Real Time Response Admin
API Function | Description |
---|---|
BatchAdminCmd | Batch executes a RTR administrator command across the hosts mapped to the given batch ID. |
RTR_CheckAdminCommandStatus | Get status of an executed RTR administrator command on a single host. |
RTR_ExecuteAdminCommand | Execute a RTR administrator command on a single host. |
RTR_GetPut_Files | Get put-files based on the IDs given. These are used for the RTR put command. |
RTR_CreatePut_Files | Upload a new put-file to use for the RTR put command. |
RTR_DeletePut_Files | Delete a put-file based on the ID given. Can only delete one file at a time. |
RTR_GetScripts | Get custom-scripts based on the IDs given. These are used for the RTR runscript command. |
RTR_CreateScripts | Upload a new custom-script to use for the RTR runscript command. |
RTR_DeleteScripts | Delete a custom-script based on the ID given. Can only delete one script at a time. |
RTR_UpdateScripts | Upload a new script to replace an existing one. |
RTR_ListPut_Files | Get a list of put-file IDs that are available to the user for the put command. |
RTR_ListScripts | Get a list of custom-script IDs that are available to the user for the runscript command. |
Batch executes a RTR administrator command across the hosts mapped to the given batch ID.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | timeout | query | integer | Timeout for how long to wait for the request in seconds; the default timeout is 30 seconds. Maximum is 10 minutes. |
| | timeout_duration | query | string | Timeout duration for how long to wait for the request in duration syntax, for example `10s`. Valid units: ns, us, ms, s, m, h. Maximum is 10 minutes. |
| ✅ | body | body | string | Use this endpoint to run these real time response commands: cat, cd, clear, cp, encrypt, env, eventlog, filehash, get, getsid, help, history, ipconfig, kill, ls, map, memdump, mkdir, mount, mv, netstat, ps, put, reg query, reg set, reg delete, reg load, reg unload, restart, rm, run, runscript, shutdown, unmap, update history, update install, update list, update query, xmemdump, zip. Body fields: `base_command`, the Active-Responder command type to execute, for example `get` or `cp` (refer to the RTR documentation for the full list of commands); `batch_id`, the batch ID to execute the command on, received from `/real-time-response/combined/init-sessions/v1`; `command_string`, the full command string for the command, for example `get some_file.txt`; `optional_hosts`, a list of a subset of hosts to run the command on. If this list is supplied, only these hosts receive the command. |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'timeout': 30,              # integer, seconds; maximum is 10 minutes
    'timeout_duration': '30s'   # string, duration syntax (ns, us, ms, s, m, h)
}
BODY = {
    'base_command': 'get',                  # command type, for example get or cp
    'batch_id': 'string',                   # from /real-time-response/combined/init-sessions/v1
    'command_string': 'get some_file.txt',  # full command string
    'optional_hosts': ['string']            # optional; omit to target every host in the batch
}
response = falcon.BatchAdminCmd(parameters=PARAMS, body=BODY)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'timeout': 30,              # integer, seconds; maximum is 10 minutes
    'timeout_duration': '30s'   # string, duration syntax (ns, us, ms, s, m, h)
}
BODY = {
    'base_command': 'get',                  # command type, for example get or cp
    'batch_id': 'string',                   # from /real-time-response/combined/init-sessions/v1
    'command_string': 'get some_file.txt',  # full command string
    'optional_hosts': ['string']            # optional; omit to target every host in the batch
}
response = falcon.command('BatchAdminCmd', parameters=PARAMS, body=BODY)
print(response)
falcon.deauthenticate()
```
Get status of an executed RTR administrator command on a single host.
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | cloud_request_id | query | string | Cloud Request ID of the executed command to query |
✅ | sequence_id | query | integer | Sequence ID that we want to retrieve. Command responses are chunked across sequences |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'cloud_request_id': 'string',   # Cloud Request ID of the executed command
    'sequence_id': 0                # integer; responses are chunked across sequences
}
response = falcon.RTR_CheckAdminCommandStatus(parameters=PARAMS)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'cloud_request_id': 'string',   # Cloud Request ID of the executed command
    'sequence_id': 0                # integer; responses are chunked across sequences
}
response = falcon.command('RTR-CheckAdminCommandStatus', parameters=PARAMS)
print(response)
falcon.deauthenticate()
```
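BatchAdminCmd and RTR_CheckAdminCommandStatus are normally used together: submit the command, then read its output chunk by chunk. The following is an added example of mine, not code from the FalconPy wiki or the falconpy package; it builds the BatchAdminCmd body from the fields documented above and reassembles a command's output from status chunks. It assumes (this page does not show it) that each status response carries `complete`, `stdout` and `stderr` in `body['resources'][0]` and that chunks are read with increasing `sequence_id`; the FalconPy method is passed in, so the block runs offline against the constructed stand-in at the bottom.

```python
# Added example (mine, not from the FalconPy wiki or the falconpy package).
# Assumed, not shown on this page: a status response holds 'complete',
# 'stdout' and 'stderr' in body['resources'][0], and output chunks are
# read with increasing sequence_id until 'complete' is true.

# Commands the admin endpoint accepts, copied from the body description.
ADMIN_COMMANDS = {
    "cat", "cd", "clear", "cp", "encrypt", "env", "eventlog", "filehash",
    "get", "getsid", "help", "history", "ipconfig", "kill", "ls", "map",
    "memdump", "mkdir", "mount", "mv", "netstat", "ps", "put", "reg query",
    "reg set", "reg delete", "reg load", "reg unload", "restart", "rm",
    "run", "runscript", "shutdown", "unmap", "update history",
    "update install", "update list", "update query", "xmemdump", "zip",
}

def build_batch_admin_body(batch_id, command_string, optional_hosts=None):
    """Return the BatchAdminCmd body, deriving base_command from the string."""
    tokens = command_string.split()
    if not tokens:
        raise ValueError("empty command string")
    # Two-word commands such as "reg query" take precedence over "reg".
    base = " ".join(tokens[:2])
    if base not in ADMIN_COMMANDS:
        base = tokens[0]
    if base not in ADMIN_COMMANDS:
        raise ValueError(f"{base!r} is not an RTR admin command")
    body = {"base_command": base, "batch_id": batch_id,
            "command_string": " ".join(tokens)}
    if optional_hosts:  # omit to target every host in the batch
        body["optional_hosts"] = list(optional_hosts)
    return body

def collect_admin_output(check_status, cloud_request_id, max_chunks=64):
    """Join stdout/stderr chunks for cloud_request_id until complete.

    check_status uses FalconPy's calling convention, e.g.
    falcon.RTR_CheckAdminCommandStatus(parameters={...}).
    """
    stdout, stderr = [], []
    for sequence_id in range(max_chunks):
        resp = check_status(parameters={"cloud_request_id": cloud_request_id,
                                        "sequence_id": sequence_id})
        if resp["status_code"] != 200:
            raise RuntimeError(f"status check returned {resp['status_code']}")
        chunk = resp["body"]["resources"][0]
        stdout.append(chunk.get("stdout", ""))
        stderr.append(chunk.get("stderr", ""))
        if chunk.get("complete"):
            return {"stdout": "".join(stdout), "stderr": "".join(stderr),
                    "chunks": sequence_id + 1}
    raise RuntimeError(f"no completion after {max_chunks} chunks")

def constructed_status(parameters):
    """Offline stand-in for falcon.RTR_CheckAdminCommandStatus (constructed)."""
    chunks = [("line 1\n", False), ("line 2\n", True)]
    out, done = chunks[parameters["sequence_id"]]
    return {"status_code": 200, "body": {"resources": [
        {"stdout": out, "stderr": "", "complete": done}]}}
```

Against a live client, pass `falcon.RTR_CheckAdminCommandStatus` in place of `constructed_status`.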
Execute a RTR administrator command on a single host.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | body | body | string | Use this endpoint to run these real time response commands: cat, cd, clear, cp, encrypt, env, eventlog, filehash, get, getsid, help, history, ipconfig, kill, ls, map, memdump, mkdir, mount, mv, netstat, ps, put, reg query, reg set, reg delete, reg load, reg unload, restart, rm, run, runscript, shutdown, unmap, update history, update install, update list, update query, xmemdump, zip. Required values (the rest of the fields are unused): `base_command`, the Active-Responder command type to execute, for example `get` or `cp` (refer to the RTR documentation for the full list of commands); `command_string`, the full command string for the command, for example `get some_file.txt`; `session_id`, the RTR session ID to run the command on. |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

BODY = {
    'base_command': 'get',                  # command type, for example get or cp
    'command_string': 'get some_file.txt',  # full command string
    'session_id': 'string'                  # RTR session ID to run the command on
}
response = falcon.RTR_ExecuteAdminCommand(body=BODY)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

BODY = {
    'base_command': 'get',                  # command type, for example get or cp
    'command_string': 'get some_file.txt',  # full command string
    'session_id': 'string'                  # RTR session ID to run the command on
}
response = falcon.command('RTR-ExecuteAdminCommand', body=BODY)
print(response)
falcon.deauthenticate()
```
Get put-files based on the IDs given. These are used for the RTR put command.
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | ids | query | array (string) | File IDs |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1,ID2,ID3'   # comma-separated put-file IDs
response = falcon.RTR_GetPut_Files(ids=IDS)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1,ID2,ID3'   # comma-separated put-file IDs
response = falcon.command('RTR-GetPut-Files', ids=IDS)
print(response)
falcon.deauthenticate()
```
Upload a new put-file to use for the RTR put command.
- Consumes: multipart/form-data
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | file | formData | file | put-file to upload |
| ✅ | description | formData | string | File description |
| | name | formData | string | File name (if different than actual file name) |
| | comments_for_audit_log | formData | string | The audit log comment |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PAYLOAD = {
    'description': 'string',
    'name': 'string',
    'comments_for_audit_log': 'string'
}
# Multipart upload tuple: (form field, (file name, file bytes, content type))
with open('testfile.jpg', 'rb') as upload:
    FILES = [('file', ('testfile.jpg', upload.read(), 'image/jpg'))]
response = falcon.RTR_CreatePut_Files(data=PAYLOAD, files=FILES)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PAYLOAD = {
    'description': 'string',
    'name': 'string',
    'comments_for_audit_log': 'string'
}
# Multipart upload tuple: (form field, (file name, file bytes, content type))
with open('testfile.jpg', 'rb') as upload:
    FILES = [('file', ('testfile.jpg', upload.read(), 'image/jpg'))]
response = falcon.command('RTR-CreatePut-Files', data=PAYLOAD, files=FILES)
print(response)
falcon.deauthenticate()
```
Delete a put-file based on the ID given. Can only delete one file at a time.
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | ids | query | string | File id |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1'   # a single put-file ID; only one file can be deleted per call
response = falcon.RTR_DeletePut_Files(ids=IDS)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1'   # a single put-file ID; only one file can be deleted per call
response = falcon.command('RTR-DeletePut-Files', ids=IDS)
print(response)
falcon.deauthenticate()
```
Get custom-scripts based on the IDs given. These are used for the RTR runscript command.
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | ids | query | array (string) | File IDs |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1,ID2,ID3'   # comma-separated custom-script IDs
response = falcon.RTR_GetScripts(ids=IDS)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1,ID2,ID3'   # comma-separated custom-script IDs
response = falcon.command('RTR-GetScripts', ids=IDS)
print(response)
falcon.deauthenticate()
```
Upload a new custom-script to use for the RTR runscript command.
- Consumes: multipart/form-data
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | file | formData | file | custom-script file to upload. These should be PowerShell scripts. |
| ✅ | description | formData | string | File description |
| | name | formData | string | File name (if different than actual file name) |
| | comments_for_audit_log | formData | string | The audit log comment |
| ✅ | permission_type | formData | string | Permission for the custom-script. Valid permission values: `private`, usable by only the user who uploaded it; `group`, usable by all RTR Admins; `public`, usable by all active-responders and RTR admins |
| | content | formData | string | The script text that you want to use to upload |
| | platform | formData | array (string) | Platforms for the file. Currently supports: windows, mac, linux. If no platform is provided, it will default to 'windows' |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PAYLOAD = {
    'description': 'string',
    'name': 'string',
    'comments_for_audit_log': 'string',
    'permission_type': 'private',   # private, group or public
    'content': 'string',            # script text, if not uploading a file
    'platform': [
        'windows',                  # windows, mac or linux; defaults to windows
        'linux'
    ]
}
# Multipart upload tuple: (form field, (file name, file bytes, content type));
# the file name is a placeholder, custom-scripts should be PowerShell scripts
with open('testscript.ps1', 'rb') as upload:
    FILES = [('file', ('testscript.ps1', upload.read(), 'text/plain'))]
response = falcon.RTR_CreateScripts(data=PAYLOAD, files=FILES)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PAYLOAD = {
    'description': 'string',
    'name': 'string',
    'comments_for_audit_log': 'string',
    'permission_type': 'private',   # private, group or public
    'content': 'string',            # script text, if not uploading a file
    'platform': [
        'windows',                  # windows, mac or linux; defaults to windows
        'linux'
    ]
}
# Multipart upload tuple: (form field, (file name, file bytes, content type));
# the file name is a placeholder, custom-scripts should be PowerShell scripts
with open('testscript.ps1', 'rb') as upload:
    FILES = [('file', ('testscript.ps1', upload.read(), 'text/plain'))]
response = falcon.command('RTR-CreateScripts', data=PAYLOAD, files=FILES)
print(response)
falcon.deauthenticate()
```
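The form fields above are the same for RTR_CreateScripts and, with an `id`, RTR_UpdateScripts. The following added example (mine, not code from the FalconPy wiki or the falconpy package) builds the `data` and `files` arguments for either call, checks `permission_type` and `platform` against the values listed in the table, and records the script's SHA-256 in `comments_for_audit_log` so the audit trail identifies exactly which content was uploaded; the function and constant names are my own.

```python
# Added example (mine, not from the FalconPy wiki or the falconpy package).
# Builds the data/files arguments for RTR_CreateScripts and, when script_id
# is given, RTR_UpdateScripts, from the form fields documented above.
import hashlib

VALID_PERMISSIONS = {"private", "group", "public"}   # from permission_type
VALID_PLATFORMS = {"windows", "mac", "linux"}        # from platform


def script_sha256(content):
    """Hex SHA-256 of the script text, recorded in the audit-log comment."""
    if isinstance(content, str):
        content = content.encode("utf-8")
    return hashlib.sha256(content).hexdigest()


def build_script_upload(name, content, description, permission_type="private",
                        platforms=None, comment="", script_id=None):
    """Return (data, files) for falcon.RTR_CreateScripts / RTR_UpdateScripts."""
    if permission_type not in VALID_PERMISSIONS:
        raise ValueError(f"permission_type must be one of {sorted(VALID_PERMISSIONS)}")
    # The endpoint defaults to 'windows' when no platform is given; set it
    # explicitly so the target platform is visible in the request.
    platforms = list(platforms or ["windows"])
    unsupported = set(platforms) - VALID_PLATFORMS
    if unsupported:
        raise ValueError(f"unsupported platform(s): {sorted(unsupported)}")
    if isinstance(content, str):
        content = content.encode("utf-8")
    data = {
        "name": name,
        "description": description,
        "permission_type": permission_type,
        "platform": platforms,
        # Tie the audit entry to the exact bytes uploaded.
        "comments_for_audit_log": f"{comment} sha256={script_sha256(content)}".strip(),
    }
    if script_id is not None:
        data["id"] = script_id   # RTR_UpdateScripts: ID to update
    # Same tuple layout the page uses: (form field, (file name, bytes, content type)).
    files = [("file", (name, content, "text/plain"))]
    return data, files
```

Pass the result as `falcon.RTR_CreateScripts(data=data, files=files)` or, with `script_id` set, to `falcon.RTR_UpdateScripts`.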
Delete a custom-script based on the ID given. Can only delete one script at a time.
- Produces: application/json
Required | Name | Type | Datatype | Description |
---|---|---|---|---|
✅ | ids | query | string | File id |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1'   # a single custom-script ID; only one script can be deleted per call
response = falcon.RTR_DeleteScripts(ids=IDS)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

IDS = 'ID1'   # a single custom-script ID; only one script can be deleted per call
response = falcon.command('RTR-DeleteScripts', ids=IDS)
print(response)
falcon.deauthenticate()
```
Upload a new script to replace an existing one.
- Consumes: multipart/form-data
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| ✅ | id | formData | string | ID to update |
| | file | formData | file | custom-script file to upload. These should be PowerShell scripts. |
| | description | formData | string | File description |
| | name | formData | string | File name (if different than actual file name) |
| | comments_for_audit_log | formData | string | The audit log comment |
| | permission_type | formData | string | Permission for the custom-script. Valid permission values: `private`, usable by only the user who uploaded it; `group`, usable by all RTR Admins; `public`, usable by all active-responders and RTR admins |
| | content | formData | string | The script text that you want to use to upload |
| | platform | formData | array (string) | Platforms for the file. Currently supports: windows, mac, linux. If no platform is provided, it will default to 'windows' |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PAYLOAD = {
    'id': 'string',                 # ID of the custom-script to update
    'description': 'string',
    'name': 'string',
    'comments_for_audit_log': 'string',
    'permission_type': 'private',   # private, group or public
    'content': 'string',            # script text, if not uploading a file
    'platform': [
        'windows',                  # windows, mac or linux; defaults to windows
        'linux'
    ]
}
# Multipart upload tuple: (form field, (file name, file bytes, content type));
# the file name is a placeholder, custom-scripts should be PowerShell scripts
with open('testscript.ps1', 'rb') as upload:
    FILES = [('file', ('testscript.ps1', upload.read(), 'text/plain'))]
response = falcon.RTR_UpdateScripts(data=PAYLOAD, files=FILES)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PAYLOAD = {
    'id': 'string',                 # ID of the custom-script to update
    'description': 'string',
    'name': 'string',
    'comments_for_audit_log': 'string',
    'permission_type': 'private',   # private, group or public
    'content': 'string',            # script text, if not uploading a file
    'platform': [
        'windows',                  # windows, mac or linux; defaults to windows
        'linux'
    ]
}
# Multipart upload tuple: (form field, (file name, file bytes, content type));
# the file name is a placeholder, custom-scripts should be PowerShell scripts
with open('testscript.ps1', 'rb') as upload:
    FILES = [('file', ('testscript.ps1', upload.read(), 'text/plain'))]
response = falcon.command('RTR-UpdateScripts', data=PAYLOAD, files=FILES)
print(response)
falcon.deauthenticate()
```
Get a list of put-file IDs that are available to the user for the put command.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | filter | query | string | Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. |
| | offset | query | string | Starting index of overall result set from which to return ids. |
| | limit | query | integer | Number of ids to return. |
| | sort | query | string | Sort by spec. Ex: 'created_at |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'filter': 'string',   # optional FQL filter
    'offset': '0',        # string; starting index of the overall result set
    'limit': 100,         # integer; number of IDs to return
    'sort': 'string'      # sort spec
}
response = falcon.RTR_ListPut_Files(parameters=PARAMS)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'filter': 'string',   # optional FQL filter
    'offset': '0',        # string; starting index of the overall result set
    'limit': 100,         # integer; number of IDs to return
    'sort': 'string'      # sort spec
}
response = falcon.command('RTR-ListPut-Files', parameters=PARAMS)
print(response)
falcon.deauthenticate()
```
Get a list of custom-script IDs that are available to the user for the runscript command.
- Produces: application/json
| Required | Name | Type | Datatype | Description |
|---|---|---|---|---|
| | filter | query | string | Optional filter criteria in the form of an FQL query. For more information about FQL queries, see our FQL documentation in Falcon. |
| | offset | query | string | Starting index of overall result set from which to return ids. |
| | limit | query | integer | Number of ids to return. |
| | sort | query | string | Sort by spec. Ex: 'created_at |
```python
from falconpy import real_time_response_admin as FalconRTRAdmin

falcon = FalconRTRAdmin.Real_Time_Response_Admin(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'filter': 'string',   # optional FQL filter
    'offset': '0',        # string; starting index of the overall result set
    'limit': 100,         # integer; number of IDs to return
    'sort': 'string'      # sort spec
}
response = falcon.RTR_ListScripts(parameters=PARAMS)
print(response)
```
```python
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

PARAMS = {
    'filter': 'string',   # optional FQL filter
    'offset': '0',        # string; starting index of the overall result set
    'limit': 100,         # integer; number of IDs to return
    'sort': 'string'      # sort spec
}
response = falcon.command('RTR-ListScripts', parameters=PARAMS)
print(response)
falcon.deauthenticate()
```