- 22 Sep 2024
- 2 Minutes to read
- Print
- DarkLight
- PDF
CrowdStrike Falcon - RTR Run Command
- Updated on 22 Sep 2024
- 2 Minutes to read
- Print
- DarkLight
- PDF
Crowdstrike Falcon - RTR Run Command runs a Real-Time-Response command on hosts with a CrowdStrike agent installed. Refer to CrowdStrike RTR documentation for a list of valid commands and their syntax. This Enforcement Action uses the selected query to return a list of assets with CrowdStrike agents installed. Or the Action is run on assets selected on the relevant asset page.
- Not all asset categories are supported for all Enforcement Actions.
- See Actions supported for Activity Logs, Adapters Fetch History, and Asset Investigation modules.
- See Actions supported for Vulnerabilities.
- See Actions supported for Software.
General Settings
- Action name - The name of this Enforcement Action. The system sets a default name. You can change the name.
- Configure Dynamic Values - Toggle on to enter a Dynamic Value statement. See Creating Enforcement Action Dynamic Value Statements to learn more about Dynamic Value statement syntax.
Use stored credentials from CrowdStrike Falcon Adapter - Select this option to use CrowdStrike Falcon connected adapter credentials.
- When you select this option, the Select Adapter Connection drop-down is available, and you can choose which adapter connection to use for this Enforcement Action.
To use this option, you must successfully configure a CrowdStrike Falcon adapter connection.
Required Fields
These fields must be configured to run the Enforcement Set.
- RTR Command - The RTR command that the Enforcement Action will run. The default comment is:
runscript -CloudFile=test_script -CommandLine=```-TestArg 'semi_colon;_in_arg'```
Compute Node - The Axonius node to use when connecting to the specified host. For more details, see Connecting Additional Axonius Nodes.
Additional Fields
These fields are optional.
- CrowdStrike Domain - The hostname of the API server – this could be one of the following:
- https://falconapi.crowdstrike.com (for "legacy" API)
- https://api.crowdstrike.com or https://api.us-2.crowdstrike.com (for the latest API)
- User Name / Client ID and API Key / Secret - The credentials for a user account that has the Required Permissions to run RTR commands.
- Member CID - The Customer ID of the CrowdStrike member.
- Verify SSL (optional) - Select whether to verify the SSL certificate of the server against the CA database inside of Axonius. For more details, see SSL Trust & CA Settings.
- HTTPS Proxy (optional) - Connect the adapter to a proxy instead of directly connecting it to the domain.
- Gateway Name - Select the Gateway through which to connect to perform the action.
APIs
Axonius uses the CrowdStrike API.
Required Ports
Axonius must be able to communicate via the following ports:
- TCP Port 443
Required Permissions
The values supplied in Username / Client ID and API Key / Secret must have host-group write permissions.
For more details about other Enforcement Actions available, see Action Library.