Skip to content
CrowdStrike Developer Center

Real Time Response

The Real Time Response service collection provides operations for managing and executing real-time response sessions on CrowdStrike Falcon-protected hosts. Initialize single or batch RTR sessions, execute read-only and active-responder commands, retrieve command status, manage session files, handle queued sessions, and query session IDs.

LanguageLast Update
Pythonv1.5.0
PowerShellv2.2.9
Gov0.20.0
TypeScriptv0.6.0
Rustv0.7.0
Rubyv1.2.0

This service collection has code examples posted to the repository.

Table of Contents

Section titled “Table of Contents”
OperationDescription
RTR_AggregateSessions
aggregate_sessions		Get aggregates on session data.
BatchActiveResponderCmd
batch_active_responder_command		Batch executes a RTR active-responder command across the hosts mapped to the given batch ID.
BatchCmd
batch_command		Batch executes a RTR read-only command across the hosts mapped to the given batch ID.
BatchGetCmdStatus
batch_get_command_status		Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.
BatchGetCmd
batch_get_command		Batch executes get command across hosts to retrieve files. After this call is made BatchGetCmdStatus is used to query for the results.
BatchInitSessions
batch_init_sessions		Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.
BatchRefreshSessions
batch_refresh_sessions		Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 5 minutes unless refreshed.
RTR_CheckActiveResponderCommandStatus
check_active_responder_command_status		Get status of an executed active-responder command on a single host.
RTR_ExecuteActiveResponderCommand
execute_active_responder_command		Execute an active responder command on a single host.
RTR_CheckCommandStatus
check_command_status		Get status of an executed command on a single host.
RTR_ExecuteCommand
execute_command		Execute a command on a single host.
RTR_GetExtractedFileContents
get_extracted_file_contents		Get RTR extracted file contents for specified session and sha256.
RTR_ListFiles
list_files		Get a list of files for the specified RTR session.
RTR_ListFilesV2
list_files_v2		Get a list of files for the specified RTR session. (Expanded output detail.)
RTR_DeleteFile
delete_file		Delete a RTR session file.
RTR_DeleteFileV2
delete_file_v2		Delete a RTR session file. (Expanded output detail, use with RTR_ListFilesV2.)
RTR_ListQueuedSessions
list_queued_sessions		Get queued session metadata by session ID.
RTR_DeleteQueuedSession
delete_queued_session		Delete a queued session command.
RTR_PulseSession
pulse_session		Refresh a session timeout on a single host.
RTR_ListSessions
list_sessions		Get session metadata by session id.
RTR_InitSession
init_session		Initialize a new session with the RTR cloud.
RTR_DeleteSession
delete_session		Delete a session.
RTR_ListAllSessions
list_all_sessions		Get a list of session_ids.

RTR_AggregateSessions

Section titled “RTR_AggregateSessions”

Get aggregates on session data.

POST /real-time-response/aggregates/sessions/GET/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 aggregate_sessions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodylist of dictionariesFull body payload in JSON format.
date_rangesbodylist of dictionariesApplies to date_range aggregations.

Example:
[
  {
    “from”: “2016-05-28T09:00:31Z”,
    “to”: “2016-05-30T09:00:31Z”
  },
  {
    “from”: “2016-06-01T09:00:31Z”,
    “to”: “2016-06-10T09:00:31Z”
  }
]
excludebodystringElements to exclude.
fieldbodystringThe field on which to compute the aggregation.
filterbodystringFQL syntax formatted string to use to filter the results.
frombodyintegerStarting position.
includebodystringElements to include.
intervalbodystringTime interval for date histogram aggregations. Valid values include: year, month, week, day, hour, minute.
max_doc_countbodyintegerOnly return buckets if values are less than or equal to the value here.
min_doc_countbodyintegerOnly return buckets if values are greater than or equal to the value here.
missingbodystringMissing is the value to be used when the aggregation field is missing from the object. In other words, the missing parameter defines how documents that are missing a value should be treated. By default they will be ignored, but it is also possible to treat them as if they had a value.
namebodystringName of the aggregate query, as chosen by the user. Used to identify the results returned to you.
qbodystringFull text search across all metadata fields.
rangesbodylist of dictionariesApplies to range aggregations. Ranges values will depend on field.

For example, if max_severity is used, ranges might look like:
[
  {
    “From”: 0,
    “To”: 70
  },
  {
    “From”: 70,
    “To”: 100
  }
]
sizebodyintegerThe max number of term buckets to be returned.
sub_aggregatesbodylist of dictionariesA nested aggregation, such as:
[
  {
    “name”: “max_first_behavior”,
    “type”: “max”,
    “field”: “first_behavior”
  }
]

There is a maximum of 3 nested aggregations per request.
sortbodystringFQL syntax string to sort bucket results. _count - sort by document count, _term - sort by the string value alphabetically. Supports asc and desc using | format.

Example: _count|desc
time_zonebodystringTime zone for bucket results.
typebodystringType of aggregation. Valid values include:
date_histogram — Aggregates counts on a specified time interval. Requires use of “interval” field.
date_range — Aggregates counts on custom defined date range buckets. Can include multiple ranges. (Similar to time series, but the bucket sizes are variable). Date formats to follow ISO 8601.
terms — Buckets alerts by the value of a specified field.
range — Buckets alerts by specified (numeric) ranges of a specified field.
cardinality — Returns the count of distinct values in a specified field.
max — Returns the maximum value of a specified field.
min — Returns the minimum value of a specified field.
avg — Returns the average value of the specified field.
sum — Returns the total sum of all values for the specified field.
percentiles — Returns the following percentiles for the specified field: 1, 5, 25, 50, 75, 95, 99.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


ranges = [
    {
        "From": 0,
        "To": 0
    }
]


response = falcon.aggregate_sessions(date_ranges="string",
                                     exclude="string",
                                     field="string",
                                     filter="string",
                                     from=integer,
                                     include="string",
                                     interval="string",
                                     max_doc_count=integer,
                                     min_doc_count=integer,
                                     missing="string",
                                     name="string",
                                     q="string",
                                     ranges=ranges,
                                     size=integer,
                                     sort="string",
                                     sub_aggregates=["string"],
                                     time_zone="string",
                                     type="string")
print(response)

BatchActiveResponderCmd

Section titled “BatchActiveResponderCmd”

Batch executes a RTR active-responder command across the hosts mapped to the given batch ID.

POST /real-time-response/combined/batch-active-responder-command/v1
Scope Real Time Response: WRITE Consumes · Produces application/json
PEP 8 batch_active_responder_command

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
base_commandbodystringActive Responder base command to perform. For example: get or cp. Refer to the Available Commands table below for a complete listing of available commands.
batch_idbodystringRTR Batch ID to execute the command against. Received from batch_init_session.
command_stringbodystringFull command line of the command to execute. Example: get some_file.txt.
host_timeout_durationquerystringTimeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 5 minutes. Example, 10s. Valid units: ns, us, ms, s, m, h.
optional_hostsbodystring or list of stringsList of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch.
persist_allbodybooleanFlag indicating if this command should be executed when the host returns to service.
timeoutqueryintegerTimeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes.
timeout_durationquerystringTimeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes.
parametersquerydictionaryFull query string parameters payload in JSON format.
Available Commands
Section titled “Available Commands”
CommandDescriptionOperating System
catView file contentsAll
cdChange directoryAll
clearClear the screenAll
cpCopy a fileAll
encryptEncrypt a fileAll
envDisplay environment variablesAll
eventlogInspect the event log. Subcommands: list, view, export, backup. eventlog backup is the recommended solution as opposed to eventlog export.Windows
filehashCalculate a file hash (MD5 or SHA256)All
getRetrieve a fileAll
getsidRetrieve the current SIDWindows, macOS
helpAccess help for a specific command or sub-commandAll
historyReview command history for the current userAll
ipconfigReview TCP configurationWindows
killKill a running processAll
lsList the contents of a directoryAll
mapMap a UNC (SMB) path to a drive letterWindows
memdumpDump memory of a running processWindows
mkdirCreate a directoryAll
mountMount a file system (macOS, Linux) or list available drives (Windows)All
mvMove a fileAll
netstatRetrieve network connection detailAll
psList running processesAll
regRegistry operations. Subcommands: query, set, delete, load, unload.Windows
restartRestart the systemAll
rmRemove a fileAll
runscriptRun a scriptAll
shutdownShutdown the systemAll
unmapUnmap a UNC (SMB) path from a drive letterWindows
updateInstall patches through Windows Update. Subcommands: history, install, list, query.Windows
xmemdumpDump complete memory (kernel) for the systemWindows
zipCreate a zip archiveAll

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.batch_active_responder_command(base_command="string",
                                                 batch_id="string",
                                                 command_string="string",
                                                 host_timeout_duration="string",
                                                 optional_hosts=["string"],
                                                 persist_all=boolean,
                                                 timeout="string",
                                                 timeout_duration="string")
print(response)

BatchCmd

Section titled “BatchCmd”

Batch executes a RTR read-only command across the hosts mapped to the given batch ID.

POST /real-time-response/combined/batch-command/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 batch_command

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
base_commandbodystringActive Responder base command to perform. For example: get or cp. Refer to the Available Commands table below for a complete listing of available commands.
batch_idbodystringRTR Batch ID to execute the command against. Received from batch_init_session.
command_stringbodystringFull command line of the command to execute. Example: cat some_file.txt.
host_timeout_durationquerystringTimeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 5 minutes. Example, 10s. Valid units: ns, us, ms, s, m, h.
optional_hostsbodystring or list of stringsList of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch.
persist_allbodybooleanFlag indicating if this command should be executed when the host returns to service.
timeoutqueryintegerTimeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes.
timeout_durationquerystringTimeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes.
parametersquerydictionaryFull query string parameters payload in JSON format.
Available Commands (Read only)
Section titled “Available Commands (Read only)”
CommandDescriptionOperating System
catView file contentsAll
cdChange directoryAll
clearClear the screenAll
csrutilGet system integrity protection statusmacOS
envDisplay environment variablesAll
eventlogInspect the event log. Subcommands: list, view.Windows
filehashCalculate a file hash (MD5 or SHA256)All
getsidRetrieve the current SIDWindows, macOS
helpAccess help for a specific command or sub-commandAll
historyReview command history for the current userAll
ipconfigReview TCP configurationWindows
lsList the contents of a directoryAll
mountMount a file system (macOS, Linux) or list available drives (Windows)All
netstatRetrieve network connection detailAll
psList running processesAll
regRegistry operations. Subcommands: query.Windows

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.batch_command(base_command="string",
                                batch_id="string",
                                command_string="string",
                                host_timeout_duration="string",
                                optional_hosts=["string"],
                                persist_all=boolean,
                                timeout="string",
                                timeout_duration="string")
print(response)

BatchGetCmdStatus

Section titled “BatchGetCmdStatus”

Retrieves the status of the specified batch get command. Will return successful files when they are finished processing.

GET /real-time-response/combined/batch-get-command/v1
Scope Real Time Response: WRITE Consumes · Produces application/json
PEP 8 batch_get_command_status

Parameters

Section titled “Parameters”
NameTypeData typeDescription
batch_get_cmd_req_idquerystringBatch Get Command Request ID (usually retrieved when making a call to BatchGetCmd).
parametersquerydictionaryFull query string parameters payload in JSON format.
timeoutqueryintegerTimeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes.
timeout_durationquerystringTimeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.batch_get_command_status(timeout="string",
                                           timeout_duration="string",
                                           batch_get_cmd_req_id="string")
print(response)

BatchGetCmd

Section titled “BatchGetCmd”

Batch executes get command across hosts to retrieve files. After this call is made BatchGetCmdStatus is used to query for the results.

POST /real-time-response/combined/batch-get-command/v1
Scope Real Time Response: WRITE Consumes · Produces application/json
PEP 8 batch_get_command

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
batch_idbodystringRTR Batch ID to execute the get command against. Received from batch_init_session.
file_pathbodystringFull path to the file that is to be retrieved from each host in the batch.
host_timeout_durationquerystringTimeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 5 minutes. Example, 10s. Valid units: ns, us, ms, s, m, h.
optional_hostsbodystring or list of stringsList of the subset of hosts we want to impact by this command. Allows for filtering of hosts from execution within the same batch.
parametersquerydictionaryFull query string parameters payload in JSON format.
timeoutqueryintegerTimeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes.
timeout_durationquerystringTimeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.batch_get_command(batch_id="string",
                                    file_path="string",
                                    host_timeout_duration="string",
                                    optional_hosts=["string"],
                                    timeout="string",
                                    timeout_duration="string")
print(response)

BatchInitSessions

Section titled “BatchInitSessions”

Batch initialize a RTR session on multiple hosts. Before any RTR commands can be used, an active session is needed on the host.

POST /real-time-response/combined/batch-init-session/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 batch_init_sessions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
existing_batch_idbodystringOptional existing RTR batch ID. Use this to initialize new hosts and add them to the existing batch.
host_idsbodystring or list of stringsList of host agent IDs to initialize a RTR session on.
host_timeout_durationquerystringTimeout duration for how long a host has time to complete processing. Default value is a bit less than the overall timeout value. It cannot be greater than the overall request timeout. Maximum is < 5 minutes. Example, 10s. Valid units: ns, us, ms, s, m, h.
parametersquerydictionaryFull query string parameters payload in JSON format.
queue_offlinebodybooleanFlag indicating if the command should be queued for execution when the host returns to service.
timeoutqueryintegerTimeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes.
timeout_durationquerystringTimeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.batch_init_sessions(existing_batch_id="string",
                                      host_ids=id_list,
                                      host_timeout_duration="string",
                                      queue_offline=boolean,
                                      timeout="string",
                                      timeout_duration="string")
print(response)

BatchRefreshSessions

Section titled “BatchRefreshSessions”

Batch refresh a RTR session on multiple hosts. RTR sessions will expire after 5 minutes unless refreshed.

POST /real-time-response/combined/batch-refresh-session/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 batch_refresh_sessions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
batch_idbodystringExisting RTR batch ID to refresh.
host_to_removebodystring or list of stringsList of host agent IDs to remove from the batch.
parametersquerydictionaryFull query string parameters payload in JSON format.
timeoutqueryintegerTimeout for how long to wait for the request in seconds, default timeout is 30 seconds. Maximum is 5 minutes.
timeout_durationquerystringTimeout duration for for how long to wait for the request in duration syntax. Example, 10s. Valid units: ns, us, ms, s, m, h. Maximum is 5 minutes.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.batch_refresh_sessions(batch_id="string",
                                         hosts_to_remove="string",
                                         timeout="string",
                                         timeout_duration="string")
print(response)

RTR_CheckActiveResponderCommandStatus

Section titled “RTR_CheckActiveResponderCommandStatus”

Get status of an executed active-responder command on a single host.

GET /real-time-response/entities/active-responder-command/v1
Scope Real Time Response: WRITE Consumes · Produces application/json
PEP 8 check_active_responder_command_status

Parameters

Section titled “Parameters”
NameTypeData typeDescription
cloud_request_idquerystringCloud Request ID of the executed command to query.
parametersquerydictionaryFull query string parameters payload in JSON format.
sequence_idqueryintegerSequence ID that we want to retrieve. Command responses are chunked across sequences.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.check_active_responder_command_status(cloud_request_id="string",
                                                        sequence_id="string")
print(response)

RTR_ExecuteActiveResponderCommand

Section titled “RTR_ExecuteActiveResponderCommand”

Execute an active responder command on a single host.

POST /real-time-response/entities/active-responder-command/v1
Scope Real Time Response: WRITE Consumes · Produces application/json
PEP 8 execute_active_responder_command

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
base_commandbodystringActive Responder base command to perform. For example: get or cp. Refer to the Available Commands table below for a complete listing of available commands.
command_stringbodystringFull command line of the command to execute. Example: get some_file.txt.
persistbodybooleanFlag indicating if this command should be executed when the host returns to service. Unused
session_idbodystringRTR Session ID.
Available Commands
Section titled “Available Commands”
CommandDescriptionOperating System
catView file contentsAll
cdChange directoryAll
clearClear the screenAll
cpCopy a fileAll
encryptEncrypt a fileAll
envDisplay environment variablesAll
eventlogInspect the event log. Subcommands: list, view, export, backup. eventlog backup is the recommended solution as opposed to eventlog export.Windows
filehashCalculate a file hash (MD5 or SHA256)All
getRetrieve a fileAll
getsidRetrieve the current SIDWindows, macOS
helpAccess help for a specific command or sub-commandAll
historyReview command history for the current userAll
ipconfigReview TCP configurationWindows
killKill a running processAll
lsList the contents of a directoryAll
mapMap a UNC (SMB) path to a drive letterWindows
memdumpDump memory of a running processWindows
mkdirCreate a directoryAll
mountMount a file system (macOS, Linux) or list available drives (Windows)All
mvMove a fileAll
netstatRetrieve network connection detailAll
psList running processesAll
regRegistry operations. Subcommands: query, set, delete, load, unload.Windows
restartRestart the systemAll
rmRemove a fileAll
runscriptRun a scriptAll
shutdownShutdown the systemAll
unmapUnmap a UNC (SMB) path from a drive letterWindows
updateInstall patches through Windows Update. Subcommands: history, install, list, query.Windows
xmemdumpDump complete memory (kernel) for the systemWindows
zipCreate a zip archiveAll

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.execute_active_responder_command(base_command="string",
                                                   command_string="string",
                                                   device_id="string",
                                                   id=integer,
                                                   persist=boolean,
                                                   session_id="string")
print(response)

RTR_CheckCommandStatus

Section titled “RTR_CheckCommandStatus”

Get status of an executed command on a single host.

GET /real-time-response/entities/command/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 check_command_status

Parameters

Section titled “Parameters”
NameTypeData typeDescription
cloud_request_idquerystringCloud Request ID of the executed command to query.
parametersquerydictionaryFull query string parameters payload in JSON format.
sequence_idqueryintegerSequence ID that we want to retrieve. Command responses are chunked across sequences.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.check_command_status(cloud_request_id="string",
                                       sequence_id="string")
print(response)

RTR_ExecuteCommand

Section titled “RTR_ExecuteCommand”

Execute a command on a single host.

POST /real-time-response/entities/command/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 execute_command

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
base_commandbodystringRead-only base command to perform. For example: ls or ps. Refer to the Available Commands table below for a complete listing of available commands.
command_stringbodystringFull command line of the command to execute. Example: cat some_file.txt.
persistbodybooleanFlag indicating if this command should be executed when the host returns to service.
session_idbodystringRTR Session ID to execute the command against.
Available Commands (Read only)
Section titled “Available Commands (Read only)”
CommandDescriptionOperating System
catView file contentsAll
cdChange directoryAll
clearClear the screenAll
csrutilGet system integrity protection statusmacOS
envDisplay environment variablesAll
eventlogInspect the event log. Subcommands: list, view.Windows
filehashCalculate a file hash (MD5 or SHA256)All
getsidRetrieve the current SIDWindows, macOS
helpAccess help for a specific command or sub-commandAll
historyReview command history for the current userAll
ipconfigReview TCP configurationWindows
lsList the contents of a directoryAll
mountMount a file system (macOS, Linux) or list available drives (Windows)All
netstatRetrieve network connection detailAll
psList running processesAll
regRegistry operations. Subcommands: query.Windows

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.execute_command(base_command="string",
                                  command_string="string",
                                  device_id="string",
                                  id=integer,
                                  persist=boolean,
                                  session_id="string")
print(response)

RTR_GetExtractedFileContents

Section titled “RTR_GetExtractedFileContents”

Get RTR extracted file contents for specified session and sha256.

GET /real-time-response/entities/extracted-file-contents/v1
Scope Real Time Response: WRITE Consumes · Produces application/x-7z-compressed
PEP 8 get_extracted_file_contents

Parameters

Section titled “Parameters”
NameTypeData typeDescription
parametersquerydictionaryFull query string parameters payload in JSON format.
filenamequerystringFilename to use for the archive name and the file within the archive.
session_idquerystringRTR Session ID.
sha256querystringExtracted SHA256.
streamquerybooleanEnable streaming download of the returned file.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.get_extracted_file_contents(session_id="string",
                                              sha256="string",
                                              filename="string",
                                              stream=boolean)
print(response)

RTR_ListFiles

Section titled “RTR_ListFiles”

Get a list of files for the specified RTR session.

GET /real-time-response/entities/file/v1
Scope Real Time Response: WRITE Consumes · Produces application/json
PEP 8 list_files

Parameters

Section titled “Parameters”
NameTypeData typeDescription
parametersquerydictionaryFull query string parameters payload in JSON format.
session_idquerystringRTR Session ID.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.list_files(session_id="string")
print(response)

RTR_ListFilesV2

Section titled “RTR_ListFilesV2”

Get a list of files for the specified RTR session.

GET /real-time-response/entities/file/v2
Scope Real Time Response: WRITE Consumes · Produces application/json
PEP 8 list_files_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
parametersquerydictionaryFull query string parameters payload in JSON format.
session_idquerystringRTR Session ID.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.list_files_v2(session_id="string")
print(response)

RTR_DeleteFile

Section titled “RTR_DeleteFile”

Delete a RTR session file.

DELETE /real-time-response/entities/file/v1
Scope Real Time Response: WRITE Consumes · Produces application/json
PEP 8 delete_file

Parameters

Section titled “Parameters”
NameTypeData typeDescription
parametersquerydictionaryFull query string parameters payload in JSON format.
idsquerystringRTR Session file ID (SHA256).
session_idquerystringRTR Session ID.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.delete_file(ids=id_list, session_id="string")
print(response)

RTR_DeleteFileV2

Section titled “RTR_DeleteFileV2”

Delete a RTR session file.

DELETE /real-time-response/entities/file/v2
Scope Real Time Response: WRITE Consumes · Produces application/json
PEP 8 delete_file_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
parametersquerydictionaryFull query string parameters payload in JSON format.
idsquerystringRTR Session file ID (SHA256).
session_idquerystringRTR Session ID.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.delete_file_v2(ids=id_list, session_id="string")
print(response)

RTR_ListQueuedSessions

Section titled “RTR_ListQueuedSessions”

Get queued session metadata by session ID.

POST /real-time-response/entities/queued-sessions/GET/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 list_queued_sessions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
idsbodystring or list of stringsList of RTR sessions to retrieve. Will only return sessions created by the calling user.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.list_queued_sessions(ids=id_list)
print(response)

RTR_DeleteQueuedSession

Section titled “RTR_DeleteQueuedSession”

Delete a queued session command.

DELETE /real-time-response/entities/queued-sessions/command/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 delete_queued_session

Parameters

Section titled “Parameters”
NameTypeData typeDescription
cloud_request_idquerystringCloud Request ID of the executed command to query.
parametersquerydictionaryFull query string parameters payload in JSON format.
session_idquerystringRTR Session ID.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.delete_queued_session(cloud_request_id="string",
                                        session_id="string")
print(response)

RTR_PulseSession

Section titled “RTR_PulseSession”

Refresh a session timeout on a single host.

POST /real-time-response/entities/refresh-session/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 pulse_session

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
device_idbodystringThe host agent ID to refresh the RTR session on. RTR will retrieve an existing session for the calling user on this host.
originbodystringOrigin of the request.
queue_offlinebodybooleanFlag indicating if this should be queued to pulse after the host returns to service.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.pulse_session(device_id="string",
                                origin="string",
                                queue_offline=boolean)
print(response)

RTR_ListSessions

Section titled “RTR_ListSessions”

Get session metadata by session id.

POST /real-time-response/entities/sessions/GET/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 list_sessions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
idsbodystring or list of stringsList of RTR sessions to retrieve. Will only return sessions created by the calling user.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.list_sessions(ids=id_list)
print(response)

RTR_InitSession

Section titled “RTR_InitSession”

Initialize a new session with the RTR cloud.

POST /real-time-response/entities/sessions/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 init_session

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
device_idbodystringThe host agent ID to refresh the RTR session on. RTR will retrieve an existing session for the calling user on this host.
originbodystringOrigin of the request.
queue_offlinebodybooleanFlag indicating if this should be queued to pulse after the host returns to service.
timeoutbodyintegerTimeout for how long to wait for the request in seconds.
Default: 30
Maximum: 600
timeout_durationbodystringTimeout duration for how long to wait for the request in duration syntax.
Example: 10s Valid units: ns, us, ms, s, m, h
Maximum timeout is 5 minutes.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.init_session(device_id="string",
                               origin="string",
                               queue_offline=boolean,
                               timeout=integer,
                               timeout_duration="string")
print(response)

RTR_DeleteSession

Section titled “RTR_DeleteSession”

Delete a session.

DELETE /real-time-response/entities/sessions/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 delete_session

Parameters

Section titled “Parameters”
NameTypeData typeDescription
parametersquerydictionaryFull query string parameters payload in JSON format.
session_idquerystringRTR Session ID.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.delete_session(session_id="string")
print(response)

RTR_ListAllSessions

Section titled “RTR_ListAllSessions”

Get a list of session_ids.

You will only be able to retrieve sessions that were created using the same API credentials.

GET /real-time-response/queries/sessions/v1
Scope Real Time Response: READ Consumes · Produces application/json
PEP 8 list_all_sessions

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringFQL query expression that should be used to limit the results.

Available filters: id, created_at, updated_at, deleted_at, aid, hostname, user_id, origin, cloud_request_id, command_string, base_command, offline_queued, commands_queued. user_id can accept a special value ‘@me’ which will restrict results to records with current user’s ID.
limitqueryintegerMaximum number of records to return. Max: 5000.
offsetquerystringStarting index of overall result set from which to return ids.
sortquerystringThe property to sort by.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import RealTimeResponse


falcon = RealTimeResponse(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )


response = falcon.list_all_sessions(filter="string",
                                    limit=integer,
                                    offset=integer,
                                    sort="string")
print(response)
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use