RTR Scripts

Real Time Response (RTR) scripts execute commands on endpoints directly. Foundry apps can include RTR scripts that are deployed and managed as part of the app lifecycle.

| Platform | Script type |
|----------|-------------|
| Windows | PowerShell |
| macOS | Shell (bash/zsh) |
| Linux | Shell (bash) |

RTR scripts are created using the Foundry CLI (not available in the Falcon console App Builder).

foundry rtr create --name my-script --platform windows

This creates:

rtr/my-script/
├── script.ps1 # The RTR script
└── config.json # Metadata and permissions

The config.json file specifies:

  • Platform — Target operating system (windows, mac, linux)
  • Permission — Required RTR permission level
  • Description — What the script does
  • Content — The script content (can also be in a separate file)

RTR scripts are declared in manifest.yml:

rtr_scripts:
  - name: my-script
    platform: windows
    permission_type: RTR_ACTIVE_RESPONDER
    description: "Collects forensic artifacts from Windows endpoints"
    content_file: rtr/my-script/script.ps1

| Level | Description |
|-------|-------------|
| RTR_READ_ONLY | Read-only commands (file listing, process listing, registry queries) |
| RTR_ACTIVE_RESPONDER | Active response commands (file operations, process management, registry edits) |
| RTR_ADMIN | Administrative commands (script execution, put files, custom scripts) |
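
A pre-deploy check for the rtr_scripts declarations, as an added example (not Foundry's own code and not from the original page): it flags entries with an unknown platform or permission_type, or a permission level above a chosen ceiling. Assumptions: the parser reads only the flat list layout shown on this page, the required keys and the `max_level` ceiling are policy choices, the levels are ranked in the table's order, and the sample manifest is constructed.

```python
import re

# Levels (in the table's order, least to most privileged) and platforms from this page.
LEVELS = ["RTR_READ_ONLY", "RTR_ACTIVE_RESPONDER", "RTR_ADMIN"]
PLATFORMS = {"windows", "mac", "linux"}

# Constructed sample manifest fragment; the second entry is deliberately flawed.
SAMPLE = '''\
rtr_scripts:
  - name: collect-artifacts
    platform: windows
    permission_type: RTR_ACTIVE_RESPONDER
    description: "Collects forensic artifacts from Windows endpoints"
    content_file: rtr/collect-artifacts/script.ps1
  - name: list-procs
    platform: osx
    permission_type: RTR_ADMIN
'''

def parse_rtr_scripts(text):
    """Read the flat rtr_scripts list shown on this page; not a general YAML parser."""
    scripts, in_block = [], False
    for line in text.splitlines():
        if re.match(r"\S", line):  # a top-level key starts or ends the block
            in_block = line.strip() == "rtr_scripts:"
            continue
        m = re.match(r"\s+(-\s+)?(\w+):\s*(.*)$", line)
        if in_block and m and m.group(1):  # "- " opens a new script entry
            scripts.append({})
        if in_block and m and scripts:
            scripts[-1][m.group(2)] = m.group(3).strip().strip("\"'")
    return scripts

def lint(scripts, max_level="RTR_ACTIVE_RESPONDER"):
    """Return (script name, finding) pairs; required keys and max_level are policy choices."""
    findings = []
    for s in scripts:
        name = s.get("name", "<unnamed>")
        for key in ("name", "platform", "permission_type", "description"):
            if not s.get(key):
                findings.append((name, f"missing {key}"))
        if s.get("platform") and s["platform"] not in PLATFORMS:
            findings.append((name, f"unknown platform {s['platform']}"))
        level = s.get("permission_type")
        if level and level not in LEVELS:
            findings.append((name, f"unknown permission_type {level}"))
        elif level and LEVELS.index(level) > LEVELS.index(max_level):
            findings.append((name, f"{level} exceeds allowed {max_level}"))
    return findings
```

Calling `lint(parse_rtr_scripts(SAMPLE))` returns three findings, all for the constructed `list-procs` entry; an empty list means the manifest passes the check.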

Once deployed, RTR scripts can be called from Fusion SOAR workflows using the Run RTR script action. This enables automated endpoint remediation triggered by security events.

RTR scripts are deployed with the rest of the app:

foundry apps deploy

After deployment and release, the scripts are available in the RTR console and callable from workflows.