CrowdStrike provides endpoint protection, threat intelligence, and response services.
Trigger Torq Workflows from Crowdstrike
To ingest CrowdStrike cloud security alerts, detections, incidents, or policies as events in Torq, you need to create a CrowdStrike trigger integration and use the generated webhook URL (Torq endpoint) to configure a webhook plugin and workflow in CrowdStrike.
In Torq - Create a CrowdStrike Trigger Integration
Go to Build > Integrations > Trigger > CrowdStrike.
Set Up Integration:
Click Add.
Name the integration - you cannot change this later, so ensure you pick a meaningful name.
Optionally add HAC headers and authentication headers.
Click Add to finalize.
Copy the webhook created to use later.
In CrowdStrike - Send Events to Torq
In CrowdStrike, you must create a Webhook plugin that defines where to send events, detections, etc., and which data to include. When getting started, we recommend using a single CrowdStrike workflow to send all events to Torq and apply trigger conditions to focus the workflow events on the Torq side.
Create a Webhook Plugin in CrowdStrike
The webhook plugin you create will be the action you define for the workflow.
Click the CrowdStrike icon and go to the CrowdStrike Store (All Apps).
In the Plugins section, locate the Webhook card and click Enable.
On the Webhook page, click Configure.
Click Add Configuration.
Enter a meaningful name for the webhook, such as Send CS detections to Torq.
Paste the Torq webhook URL you created earlier and click Save Configuration.
Create a Workflow in Crowdstrike
The workflow defines which alerts/detections and data to send to Torq via the webhook plugin.
In CrowdStrike, go to Host setup and management > Automated workflows > Fusion workflows.
Select a trigger for the action (Audit event, Cloud security assessment, New detection, New incident, or Workflow execution).
(Optional) Click the + icon next to the trigger and select Add condition to define trigger conditions. We recommend sending all trigger events and applying conditions in the Torq workflow trigger.
Define the workflow action.
Click the + icon next to the trigger and select Add action.
From the Action type drop-down menu, select Notifications.
From the Action drop-down menu, select Call webhook and then select the webhook you created to send events to Torq.
Select the data to include from the Data to Include drop-down menu. If you're sending detections, you need to select Detection ID. You might also want to select Detection URL, this way you can easily send the detection URL as part of a Torq workflow.
Use CrowdStrike Steps in a Workflow in Torq
To use CrowdStrike steps in a workflow, you must first generate a CrowdStrike API key. This key will be required when configuring the CrowdStrike steps integration in Torq.
Generate a CrowdStrike API Key
Click the CrowdStrike icon.
In the Support section, click API Clients and Keys.
In the CLIENT NAME field, type a meaningful name for the API key. For example,
TorqWorkflows
.In the DESCRIPTION field, type a meaningful description for the API key. For example,
This key is used in Torq workflows to automate investigations of CrowdStrike detections
.Select one or more scopes for the key. You must apply scopes to enable you to perform the actions you need in your Torq workflows. For example, if you want to modify or edit a detection as part of a workflow (e.g., update the detection status), you'll need to apply the
Write
scope for Detections. If you do not have sufficient permissions to perform a step in a workflow, you'll receive an error explaining the same.Click ADD.
Copy and save the values for the following fields, which you must enter when configuring the CrowdStrike steps integration in Torq.
CLIENT ID
SECRET
BASE URL
Create a CrowdStrike Steps Integration in Torq
Prepare Integration:
Log in to your Torq workspace.
Navigate to Integration Settings:
Go to Build > Integrations > Steps > CrowdStrike.
Set Up Integration:
Click Add.
Name the integration - you cannot change this later, so ensure you pick a meaningful name.
Add the Base URL created earlier.
Add the Client ID created earlier.
Add the Clicent Secret created earlier.
Click Add to finalize.
Use CrowdStrike Steps in a Workflow
To use CrowdStrike steps in your workflow, you first need to add the step Create a session
. An access token is generated, which will be used as an input parameter for subsequent CrowdStrike steps in the workflow.
Premade Steps
Add Host to Group
Contain Host
Create Indicator
Create RTR Session
Create Session
Delete Host
Delete Indicator
Delete RTR Session
Download Intel Report
Download MTRE Report
Execute RTR Command
Get Actor Details
Get Alert Details
Get Detection Details
Get Device Details
Get Device ID by FQL
Get Device ID by Hostname
Get Device ID by Serial Number
Get Falcon Report
Get Indicator Details
Get Intel Indicator Details
Get Remediation Details
Get Report Details
Get RTR Command Status
Get RTR File Contents
Get Submission IOC Pack
Get Submissions Status
Get User UUID by Email
Indicator Search for Hosts
Indicator Search for Processes
Lift Containment on Host
List Actor IDs
List Actors
List Detection IDs
List Device IDs
List Host Group Members
List Host Groups
List Intel Indicator IDs
List Report IDs
List Reports
List RTR Session Files
List User UUIDs
Query Intel Indicators
Query Spotlight Vulnerabilities
Remove Host from Group
Request File Download
Restore Host
Send RTR Runscript Command
Submit Sample to SAndbox
Update Alert
Update Detection
Update Indicator Upload File to Falcon Sandbox
Templates