
CrowdStrike Falcon - Get Endpoint Forensics Data

This Playbook is part of the CrowdStrike Falcon Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is part of the 'Malware Investigation And Response' pack. For more information, refer to

This playbook extracts data from the host using Real Time Response (RTR) commands, for example commands that list the running processes and the network connections.


Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • CrowdStrikeFalcon

Scripts

This playbook does not use any scripts.

Commands

  • cs-falcon-search-device
  • cs-falcon-rtr-list-network-stats
  • cs-falcon-rtr-list-processes

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| DeviceId | The ID of the host to use. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| CrowdStrike.Command | The results of the forensics commands. | string |
| CrowdStrike.Device | The CrowdStrike device's information. | unknown |
| Endpoint | The device's information. | unknown |

Playbook Image

[Playbook diagram: CrowdStrike Falcon - Get Endpoint Forensics Data]