This workflow template automates the handling of incidents detected by CrowdStrike's Endpoint Detection and Response (EDR) system. On receiving an incident event, the workflow extracts the detection IDs and gathers detailed information for each one. It then loops over the resources and behaviors associated with each detection and checks the files' SHA256 hashes against VirusTotal's threat intelligence database. Any file confirmed as malicious is automatically added to the global block list in CrowdStrike, preventing further access or execution on the endpoint. The workflow streamlines the identification and mitigation of threats and strengthens an organization's security response.
Trigger
CrowdStrike
Use Cases
Endpoint Detection and Response (EDR)
Workflow Breakdown
Receive an event from a CrowdStrike Incident
Pull the detection IDs and retrieve the details for each ID that is found
Loop over the resources and behaviors that were found in the detection
Check the SHA256 hash of every behavior against VirusTotal
If found to be malicious, add the IOC to the block list for the specified platform
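The five steps above, as an added Python example that is not part of the template or of either vendor's code: the detection details, the VirusTotal-style verdicts, the field names and the five-engine "malicious" threshold are all constructed assumptions for illustration. It shows the parts a practitioner usually has to get right by hand: deduplicating hashes, skipping behaviors with no usable hash, and never blocking a hash VirusTotal has no verdict for.

```python
"""Added example: per-detection hash triage for a CrowdStrike -> VirusTotal -> block-list flow."""
from typing import Dict, List, Set

# Constructed detection details; field names are assumptions, not the vendor's exact schema.
DETECTION_DETAILS = {
    "resources": [
        {
            "detection_id": "ldt:CONSTRUCTED-HOST:1001",
            "behaviors": [
                {"sha256": "a" * 64, "filename": "dropper.exe"},
                {"sha256": "b" * 64, "filename": "updater.exe"},
                {"sha256": "a" * 64, "filename": "dropper.exe"},  # same hash seen twice
                {"sha256": "", "filename": "script.ps1"},          # no hash recorded
            ],
        }
    ]
}

# Constructed VirusTotal-style verdicts keyed by hash (last_analysis_stats shape, assumed).
VT_VERDICTS = {
    "a" * 64: {"malicious": 41, "suspicious": 2, "harmless": 0, "undetected": 20},
    "b" * 64: {"malicious": 0, "suspicious": 0, "harmless": 50, "undetected": 13},
}


def extract_hashes(details: dict) -> Set[str]:
    """Collect unique, well-formed SHA256 values from every behavior in every resource."""
    hashes: Set[str] = set()
    for resource in details.get("resources", []):
        for behavior in resource.get("behaviors", []):
            h = (behavior.get("sha256") or "").lower()
            if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
                hashes.add(h)
    return hashes


def is_malicious(stats: dict, min_engines: int = 5) -> bool:
    """Treat a file as malicious when at least min_engines engines flag it (assumed threshold)."""
    return stats.get("malicious", 0) >= min_engines


def build_block_list(details: dict, verdicts: Dict[str, dict], platform: str = "windows") -> List[dict]:
    """Return IOC entries for confirmed-malicious hashes; hashes with no verdict are not blocked."""
    iocs: List[dict] = []
    for h in sorted(extract_hashes(details)):
        stats = verdicts.get(h)
        if stats is not None and is_malicious(stats):
            iocs.append({"type": "sha256", "value": h, "action": "prevent", "platforms": [platform]})
    return iocs
```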
Vendors
Slack, Utils, VirusTotal, CrowdStrike
Workflow Output
New IOCs in CrowdStrike for malicious file findings