This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.
This guide helps you set up your CrowdStrike device so that you can enable the Delete Malicious Files auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.
Prerequisites
- You must have enabled read and write permissions for the Real Time Response OAuth2 API client. See Step 1 of CrowdStrike Falcon® Setup for Workbench for instructions and/or to verify your permissions.
- You must have admin access in Workbench, as auto remediations are enabled at the organization level.
Step 1: Edit the Response Policy in CrowdStrike
If you have already enabled other auto remediations for CrowdStrike Falcon, some of the response policy settings may already be in place. Make sure to verify the sensor settings in your response policy as described below.
For this auto remediation to work, you must enable both Real Time Response and the get command in the Sensor Settings of the appropriate response policies. The get command is what allows Expel to retrieve files from a remote host. Refer to the CrowdStrike documentation for additional help with this step.
Before you begin, remember that you must have already enabled read and write permissions for Real Time Response for the OAuth2 API client in CrowdStrike.
- Log in to CrowdStrike Falcon.
- In the top left menu, navigate to Host setup and management > Response and containment > Response policies.
- Select the response policy that contains the hosts you want to enable for this auto remediation.
- In the policy's Sensor Settings:
  - Select the Real Time Response checkbox to enable it.
  - Select the get checkbox to enable the get command.
- Select Save.
- Repeat these steps for any additional response policies that contain hosts that need this auto remediation enabled, and be sure to do this for all three platforms (Windows, macOS, Linux).
Step 2: Update Your Context
If you do not want to specify any files for a "do not delete" or "always delete" list, and instead wish for Expel to automatically delete all identified files, skip to Step 3.
Working with your engagement manager, prepare to create an allow or deny list by adding files as context for your environment. You will then be able to select those files as "Never delete" or "Always delete" assets when you enable the auto remediation in Workbench.
Note
If our SOC identifies files that must be deleted and you have created either an allow ("Always delete") or deny ("Never delete") list in Workbench, any files falling outside of those parameters are assigned to you as actions rather than being deleted automatically.
Step 3: Return to the Main Setup Guide
Your CrowdStrike device is now ready for the Delete Malicious Files auto remediation. You should now do one of the following:
- If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
- If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.