CrowdStrike Falcon - Get Endpoint Forensics Data
This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook extracts data from the host using RTR commands. For example, commands for getting a list of running processes and network connections.
CrowdStrike Falcon · 9 tasks · 1 input · 3 outputs
Inputs
DeviceId— The ID of the host to use.
Outputs
CrowdStrike.Command— The results of the forensics commands.CrowdStrike.Device— CrowdStrike Device's information.Endpoint— Device's information.
Commands used
cs-falcon-rtr-list-network-stats
cs-falcon-rtr-list-processes
cs-falcon-search-device
setIncident