34 changes: 33 additions & 1 deletion samples/README.md
Expand Up @@ -69,7 +69,7 @@ The following samples are categorized by CrowdStrike product, and further catego
| [ML Exclusions](#ml-exclusions-samples) | ML Exclusion Audit |
| [Prevention Policies](#prevention-policies-samples) | Clone Prevention Policy<BR/>Create Host Group and attach Prevention Policies<BR/>Prevention Policy Hawk |
| [Incidents](#incidents-samples) | CrowdScore QuickChart<BR/>Incident Triage |
| [Real Time Response](#real-time-response-samples) | Bulk execute a command<BR/>Bulk execute a command (queued)<BR/>Get file from multiple hosts<BR/>Get host uptime<BR/>Get RTR result<BR/>Dump memory for a running process<BR/>My Little RTR<BR/>Remotely restart a sensor while taking a capture<BR/>RTR Script Manager |
| [Real Time Response](#real-time-response-samples) | Bulk execute a command<BR/>Bulk execute a command (queued)<BR/>Get file from multiple hosts<BR/>Get host uptime<BR/>Get RTR result<BR/>Dump memory for a running process<BR/>My Little RTR<BR/>Remotely restart a sensor while taking a capture<BR/>RTR Script Manager<BR/>Stream file download |
| [Sensor Visibility Exclusions](#sensor-visibility-exclusions-samples) | Sensor Visibility Exclusion Audit |
| [Firewall Management](#firewall-management-samples) | Export Firewall events to a file |
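Review bot: the new table cell names the sample "Stream file download", while the index entry and the section heading added in this same change call it "Streaming file download" (and the rtr README calls it "Streaming File Download"); use one name in the table, the index list and the heading so the three cross-references read as the same sample.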

Expand Down Expand Up @@ -1277,6 +1277,7 @@ These samples focus on CrowdStrike's Real Time Response and Real Time Response A
- [My Little RTR](#my-little-rtr)
- [Remotely restart a sensor while taking a capture](#remotely-restart-a-sensor-while-taking-a-capture)
- [Script Manager](#script-manager)
- [Streaming file download](#streaming-file-download)

#### Bulk execute a command
Using this [demonstration](rtr#bulk-execute-a-command-on-matched-hosts), you can execute a command on multiple hosts that have a hostname matching a search string you provide.
Expand Down Expand Up @@ -1480,6 +1481,37 @@ This sample demonstrates the following CrowdStrike Flight Control API operations
| [getChildren](https://www.falconpy.io/Service-Collections/MSSP.html#getchildren) | Get child customer detail by child CID(s). |
| [queryChildren](https://www.falconpy.io/Service-Collections/MSSP.html#querychildren) | Query for customers linked as children. |

---

#### Streaming file download
This [example](rtr#streaming-file-download) demonstrates stream downloading a target binary file from a host.

[![Real Time Response](https://img.shields.io/badge/Service%20Class-Streaming_File_Download-silver?style=for-the-badge&labelColor=C30A16&logo=)](rtr#streaming-file-download)
[![Real Time Response](https://img.shields.io/badge/Uber%20Class-Streaming_File_Download-silver?style=for-the-badge&labelColor=maroon&logo=)](rtr#streaming-file-download)


##### Hosts API operations discussed
This sample demonstrates the following CrowdStrike Hosts API operation:

| Operation | Description |
| :--- | :--- |
| [CombinedDevicesByFilter](https://falconpy.io/Service-Collections/Hosts.html#combineddevicesbyfilter) | Search for hosts in your environment by platform, hostname, IP, and other criteria. Returns full device records. |

##### Real Time Response API operations discussed
This sample demonstrates the following CrowdStrike Real Time Response API operations:

| Operation | Description |
| :--- | :--- |
| [RTR_InitSession](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_initsession) | Initialize a new session with the RTR cloud. |
| [RTR_DeleteSession](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_deletesession) | Delete a session. |
| [RTR_ExecuteActiveResponderCommand](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_executeactiverespondercommand) | Execute an active responder command on a single host. |
| [RTR_CheckActiveResponderCommandStatus](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_executeactiverespondercommand) | Get status of an executed active-responder command on a single host. |
| [RTR_ListFilesV2](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_listfilesv2) | Get a list of files for the specified RTR session. |
| [RTR_GetExtractedFileContents](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_getextractedfilecontents) | Get RTR extracted file contents for specified session and sha256. |
| [RTR_DeleteFileV2](https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_deletefilev2) | Delete a RTR session file. |


---

</details>
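Review bot: the RTR_CheckActiveResponderCommandStatus row links to `https://falconpy.io/Service-Collections/Real-Time-Response.html#rtr_executeactiverespondercommand`, which is the anchor of the RTR_ExecuteActiveResponderCommand row above it; point it at the operation's own anchor (following the lowercase-name pattern of the other rows, `#rtr_checkactiverespondercommandstatus`). The new tables also use the bare `https://falconpy.io/...` host while the Flight Control table just above uses `https://www.falconpy.io/...`; pick one. The one-line description, "stream downloading a target binary file from a host", could add that the file arrives as a 7-zip archive, since that is what the sample's own help text in samples/rtr/README.md states.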

145 changes: 145 additions & 0 deletions samples/rtr/README.md
Expand Up @@ -14,6 +14,7 @@ The examples within this folder focus on leveraging CrowdStrike's Real Time Resp
- [Script Manager](#script-manager) - Upload and delete RTR scripts for use on endpoints.
- [Dump Process Memory](pid-dump) - Dumps the memory for a running process on a target system.
- [My Little RTR](pony) - Retrieve System Information and draws ASCII art.
- [Streaming File Download](#streaming-file-download) - Stream download a file from a target host.


## Bulk execute a command on matched hosts
Expand Down Expand Up @@ -761,4 +762,148 @@ Required arguments:
### Example source code
The source code for this example can be found [here](script_manager.py).

---

## Streaming File Download
This sample creates an RTR session with a target host, and stream downloads the specified file.

### Running the program
In order to run this demonstration, you you will need access to CrowdStrike API keys with the following scopes:

| Service Collection | Scope |
| :---- | :---- |
| Hosts | __READ__ |
| Real Time Response | __READ__, __WRITE__ |

> [!NOTE]
> This program can be executed using an API key that is not scoped for the Hosts service collection. Users will need to provide an AID value for the target host instead of a hostname.

### Execution syntax
This sample leverages simple command-line arguments to implement functionality.

#### Basic usage
Streaming download a specified file from a host by hostname.

```shell
python3 streaming_download_service.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -n TARGET_HOSTNAME -f TARGET_FILENAME
```

Streaming download a specified file from a host by host AID.

```shell
python3 streaming_download_service.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -a TARGET_HOST_AID -f TARGET_FILENAME
```

> [!TIP]
> This sample supports [Environment Authentication](https://falconpy.io/Usage/Authenticating-to-the-API.html#environment-authentication), meaning you can execute any of the command lines shown without providing credentials if you have the values `FALCON_CLIENT_ID` and `FALCON_CLIENT_SECRET` defined in your environment.

```shell
python3 streaming_download_service.py -n TARGET_HOSTNAME -f TARGET_FILENAME
```

Specify the name of the save file used to store the resulting download.

```shell
python3 streaming_download_service.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -n TARGET_HOSTNAME -f TARGET_FILENAME -sf SAVE_FILENAME
```

Disable the pre-existence check for the save file.

> [!NOTE]
> This will overwrite the existing save file with the newly downloaded file.

```shell
python3 streaming_download_service.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -n TARGET_HOSTNAME -f TARGET_FILENAME -o
```

Adjust the chunk size used for streaming the download.

```shell
python3 streaming_download_service.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -n TARGET_HOSTNAME -f TARGET_FILENAME -c CHUNK_SIZE
```

> Activate debugging with the `-d` argument.

```shell
python3 streaming_download_service.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -n TARGET_HOSTNAME -f TARGET_FILENAME -d
```

#### Command-line help
Command-line help is available via the `-h` argument.

```shell
usage: streaming_download_service.py [-h] [-c CHUNK_SIZE] [-o] [-d] -f FILENAME [-sf SAVE_FILE]
(-n HOSTNAME | -a AID) [-k FALCON_CLIENT_ID]
[-s FALCON_CLIENT_SECRET]

Real Time Response API streaming download sample.

._____________._.______ ._______.______ ._____.___ .___ .______ ._____
| ___/\__ _:|: __ \ : .____/: \ : |: __|: \ :_ ___\
|___ \ | :|| \____|| : _/\ | . || \ / || : || || |___
| / | || : \ | / \| : || |\/ || || | || / |
|__:___/ | || |___\|_.: __/|___| ||___| | || ||___| ||. __ |
: |___||___| :/ |___| |___||___| |___| :/ |. |
: :/
:
.______ ._______ ___ .______ .___ ._______ .______ .______ .________
:_ _ \ : .___ \ .___ | |: \ | | : .___ \ : \ :_ _ \ | ___/
| | || : | |: | /\| || || | | : | || . || | ||___ \
| . | || : || |/ : || | || |/\ | : || : || . | || /
|. ____/ \_. ___/ | / ||___| || / \ \_. ___/ |___| ||. ____/ |__:___/
:/ :/ |______/|___| |___||______/ :/ |___| :/ :
: : : : :
:
FalconPy v1.5.0

This sample demonstrates how to perform a streaming download from the
CrowdStrike Real Time Response API. Files are saved as 7-zip archives.

Requirements:
crowdstrike-falconpy v1.5.0+

Creation: 04.23.2025 - jshcodes@CrowdStrike

options:
-h, --help show this help message and exit

behavior:
Download and API behavior arguments.

-c, --chunk_size CHUNK_SIZE
Streaming download chunk size
-o, --overwrite Force overwritting of a pre-existing save file
-d, --debug Enable API debugging

filename:
You must specify a filename to download.
If you do not specify a save filename, it will be saved as "result.7z".

-f, --filename FILENAME
Target filename
-sf, --save_file SAVE_FILE
Name of the saved file

host:
One of the two following arguments must be specified.

-n, --hostname HOSTNAME
Target hostname (use instead of AID)
-a, --aid AID Target host AID (use instead of hostname)

authentication:
If these arguments are not specified, Environment Authentication will be attempted.
Environment Authentication: https://falconpy.io/Usage/Authenticating-to-the-API.html#environment-authentication

-k, --falcon_client_id FALCON_CLIENT_ID
CrowdStrike Falcon API Client ID
-s, --falcon_client_secret FALCON_CLIENT_SECRET
CrowdStrike Falcon API Client Secret
```

### Example source code
The source code for this example can be found [here](streaming_download_service.py).

The source code for the Uber Class version of this example can be found [here](streaming_download_uber.py).

---
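Review bot: "you you will need access" in the Running the program paragraph is a doubled word, and the pasted help output shows "overwritting" for the `-o` option; that text comes from the argparse help string in streaming_download_service.py, so fix it in the script (and in streaming_download_uber.py if it shares the string) and re-paste the output rather than editing the README alone. The help text states that downloads are saved as 7-zip archives and default to "result.7z", but the prose above never says so; add a sentence under Streaming File Download or beside the `-sf` example so readers know the save file is an archive rather than the raw target file. "Activate debugging with the `-d` argument." is the only command description rendered as a `>` blockquote; make it plain text like its siblings. Finally, the Uber Class script is linked only under Example source code; state whether it accepts the same arguments as the Service Class script shown in Execution syntax.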