Create IOCs on Malicious Files from a CrowdStrike Incident - Workflow Template

For each new EDR incident, validate the files involved with threat intelligence, and add to the global block list if found to be malicious

Updated over a week ago

This workflow template automates the handling of incidents detected by CrowdStrike's Endpoint Detection and Response (EDR) platform. When an incident event arrives, the workflow extracts the detection IDs and gathers the detailed information for each ID. It then loops over the resources and behaviors associated with each detection and checks the SHA256 hash of every file against VirusTotal's threat intelligence database. If a file is confirmed as malicious, its hash is automatically added to the global block list in CrowdStrike as an IOC, preventing further access or execution on the endpoint. The workflow streamlines the identification and mitigation of threats and shortens the organization's response time.

Trigger

CrowdStrike

Use Cases

Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Receive an event from a CrowdStrike Incident

  2. Pull the detection IDs and pull the details based on each ID that is found

  3. Loop over the resources and behaviors that were found in the detection

  4. Check the SHA256 hash of each file referenced in the behaviors against VirusTotal

  5. If a file is found to be malicious, add its hash as an IOC to the block list for the platform specified
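The decision logic of steps 3 to 5, as an added, self-contained example that is not part of this template or of the CrowdStrike or VirusTotal APIs: the detection payload shape, the verdict format and the engine-count threshold are all constructed assumptions, so the real API calls are replaced by in-memory sample data.

```python
from dataclasses import dataclass

# Constructed sample detection details; the shape is a simplified assumption,
# not the real CrowdStrike API response.
SAMPLE_DETECTIONS = [
    {"detection_id": "ldt:demo-host-1:1001", "platform": "windows",
     "behaviors": [{"filename": "dropper.exe", "sha256": "a" * 64},
                   {"filename": "notepad.exe", "sha256": "b" * 64},
                   {"filename": "dropper.exe", "sha256": "A" * 64}]},  # same hash, other case
    {"detection_id": "ldt:demo-host-2:1002", "platform": "linux",
     "behaviors": [{"filename": "miner", "sha256": "c" * 64}]},
]
# Constructed VirusTotal-style verdicts: number of engines flagging each hash.
SAMPLE_VT_VERDICTS = {"a" * 64: 41, "b" * 64: 0, "c" * 64: 7}
MALICIOUS_ENGINE_THRESHOLD = 5  # assumption: >= 5 engine detections means malicious


@dataclass(frozen=True)
class Ioc:
    sha256: str
    platform: str
    source_detection: str
    action: str = "prevent"


def extract_hashes(detection):
    """Step 3: unique, normalised SHA256 hashes across a detection's behaviors."""
    hashes = set()
    for behavior in detection.get("behaviors", []):
        h = (behavior.get("sha256") or "").lower()
        if len(h) == 64:  # skip behaviors that carry no file hash
            hashes.add(h)
    return sorted(hashes)


def is_malicious(sha256, verdicts, threshold=MALICIOUS_ENGINE_THRESHOLD):
    """Step 4: VirusTotal check; hashes unknown to VT are treated as not malicious."""
    return verdicts.get(sha256, 0) >= threshold


def build_block_list(detections, verdicts):
    """Steps 3-5: check every behavior hash, emit one IOC per malicious hash and platform."""
    iocs, seen = [], set()
    for det in detections:
        for h in extract_hashes(det):
            key = (h, det["platform"])
            if key in seen or not is_malicious(h, verdicts):
                continue
            seen.add(key)
            iocs.append(Ioc(h, det["platform"], det["detection_id"]))
    return iocs
```

Running `build_block_list(SAMPLE_DETECTIONS, SAMPLE_VT_VERDICTS)` yields two IOCs (the Windows dropper and the Linux miner); the benign hash and the duplicate behavior are dropped.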

Vendors

Slack, Utils, VirusTotal, CrowdStrike

Workflow Output

New IOCs in CrowdStrike for each file confirmed as malicious
