Skip to main content

Create IOCs on Malicious Files from a CrowdStrike Alert - Workflow Template

For each new EDR alert, validate the files involved with threat intelligence, add to global block list if found to be malicious

Updated over 3 weeks ago

This workflow template enables organizations to streamline their incident response process for Endpoint Detection and Response (EDR) alerts from CrowdStrike. By automatically validating suspicious files against VirusTotal, the workflow promptly identifies potential threats and updates a global block list to prevent future incidents. It correlates alerts and delivers grouped notifications via Slack for enhanced communication and swift decision-making.

Take Me to the Template

Trigger

CrowdStrike

Use Cases

Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Receive an event from CrowdStrike.

  2. Use Alert ID to fetch behavior details.

  3. Loop over resources that were found in the alert.

  4. Check the SHA256 signature of a behavior with VirusTotal.

  5. If found to be malicious, add to the IOC to the block list for the platform specified.

  6. Correlate Alerts and group Slack notifications in a Thread.

Vendors

Utils, VirusTotal, CrowdStrike

Tips

  • Modify the first "Workflow Parameters" variable step to match your information.

Related Articles
Open a PagerDuty Incident on Host Detection (CrowdStrike) - Workflow Template
Create IOCs on Malicious Files from a CrowdStrike Incident - Workflow Template
Enrich SentinelOne Threat Finding and Run Singularity XDR Search - Workflow Template
Request File Download From CrowdStrike Using Real Time Response - Workflow Template
Create Cases from Crowdstrike Detections found in Splunk - Workflow Template
Did this answer your question?