Skip to main content
All CollectionsTemplatesBasic
Open a PagerDuty Incident on Host Detection (CrowdStrike) - Workflow Template
Open a PagerDuty Incident on Host Detection (CrowdStrike) - Workflow Template

Receive an event from CrowdStrike, if event is critical or high, open an incident with PagerDuty and enrich the IOC details with VirusTotal

Updated over 6 months ago

This Torq workflow template offers a robust response to critical cybersecurity threats. When CrowdStrike detects a high or critical threat incident, the workflow triggers, extracting event details to determine the severity. If the event is graded as high or critical, VirusTotal further enriches Indicator of Compromise (IOC) details. Finally, the workflow automates the creation of an incident in PagerDuty with the appropriate service ID and escalation policy, ensuring rapid response and resolution of the security threat.

Take Me to the Template

Trigger

CrowdStrike

Optional Triggers

Webhook

Use Cases

Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Receive an event from CrowdStrike

  2. Pull the event details from the detection ID in CrowdStrike

  3. If event is either Critical or High enrich the event IOC with VirusTotal

  4. Open incident with PagerDuty with the configured escalation policy and service id

Vendors

PagerDuty, Utils, VirusTotal, CrowdStrike

Workflow Output

Incident creation in PagerDuty

Tips

Modify the first \"Set Workflow Variables\" step to match your environment

Related Articles
PagerDuty
Create IOCs on Malicious Files from a CrowdStrike Incident - Workflow Template
Open a TheHive case triggered by SentinelOne findings - Workflow Template
Create IOCs on Malicious Files from a CrowdStrike Detection - Workflow Template
Cache VirusTotal Threat Intelligence Findings on an IOC - Workflow Template
Did this answer your question?