
CrowdStrike is a global cybersecurity leader with an advanced cloud-native platform for protecting endpoints, cloud workloads, identities and data.

What can Zenduty do for CrowdStrike users?

CrowdStrike provides security and IT operations capabilities including IT hygiene, vulnerability management, and patching. These are enriched by CrowdStrike's threat intelligence, including malware search and sandbox analysis that are integrated and automated to give security teams deep context and predictive capabilities.

With the Zenduty-CrowdStrike integration, you can create new Incidents/Alerts in Zenduty whenever an Alert is triggered or a new Endpoint is detected in CrowdStrike.

You can also use Alert Rules to route specific CrowdStrike alerts to specific users, teams or escalation policies, write suppression rules, and automatically add notes, responders and incident tasks.

To integrate CrowdStrike with Zenduty, complete the following steps:

In Zenduty:

  1. To add a new CrowdStrike integration, go to ‘Teams’ on Zenduty and click on the team you want to add the integration to.

  2. Next, go to ‘Services’ and click on the relevant Service.

  3. Go to ‘Integrations’ and then ‘Add New Integration’. Give it a name and select the application ‘CrowdStrike’ from the dropdown menu.

  4. Go to ‘Configure’ under your Integrations and copy the generated Webhook URL & Integration Key.

In CrowdStrike:

  1. Log into CrowdStrike and open the CrowdStrike Store from the Menu. Select All apps and search for ‘Webhook’.

  2. Configure the Webhook application by clicking ‘Configure’ and then ‘Add configuration’. Give the configuration a name, e.g. Zenduty. Paste the copied Webhook URL under ‘Webhook URL’, and paste the Integration Key copied from Zenduty under ‘HMAC Secret Key’. Save the configuration.

  3. Head to ‘Falcon Workflows’ by following the path ‘Host setup and management’ > ‘Automated workflows’. Edit an existing workflow or create a new one as required, select ‘Call Webhook’ as the notification action, and select the webhook configuration created in the previous step.

  4. Select the fields you want included in the JSON payload. The fields listed below must be selected for Zenduty to create an incident with accurate details.

    Mandatory Data fields to include for ‘Workflow Execution’ trigger

     Workflow Description
     Workflow Status
     Workflow Name
    

    Mandatory Data fields to include for ‘New endpoint detection’ trigger

     Hostname
     Local IP
     Mac Address
     Sensor ID
     Command Line
     Detection ID
     Severity
     Endpoint detection status
    

    Mandatory Data fields to include for ‘Audit event > Policy’ trigger

     Created by email
     Modified by email
     PolicyDetail description
     PolicyDetail name
     Policy type
     PolicyDetail platform
    

    Mandatory Data fields to include for ‘Audit event > Endpoint detection > Comment’ trigger

     Endpoint Detection ID
     Comment text
    

    Mandatory Data fields to include for ‘Audit event > Endpoint detection > Status’ trigger

     Endpoint Detection ID
     Endpoint detection severity
     Endpoint detection status
    

    It is recommended to add all fields if possible. With the available payload fields, Alert Rules can be configured for custom actions fine tuning your incident response with CrowdStrike.

    Note: We replace "." with "___" (3 underscores) in payload keys so that they can be used in Alert Rules.

    e.g.

     Original value: detections.severity
     Replaced value: detections___severity
    
  5. CrowdStrike is now integrated with Zenduty.
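The two mechanisms the steps above depend on, the ‘HMAC Secret Key’ shared with the Webhook app and the renaming of "." to "___" in payload keys, as an added illustration. This is example code written for this page, not Zenduty's or CrowdStrike's implementation. It assumes the Webhook app signs the raw request body with HMAC-SHA256 keyed by the secret and carries the hex digest in a request header; the header name X-Signature and the sample payload are constructed for the example and are not CrowdStrike identifiers.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Optional, Tuple

# Assumption for this example: the signature travels in this header.
# The real header name is not given on the page.
SIGNATURE_HEADER = "X-Signature"


def sign_body(body: bytes, secret: str) -> str:
    """Hex HMAC-SHA256 over the raw body, as the sending side would compute it."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_signature(body: bytes, secret: str, presented: Optional[str]) -> bool:
    """Constant-time comparison; a missing or malformed signature is rejected."""
    if not presented:
        return False
    expected = sign_body(body, secret)
    return hmac.compare_digest(expected, presented.strip().lower())


def normalize_keys(obj: Any) -> Any:
    """Replace '.' with '___' (3 underscores) in every key, recursively,
    so that keys such as detections.severity become detections___severity."""
    if isinstance(obj, dict):
        return {k.replace(".", "___"): normalize_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [normalize_keys(v) for v in obj]
    return obj


def handle_webhook(raw_body: bytes, headers: Dict[str, str], secret: str
                   ) -> Tuple[bool, Optional[Dict[str, Any]]]:
    """Verify the signature over the raw bytes before parsing anything,
    then return the key-normalized payload. Returns (accepted, payload)."""
    if not verify_signature(raw_body, secret, headers.get(SIGNATURE_HEADER)):
        return False, None
    payload = json.loads(raw_body.decode("utf-8"))
    return True, normalize_keys(payload)


# Constructed sample in the shape of a 'New endpoint detection' payload;
# not a real CrowdStrike message.
SAMPLE_SECRET = "example-integration-key"
SAMPLE_PAYLOAD = {
    "hostname": "WS-0042",
    "detections.severity": "High",
    "detections.id": "ldt:abc123",
    "nested": {"detections.status": "new"},
}
SAMPLE_BODY = json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode("utf-8")


def demo() -> Tuple[bool, bool, Optional[Dict[str, Any]]]:
    """A correctly signed delivery is accepted and normalized; a body altered
    in transit (severity downgraded) fails verification with the same header."""
    headers = {SIGNATURE_HEADER: sign_body(SAMPLE_BODY, SAMPLE_SECRET)}
    tampered = SAMPLE_BODY.replace(b"High", b"Low")
    ok, normalized = handle_webhook(SAMPLE_BODY, headers, SAMPLE_SECRET)
    bad, _ = handle_webhook(tampered, headers, SAMPLE_SECRET)
    return ok, bad, normalized


if __name__ == "__main__":
    accepted, tampered_accepted, payload = demo()
    print("signed delivery accepted:", accepted)
    print("tampered delivery accepted:", tampered_accepted)
    print("normalized keys:", sorted(payload))
```

Because the Integration Key doubles as the HMAC secret, treat it like a credential: anyone who obtains it can forge deliveries that pass verification, so rotate it by generating a new integration in Zenduty and updating the Webhook configuration in CrowdStrike if it is ever exposed. Verification must run over the raw request bytes, not over re-serialized JSON, since any reformatting changes the digest.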


Respond to CrowdStrike Integration alerts faster

Looking for a better way to get real-time alerts from CrowdStrike, set up a solid incident escalation and incident response pipeline, and minimize response and resolution times for CrowdStrike incidents?

Sign up for a free trial


Copyright Zenduty 2020. Product of YellowAnt