
Overview

Real-time Response (RTR) policies control the level of access administrators have when performing remote operations on endpoints. These policies determine which RTR commands are available for incident response and system management tasks.
Required API Scope: Response policies: Read (for read operations) or Response policies: Write (for write operations)

Get Response Policies

Search for and retrieve Real-time Response policies.
Get-FalconResponsePolicy
Get-FalconResponsePolicy [[-Filter] <string>] [[-Sort] <string>] [[-Limit] <int>] [[-Include] <string[]>] [[-Offset] <int>] [-Detailed] [-All] [-Total]

Parameters

Id
string[]
Policy identifier(s). Pattern: ^[a-fA-F0-9]{32}$
Filter
string
Falcon Query Language (FQL) expression to limit results
Example: platform_name:'Windows'+enabled:true
Sort
string
Property and direction to sort results
Valid values: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc
Limit
int32
Maximum number of results per request (1-5000)
Include
string[]
Include additional properties
Valid values: members
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results

Examples

Get-FalconResponsePolicy -All -Detailed
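An added example (not from the PSFalcon documentation) that uses the retrieval cmdlets above to audit which RTR policies grant file upload or script execution and how many hosts each one reaches. It assumes an authenticated session already exists and that each returned policy carries a settings array of id/value entries with values ENABLED or DISABLED, matching the shape the -Setting parameter describes below.

```powershell
# Added audit example; assumes an existing Request-FalconToken session and that
# each policy object exposes a 'settings' array of { id; value } entries.
$HighImpact = @('RESPONSE_PUT_COMMAND', 'RESPONSE_RUNSCRIPT_COMMAND')

# Pull every policy with full detail; -All handles paging
$Policies = Get-FalconResponsePolicy -All -Detailed

$Report = foreach ($Policy in $Policies) {
    # Collect the high-impact settings that are switched on for this policy
    $Granted = $Policy.settings |
        Where-Object { $_.id -in $HighImpact -and $_.value -eq 'ENABLED' } |
        Select-Object -ExpandProperty id

    if ($Granted) {
        # -Total returns the member count without pulling each host record
        $HostCount = Get-FalconResponsePolicyMember -Id $Policy.id -Total
        [PSCustomObject]@{
            Name       = $Policy.name
            Platform   = $Policy.platform_name
            Enabled    = $Policy.enabled
            Precedence = $Policy.precedence
            Grants     = $Granted -join ', '
            HostCount  = $HostCount
        }
    }
}

# Enabled policies with the widest reach first; disabled ones remain for review
$Report | Sort-Object Enabled, HostCount -Descending | Format-Table -AutoSize
```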

Create Response Policy

Create new Real-time Response policies.
New-FalconResponsePolicy
New-FalconResponsePolicy -Name <string> -PlatformName <string> [[-Description] <string>] [[-Setting] <object[]>]

Parameters

Name
string
required
Policy name
PlatformName
string
required
Operating system platform
Valid values: Windows, Mac, Linux
Description
string
Policy description
Setting
object[]
Policy settings controlling RTR capabilities. Each setting should include id and value properties.
InputObject
object[]
One or more policies to create in a single request (for batch operations, max 100 per request)

Examples

$Settings = @(
    @{ id = 'RESPONSE_GET_COMMAND'; value = 'ENABLED' },
    @{ id = 'RESPONSE_PUT_COMMAND'; value = 'ENABLED' },
    @{ id = 'RESPONSE_RUNSCRIPT_COMMAND'; value = 'ENABLED' }
)
New-FalconResponsePolicy -Name 'Admin RTR Access' -PlatformName 'Windows' -Description 'Full RTR access for administrators' -Setting $Settings

Edit Response Policy

Modify existing Real-time Response policies.
Edit-FalconResponsePolicy
Edit-FalconResponsePolicy -Id <string> [[-Name] <string>] [[-Description] <string>] [[-Setting] <object[]>]

Parameters

Id
string
required
Policy identifier. Pattern: ^[a-fA-F0-9]{32}$
Name
string
Policy name
Description
string
Policy description
Setting
object[]
Policy settings to update. Each setting should contain id and value.
InputObject
object[]
One or more policies to modify in a single request (for batch operations, max 100 per request)

Examples

Edit-FalconResponsePolicy -Id <policy_id> -Description 'Updated RTR policy description'

Remove Response Policy

Remove Real-time Response policies.
Remove-FalconResponsePolicy
Remove-FalconResponsePolicy -Id <string[]>

Parameters

Id
string[]
required
Policy identifier(s) to remove. Pattern: ^[a-fA-F0-9]{32}$

Example

Remove-FalconResponsePolicy -Id <policy_id>

Policy Actions

Perform actions on Real-time Response policies such as enabling/disabling or assigning to host groups.
Invoke-FalconResponsePolicyAction
Invoke-FalconResponsePolicyAction -Name <string> [[-GroupId] <string>] -Id <string>

Parameters

Name
string
required
Action to perform
Valid values: add-host-group, disable, enable, remove-host-group
GroupId
string
Host group identifier. Pattern: ^[a-fA-F0-9]{32}$
Required for: add-host-group, remove-host-group
Id
string
required
Policy identifier. Pattern: ^[a-fA-F0-9]{32}$

Examples

Invoke-FalconResponsePolicyAction -Name enable -Id <policy_id>

Get Policy Members

Search for members (hosts) assigned to Real-time Response policies.
Get-FalconResponsePolicyMember
Get-FalconResponsePolicyMember [[-Id] <string>] [[-Filter] <string>] [[-Sort] <string>] [[-Limit] <int>] [[-Offset] <int>] [-Detailed] [-All] [-Total]

Parameters

Id
string
Policy identifier. Pattern: ^[a-fA-F0-9]{32}$
Filter
string
Falcon Query Language expression to limit results
Sort
string
Property and direction to sort results
Limit
int32
Maximum number of results per request (1-5000)
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results

Example

Get-FalconResponsePolicyMember -Id <policy_id> -Detailed -All

Set Policy Precedence

Set Real-time Response policy precedence order for a specific platform.
Set-FalconResponsePrecedence
Set-FalconResponsePrecedence -PlatformName <string> -Id <string[]>

Parameters

PlatformName
string
required
Operating system platform
Valid values: Windows, Mac, Linux
Id
string[]
required
Policy identifiers in desired precedence order (highest to lowest priority). Pattern: ^[a-fA-F0-9]{32}$
All policy identifiers must be supplied in order, with the exception of the platform_default policy.

Example

$PolicyOrder = @('<policy_id_1>', '<policy_id_2>', '<policy_id_3>')
Set-FalconResponsePrecedence -PlatformName 'Windows' -Id $PolicyOrder
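An added example (not from the PSFalcon documentation) that chains the create, action and precedence cmdlets to roll out a collect-only RTR policy for one host group and place it at the top of the Windows precedence list. It assumes an authenticated session, a placeholder host group id, that New-FalconResponsePolicy returns the created policy object with an id property, and that the platform default policy appears in the policy list under the name platform_default.

```powershell
# Added rollout example; assumes an existing session. The group id is a placeholder.
$GroupId = '<host_group_id>'   # replace with a real 32-character hex host group id

# Only file retrieval is switched on; upload and script execution stay off
$Settings = @(
    @{ id = 'RESPONSE_GET_COMMAND';       value = 'ENABLED' },
    @{ id = 'RESPONSE_PUT_COMMAND';       value = 'DISABLED' },
    @{ id = 'RESPONSE_RUNSCRIPT_COMMAND'; value = 'DISABLED' }
)

# Assumes the cmdlet returns the new policy object (with .id) on success
$Policy = New-FalconResponsePolicy -Name 'Tier1 RTR - Collect Only' -PlatformName 'Windows' `
    -Description 'Evidence collection only; no put or runscript' -Setting $Settings

# Attach the host group first, then enable the policy
Invoke-FalconResponsePolicyAction -Name add-host-group -GroupId $GroupId -Id $Policy.id
Invoke-FalconResponsePolicyAction -Name enable -Id $Policy.id

# Rebuild the Windows precedence list: the new policy first, then the existing
# policies in their current order. platform_default is excluded because
# Set-FalconResponsePrecedence does not accept it (name is an assumption).
$Existing = Get-FalconResponsePolicy -Filter "platform_name:'Windows'" `
    -Sort precedence.asc -All -Detailed |
    Where-Object { $_.name -ne 'platform_default' -and $_.id -ne $Policy.id }

$Order = @($Policy.id) + @($Existing.id)
Set-FalconResponsePrecedence -PlatformName 'Windows' -Id $Order
```

Because the new policy sits first, hosts in the group get collect-only access even if they also belong to a group tied to a broader policy; confirm the result with Get-FalconResponsePolicyMember before relying on it.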

RTR Policy Settings

Real-time Response policies control which commands are available during RTR sessions. Common settings include:
  • Basic Commands: Always available (e.g., ls, cd, ps)
  • Get Commands: File retrieval from endpoints
  • Put Commands: File upload to endpoints
  • RunScript Commands: Execute scripts on endpoints
  • Admin Commands: Advanced system commands (e.g., registry modifications)
Grant RTR permissions carefully. Higher privilege levels allow significant system changes and should be restricted to authorized administrators.
