This guide is the first step of a larger process to enable auto remediations. After completing the steps on this page, you will be instructed to return to the Enable an Auto Remediation in Workbench guide to finish your setup.
This guide helps you set up your CrowdStrike device so that you can enable the Delete Registry Key auto remediation in Workbench. During the setup process, you will grant Expel all necessary permissions for the remediation to work.
How It Works
If our SOC identifies a registry key that must be deleted, Workbench completes the action automatically unless the registry path, value, or hostname is specifically designated as a "Never delete" asset (these assets must be added as context and then configured in Workbench; see Step 2).
Scope and Limitations
When choosing to enable this auto remediation, remember the following:
- Expel can only create a backup of your registry before deletion if you give us permission to run custom scripts in your response policy (optional), as described in this guide.
- This auto remediation will only work on Windows-based operating systems, and cannot be configured for Mac or Linux.
Prerequisites
- You must have already enabled read and write permissions for the Real Time Response OAuth2 API client. See Step 1 of CrowdStrike Falcon® Setup for Workbench for instructions and/or to verify your permissions.
- You must have admin access in Workbench, as auto remediations are enabled at the organization level.
Quick Links
Setup includes the following steps:
- Step 1: Edit the Response Policy in CrowdStrike
- Step 2: Update Your Context
- Step 3: Return to the Main Setup Guide
Step 1: Edit the Response Policy in CrowdStrike
If you have already enabled other auto remediations for CrowdStrike Falcon, some of the response policy settings may already be in place. Make sure to verify the sensor settings in your response policy as described below.
For this auto remediation to work, you must enable both Real Time Response and the get command in the Sensor Settings of each relevant response policy. The get command allows Expel to retrieve files from a remote host. You may also choose to enable custom scripts (optional) so that we can create a backup of the registry key before it is deleted.
Before you begin, remember that you must have already enabled read and write permissions for Real Time Response for the OAuth2 API client in CrowdStrike.
- Log in to CrowdStrike Falcon.
- In the top left menu, navigate to Host setup and management > Response and containment > Response policies.
- Make sure you are in the Windows platform (this auto remediation does not work for Mac or Linux).
- Select the response policy that contains the hosts you want to enable for this auto remediation.
- In the policy's Sensor Settings:
- Select the Real Time Response checkbox to enable it.
- Select the custom scripts checkbox (optional) to enable running custom scripts. This permission is required if you want us to create a backup of the registry before deletion; if you do not wish to use this feature, skip this setting.
- Select the get checkbox to enable the get command.
- Select Save.
- Repeat these steps for any additional response policies that contain hosts that need this auto remediation enabled.
Step 2: Update Your Context
If you do not want to put any registry paths, values, or hosts on a "do not delete" list, and instead want Expel to automatically delete every identified registry key, skip to Step 3.
Working with your engagement manager, add any registry paths, values, or hosts that should be on the "do not delete" list as context for your environment. You will then be able to select them as "Never delete" assets when you enable the auto remediation in Workbench.
Note
If our SOC identifies a registry key that must be deleted, and its path, value, or host matches a "Never delete" asset, the deletion is assigned to you as an action in Workbench rather than being performed automatically.
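The following PowerShell script is an added illustration of the two behaviours described above (back up the key before deleting it, and refuse to delete anything that matches a "Never delete" entry). It is not Expel's actual Real Time Response script, and the parameter names, backup directory, and the contents of the $NeverDelete list are assumptions made for the example. It is the kind of script that needs the custom scripts permission from Step 1; the backup file it writes is the sort of artifact the get command can then retrieve from the host.

```powershell
# Added example (not Expel's script): back up a registry key, then delete it,
# unless it matches a "Never delete" entry. Run as an elevated account on Windows.
param(
    [Parameter(Mandatory)] [string]$KeyPath,   # reg.exe style, e.g. 'HKLM\SOFTWARE\Example\Persistence'
    [string]$ValueName,                        # optional: delete only this value, not the whole key
    [string]$BackupDir = 'C:\ProgramData\RemediationBackups'   # assumed location
)

# Constructed "Never delete" list for this example. In practice these entries
# come from the context you add with your engagement manager in Step 2.
$NeverDelete = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SYSTEM\CurrentControlSet\Services'
)

function Test-NeverDelete {
    param([string]$Path)
    $candidate = $Path.TrimEnd('\')
    foreach ($entry in $NeverDelete) {
        # Prefix match so that subkeys of a protected key are protected too.
        if ($candidate -like "$($entry.TrimEnd('\'))*") { return $true }
    }
    return $false
}

if (Test-NeverDelete -Path $KeyPath) {
    # Mirrors the documented behaviour: protected keys become a manual action, not an automatic delete.
    Write-Output "REFUSED: $KeyPath matches a Never delete entry; assign as a manual action."
    exit 2
}

# Map the reg.exe hive prefix to a PowerShell registry provider path.
$psPath = $KeyPath -replace '^HKLM\\', 'HKLM:\' -replace '^HKCU\\', 'HKCU:\' -replace '^HKU\\', 'Registry::HKEY_USERS\'
if (-not (Test-Path -LiteralPath $psPath)) {
    Write-Output "NOTFOUND: $KeyPath"
    exit 1
}

# 1. Back up the key with reg.exe export before touching it.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$safeName   = $KeyPath -replace '[\\:]', '_'
$backupFile = Join-Path $BackupDir "$safeName-$stamp.reg"
& reg.exe export $KeyPath $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) {
    # Never delete without a verified backup.
    Write-Output "ABORT: backup of $KeyPath failed; nothing was deleted."
    exit 3
}

# 2. Delete the single value or the whole key.
if ($ValueName) {
    Remove-ItemProperty -LiteralPath $psPath -Name $ValueName -ErrorAction Stop
    Write-Output "DELETED: value '$ValueName' under $KeyPath (backup: $backupFile)"
} else {
    Remove-Item -LiteralPath $psPath -Recurse -ErrorAction Stop
    Write-Output "DELETED: key $KeyPath (backup: $backupFile)"
}
```

Usage: `.\Remove-RegistryKeyWithBackup.ps1 -KeyPath 'HKLM\SOFTWARE\Example\Persistence'` (the script name is assumed). The exit codes let the caller distinguish a refused protected key from a failed backup, and the script deliberately aborts rather than deletes when the export does not succeed, which is the safety property the optional custom scripts permission buys you.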
Step 3: Return to the Main Setup Guide
Your CrowdStrike device is now ready for the Delete Registry Key auto remediation. You should now do one of the following:
- If you do not need to set up any other devices for this auto remediation, you can return to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process.
- If you need to set up additional devices for this auto remediation, or wish to use this device with multiple auto remediations, be sure to complete those setup guides as well before returning to the Enable an Auto Remediation in Workbench guide to finish Step 2 of the process. Make sure to follow the setup guide that is specific to your auto remediation, as device setup instructions are unique to each auto remediation and device.