CrowdStrike

Integrate CrowdStrike with Torq to automate event response workflows using webhooks and API key configurations.

Updated over a week ago

CrowdStrike provides endpoint protection, threat intelligence, and response services.

Torq enables quick and easy integration with CrowdStrike, so you can automate anything and everything within moments. Torq's pre-built CrowdStrike steps include:

  • Add Host to Group

  • Contain Host

  • Create Indicator

  • Create RTR Session

  • Create Session

  • Delete Host

  • Delete Indicator

  • Delete RTR Session

  • Download Intel Report

  • Download MTRE Report

  • +50 more...

As always, if you don't see a step you need, you can create your own steps using Torq's custom step builder and share them within your workspace or organization.

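To trigger a Torq workflow based on events sent from CrowdStrike, see the section on triggering a Torq workflow from CrowdStrike events below.

To use CrowdStrike steps in Torq workflows, see the section on using CrowdStrike steps in a Torq workflow below.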

Trigger a Torq Workflow from CrowdStrike Events

To ingest CrowdStrike incidents as events in Torq, you need to create a CrowdStrike trigger integration and use the generated webhook to configure a plugin and workflow in CrowdStrike.

Step One: Create a CrowdStrike Trigger Integration in Torq

  1. Add the Integration: Go to Build > Integrations > Triggers > CrowdStrike and click Add.

  2. Name the Integration: Give the integration a unique and meaningful name. This cannot be changed later.

  3. Add HMAC Headers: Toggle on HMAC validation.

    1. Click Generate Random Secret, or paste your own generated secret.

    2. Copy this secret; you will need it later.

  4. Finalize: Click Add.

  5. Generate the Webhook: Copy the webhook created to use later.

Step Two: Create a Webhook Plugin in CrowdStrike

In CrowdStrike, you must create a webhook plugin that defines where to send events, detections, etc., and which data to include.

  1. Go to CrowdStrike Store: Go to Menu > CrowdStrike Store > All Apps.

  2. Find the Webhook: In the Plugins section, locate the CrowdStrike Webhook card, click on it, and then click Configure.

  3. Configure Webhook: Click Add configuration.

    1. Name: Give the webhook a meaningful name.

    2. Webhook URL: Paste the URL you generated in Torq earlier.

    3. HMAC Secret Key: Paste the HMAC secret you generated earlier.

  4. Finalize: Click Save configuration.

  5. Create a Workflow in CrowdStrike: Follow the steps below to create a workflow whose notifications are sent to the webhook.
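
What the shared HMAC secret from Step One and Step Two provides, as an added example that is not Torq's or CrowdStrike's code: the sender signs each delivery with the secret, and the receiver recomputes the signature and rejects altered, forged, or replayed requests. The header names, the timestamp-plus-body signing string, the hex encoding, and the sample payload are assumptions for illustration; the page does not document the actual wire format.

```python
import hashlib
import hmac
import time

# Assumptions for illustration (the page does not document the wire format):
# header names are hypothetical, and the sender signs "<timestamp>.<raw body>"
# with HMAC-SHA256 and sends the digest hex-encoded.
SIG_HEADER = "x-example-signature"
TS_HEADER = "x-example-timestamp"
MAX_SKEW_SECONDS = 300  # deliveries older than this are treated as replays


def sign(secret, timestamp, body):
    """Sender side: signature attached to the outgoing webhook request."""
    message = timestamp.encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret, headers, body, now=None):
    """Receiver side: return (accepted, reason) for one delivery."""
    lowered = {k.lower(): v for k, v in headers.items()}
    sig, ts = lowered.get(SIG_HEADER), lowered.get(TS_HEADER)
    if not sig or not ts:
        return False, "missing signature or timestamp header"
    try:
        sent_at = int(ts)
    except ValueError:
        return False, "malformed timestamp"
    now = time.time() if now is None else now
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale delivery"
    expected = sign(secret, ts, body)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False, "signature mismatch"
    return True, "ok"


# Constructed sample delivery; field names and values are made up.
SECRET = b"constructed-demo-secret"
BODY = b'{"alert_id": "constructed-123", "severity": "High"}'
NOW = 1_700_000_000
GOOD = {"X-Example-Timestamp": str(NOW),
        "X-Example-Signature": sign(SECRET, str(NOW), BODY)}

if __name__ == "__main__":
    print(verify(SECRET, GOOD, BODY, now=NOW))                 # valid
    print(verify(SECRET, GOOD, BODY + b" ", now=NOW))          # body altered
    print(verify(b"other-secret", GOOD, BODY, now=NOW))        # wrong secret
    print(verify(SECRET, GOOD, BODY, now=NOW + 3600))          # replayed later
```

Without HMAC validation, anyone who learns the webhook URL can submit events to the trigger; with it, they also need the secret.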

Step Three: Create a Workflow in CrowdStrike

The workflow in CrowdStrike defines which alerts/detections and data to send to Torq via the webhook plugin.

Follow these steps, or see the YAML attached at the bottom of this article, which you can upload to CrowdStrike as a pre-configured webhook workflow.

  1. Navigate to Workflows: In CrowdStrike, go to Next Gen SIEM > Fusion SOAR > Workflows.

  2. Create Workflow: Click Create a Workflow > Create a Workflow from Scratch and click Next.

  3. Pick a Trigger: Select a trigger for the action (Event, Schedule, or On Demand).

    1. Under Event triggers, choose a relevant trigger category, such as Alert, and a subcategory.

  4. Define the Workflow:

    1. Click the arrow on the trigger and add an Action.

    2. From the Action drop-down menu, type Call webhook and then select the webhook you created to send events to Torq.

  5. Select Data: Select the data to include from the Data to Include drop-down menu.

    1. The following Data to Include selections are recommended:

      1. Under Category - Alert:

        1. Alert ID

        2. Description

        3. Name

        4. Product

        5. Severity

        6. Status

        7. Tags

        8. Tactics

        9. Techniques

      2. Under Category - Trigger:

        1. Category

        2. Customer ID

        3. Observed event time

        4. Source event ID

        5. Source event URL

        6. Trigger ID

        7. Trigger name

      3. Under Category - Workflow:

        1. Execution ID

        2. Workflow name

        3. Workflow execution timestamp

  6. Finalize: Click Save.

Now that you've successfully created a CrowdStrike trigger, you can build your first CrowdStrike-initiated workflow!

In Torq, go to Build > Workflows > Create a Workflow > New Blank Workflow, and select the trigger type: Integrations > CrowdStrike. Find your new trigger, and automate away!


Use CrowdStrike Steps in a Torq Workflow

To use CrowdStrike steps in a workflow, you must first generate a CrowdStrike API key. This key will be required when configuring the CrowdStrike steps integration in Torq.

Step One: Generate a CrowdStrike API Key

  1. Navigate to API Clients and Keys: Click the menu and go to Support > Resources and tools > API Clients and Keys.

  2. Create a Client: Click Create API client.

    1. Give the client a unique and meaningful name. For example, TorqWorkflows.

    2. Give the client a relevant description. For example, This key is used in Torq workflows to automate investigations of CrowdStrike detections.

    3. Select one or more scopes for the key. You must apply relevant scopes to perform desired actions within Torq workflows. For example, if you want to modify or edit a detection within a workflow, you need to apply the Read and Write scope for Detections.

  3. Finalize: Click Create.

  4. Save Information: Copy and save the values for the following fields, which you must enter when configuring the CrowdStrike steps integration in Torq. Be sure to save them somewhere - you will not be able to access them again.

    1. CLIENT ID

    2. SECRET

    3. BASE URL

Step Two: Create a CrowdStrike Steps Integration in Torq

  1. Navigate to Integration: In Torq, go to Build > Integrations > Steps > CrowdStrike and click Add.

  2. Set Up Integration:

    1. Give the integration a unique and meaningful name - you cannot change this later.

    2. Add the Base URL created earlier.

    3. Add the Client ID created earlier.

    4. Add the Client Secret created earlier.

  3. Finalize: Click Add to save.

Step Three: Use CrowdStrike Steps in a Workflow

  1. Access Token: CrowdStrike requires an access token for API call sessions.

  2. Add Step: Before using CrowdStrike steps in a workflow, you must add the CrowdStrike step Create a session to your canvas.

  3. Automate Token Creation: The Create a session step generates an access token, which is then used as an input parameter for subsequent CrowdStrike steps within that workflow.

    1. A new access token is created per workflow execution.
