CrowdStrike Falcon - Get Endpoint Forensics Data

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to https://xsoar.pan.dev/docs/reference/packs/malware-investigation-and-response. This playbook extracts data from the host using RTR commands. For example, commands for getting a list of running processes and network connections.

CrowdStrike Falcon · 9 tasks · 1 input · 3 outputs

Inputs

  • DeviceId — The ID of the host to use.

Outputs

  • CrowdStrike.Command — The results of the forensics commands.
  • CrowdStrike.Device — CrowdStrike Device's information.
  • Endpoint — Device's information.

Commands used

cs-falcon-rtr-list-network-stats cs-falcon-rtr-list-processes cs-falcon-search-device setIncident

Flowchart

yes yes yes Start Start List processes - cs-falcon-rtr-list-processes List processes cs-falcon-rtr-list-processes List network connections - cs-falcon-rtr-list-network-stats List network connections cs-falcon-rtr-list-network-stats Done Done Check if the device is online Check if the device is on... Check if device ID provided Check if device ID provided Get Device Status - cs-falcon-search-device Get Device Status cs-falcon-search-device Provide an Endpoint ID Provide an Endpoint ID Set the endpoint IDs to the incident field - setIncident Set the endpoint IDs to t... setIncident