Real-Time Response (RTR) enables interactive command execution on hosts for investigation, remediation, and file collection.

Understanding RTR Sessions

RTR uses sessions to execute commands on hosts. Sessions can be:
  • Single-host sessions: Interactive session with one host
  • Batch sessions: Execute commands across multiple hosts simultaneously

Session Types and Permissions

1. Read-Only Commands: requires the "Real time response: Read" permission. Commands like ls, ps, netstat.
2. Active Responder Commands: requires the "Real time response: Write" permission. Adds get, cp, rm, mkdir.
3. Admin Commands: requires the "Real time response (admin): Write" permission. Adds put, run, runscript, kill.

Starting RTR Sessions

Single-Host Session

# Start a session with a host
$HostId = 'a1b2c3d4e5f6789012345678901234ab'
$Session = Start-FalconSession -Id $HostId

# Session object contains session_id for subsequent commands
$SessionId = $Session.session_id

Batch Session

# Start batch session with multiple hosts
$HostIds = @('a1b2c3d4...', 'b2c3d4e5...', 'c3d4e5f6...')
$BatchSession = Start-FalconSession -Id $HostIds -QueueOffline

$BatchId = $BatchSession.batch_id
The -QueueOffline parameter queues the session for offline hosts. They will execute commands when they come online.

Executing Commands

Read-Only Commands

# Execute 'ps' command
$Command = Invoke-FalconCommand -Command ps -SessionId $SessionId -Wait

# View results
$Command.stdout

Active Responder Commands

# Retrieve a file from the host
$GetCmd = Invoke-FalconResponderCommand -Command get `
  -Argument 'C:\Temp\suspicious.exe' `
  -SessionId $SessionId -Wait

# Check get command status; the result carries the sha256 once the upload to the cloud completes
$GetFile = Confirm-FalconGetFile -SessionId $SessionId

# Download the file (password: 'infected')
Receive-FalconGetFile -SessionId $SessionId -Sha256 $GetFile.sha256 -Path './evidence/suspicious.7z'
Files retrieved via RTR are downloaded as password-protected .7z archives with the password infected. Handle retrieved files according to your security policies.

Admin Commands

# First, upload a 'put' file
Send-FalconPutFile -Path './tools/scanner.exe' -Name 'scanner' -Description 'Security scanner'

# Use put-and-run to execute it
Invoke-FalconAdminCommand -Command 'put-and-run' `
  -Argument 'scanner --quick-scan' `
  -SessionId $SessionId -Wait

Batch Command Execution

Execute Commands Across Multiple Hosts

# Start batch session (Get-FalconHost without -Detailed returns device_id values)
$HostIds = Get-FalconHost -Filter "hostname:'WEB-*'" -All
$Batch = Start-FalconSession -Id $HostIds

# Execute command on all hosts
$Results = Invoke-FalconCommand -Command ps `
  -BatchId $Batch.batch_id `
  -Timeout 60

# Process results from each host
foreach ($HostResult in $Results) {
    Write-Host "Host: $($HostResult.aid)"
    Write-Host $HostResult.stdout
    Write-Host "---"
}

Batch File Retrieval

# Retrieve file from multiple hosts
$GetRequest = Invoke-FalconBatchGet -FilePath 'C:\Logs\application.log' `
  -BatchId $BatchId `
  -Wait

# Check status
Confirm-FalconGetFile -BatchGetCmdReqId $GetRequest.batch_get_cmd_req_id

# Download files from each host ($Host is a read-only automatic variable in PowerShell, so use another name)
foreach ($HostFile in $GetRequest.hosts) {
    if ($HostFile.sha256) {
        Receive-FalconGetFile -SessionId $HostFile.session_id `
          -Sha256 $HostFile.sha256 `
          -Path "./evidence/$($HostFile.aid).7z"
    }
}

Target Specific Hosts in Batch

# Execute on subset of batch hosts using OptionalHostId
$TargetHosts = @('a1b2c3d4...', 'b2c3d4e5...')

Invoke-FalconCommand -Command ls `
  -Argument 'C:\Temp' `
  -BatchId $BatchId `
  -OptionalHostId $TargetHosts
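The batch examples above show the individual calls; the function below is an added example for this page, not part of PSFalcon, that strings them together the way an analyst would in a triage script: run one read-only command against every host matching a filter, write each host's stdout to its own file, report which hosts errored or returned nothing (offline hosts are simply absent from batch results), and release the batch session in a finally block. The function name Invoke-FalconBatchTriage and the per-host result fields aid, complete, stdout, stderr and errors are assumptions based on the output shown on this page.

```powershell
# Added example; Invoke-FalconBatchTriage is an assumed name, not a PSFalcon command.
function Invoke-FalconBatchTriage {
    <#
    .SYNOPSIS
    Run a read-only RTR command across every host matching a filter, save each host's output
    to disk, report hosts that did not return a result, and always close the batch session.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostFilter,   # FQL filter, e.g. "hostname:'WEB-*'"
        [Parameter(Mandatory)][string]$Command,      # read-only command such as ps or netstat
        [string]$Argument,
        [string]$OutputDirectory = './evidence/batch',
        [int]$Timeout = 60
    )
    # Get-FalconHost without -Detailed returns device_id strings
    $HostIds = @(Get-FalconHost -Filter $HostFilter -All)
    if ($HostIds.Count -eq 0) { throw "No hosts matched filter '$HostFilter'" }

    $Batch = Start-FalconSession -Id $HostIds
    try {
        New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null

        $Param = @{ Command = $Command; BatchId = $Batch.batch_id; Timeout = $Timeout }
        if ($Argument) { $Param['Argument'] = $Argument }
        $Results = @(Invoke-FalconCommand @Param)

        # Assumed per-host result fields: aid, complete, stdout, stderr, errors (code/message)
        $Summary = [System.Collections.Generic.List[object]]::new()
        foreach ($Result in $Results) {
            if ($Result.stdout) {
                $OutFile = Join-Path $OutputDirectory "$($Result.aid)_$($Command).txt"
                Set-Content -Path $OutFile -Value $Result.stdout
            }
            $Status = if ($Result.errors) { 'error' } elseif ($Result.complete) { 'complete' } else { 'incomplete' }
            $Summary.Add([pscustomobject]@{
                aid    = $Result.aid
                status = $Status
                stderr = $Result.stderr
                errors = (@($Result.errors) | ForEach-Object { $_.message }) -join '; '
            })
        }
        # Hosts absent from the results (offline, or never joined the batch) still need follow-up
        $Seen = @($Results | ForEach-Object { $_.aid })
        foreach ($Id in ($HostIds | Where-Object { $_ -notin $Seen })) {
            $Summary.Add([pscustomobject]@{ aid = $Id; status = 'no_result'; stderr = $null; errors = $null })
        }
        $Summary
    }
    finally {
        # Release the batch session whether or not the command succeeded
        Remove-FalconSession -Id $Batch.batch_id
    }
}

# Usage: one row per targeted host, so silent hosts stand out next to completed ones
Invoke-FalconBatchTriage -HostFilter "hostname:'WEB-*'" -Command ps |
    Format-Table aid, status, errors -AutoSize
```

The status column is the point of the design: a batch run that "succeeds" for 40 hosts but silently skips 3 offline ones is a gap in coverage, so the function lists every id it targeted rather than only the ids that came back.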

Managing RTR Assets

Put Files

Put files are uploaded to CrowdStrike and can be deployed to hosts:
# Upload a put file
Send-FalconPutFile -Path './tools/collector.exe' `
  -Name 'collector' `
  -Description 'Evidence collector tool' `
  -Comment 'IR tool for incident 2024-001'

# List put files
Get-FalconPutFile -Detailed -All

# Download a put file
Get-FalconPutFile -Filter "name:'collector'" | Receive-FalconPutFile -Path './backup/'

# Delete a put file
Remove-FalconPutFile -Id 'abc123_def456'

Custom Scripts

Upload and manage custom scripts for RTR:
# Upload a script
Send-FalconScript -Path './scripts/memory-dump.ps1' `
  -Name 'memory-dump' `
  -Description 'Capture process memory' `
  -Platform @('windows') `
  -PermissionType group `
  -Comment 'Memory forensics script'

# List scripts
Get-FalconScript -Detailed -All

# Update a script
Edit-FalconScript -Id 'abc123_def456' `
  -Path './scripts/memory-dump-v2.ps1' `
  -Description 'Updated memory capture tool'

# Delete a script
Remove-FalconScript -Id 'abc123_def456'

FalconScript Library

CrowdStrike provides pre-built scripts in the FalconScript library:
# List available library scripts
Get-FalconLibraryScript -Detailed -All

# Find specific script
Get-FalconLibraryScript -Filter "name:*'*network*'" -Detailed

Session Management

List Active Sessions

# List all your sessions
Get-FalconSession -All

# Search sessions by filter
Get-FalconSession -Filter "created_at:>='now-1h'" -Detailed

# View sessions across entire CID (requires audit permission)
Get-FalconSession -Cid -Filter "user_id:'api-client-*'" -All

Queued Sessions

# List queued sessions (for offline hosts)
Get-FalconSession -Id $SessionId -Queue

# Delete queued command
Remove-FalconCommand -SessionId $SessionId -CloudRequestId $CommandId

Close Sessions

# Close a session
Remove-FalconSession -Id $SessionId

# Clean up batch session
Remove-FalconSession -Id $BatchId
Sessions automatically timeout after inactivity. Always close sessions when finished to free resources.

Command Confirmation

Confirm command execution status:
# For read-only commands
Confirm-FalconCommand -CloudRequestId $Command.cloud_request_id -SequenceId 0

# For active responder commands
Confirm-FalconResponderCommand -CloudRequestId $Command.cloud_request_id

# For admin commands
Confirm-FalconAdminCommand -CloudRequestId $Command.cloud_request_id
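Invoke-FalconCommand -Wait performs this polling for you, but a script that needs its own timeout, or that wants to issue a command and come back to it later, has to drive Confirm-FalconCommand itself. The function below is an added example, not part of PSFalcon: it polls a read-only command's status until it completes and gathers every page of output. The name Wait-FalconCommandOutput, and the assumption that the status object exposes complete, sequence_id, stdout and stderr and that a completed response with a higher sequence_id means another page of output follows, are not taken from this page.

```powershell
# Added example; Wait-FalconCommandOutput is an assumed name, not a PSFalcon command.
function Wait-FalconCommandOutput {
    <#
    .SYNOPSIS
    Poll a read-only RTR command with Confirm-FalconCommand until it completes,
    collecting stdout/stderr across all sequence ids, with a hard timeout.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$CloudRequestId,
        [int]$TimeoutSeconds = 120,
        [int]$PollIntervalSeconds = 2
    )
    $Deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $SequenceId = 0
    $Stdout = [System.Text.StringBuilder]::new()
    $Stderr = [System.Text.StringBuilder]::new()

    while ($true) {
        $Status = Confirm-FalconCommand -CloudRequestId $CloudRequestId -SequenceId $SequenceId
        if ($Status.stdout) { [void]$Stdout.Append($Status.stdout) }
        if ($Status.stderr) { [void]$Stderr.Append($Status.stderr) }

        if ($Status.complete) {
            # Assumed: a completed response whose sequence_id is higher than the one
            # requested means long output was chunked and another page is waiting
            if ($Status.sequence_id -and $Status.sequence_id -gt $SequenceId) {
                $SequenceId = $Status.sequence_id
                continue
            }
            break
        }
        if ((Get-Date) -gt $Deadline) {
            throw "Command $CloudRequestId did not complete within $TimeoutSeconds seconds"
        }
        Start-Sleep -Seconds $PollIntervalSeconds
    }

    [pscustomobject]@{
        cloud_request_id = $CloudRequestId
        stdout           = $Stdout.ToString()
        stderr           = $Stderr.ToString()
    }
}

# Usage: issue the command without -Wait, then collect the result under your own timeout
$Cmd = Invoke-FalconCommand -Command ps -SessionId $SessionId
$Output = Wait-FalconCommandOutput -CloudRequestId $Cmd.cloud_request_id -TimeoutSeconds 60
$Output.stdout
```

Throwing on timeout, rather than returning whatever partial output arrived, keeps a truncated process listing from being mistaken for a complete one in evidence.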

Practical Investigation Workflow

1. Identify Suspicious Host

# $Host is a read-only automatic variable in PowerShell, so use a different name
$Device = Get-FalconHost -Filter "hostname:'DESKTOP-INFECTED'" -Detailed

2. Start RTR Session

$Session = Start-FalconSession -Id $Device.device_id
$SessionId = $Session.session_id

3. Gather Process Information

$Processes = Invoke-FalconCommand -Command ps -SessionId $SessionId -Wait
Write-Host $Processes.stdout

4. Check Network Connections

$Network = Invoke-FalconCommand -Command netstat -SessionId $SessionId -Wait
Write-Host $Network.stdout

5. Retrieve Suspicious File

$File = Invoke-FalconResponderCommand -Command get `
  -Argument 'C:\Users\Public\malware.exe' `
  -SessionId $SessionId -Wait

# The sha256 comes from Confirm-FalconGetFile once the upload completes
$GetFile = Confirm-FalconGetFile -SessionId $SessionId
Receive-FalconGetFile -SessionId $SessionId -Sha256 $GetFile.sha256 -Path './evidence/malware.7z'

6. Contain Host

Invoke-FalconHostAction -Name contain -Id $Device.device_id

7. Close Session

Remove-FalconSession -Id $SessionId
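The seven steps above run fine interactively, but as a script they have two weak points: the session is only closed if every earlier step succeeds, and the file download is attempted before the upload has necessarily finished. The function below is an added example, not part of PSFalcon, that wraps the same workflow: collect ps and netstat output into a per-host evidence folder, retrieve one file and wait until Confirm-FalconGetFile reports a sha256, optionally contain the host behind ShouldProcess, and close the session in a finally block whatever happens. The function name Invoke-FalconHostTriage and the assumption that Confirm-FalconGetFile returns objects with a sha256 property are not from this page.

```powershell
# Added example; Invoke-FalconHostTriage is an assumed name, not a PSFalcon command.
function Invoke-FalconHostTriage {
    <#
    .SYNOPSIS
    Collect ps/netstat output and one file from a host over RTR, optionally contain the
    host, and always close the session. Evidence is written under a per-host folder.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][string]$FilePath,      # file to retrieve, e.g. 'C:\Users\Public\malware.exe'
        [string]$EvidenceRoot = './evidence',
        [switch]$Contain,
        [int]$GetFileTimeoutSeconds = 300
    )
    # $Host is reserved in PowerShell, so the host record goes in $Device
    $Device = Get-FalconHost -Filter "hostname:'$Hostname'" -Detailed | Select-Object -First 1
    if (-not $Device) { throw "No host named '$Hostname' found" }

    $EvidenceDir = Join-Path $EvidenceRoot $Device.device_id
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

    $Session = Start-FalconSession -Id $Device.device_id
    $SessionId = $Session.session_id
    $Contained = $false
    try {
        # Volatile state first: process list and network connections
        foreach ($Cmd in 'ps', 'netstat') {
            $Result = Invoke-FalconCommand -Command $Cmd -SessionId $SessionId -Wait
            Set-Content -Path (Join-Path $EvidenceDir "$($Cmd).txt") -Value $Result.stdout
            if ($Result.stderr) { Write-Warning "$Cmd on $Hostname`: $($Result.stderr)" }
        }

        # Request the file, then poll until the upload to the cloud reports a sha256
        Invoke-FalconResponderCommand -Command get -Argument $FilePath -SessionId $SessionId -Wait | Out-Null
        $Deadline = (Get-Date).AddSeconds($GetFileTimeoutSeconds)
        do {
            # Assumed: Confirm-FalconGetFile returns one object per retrieved file with a sha256 property
            $GetFile = Confirm-FalconGetFile -SessionId $SessionId | Where-Object { $_.sha256 } | Select-Object -First 1
            if (-not $GetFile) { Start-Sleep -Seconds 5 }
        } until ($GetFile -or (Get-Date) -gt $Deadline)
        if (-not $GetFile) { throw "File '$FilePath' was not uploaded within $GetFileTimeoutSeconds seconds" }

        # The archive is a .7z protected with the password 'infected'; name it by hash
        $Archive = Join-Path $EvidenceDir "$($GetFile.sha256).7z"
        Receive-FalconGetFile -SessionId $SessionId -Sha256 $GetFile.sha256 -Path $Archive

        # Containment changes the host's network state, so gate it behind -Contain and ShouldProcess
        if ($Contain -and $PSCmdlet.ShouldProcess($Hostname, 'Network contain')) {
            Invoke-FalconHostAction -Name contain -Id $Device.device_id | Out-Null
            $Contained = $true
        }

        [pscustomobject]@{
            hostname   = $Hostname
            device_id  = $Device.device_id
            session_id = $SessionId
            sha256     = $GetFile.sha256
            archive    = $Archive
            contained  = $Contained
        }
    }
    finally {
        # Runs on success or error so the RTR session never lingers
        Remove-FalconSession -Id $SessionId
    }
}

# Usage: add -WhatIf to see the containment step without performing it
Invoke-FalconHostTriage -Hostname 'DESKTOP-INFECTED' -FilePath 'C:\Users\Public\malware.exe' -Contain
```

Keeping the session id in the returned object lets you match the evidence folder to the session later in Get-FalconSession output when the investigation is reviewed.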

Next Steps

Managing Policies

Configure prevention and response policies

Working with Hosts

Query and organize your host inventory
