Torq

CrowdStrike provides endpoint protection, threat intelligence, and response services. 

Torq enables quick and easy integration with CrowdStrike, so you can automate anything and everything within moments. Torq's pre-built CrowdStrike steps include: 

- Add Host to Group
- Contain Host
- Create Indicator 
- Delete Host
- Download MTRE Report
- +55 more... 

If you don't see a step you need, you can <a href="https://kb.torq.io/en/articles/9183207-creating-custom-steps-in-torq-automate-anything">create your own</a> in various ways, such as using the Send an HTTP Request step or Torq’s Step Builder, and share it across your organization.

To <a href="https://kb.torq.io/en/articles/9130865-integration-triggers-in-torq-ingest-data">trigger</a> a Torq workflow based on events sent from CrowdStrike, look <a href="https://kb.torq.io/en/articles/9138382-crowdstrike#h_710a158d57">here</a>. ​

To use CrowdStrike <a href="https://kb.torq.io/en/articles/9122841-explore-torq-steps-workflow-building-blocks">steps</a> in Torq workflows, look <a href="#h_4e8aa3a543">here</a>.

Use CrowdStrike Steps in a Torq Workflow

This method of creating a CrowdStrike integration requires a Create a session step whenever you use <a href="https://kb.torq.io/en/articles/9138382-crowdstrike#h_30f9193ea5">CrowdStrike steps</a>. It has been replaced with the <a href="https://kb.torq.io/en/articles/9138382-crowdstrike#h_0a64cdded1">CrowdStrike </a><a href="https://kb.torq.io/en/articles/9138382-crowdstrike#h_0a64cdded1">API Client steps integration</a>. To use the API-key method, please <a href="https://kb.torq.io/en/articles/9094913-grant-temporary-workspace-access-to-torq-support">contact Torq support</a>.

Step One: Generate a CrowdStrike API Key

Navigate to API Clients and Keys: Click the menu and go to Support &gt; Resources and tools &gt; API Clients and Keys.

Create a Client: Click Create API client.

1. Give the client a unique and meaningful name. For example, <code>TorqWorkflows</code>.
2. Give the client a relevant description. For example, <code>This key is used in Torq workflows to automate investigations of CrowdStrike detections</code>.
3. Select one or more scopes for the key. You must apply relevant scopes to perform desired actions within Torq workflows. For example, if you want to modify or edit a detection within a workflow, you need to apply the <code>Read</code> and <code>Write</code> scope for <code>Detections</code>.

Save Information: Copy and save the values for the following fields, which you must enter when configuring the CrowdStrike steps integration in Torq. Be sure to save them somewhere - you will not be able to access them again.

1. Navigate to API Clients and Keys: Click the menu and go to Support &gt; Resources and tools &gt; API Clients and Keys.
2. Create a Client: Click Create API client.
 1. Give the client a unique and meaningful name. For example, <code>TorqWorkflows</code>.
 2. Give the client a relevant description. For example, <code>This key is used in Torq workflows to automate investigations of CrowdStrike detections</code>.
 3. Select one or more scopes for the key. You must apply relevant scopes to perform desired actions within Torq workflows. For example, if you want to modify or edit a detection within a workflow, you need to apply the <code>Read</code> and <code>Write</code> scope for <code>Detections</code>. 
3. Finalize: Click Create.

4. Save Information: Copy and save the values for the following fields, which you must enter when configuring the CrowdStrike steps integration in Torq. Be sure to save them somewhere - you will not be able to access them again. 
 1. CLIENT ID
 2. SECRET
 3. BASE URL

Step Two: Create a CrowdStrike Steps Integration in Torq

Navigate to Integration: In Torq, go to Build &gt; Integrations &gt; Steps &gt; CrowdStrike and click Add.

1. Give the integration a unique and meaningful name - you cannot change this later.
2. Add the Base URL created <a href="https://kb.torq.io/en/articles/9138382-crowdstrike#h_d9b440d4bb">earlier</a>. 
3. Add the Client ID created earlier. 
4. Add the Clicent Secret created earlier.

Finalize: Click Add to save.

1. Navigate to Integration: In Torq, go to Build &gt; Integrations &gt; Steps &gt; CrowdStrike and click Add.
2. Set Up Integration:
 1. Give the integration a unique and meaningful name - you cannot change this later.
 2. Add the Base URL created <a href="https://kb.torq.io/en/articles/9138382-crowdstrike#h_d9b440d4bb">earlier</a>. 
 3. Add the Client ID created earlier. 
 4. Add the Clicent Secret created earlier. 
3. Finalize: Click Add to save.

Step Three: Use CrowdStrike Steps in a Workflow

Access Token: CrowdStrike requires an <a href="https://auth0.com/docs/secure/tokens/access-tokens" rel="nofollow noopener noreferrer" target="_blank">access token</a> for API call sessions.

Add Step: Before using CrowdStrike steps in a workflow, you must add the CrowdStrike step <code>Create a session</code> to your canvas.

Automate Token Creation: This generates an access token, which will then be used as an input parameter for subsequent CrowdStrike steps within that workflow.

1. A new access token is created per workflow execution. 

1. Access Token: CrowdStrike requires an <a href="https://auth0.com/docs/secure/tokens/access-tokens" rel="nofollow noopener noreferrer" target="_blank">access token</a> for API call sessions. 
2. Add Step: Before using CrowdStrike steps in a workflow, you must add the CrowdStrike step <code>Create a session</code> to your canvas. 

3. Automate Token Creation: This generates an access token, which will then be used as an input parameter for subsequent CrowdStrike steps within that workflow. 
 
 1. A new access token is created per workflow execution.

Now that you've added your integration check out these specially crafted templates by Torq's security experts. Visit Torq's template library for <a href="https://app.torq.io/templates?" rel="nofollow noopener noreferrer" target="_blank">more</a>.

<a href="https://app.torq.io/templates?id=f03eea1d-cf7a-462d-86bb-7b4490b4d45f" rel="nofollow noopener noreferrer" target="_blank">Create Cases from Crowdstrike Detections found in Splunk</a>

<a href="https://app.torq.io/templates?id=9b5458f7-8854-460f-823a-470c6138a20d" rel="nofollow noopener noreferrer" target="_blank">Create IOCs on Malicious Files from a CrowdStrike Incident</a>

<a href="https://app.torq.io/templates?id=e798353d-7858-438a-a337-ac61e0c82391" rel="nofollow noopener noreferrer" target="_blank">Request File Download From CrowdStrike Using Real-Time Response</a>

- <a href="https://app.torq.io/templates?id=f03eea1d-cf7a-462d-86bb-7b4490b4d45f" rel="nofollow noopener noreferrer" target="_blank">Create Cases from Crowdstrike Detections found in Splunk</a>
- <a href="https://app.torq.io/templates?id=9b5458f7-8854-460f-823a-470c6138a20d" rel="nofollow noopener noreferrer" target="_blank">Create IOCs on Malicious Files from a CrowdStrike Incident</a>
- <a href="https://app.torq.io/templates?id=e798353d-7858-438a-a337-ac61e0c82391" rel="nofollow noopener noreferrer" target="_blank">Request File Download From CrowdStrike Using Real-Time Response</a>

Integrate CrowdStrike with Torq to automate event response workflows using API key configurations.