Skip to main content
All CollectionsTemplatesBasic
Create IOCs on Malicious Files from a CrowdStrike Detection - Workflow Template
Create IOCs on Malicious Files from a CrowdStrike Detection - Workflow Template

For each new EDR detection, validate the files involved with threat intelligence, add to global block list if found to be malicious

Updated over 6 months ago

This workflow template automates the process of handling new Endpoint Detection and Response (EDR) detections from CrowdStrike. Upon receiving an event, it decodes the detection ID, retrieves detailed information, and checks each related file's SHA256 signature against VirusTotal's threat intelligence. Files confirmed as malicious are automatically added to a global block list, enhancing an organization's defense by preventing the execution or access of such files across their platform. This streamlines the process of managing and neutralizing threats identified by CrowdStrike.

Take Me to the Template

Trigger

CrowdStrike

Use Cases

Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Receive an event from CrowdStrike

  2. Decode the detection ID and pull the details based on the ID

  3. Loop over the resources and behaviors that were found in the detection

  4. Check the SHA256 signature of all behaviors with VirusTotal

  5. If found to be malicious, add to the IOC to the block list for the platform specified

Vendors

Slack, Utils, VirusTotal, CrowdStrike

Tips

Modify the first \"Set Workflow Variables\" step to match your information

Related Articles
Enrich New Cybereason MalOps File Hash Detail - Workflow Template
Open a PagerDuty Incident on Host Detection (CrowdStrike) - Workflow Template
Create IOCs on Malicious Files from a CrowdStrike Incident - Workflow Template
Enrich SentinelOne Threat Finding and Run Singularity XDR Search - Workflow Template
Create Cases from Crowdstrike Detections found in Splunk - Workflow Template
Did this answer your question?