
Automate Response

Adversaries move fast - eCrime breakout times average under 30 minutes. Manual response can’t keep up. The Falcon platform gives you Real-Time Response (RTR) for live endpoint access, host containment to isolate compromised machines, and workflow orchestration to chain response actions together. Foundry samples show you working patterns. The SDKs and MCP Server let you trigger it all programmatically or through AI.

Automated Containment

Isolate compromised hosts the moment a critical detection fires.

Scale Real Time Response

Execute forensic collection, file remediation, or registry checks across thousands of endpoints.

SOAR Playbooks

Integrate Falcon response actions into your security orchestration platform.

Bulk Remediation

Push scripts, patches, or configuration changes to targeted host groups.

Response Runbooks

Execute predefined response sequences based on detection type.

Execute commands on live endpoints - run scripts, collect files, manage processes, and investigate in real time.

  • Real Time Response - Establish RTR sessions, execute commands, and retrieve results from individual hosts.
  • Real Time Response Admin - Manage RTR scripts, upload put files, and configure admin-level response capabilities.
  • Real Time Response Audit - Review RTR session history and command execution logs for compliance and forensics.

Contain, restore, and manage endpoint state programmatically.

  • Hosts - Perform containment actions (contain, lift_containment), hide/restore hosts, and suppress detections via the PerformActionV2 operation.
  • Alerts - Update alert status and assignment as part of response workflows.
  • Incidents - Manage incident lifecycle - assign, update status, and close incidents programmatically.
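The automated-containment pattern behind the Hosts bullet above, as an added example (not CrowdStrike's code, not the Falcon SDK's, and not from this page): a small playbook that takes a batch of alerts, contains only the distinct hosts behind open alerts at or above a severity threshold, and builds the PerformActionV2 request for them. It assumes, since the page does not say so, that PerformActionV2 is a POST to `/devices/entities/devices-actions/v2` with query parameter `action_name` and a JSON body `{"ids": [...]}`, that at most 100 ids are sent per call, and that an authenticated HTTP client is injected; the `FakeClient`, the alert field names and the sample alerts are constructed so the playbook runs offline.

```python
"""Automated containment on critical alerts (added example, not CrowdStrike's code).

Assumptions not stated on the page: PerformActionV2 is
POST /devices/entities/devices-actions/v2?action_name=<contain|lift_containment>
with body {"ids": [...]}; an authenticated client is injected so this runs offline.
"""
from typing import Iterable, List

PERFORM_ACTION_PATH = "/devices/entities/devices-actions/v2"  # assumed endpoint path
ALLOWED_ACTIONS = {"contain", "lift_containment"}             # only the two actions named on the page
MAX_IDS_PER_CALL = 100                                         # assumed per-request id cap
SEVERITY_RANK = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}  # constructed
INACTIVE_STATUSES = {"closed", "false_positive"}               # never contain on a resolved alert


def should_contain(alert: dict, threshold: str = "critical") -> bool:
    """True when the alert is still open, names a device, and meets the severity threshold."""
    severity = str(alert.get("severity_name", "")).lower()
    status = str(alert.get("status", "")).lower()
    if status in INACTIVE_STATUSES:
        return False
    if not alert.get("device", {}).get("device_id"):
        return False  # nothing to contain
    return SEVERITY_RANK.get(severity, 0) >= SEVERITY_RANK[threshold]


def build_perform_action(action_name: str, device_ids: Iterable[str]) -> dict:
    """Validate inputs and return path/params/body for one PerformActionV2 call."""
    if action_name not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action: {action_name}")
    ids = sorted(set(device_ids))  # de-duplicate so one host is never acted on twice
    if not ids or len(ids) > MAX_IDS_PER_CALL:
        raise ValueError(f"ids must contain 1..{MAX_IDS_PER_CALL} device ids")
    return {"path": PERFORM_ACTION_PATH, "params": {"action_name": action_name}, "json": {"ids": ids}}


class FakeClient:
    """Offline stand-in for an authenticated Falcon HTTP client (constructed)."""

    def __init__(self) -> None:
        self.calls: List[dict] = []
        self.contained: set = set()

    def post(self, path: str, params: dict, json: dict) -> dict:
        self.calls.append({"path": path, "params": dict(params), "json": dict(json)})
        if params["action_name"] == "contain":
            self.contained.update(json["ids"])
        else:
            self.contained.difference_update(json["ids"])
        return {"resources": [{"id": i} for i in json["ids"]], "errors": []}


def run_containment_playbook(alerts: List[dict], client, threshold: str = "critical") -> List[str]:
    """Contain every distinct host behind a qualifying alert; return the ids contained."""
    ids = sorted({a["device"]["device_id"] for a in alerts if should_contain(a, threshold)})
    contained: List[str] = []
    for start in range(0, len(ids), MAX_IDS_PER_CALL):
        req = build_perform_action("contain", ids[start:start + MAX_IDS_PER_CALL])
        resp = client.post(req["path"], req["params"], req["json"])
        if resp.get("errors"):
            raise RuntimeError(f"PerformActionV2 failed: {resp['errors']}")
        contained.extend(r["id"] for r in resp["resources"])
    return contained


# Constructed alerts: two critical on the same host, one critical on another,
# one medium, and one critical that is already closed.
SAMPLE_ALERTS = [
    {"composite_id": "a1", "severity_name": "Critical", "status": "new", "device": {"device_id": "aid-0001"}},
    {"composite_id": "a2", "severity_name": "Critical", "status": "in_progress", "device": {"device_id": "aid-0001"}},
    {"composite_id": "a3", "severity_name": "Critical", "status": "new", "device": {"device_id": "aid-0002"}},
    {"composite_id": "a4", "severity_name": "Medium", "status": "new", "device": {"device_id": "aid-0003"}},
    {"composite_id": "a5", "severity_name": "Critical", "status": "closed", "device": {"device_id": "aid-0004"}},
]

if __name__ == "__main__":
    fake = FakeClient()
    print(run_containment_playbook(SAMPLE_ALERTS, fake))  # ['aid-0001', 'aid-0002']
    print(fake.calls)
```

Running this against a real tenant means replacing `FakeClient` with an authenticated client that has the Hosts write scope; the threshold and the inactive-status filter are the two knobs that keep a noisy detection source from containing hosts that an analyst has already triaged.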

Orchestrate multi-step response sequences and schedule recurring operations.

  • Workflows - Build and execute automated security workflows within the Falcon platform.
  • IT Automation - Automate IT operations tasks across your endpoint fleet.
  • On Demand Scan (ODS) - Trigger on-demand malware scans on targeted hosts.
  • Quick Scan - Submit files for rapid malware analysis.
  • Quick Scan Pro - Advanced file scanning with deeper analysis capabilities.
  • Scheduled Reports - Automate recurring reports on response metrics and containment status.

Manage quarantined files and submit samples for analysis.

  • Quarantine - Query and manage quarantined files on endpoints.
  • Sample Uploads - Upload malware samples for analysis and intelligence enrichment.

Two Foundry samples demonstrate response automation patterns directly. The Rapid Response sample patches, uploads, and removes files from hosts using RTR scripts combined with Fusion SOAR workflows and a UI extension for operator control. The Scalable RTR sample orchestrates file and registry verification across Windows endpoints at scale - a pattern for any bulk remediation workflow.

The Falcon MCP Server supports response actions directly through AI assistants.

An analyst can contain a host, create blocking IOCs, and verify containment status without leaving their AI assistant. See editor setup for Claude Desktop, VS Code, or Gemini CLI.