CrowdStrike

Integrate CrowdStrike with Torq to automate event response workflows using webhooks and API key configurations.


CrowdStrike provides endpoint protection, threat intelligence, and response services.

Trigger Torq Workflows from CrowdStrike

To ingest CrowdStrike cloud security alerts, detections, incidents, or policies as events in Torq, you need to create a CrowdStrike trigger integration and use the generated webhook URL (Torq endpoint) to configure a webhook plugin and workflow in CrowdStrike.

In Torq - Create a CrowdStrike Trigger Integration

  1. Go to Build > Integrations > Trigger > CrowdStrike.

  2. Set Up Integration:

    • Click Add.

    • Name the integration - you cannot change this later, so ensure you pick a meaningful name.

    • Optionally add HMAC verification and authentication headers. Without either, the webhook URL is the only secret protecting the trigger, and anyone who learns it can inject events into your workflows.

    • Click Add to finalize.

  3. Copy the generated webhook URL (the Torq endpoint) for use in the CrowdStrike webhook plugin. Treat it as a secret.

In CrowdStrike - Send Events to Torq

In CrowdStrike, you must create a Webhook plugin that defines where to send events, detections, etc., and which data to include. When getting started, we recommend using a single CrowdStrike workflow to send all events to Torq and apply trigger conditions to focus the workflow events on the Torq side.

Create a Webhook Plugin in CrowdStrike

The webhook plugin you create will be the action you define for the workflow.

  1. Click the CrowdStrike icon and go to the CrowdStrike Store (All Apps).

  2. In the Plugins section, locate the Webhook card and click Enable.

  3. On the Webhook page, click Configure.

  4. Click Add Configuration.

  5. Enter a meaningful name for the webhook, such as Send CS detections to Torq.

  6. Paste the Torq webhook URL you created earlier and click Save Configuration.

Create a Workflow in CrowdStrike

The workflow defines which alerts/detections and data to send to Torq via the webhook plugin.

  1. In CrowdStrike, go to Host setup and management > Automated workflows > Fusion workflows.

  2. Select a trigger for the action (Audit event, Cloud security assessment, New detection, New incident, or Workflow execution).

    1. (Optional) Click the + icon next to the trigger and select Add condition to define trigger conditions. We recommend sending all trigger events and applying conditions in the Torq workflow trigger.

  3. Define the workflow action.

    1. Click the + icon next to the trigger and select Add action.

    2. From the Action type drop-down menu, select Notifications.

    3. From the Action drop-down menu, select Call webhook and then select the webhook you created to send events to Torq.

    4. Select the data to include from the Data to Include drop-down menu. If you're sending detections, you need to select Detection ID. You might also want to select Detection URL, this way you can easily send the detection URL as part of a Torq workflow.
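The following is an added example, not Torq's or CrowdStrike's own code, of what the receiving side of this setup needs to do: reject deliveries that do not carry a valid signature, pull out the fields selected under Data to Include, and apply the trigger condition on the Torq side as recommended above. It assumes the trigger integration was configured with an HMAC secret, that the sender puts the hex HMAC-SHA256 of the raw body in a header named X-Webhook-Signature, and that the selected data arrives as JSON keys named detection_id, detection_url and severity; none of those names come from the page, and the sample payload is constructed.

```python
"""Receiving-side handling of a CrowdStrike -> Torq webhook delivery (added example).

Assumptions (not taken from the page): an HMAC secret is configured, the signature
header is X-Webhook-Signature (hex HMAC-SHA256 over the raw body), and the payload
carries detection_id / detection_url / severity keys.
"""
import hashlib
import hmac
import json

# Falcon detection severity names, ranked so trigger conditions can compare them.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def verify_signature(secret, raw_body, signature_header):
    """Constant-time comparison of the expected HMAC-SHA256 hex digest with the header."""
    if not signature_header:
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header.strip().lower())


def parse_detection_event(raw_body):
    """Extract the 'Data to Include' fields; Detection ID is mandatory for detections."""
    event = json.loads(raw_body)
    if "detection_id" not in event:
        raise ValueError("payload has no detection_id; add Detection ID to Data to Include")
    return {
        "detection_id": event["detection_id"],
        "detection_url": event.get("detection_url"),
        "severity": str(event.get("severity", "")).lower(),
    }


def should_trigger(event, min_severity="high"):
    """Torq-side trigger condition: run the workflow only at or above min_severity."""
    return SEVERITY_RANK.get(event["severity"], -1) >= SEVERITY_RANK[min_severity]


def handle_delivery(secret, raw_body, headers, min_severity="high"):
    """Return (outcome, event) where outcome is 'rejected', 'ignored' or 'triggered'.

    Signature verification happens before the body is parsed, so an unauthenticated
    sender cannot even reach the JSON parser.
    """
    if not verify_signature(secret, raw_body, headers.get("X-Webhook-Signature")):
        return "rejected", None
    event = parse_detection_event(raw_body)
    if not should_trigger(event, min_severity):
        return "ignored", event
    return "triggered", event


# Constructed sample delivery for offline use; not a real CrowdStrike payload.
SAMPLE_SECRET = b"rotate-me-regularly"
SAMPLE_BODY = json.dumps({
    "detection_id": "ldt:1234567890abcdef:98765",
    "detection_url": "https://falcon.example.com/detections/98765",
    "severity": "High",
}).encode()
SAMPLE_HEADERS = {
    "X-Webhook-Signature": hmac.new(SAMPLE_SECRET, SAMPLE_BODY, hashlib.sha256).hexdigest()
}

if __name__ == "__main__":
    print(handle_delivery(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
```

The signature is computed over the raw bytes exactly as received, not over a re-serialised copy, because any whitespace or key-order change would produce a different digest.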

Use CrowdStrike Steps in a Workflow in Torq

To use CrowdStrike steps in a workflow, you must first generate a CrowdStrike API key. This key will be required when configuring the CrowdStrike steps integration in Torq.

Generate a CrowdStrike API Key

  1. Click the CrowdStrike icon.

  2. In the Support section, click API Clients and Keys.

  3. In the CLIENT NAME field, type a meaningful name for the API key. For example, TorqWorkflows.

  4. In the DESCRIPTION field, type a meaningful description for the API key. For example, This key is used in Torq workflows to automate investigations of CrowdStrike detections.

  5. Select one or more scopes for the key. Grant only the scopes the steps in your Torq workflows actually need (least privilege): for example, updating a detection's status from a workflow requires the Write scope for Detections, and reading host details requires the Read scope for Hosts. A step that calls an endpoint outside the key's scopes fails with an authorization error rather than silently doing nothing.

  6. Click ADD.

  7. Copy and save the values for the following fields, which you must enter when configuring the CrowdStrike steps integration in Torq. The secret is displayed only once at creation; if you lose it, you must reset it, which invalidates the previous value.

    1. CLIENT ID

    2. SECRET

    3. BASE URL

Create a CrowdStrike Steps Integration in Torq

  1. Go to Build > Integrations > Steps > CrowdStrike.

  2. Set Up Integration:

    • Click Add.

    • Name the integration - you cannot change this later, so ensure you pick a meaningful name.

    • Add the Base URL copied from the API client.

    • Add the Client ID copied from the API client.

    • Add the Client Secret copied from the API client.

    • Click Add to finalize.

Use CrowdStrike Steps in a Workflow

To use CrowdStrike steps in your workflow, you first need to add the Create Session step. It exchanges the Client ID and Secret for an OAuth2 access token, which is then passed as an input parameter to subsequent CrowdStrike steps in the workflow. The token is short-lived (CrowdStrike tokens expire after roughly 30 minutes), so long-running workflows should create the session close to the steps that use it.
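As an added example (not Torq's or CrowdStrike's code), the client below reproduces the step sequence Create Session, Get Device ID by Hostname, Contain Host directly against the Falcon API, so you can see what each Torq step does with the Base URL, Client ID and Secret. The OAuth2 token endpoint and the two Hosts endpoints are CrowdStrike's documented API; the pluggable transport (so it can run offline against a fake) and the hostname allow-list that stops an untrusted hostname from rewriting the FQL filter are this example's own additions.

```python
"""Create Session -> Get Device ID by Hostname -> Contain Host against the Falcon API
(added example, not Torq's or CrowdStrike's code).

Endpoints are CrowdStrike's OAuth2 and Hosts APIs. The `transport` parameter and the
FQL hostname validation are additions of this example.
"""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Allow-list for hostnames interpolated into an FQL filter. A hostname lifted from an
# incoming event could otherwise contain quotes and alter the query (added check).
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-_]{0,254}$")


class FalconError(Exception):
    pass


def _urllib_transport(method, url, headers, body):
    """Default transport: real HTTPS via urllib. Returns (status, raw_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


class FalconSession:
    def __init__(self, base_url, client_id, client_secret, transport=_urllib_transport):
        self.base_url = base_url.rstrip("/")
        self._client_id = client_id
        self._client_secret = client_secret
        self._send = transport
        self._token = None

    def _call(self, method, path, query=None, body=None, auth=True):
        url = self.base_url + path
        if query:
            url += "?" + urllib.parse.urlencode(query)
        headers = {"Accept": "application/json"}
        data = None
        if auth:
            if self._token is None:
                raise FalconError("create_session() must run before other steps")
            headers["Authorization"] = "Bearer " + self._token
        if isinstance(body, dict):
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
        elif body is not None:
            data = body
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        status, raw = self._send(method, url, headers, data)
        if status == 403:
            # The API client exists but lacks the scope for this endpoint.
            raise FalconError(f"{method} {path}: 403, API client lacks a required scope")
        if status >= 400:
            raise FalconError(f"{method} {path}: HTTP {status}: {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def create_session(self):
        """Create Session: exchange Client ID/Secret for a short-lived bearer token."""
        form = urllib.parse.urlencode(
            {"client_id": self._client_id, "client_secret": self._client_secret}
        ).encode()
        resp = self._call("POST", "/oauth2/token", body=form, auth=False)
        self._token = resp["access_token"]
        return resp.get("expires_in")

    def device_id_by_hostname(self, hostname):
        """Get Device ID by Hostname: FQL query returning matching agent IDs (AIDs)."""
        if not _HOSTNAME_RE.match(hostname):
            raise ValueError(f"refusing to build an FQL filter from {hostname!r}")
        resp = self._call("GET", "/devices/queries/devices/v1",
                          query={"filter": f"hostname:'{hostname}'"})
        return resp.get("resources", [])

    def contain_host(self, aid):
        """Contain Host: network-isolate the endpoint (needs the Hosts write scope)."""
        resp = self._call("POST", "/devices/entities/devices-actions/v2",
                          query={"action_name": "contain"}, body={"ids": [aid]})
        return resp.get("resources", [])
```

A 403 is surfaced as a distinct error so that a workflow author can tell a missing scope apart from a bad host ID or an expired token; with the default transport, replace the base URL, ID and secret with the values copied from the API client page.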

Premade Steps

  • Add Host to Group

  • Contain Host

  • Create Indicator

  • Create RTR Session

  • Create Session

  • Delete Host

  • Delete Indicator

  • Delete RTR Session

  • Download Intel Report

  • Download MTRE Report

  • Execute RTR Command

  • Get Actor Details

  • Get Alert Details

  • Get Detection Details

  • Get Device Details

  • Get Device ID by FQL

  • Get Device ID by Hostname

  • Get Device ID by Serial Number

  • Get Falcon Report

  • Get Indicator Details

  • Get Intel Indicator Details

  • Get Remediation Details

  • Get Report Details

  • Get RTR Command Status

  • Get RTR File Contents

  • Get Submission IOC Pack

  • Get Submissions Status

  • Get User UUID by Email

  • Indicator Search for Hosts

  • Indicator Search for Processes

  • Lift Containment on Host

  • List Actor IDs

  • List Actors

  • List Detection IDs

  • List Device IDs

  • List Host Group Members

  • List Host Groups

  • List Intel Indicator IDs

  • List Report IDs

  • List Reports

  • List RTR Session Files

  • List User UUIDs

  • Query Intel Indicators

  • Query Spotlight Vulnerabilities

  • Remove Host from Group

  • Request File Download

  • Restore Host

  • Send RTR Runscript Command

  • Submit Sample to Sandbox

  • Update Alert

  • Update Detection

  • Update Indicator

  • Upload File to Falcon Sandbox
