This workflow template enables organizations to streamline their incident response process for Endpoint Detection and Response (EDR) alerts from CrowdStrike. By automatically validating suspicious files against VirusTotal, the workflow promptly identifies potential threats and updates a global block list to prevent future incidents. It correlates alerts and delivers grouped notifications via Slack for enhanced communication and swift decision-making.
Trigger
CrowdStrike
Use Cases
Endpoint Detection and Response (EDR)
Workflow Breakdown
Receive an event from CrowdStrike.
Use Alert ID to fetch behavior details.
Loop over resources that were found in the alert.
Check the SHA256 hash of a behavior against VirusTotal.
If found to be malicious, add the IOC to the block list for the platform specified.
Correlate Alerts and group Slack notifications in a Thread.
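The breakdown above, carried through as a runnable example. This is added illustration, not the template's own code or CrowdStrike's, VirusTotal's or Slack's API: the alert and behavior shapes, the VirusTotal-style verdict records, the engine-count threshold and the in-memory block list and "threads" are all constructed so it runs offline. In a real integration `lookup_hash` would call VirusTotal (the v3 file endpoint returns `last_analysis_stats` with a `malicious` count), `BlockList.add` would create an IOC through the CrowdStrike IOC API, and each thread list would be a Slack thread.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed policy knob: how many engines must flag a file before it is treated as malicious.
MALICIOUS_ENGINE_THRESHOLD = 5

# Constructed sample alerts, loosely shaped like a CrowdStrike detection with its behaviors.
SAMPLE_ALERTS = [
    {
        "alert_id": "alert-0001",
        "hostname": "WS-FIN-07",
        "platform": "windows",
        "behaviors": [
            {"sha256": "a" * 64, "filename": "invoice.exe"},
            {"sha256": "b" * 64, "filename": "notepad.exe"},
            {"sha256": "a" * 64, "filename": "invoice (1).exe"},  # same hash, second behavior
        ],
    },
    {
        "alert_id": "alert-0002",
        "hostname": "WS-FIN-07",  # same host, so it belongs in the same thread
        "platform": "windows",
        "behaviors": [
            {"sha256": "a" * 64, "filename": "invoice.exe"},  # already blocked by alert-0001
            {"sha256": "c" * 64, "filename": "updater.exe"},  # never seen by VirusTotal
        ],
    },
]

# Constructed VirusTotal-style verdicts keyed by hash (stands in for the file lookup call).
SAMPLE_VT_DB = {
    "a" * 64: {"malicious": 42, "suspicious": 3, "undetected": 20, "harmless": 0},
    "b" * 64: {"malicious": 0, "suspicious": 0, "undetected": 70, "harmless": 0},
}


def lookup_hash(sha256, vt_db=SAMPLE_VT_DB):
    """Step 4: return the analysis stats for a hash, or None if VirusTotal has no record."""
    return vt_db.get(sha256)


def classify(stats, threshold=MALICIOUS_ENGINE_THRESHOLD):
    """Turn raw engine counts into one of 'unknown', 'clean' or 'malicious'."""
    if stats is None:
        return "unknown"
    return "malicious" if stats.get("malicious", 0) >= threshold else "clean"


@dataclass
class BlockList:
    """Step 5: global block list keyed by (platform, sha256); adds are idempotent."""
    entries: dict = field(default_factory=dict)

    def add(self, platform, sha256, alert_id):
        key = (platform, sha256)
        if key in self.entries:
            return False  # already blocked: rerunning the workflow must not duplicate IOCs
        self.entries[key] = alert_id
        return True


def process_alert(alert, blocklist, threads, vt_db=SAMPLE_VT_DB):
    """Steps 3 to 6 for one alert. `threads` maps a correlation key to the list of
    messages posted in that thread; returns the messages this alert produced."""
    thread_key = (alert["hostname"], alert["platform"])  # correlation key: one thread per host
    posted = []
    seen = set()
    for behavior in alert["behaviors"]:
        sha256 = behavior["sha256"]
        if sha256 in seen:
            continue  # one VirusTotal lookup per distinct hash per alert
        seen.add(sha256)
        verdict = classify(lookup_hash(sha256, vt_db))
        action = "no action"
        if verdict == "malicious":
            added = blocklist.add(alert["platform"], sha256, alert["alert_id"])
            action = "added to block list" if added else "already on block list"
        msg = (f"[{alert['alert_id']}] {behavior['filename']} "
               f"{sha256[:12]}... verdict={verdict} ({action})")
        threads[thread_key].append(msg)
        posted.append(msg)
    return posted


def run(alerts=SAMPLE_ALERTS, vt_db=SAMPLE_VT_DB):
    """Steps 1 to 6 over a batch of alerts; returns the block list and the grouped threads."""
    blocklist = BlockList()
    threads = defaultdict(list)
    for alert in alerts:
        process_alert(alert, blocklist, threads, vt_db)
    return blocklist, dict(threads)


if __name__ == "__main__":
    bl, th = run()
    for key, msgs in th.items():
        print(f"Thread {key}:")
        for m in msgs:
            print("  ", m)
    print("Block list:", bl.entries)
```

Two details matter in practice and are modelled here: the block-list add is idempotent, so a replayed or duplicate alert does not create a second IOC, and a hash VirusTotal has never seen is reported as "unknown" rather than silently treated as clean, which is the case an analyst most needs to see in the thread.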
Vendors
Utils, VirusTotal, CrowdStrike
Tips
Modify the first "Workflow Parameters" variable step to match your information.