Create Cases from CrowdStrike Detections found in Splunk - Workflow Template

Query Splunk for new CrowdStrike detections and create a Torq case for each detected event, including host and user details.

Updated over 2 months ago

This workflow, scheduled to regularly query Splunk, identifies new CrowdStrike detections and creates a detailed Torq case for each incident. It enriches each detection with comprehensive information on the affected device and user, obtained directly from CrowdStrike, ensuring that every Torq case is packed with valuable context for thorough incident investigation and response. This integration optimizes case management and enhances an organization's Endpoint Detection and Response (EDR) capabilities through streamlined detection, enrichment, and response automation.

Use Cases

Case Management, Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Query Splunk on a schedule to find new CrowdStrike detections

  2. Loop over each detection and enrich it with device and user details from CrowdStrike

  3. Open a Torq case with the details from each CrowdStrike detection, and create observables and custom fields as part of the Torq case

Vendors

Utils, CrowdStrike, Splunk, Torq, Torq Cases

Workflow Output

New Torq cases for CrowdStrike detections from events sent to Splunk
