This workflow template automates the handling of new Endpoint Detection and Response (EDR) detections from CrowdStrike. When an event arrives, it decodes the detection ID, retrieves the detection details, and checks the SHA256 hash of each related file against VirusTotal's threat intelligence. Files confirmed as malicious are automatically added to a global block list, preventing execution of or access to those files across the platform and so strengthening the organization's defenses. This streamlines the management and neutralization of threats identified by CrowdStrike.
Trigger
CrowdStrike
Use Cases
Endpoint Detection and Response (EDR)
Workflow Breakdown
Receive an event from CrowdStrike
Decode the detection ID and pull the details based on the ID
Loop over the resources and behaviors that were found in the detection
Check the SHA256 hash of every behavior against VirusTotal
If a hash is found to be malicious, add the IOC to the block list for the specified platform
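The decision logic of steps 3 to 5, as an added Python example that is not part of the template or of either vendor's SDK; the detection and VirusTotal field names it uses are assumed shapes, the threshold is an assumption, and all data is constructed so it runs offline:

```python
# Added example (not the template's own code): models steps 3-5 of the workflow
# over constructed data. The field names behaviors[].sha256, behaviors[].platform
# and last_analysis_stats.malicious are ASSUMPTIONS about the CrowdStrike detection
# summary and VirusTotal v3 file-report shapes; the IOC entry shape is likewise assumed.
from collections import defaultdict

MALICIOUS_ENGINE_THRESHOLD = 5  # assumption: how many VT engines must agree before blocking

# Constructed CrowdStrike detection detail: one detection with several behaviors.
DETECTION = {
    "detection_id": "ldt:EXAMPLE:1",  # placeholder, not a real detection ID
    "behaviors": [
        {"sha256": "a" * 64, "filename": "dropper.exe", "platform": "windows"},
        {"sha256": "a" * 64, "filename": "dropper.exe", "platform": "windows"},  # duplicate
        {"sha256": "b" * 64, "filename": "notepad.exe", "platform": "windows"},
        {"sha256": "c" * 64, "filename": "agent", "platform": "linux"},
        {"filename": "cmd.exe", "platform": "windows"},  # no hash: nothing to look up
    ],
}

# Constructed VirusTotal results keyed by hash; an absent key means VT has never seen the file.
VT_REPORTS = {
    "a" * 64: {"last_analysis_stats": {"malicious": 41, "undetected": 20}},
    "b" * 64: {"last_analysis_stats": {"malicious": 0, "undetected": 70}},
}

def unique_hashes(detection):
    """Step 3: collect each SHA256 once, together with every platform it was seen on."""
    seen = defaultdict(set)
    for b in detection.get("behaviors", []):
        h = b.get("sha256")
        if h and len(h) == 64:  # skip behaviors with no usable hash
            seen[h.lower()].add(b.get("platform", "windows"))
    return seen

def vt_verdict(sha256, reports=VT_REPORTS, threshold=MALICIOUS_ENGINE_THRESHOLD):
    """Step 4: 'malicious' only when enough engines agree; unknown hashes are never blocked."""
    report = reports.get(sha256)
    if report is None:
        return "unknown"
    hits = report["last_analysis_stats"].get("malicious", 0)
    return "malicious" if hits >= threshold else "clean"

def build_block_list(detection, reports=VT_REPORTS):
    """Step 5: one block-list IOC per malicious hash, scoped to the platforms it appeared on."""
    iocs = []
    for h, platforms in unique_hashes(detection).items():
        if vt_verdict(h, reports) == "malicious":
            iocs.append({"type": "sha256", "value": h, "action": "prevent",
                         "platforms": sorted(platforms)})
    return iocs

if __name__ == "__main__":
    print(build_block_list(DETECTION))  # one entry for the 'a'*64 hash, windows only
```

A hash VirusTotal has never seen (the linux binary above) is reported as unknown rather than blocked, so such cases surface for analyst review instead of silently passing or silently blocking.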
Vendors
Slack, Utils, VirusTotal, CrowdStrike
Tips
Modify the first "Set Workflow Variables" step to match your information