This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.
This guide helps you set up your CrowdStrike device so that you can enable the Kill Processes auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.
Prerequisites
- You must have enabled read and write permissions for the Real Time Response OAuth2 API client. See Step 1 of CrowdStrike Falcon® Setup for Workbench for instructions and/or to verify your permissions.
- You must have admin access in Workbench, as auto remediations are enabled at the organization level.
Quick Links
Setup includes the following steps (select any step for detailed instructions):
Step 1: Edit the Response Policy in CrowdStrike
For this auto remediation to work, you must enable Real Time Response in the Sensor Settings of each response policy that covers the relevant hosts. Refer to the CrowdStrike documentation for additional help with this step.
Before you begin, remember that you must have already enabled read and write permissions for Real Time Response for the OAuth2 API client in CrowdStrike.
- Log in to CrowdStrike Falcon.
- In the top left menu, navigate to Support and Resources > Host Setup and Management section > Response Policies.
- Locate the response policy that contains the hosts you want to enable for this auto remediation, and select it.
- In the Sensor Settings, select the Real Time Response checkbox to enable it.
- Select Save.
- Repeat these steps for any additional response policies that contain hosts that need this auto remediation enabled, and be sure to do this for all three platforms (Windows, macOS, Linux).
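Because Real Time Response grants remote command execution on every host the policy covers, it is worth auditing which response policies actually have it enabled before handing the remediation over to Workbench, rather than relying on memory of which checkboxes were ticked. The script below is an added example, not code from this guide, Expel, or CrowdStrike. It assumes the policy records follow the shape returned by the Falcon response-policy API (a `resources` list whose entries carry `platform_name`, `enabled`, and nested `settings` groups containing a setting with id `RealTimeFunctionality` and a `value.enabled` flag); those field names and the platform labels are assumptions, so adjust them to match your own export. The policy data embedded here is constructed sample input, and the check also flags a policy that is itself disabled, since RTR enabled on an inactive policy does not help.

```python
"""Audit CrowdStrike Falcon response policies for Real Time Response (RTR).

Added example, not part of the Expel guide or CrowdStrike's own tooling.
Assumed record shape (label: assumption): resources[].platform_name,
resources[].enabled, resources[].settings[].settings[] with an entry whose
id is "RealTimeFunctionality" and whose value carries an "enabled" flag.
SAMPLE_POLICIES is constructed data, not a real API response.
"""
from collections import defaultdict

# The guide requires RTR on all three platforms; labels are an assumption.
REQUIRED_PLATFORMS = ("Windows", "Mac", "Linux")
RTR_SETTING_ID = "RealTimeFunctionality"  # assumed setting id

# Constructed sample: one compliant, one with RTR off, one disabled policy.
SAMPLE_POLICIES = {
    "resources": [
        {"id": "pol-win-1", "name": "Windows servers", "platform_name": "Windows",
         "enabled": True,
         "settings": [{"id": "RTR", "settings": [
             {"id": "RealTimeFunctionality", "value": {"enabled": True}}]}]},
        {"id": "pol-mac-1", "name": "Mac laptops", "platform_name": "Mac",
         "enabled": True,
         "settings": [{"id": "RTR", "settings": [
             {"id": "RealTimeFunctionality", "value": {"enabled": False}}]}]},
        {"id": "pol-lin-1", "name": "Linux hosts", "platform_name": "Linux",
         "enabled": False,
         "settings": [{"id": "RTR", "settings": [
             {"id": "RealTimeFunctionality", "value": {"enabled": True}}]}]},
    ]
}


def rtr_enabled(policy):
    """True if the policy's RTR setting is present and switched on."""
    for group in policy.get("settings", []):
        for setting in group.get("settings", []):
            if setting.get("id") == RTR_SETTING_ID:
                return bool(setting.get("value", {}).get("enabled", False))
    return False  # setting absent: treat as not enabled


def audit(policies):
    """Map each required platform to a list of (policy name, reason) findings.

    An empty list for a platform means every policy seen for it is active
    with RTR enabled. A platform with no policy at all is also a finding,
    because hosts there cannot receive the remediation.
    """
    findings = {platform: [] for platform in REQUIRED_PLATFORMS}
    seen = defaultdict(int)
    for policy in policies.get("resources", []):
        platform = policy.get("platform_name")
        if platform not in findings:
            continue  # platform not in scope for this remediation
        seen[platform] += 1
        if not policy.get("enabled", False):
            findings[platform].append((policy["name"], "policy disabled"))
        elif not rtr_enabled(policy):
            findings[platform].append((policy["name"], "RTR not enabled"))
    for platform in REQUIRED_PLATFORMS:
        if seen[platform] == 0:
            findings[platform].append(("<none>", "no response policy for platform"))
    return findings


if __name__ == "__main__":
    for platform, issues in audit(SAMPLE_POLICIES).items():
        status = "OK" if not issues else "; ".join(f"{n}: {r}" for n, r in issues)
        print(f"{platform}: {status}")
```

Feed it the JSON you pull from the Falcon console or API in place of `SAMPLE_POLICIES`; any platform that does not print `OK` still needs the checkbox from the steps above before the remediation can reach those hosts.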
Step 2: Update Your Context
If you do not want to specify any processes for a "do not kill" list, skip to Step 3.
Working with your engagement manager, add any processes that should be on the "do not kill" list as context for your environment. You will then be able to select those processes as "Never kill" assets when you enable the auto remediation in Workbench.
Note
If our SOC identifies a process that must be killed, any processes added as "Never kill" assets are assigned to you as actions rather than being killed automatically.
Step 3: Return to the Main Setup Guide
Your CrowdStrike device is now ready for the Kill Processes auto remediation. You should now do one of the following:
- If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
- If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.