X

Our website uses cookies to enhance your browsing experience.

CONTINUE TO SITE >

How to Remotely Remediate an Incident

Introduction

This document and video will demonstrate how to use Real Time Response to access and remediate an endpoint with Falcon Insight. Real Time Response provides the tools to limit exposure, remediate systems, and protect the larger environment.

Video

Prerequisites

  • Subscription: Falcon Insight
  • Hosts Requirements: The specific requirements for the host can be found in the support documentation for Real Time Response.
  • User Role: Falcon users must have one of the three Real Time Responder roles to remotely connect to a host. The Falcon Administrator role does not include access to real time response by default. You must assign the appropriate role to each user that needs access to Real Time Response.

rtr role list

Establish the Session

In the Falcon UI, navigate to Activity > Detections.  Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action.

detection connect to host

You can also connect to a host from Hosts > Host Management.

Remediate - connect to host

Remediation Options

Run Commands

Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.

  • Navigate the file system and perform many file system operations
  • Put and get files to and from the system to the CrowdStrike cloud
  • Stage commonly used programs and powershell scripts 
  • Create supportability scripts as needed
  • List running processes and kill processes
  • Retrieve memory dumps, event logs, or any other files
  • Show network connections
  • Query, create, or modify registry keys

rtr command list

Edit and Run Scripts

In the Real Time Response session, you also have the option to edit and run scripts.

rtr edit button

 

This gives you the option to write any script to be remotely executed on the remote system. In this example, the script will delete a persistence registry key and an unwanted user account.

rtr script

Stage scripts and executables

As a real time response administrator, you also have the option to create and save scripts for repeated use. By opening the summary panel, you see all of the scripts and executables readily available for deployment within your organization.

rtr panel

 

By simply clicking on one of the stored scripts, it is moved to the command line where you can enter any additional parameters – in this case, a ticket number.

rtr runscript option

End the Session

After remediating the system in question and gathering any forensic evidence, you can close the session.

rtr close

 

You will be prompted to confirm the session should be ended.

rtr close prompt

Real Time Response Policies

The default Real Time Response policy allows for basic functionality on managed endpoints. Falcon administrators can create and modify those policies to enable the right level of response actions as needed within the organization or for specific endpoint groups. Detailed documentation on Real Time Response policies is available in the Falcon UI.

Conclusion

Real Time Response is a powerful tool that gives security administrations the ability to remotely access systems for administration tasks, remediation actions or forensics collection, etc. without requiring physical access to the system. For more information on the CrowdStrike solution, see the additional resources and links below.

More resources

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial