What are the Falcon user roles for real time response?
User Role: Falcon users must have one of the three Real Time Responder roles to remotely connect to a host. The Falcon Administrator role does not include access to real time response by default. You must assign the appropriate role to each user that needs access to Real Time Response.
What is inversion of control in Falcon?
Similar to other frameworks, Falcon employs the inversion of control (IoC) pattern to coordinate with app methods in order to respond to HTTP requests. Resource responders, middleware methods, hooks, etc. receive a reference to the request and response objects that represent the current in-flight HTTP request.
What is the use of HTTP request object in Falcon?
The app can use these objects to inspect the incoming HTTP request, and to manipulate the outgoing HTTP response. Falcon uses different types to represent HTTP requests and responses for WSGI ( falcon.App) vs. ASGI ( falcon.asgi.App ).
Introduction
This document and video will demonstrate how to use Real Time Response to access and remediate an endpoint with Falcon Insight. Real Time Response provides the tools to limit exposure, remediate systems, and protect the larger environment.
Establish the Session
In the Falcon UI, navigate to Activity > Detections. Commonly, a new detection will be the event that triggers a need for remediation.Directly from a given detection, the “Connect to Host” button allows you to remotely connect and take action.
Run Commands
Once connected, you will be presented with a list of commands and capabilities available in Real Time Response. With the ability to run commands, executables and scripts, the possibilities are endless. A few examples are listed below.
Edit and Run Scripts
In the Real Time Response session, you also have the option to edit and run scripts.
Stage scripts and executables
As a real time response administrator, you also have the option to create and save scripts for repeated use. By opening the summary panel, you see all of the scripts and executables readily available for deployment within your organization.
End the Session
After remediating the system in question and gathering any forensic evidence, you can close the session.
Real Time Response Policies
The default Real Time Response policy allows for basic functionality on managed endpoints. Falcon administrators can create and modify those policies to enable the right level of response actions as needed within the organization or for specific endpoint groups. Detailed documentation on Real Time Response policies is available in the Falcon UI.