
Overview

Real-time Response (RTR) enables interactive command execution on CrowdStrike Falcon hosts. This API provides read-only commands for investigating hosts without making changes to the system.
All RTR operations require an active session. Sessions expire after 5 minutes of inactivity unless refreshed.

Session Management

Start-FalconSession

Initialize a single-host or batch Real-time Response session.
  • Id (string[], required): Host identifier(s). Use Get-FalconHost to retrieve host IDs.
  • QueueOffline (boolean): Add non-responsive hosts to the offline queue for automatic connection when they come online.
  • ExistingBatchId (string): Add hosts to an existing batch session. Must be a valid batch session UUID.
  • Timeout (int32, default 30): Length of time to wait for a result, in seconds. Valid range: 1-600.
  • HostTimeout (int32): Length of time to wait for a result from target host(s), in seconds. Valid range: 1-600.
Returns: A single-host session returns session_id; a batch session returns batch_id and per-host details.
Required Permission: Real time response: Read
Example: Single Host Session
# Start a session for one host
$Session = Start-FalconSession -Id '1234567890abcdef1234567890abcdef'
Write-Host "Session ID: $($Session.session_id)"
Example: Batch Session
# Start a batch session for multiple hosts
$HostIds = @('1234567890abcdef1234567890abcdef', 'fedcba0987654321fedcba0987654321')
$Batch = Start-FalconSession -Id $HostIds
Write-Host "Batch ID: $($Batch.batch_id)"

Get-FalconSession

Search for existing Real-time Response sessions.
  • Id (string[]): Session identifier(s) to retrieve.
  • Filter (string): Falcon Query Language expression to filter results (e.g., "created_at:>'2024-01-01'").
  • Sort (string): Property and direction to sort results.
  • Limit (int32, default 100): Maximum number of results per request. Valid range: 1-1000.
  • Offset (int32): Position to begin retrieving results for pagination.
  • Cid (switch): Expand search to include all sessions created within your environment (requires additional permission).
  • Queue (switch): Restrict search to sessions in the offline queue.
  • Detailed (switch): Retrieve detailed information for each session.
  • All (switch): Repeat requests until all available results are retrieved.
Required Permission: Real time response: Read (and Real time response audit: Read when using -Cid)
Example: Get Session Details
# Retrieve session information
$SessionInfo = Get-FalconSession -Id $Session.session_id -Detailed

Update-FalconSession

Refresh a session to prevent expiration (extends the 5-minute timeout).
  • HostId (string): Host identifier for a single-host session.
  • BatchId (string): Batch session identifier.
  • QueueOffline (boolean): Add non-responsive hosts to the offline queue.
  • HostToRemove (string[]): Host identifier(s) to remove from a batch session.
  • Timeout (int32, default 30): Length of time to wait for a result, in seconds. Valid range: 1-600.
Required Permission: Real time response: Read
Example: Refresh Session
# Keep session alive during long-running operations
Update-FalconSession -HostId $Session.aid

Remove-FalconSession

Terminate an active Real-time Response session.
  • Id (string, required): Session identifier to remove.
Required Permission: Real time response: Read
Example: Close Session
# Always close sessions when done
Remove-FalconSession -Id $Session.session_id

Read-Only Commands

Invoke-FalconCommand

Execute read-only RTR commands that do not modify the host system.
  • Command (string, required): Real-time Response command to execute. Available commands:
  • cat - Display file contents
  • cd - Change directory
  • clear - Clear screen
  • csrutil - Check System Integrity Protection status (macOS)
  • env - Display environment variables
  • eventlog backup - Backup Windows event logs
  • eventlog export - Export Windows event logs
  • eventlog list - List Windows event logs
  • eventlog view - View Windows event log entries
  • filehash - Calculate file hash
  • getsid - Get security identifier
  • help - Display available commands
  • history - Show command history
  • ifconfig - Display network configuration (Unix/macOS)
  • ipconfig - Display network configuration (Windows)
  • ls - List directory contents
  • mount - Display mounted filesystems
  • netstat - Display network connections
  • ps - List running processes
  • reg query - Query Windows registry
  • users - List logged-in users
  • Argument (string): Arguments to include with the command (e.g., file path, registry key).
  • SessionId (string): Session identifier for single-host execution.
  • BatchId (string): Batch session identifier for multi-host execution.
  • OptionalHostId (string[]): Restrict batch execution to specific host identifiers.
  • Timeout (int32, default 30): Length of time to wait for a result, in seconds. Valid range: 1-600.
  • HostTimeout (int32): Length of time to wait for a result from target host(s), in seconds. Valid range: 1-600.
  • Wait (switch): Automatically poll for command completion using Confirm-FalconCommand.
Required Permission: Real time response: Read
Example: List Processes
# Execute 'ps' command and wait for results
$Result = Invoke-FalconCommand -Command ps -SessionId $Session.session_id -Wait
Write-Host $Result.stdout
Example: Check Registry Key
# Query a Windows registry key (single-quoted strings take literal backslashes; no doubling needed)
$RegCmd = Invoke-FalconCommand -Command 'reg query' `
  -Argument 'HKLM\Software\Microsoft\Windows\CurrentVersion' `
  -SessionId $Session.session_id -Wait
Write-Host $RegCmd.stdout

Confirm-FalconCommand

Verify the status of a read-only command (required to acknowledge command completion).
Failing to confirm commands can lead to unexpected results. Always confirm commands as part of your workflow.
  • CloudRequestId (string, required): Command request identifier returned from Invoke-FalconCommand.
  • SequenceId (int32, default 0): Sequence identifier for command ordering.
Required Permission: Real time response: Read
Example: Manual Confirmation
# Issue command without -Wait
$Command = Invoke-FalconCommand -Command ps -SessionId $Session.session_id

# Poll for completion
do {
  Start-Sleep -Seconds 2
  $Status = Confirm-FalconCommand -CloudRequestId $Command.cloud_request_id
} until ($Status.complete -eq $true)

Write-Host $Status.stdout
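The manual polling loop above runs until the command reports completion, which can spin indefinitely if the host never answers. The helper below is an added example (not part of PSFalcon or this page): it polls Confirm-FalconCommand with a deadline, surfaces stderr and API error objects instead of silently returning empty output, and throws if the deadline passes. The function name, the default timeout values and the assumption that API error objects carry code and message fields are this example's own.

```powershell
function Wait-FalconRtrCommand {
    <#
    .SYNOPSIS
    Poll Confirm-FalconCommand until a read-only command completes or a deadline passes.
    (Added example helper; not a PSFalcon cmdlet.)
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CloudRequestId,
        [int]$TimeoutSeconds  = 120,   # assumed upper bound; raise for slow or remote hosts
        [int]$IntervalSeconds = 2
    )
    $Deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $Status = Confirm-FalconCommand -CloudRequestId $CloudRequestId
        if ($Status.complete -eq $true) {
            # A completed command can still have failed on the host: report it, then return
            if ($Status.stderr) { Write-Warning "stderr from host: $($Status.stderr)" }
            foreach ($e in @($Status.errors)) {
                # 'code' and 'message' are the standard Falcon API error fields (assumed here)
                Write-Warning "RTR error $($e.code): $($e.message)"
            }
            return $Status
        }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $Deadline)
    throw "Command $CloudRequestId did not complete within $TimeoutSeconds seconds"
}

# Usage: issue the command without -Wait, then poll with a bound instead of an open-ended loop
$Command = Invoke-FalconCommand -Command ps -SessionId $Session.session_id
$Result  = Wait-FalconRtrCommand -CloudRequestId $Command.cloud_request_id -TimeoutSeconds 60
$Result.stdout
```

Because the function returns the confirmed status object, callers can branch on `complete`, `stderr` and `errors` the same way they would with `-Wait`, while an unresponsive host produces a thrown error rather than a hung script.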

Remove-FalconCommand

Remove a command from a queued Real-time Response session.
  • SessionId (string, required): Session identifier containing the queued command.
  • CloudRequestId (string, required): Cloud request identifier of the command to remove.
Required Permission: Real time response: Read
Example: Cancel Queued Command
# Remove a command from the offline queue
Remove-FalconCommand -SessionId $Session.session_id -CloudRequestId $Command.cloud_request_id

Workflow Examples

1. Establish Session

Start an RTR session with the target host(s).
# Get-FalconHost returns device IDs directly unless -Detail is used, so take the ID as-is
$HostId = Get-FalconHost -Filter "hostname:'DESKTOP-01'" -Limit 1
$Session = Start-FalconSession -Id $HostId
2. Execute Commands

Run read-only investigation commands.
# Check running processes
$Processes = Invoke-FalconCommand -Command ps -SessionId $Session.session_id -Wait

# List files in suspicious directory (single backslashes: single-quoted strings are literal)
$Files = Invoke-FalconCommand -Command ls -Argument 'C:\Temp' `
  -SessionId $Session.session_id -Wait

# Get file hash
$Hash = Invoke-FalconCommand -Command filehash `
  -Argument 'C:\Temp\suspicious.exe' `
  -SessionId $Session.session_id -Wait
3. Review Results

Examine command output for investigation findings.
Write-Host "Process List:"
$Processes.stdout

Write-Host "Files Found:"
$Files.stdout

Write-Host "File Hash:"
$Hash.stdout
4. Clean Up

Always close sessions to free resources.
Remove-FalconSession -Id $Session.session_id
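The four steps above, folded into one function as an added example (not code from PSFalcon or this page). It adds the two things a practitioner wants when the investigation runs longer than a few commands: the session is refreshed with Update-FalconSession whenever it has been idle for a configurable period (the default stays under the 5-minute expiry), and every result is normalized into an object that records completion, stdout, stderr and API errors so failures are visible before anyone reads the output. The function name, the parameter names, the 240-second refresh threshold and the sample file path are this example's own assumptions; the commands it runs (ps, netstat, users, filehash) are from the read-only list above.

```powershell
function Invoke-FalconReadOnlyTriage {
    <#
    .SYNOPSIS
    Run a fixed set of read-only RTR commands against one host, keeping the session alive
    and always closing it. (Added example; not a PSFalcon cmdlet.)
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostId,
        [string[]]$FilePath = @('C:\Temp\suspicious.exe'),   # constructed sample path
        [int]$RefreshAfterSeconds = 240                       # assumed; below the 5-minute idle limit
    )
    $Session  = $null
    $Findings = [System.Collections.Generic.List[object]]::new()
    try {
        $Session = Start-FalconSession -Id $HostId
        if (-not $Session.session_id) { throw "No session returned for host $HostId" }
        $LastActivity = Get-Date

        # Command/argument pairs to run; all are read-only commands from the list on this page
        $Steps = @(
            @{ Command = 'ps';      Argument = $null }
            @{ Command = 'netstat'; Argument = $null }
            @{ Command = 'users';   Argument = $null }
        )
        foreach ($Path in $FilePath) {
            $Steps += @{ Command = 'filehash'; Argument = $Path }
        }

        foreach ($Step in $Steps) {
            # Refresh only when the session has been idle long enough to be at risk of expiring
            if (((Get-Date) - $LastActivity).TotalSeconds -ge $RefreshAfterSeconds) {
                Update-FalconSession -HostId $HostId | Out-Null
                $LastActivity = Get-Date
            }
            $Params = @{ Command = $Step.Command; SessionId = $Session.session_id; Wait = $true }
            if ($Step.Argument) { $Params['Argument'] = $Step.Argument }
            $Result = Invoke-FalconCommand @Params
            $LastActivity = Get-Date

            # Normalize each result so errors are captured next to the output they belong to
            $Findings.Add([pscustomobject]@{
                HostId   = $HostId
                Command  = $Step.Command
                Argument = $Step.Argument
                Complete = [bool]$Result.complete
                Stdout   = $Result.stdout
                Stderr   = $Result.stderr
                Errors   = (@($Result.errors) | ForEach-Object { $_.message }) -join '; '
            })
        }
    } finally {
        # Runs whether a command threw or not, so the session is never left open
        if ($Session.session_id) { Remove-FalconSession -Id $Session.session_id }
    }
    return $Findings
}

# Usage: resolve the host ID, run the triage, then look at failures before reading output
$HostId = Get-FalconHost -Filter "hostname:'DESKTOP-01'" -Limit 1
$Triage = Invoke-FalconReadOnlyTriage -HostId $HostId -FilePath 'C:\Temp\suspicious.exe'
$Triage | Where-Object { -not $_.Complete -or $_.Errors -or $_.Stderr } |
  Format-Table Command, Argument, Stderr, Errors
$Triage | Where-Object Command -eq 'filehash' | Format-Table Argument, Stdout -Wrap
```

Filtering on `Complete`, `Errors` and `Stderr` first mirrors the "check for errors before proceeding" practice: a filehash row with empty stdout and a populated Stderr field means the file was not found or not readable, not that it has no hash.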

Batch Session Workflow

Complete Batch Investigation
# Investigate multiple hosts simultaneously
# Get-FalconHost returns device IDs (not objects) unless -Detail is used, so -Limit is enough here
$HostIds = Get-FalconHost -Filter "platform_name:'Windows'+last_seen:>'2024-01-01'" -Limit 10

# Start batch session
$Batch = Start-FalconSession -Id $HostIds -QueueOffline $true

# Execute command across all hosts in batch
$BatchResult = Invoke-FalconCommand -Command netstat `
  -Argument '-ano' `
  -BatchId $Batch.batch_id

# Review results for each host ($Host is a read-only automatic variable, so use another name)
foreach ($HostResult in $BatchResult) {
  Write-Host "Host: $($HostResult.aid)"
  if ($HostResult.stdout) {
    Write-Host $HostResult.stdout
  } elseif ($HostResult.errors) {
    Write-Warning "Error: $($HostResult.errors.message)"
  }
}

# Clean up
Remove-FalconSession -Id $Batch.batch_id
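Batch commands return one result per host, and with QueueOffline set some of those hosts will not have answered yet. The function below is an added example (not PSFalcon code): it classifies each per-host result as Completed, CompletedWithStderr, Pending or Error using only the aid, complete, stdout, stderr and errors fields shown on this page, so a large batch can be summarized and the pending hosts picked out for follow-up via the offline queue. The function name and status labels are this example's own.

```powershell
function Get-FalconBatchSummary {
    <#
    .SYNOPSIS
    Summarize the per-host results of a batch Invoke-FalconCommand call.
    (Added example; not a PSFalcon cmdlet.)
    #>
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$BatchResult)
    foreach ($r in $BatchResult) {
        # Order matters: an API error outranks completion state, which outranks stderr
        if ($r.errors) {
            $Status = 'Error'
        } elseif ($r.complete -ne $true) {
            $Status = 'Pending'             # offline-queued or still executing on the host
        } elseif ($r.stderr) {
            $Status = 'CompletedWithStderr'
        } else {
            $Status = 'Completed'
        }
        [pscustomobject]@{
            HostId = $r.aid
            Status = $Status
            Lines  = if ($r.stdout) { @($r.stdout -split "`n").Count } else { 0 }
            Error  = (@($r.errors) | ForEach-Object { $_.message }) -join '; '
        }
    }
}

# Usage against the $BatchResult produced above
$Summary = Get-FalconBatchSummary -BatchResult $BatchResult
$Summary | Group-Object Status | Select-Object Name, Count
$Summary | Where-Object Status -eq 'Error'   | Format-Table HostId, Error -Wrap
$Summary | Where-Object Status -eq 'Pending' | Select-Object -ExpandProperty HostId

# Hosts that were offline when the batch started can be tracked in the offline queue
Get-FalconSession -Queue -Detailed
```

Counting stdout lines rather than printing them keeps the summary readable across ten or a hundred hosts; the full output for any host is still in `$BatchResult` and can be pulled by aid once the summary shows which hosts are worth reading.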

Best Practices

Session Management
  • Sessions expire after 5 minutes of inactivity
  • Use Update-FalconSession to refresh long-running sessions
  • Always close sessions with Remove-FalconSession when done
  • Use QueueOffline for hosts that may be offline
Command Execution
  • Use the -Wait parameter for automatic result polling
  • Always confirm commands to acknowledge completion
  • Batch commands return per-host results
  • Check for errors in command output before proceeding

Error Handling

Robust RTR Workflow
# Initialize so the finally block is safe even if Start-FalconSession throws
$Session = $null
try {
  # Start session
  $Session = Start-FalconSession -Id $HostId

  if ($Session.session_id) {
    # Execute command with error checking
    $Result = Invoke-FalconCommand -Command ps `
      -SessionId $Session.session_id -Wait

    if ($Result.complete) {
      # Process results
      Write-Host $Result.stdout
    } else {
      Write-Warning "Command did not complete"
    }
  } else {
    Write-Error "Failed to create session"
  }
} catch {
  Write-Error "RTR Error: $_"
} finally {
  # Always clean up session
  if ($Session.session_id) {
    Remove-FalconSession -Id $Session.session_id
  }
}
  • RTR Admin - Administrative commands with write access
  • RTR Scripts - Custom script management and execution
