
This document and video will demonstrate how to use Real Time Response to access and remediate an endpoint with Falcon Insight. Real Time Response provides the tools to limit exposure, remediate systems, and protect the larger environment.
Establish the Session
In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation. Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action.
You can also connect to a host from Hosts > Host Management.
Remediation Options:
Run Commands
Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. Because you can run built-in commands, executables and scripts, the range of possible actions is wide. A few examples are listed below.
- Navigate the file system and perform many file system operations
- Put and get files to and from the system to the CrowdStrike cloud
- Stage commonly used programs and PowerShell scripts
- Create supportability scripts as needed
- List running processes and kill processes
- Retrieve memory dumps, event logs, or any other files
- Show network connections
- Query, create, or modify registry keys
Edit and Run Scripts
In the Real Time Response session, you also have the option to edit and run scripts.
This lets you write any script and execute it on the remote system. In this example, the script will delete a persistence registry key and an unwanted user account.
Stage scripts and executables
As a real time response administrator, you also have the option to create and save scripts for repeated use. By opening the summary panel, you see all of the scripts and executables readily available for deployment within your organization.
Clicking one of the stored scripts moves it to the command line, where you can enter any additional parameters the script takes, in this case a ticket number.
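The following PowerShell script is an added example, not a script from this article or from CrowdStrike, of the kind of remediation described in the two sections above: it removes a persistence autorun value and a local account, takes a ticket number as a parameter, and records the state of both artifacts to a JSON file before deleting them so the evidence survives the remediation and can be pulled back with a file "get". The registry path, the value name "UpdaterSvc" and the account "svc_backup" are constructed placeholders, not values from the article; substitute the ones from your own detection.

```powershell
<#
  Added example: remediation script intended to be staged in Real Time Response
  and run with parameters. The autorun value name and the account name below are
  constructed placeholders (assumptions), not values taken from the article.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Ticket number passed on the RTR command line; tags the evidence file.
    [Parameter(Mandatory = $true)][string]$TicketNumber,
    # Persistence location. Assumption: an HKLM Run value (placeholder name).
    [string]$RunKeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    [string]$RunValueName = 'UpdaterSvc',
    # Unwanted local account (placeholder name).
    [string]$UserName     = 'svc_backup',
    # Where the before-state record is written for later retrieval.
    [string]$EvidenceDir  = "$env:ProgramData\IR"
)

$ErrorActionPreference = 'Stop'
$report = [ordered]@{
    Ticket  = $TicketNumber
    Host    = $env:COMPUTERNAME
    TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
    Actions = @()
}

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$evidenceFile = Join-Path $EvidenceDir "remediation-$TicketNumber.json"

# 1. Persistence: preserve the autorun command line, then remove the value.
$runValue = Get-ItemProperty -Path $RunKeyPath -Name $RunValueName -ErrorAction SilentlyContinue
if ($null -ne $runValue) {
    $report.Actions += [ordered]@{
        Type = 'RegistryValue'
        Key  = $RunKeyPath
        Name = $RunValueName
        Data = $runValue.$RunValueName   # kept for the case file before deletion
    }
    if ($PSCmdlet.ShouldProcess("$RunKeyPath\$RunValueName", 'Remove autorun value')) {
        Remove-ItemProperty -Path $RunKeyPath -Name $RunValueName
    }
} else {
    $report.Actions += [ordered]@{ Type = 'RegistryValue'; Name = $RunValueName; Result = 'NotPresent' }
}

# 2. Unwanted account: preserve SID, status and group memberships, then remove it.
$user = Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue
if ($null -ne $user) {
    # Group membership matters for the case: it shows what access the account had.
    $groups = Get-LocalGroup | Where-Object {
        Get-LocalGroupMember -Group $_ -Member $UserName -ErrorAction SilentlyContinue
    } | Select-Object -ExpandProperty Name
    $report.Actions += [ordered]@{
        Type      = 'LocalUser'
        Name      = $UserName
        SID       = $user.SID.Value
        Enabled   = $user.Enabled
        LastLogon = $user.LastLogon
        Groups    = @($groups)
    }
    if ($PSCmdlet.ShouldProcess($UserName, 'Remove local user')) {
        # Disable first so the account cannot be used if removal fails part-way.
        Disable-LocalUser -Name $UserName
        Remove-LocalUser  -Name $UserName
    }
} else {
    $report.Actions += [ordered]@{ Type = 'LocalUser'; Name = $UserName; Result = 'NotPresent' }
}

# 3. Write the evidence record and summarise what was done.
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $evidenceFile -Encoding UTF8
Write-Output "Ticket $TicketNumber on $($report.Host): $($report.Actions.Count) artifact(s) processed"
Write-Output "Evidence written to $evidenceFile"
```

Because the script declares SupportsShouldProcess, running it once with -WhatIf alongside -TicketNumber shows exactly which value and which account would be removed without changing anything, which is a useful check before the real run. The Get-LocalUser and Remove-LocalUser cmdlets come from the Microsoft.PowerShell.LocalAccounts module shipped with Windows PowerShell 5.1 and later, and the script needs the administrative context that Real Time Response already provides.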
End the Session
After remediating the system in question and gathering any forensic evidence, you can close the session.
You will be prompted to confirm the session should be ended.
Real Time Response Policies
The default Real Time Response policy allows for basic functionality on managed endpoints. Falcon administrators can create and modify those policies to enable the right level of response actions as needed within the organization or for specific endpoint groups. Detailed documentation on Real Time Response policies is available in the Falcon UI.
Conclusion
Real Time Response is a powerful tool that gives security administrators the ability to remotely access systems for administration tasks, remediation actions or forensics collection without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below.