
Create IOCs on Malicious Files from a CrowdStrike Alert - Workflow Template

For each new EDR alert, validate the files involved against threat intelligence and add them to the global block list if found to be malicious


This workflow template enables organizations to streamline their incident response process for Endpoint Detection and Response (EDR) alerts from CrowdStrike. By automatically validating suspicious files against VirusTotal, the workflow promptly identifies potential threats and updates a global block list to prevent future incidents. It correlates alerts and delivers grouped notifications via Slack for enhanced communication and swift decision-making.

Trigger

CrowdStrike

Use Cases

Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Receive an event from CrowdStrike.

  2. Use Alert ID to fetch behavior details.

  3. Loop over resources that were found in the alert.

  4. Check the SHA256 hash of each behavior's file with VirusTotal.

  5. If found to be malicious, add the IOC to the block list for the specified platform.

  6. Correlate Alerts and group Slack notifications in a Thread.
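The decision logic of steps 2 to 6, as an added offline example that is not the template's own code: the alert shape, field names and the VirusTotal stand-in are constructed for illustration, not the real CrowdStrike or VirusTotal schemas, and the malicious threshold of 5 engines is an assumption.

```python
from collections import defaultdict

# Constructed sample alert, loosely shaped like an EDR detection with behaviors.
SAMPLE_ALERT = {
    "alert_id": "ldt:constructed-0001",
    "hostname": "WS-042",
    "behaviors": [
        {"filename": "dropper.exe", "platform": "windows", "sha256": "a" * 64},
        {"filename": "notepad.exe", "platform": "windows", "sha256": "b" * 64},
        {"filename": "dropper.exe", "platform": "windows", "sha256": "a" * 64},  # duplicate
    ],
}

# Constructed stand-in for a VirusTotal file report: hash -> (malicious, total engines).
VT_STUB = {"a" * 64: (41, 70), "b" * 64: (0, 70)}

def is_malicious(sha256, lookup=VT_STUB, threshold=5):
    """Treat a file as malicious when at least `threshold` engines flag it (assumed cutoff).
    Unknown hashes (no report) are not blocked; they should be triaged by an analyst."""
    report = lookup.get(sha256)
    if report is None:
        return False
    malicious, _total = report
    return malicious >= threshold

def process_alert(alert, block_list=None, threads=None):
    """Walk behaviors, look each valid hash up once, block by platform,
    and group the resulting notifications under the alert's Slack thread."""
    block_list = block_list if block_list is not None else defaultdict(set)
    threads = threads if threads is not None else defaultdict(list)
    seen = set()
    for b in alert["behaviors"]:
        sha = b["sha256"].lower()
        # Reject anything that is not a 64-char hex digest before spending a lookup.
        if len(sha) != 64 or any(c not in "0123456789abcdef" for c in sha):
            continue
        if sha in seen:  # correlate: same hash in one alert -> one lookup, one message
            continue
        seen.add(sha)
        if is_malicious(sha):
            block_list[b["platform"]].add(sha)
            threads[alert["alert_id"]].append(f"blocked {b['filename']} ({sha[:12]}...)")
        else:
            threads[alert["alert_id"]].append(f"clean/unknown {b['filename']}")
    return block_list, threads

if __name__ == "__main__":
    bl, th = process_alert(SAMPLE_ALERT)
    print(dict(bl)); print(dict(th))
```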

Vendors

Utils, VirusTotal, CrowdStrike

Tips

  • Modify the first "Workflow Parameters" variable step to match your information.
