Skip to main content
All CollectionsTemplatesIntermediate
Create Cases from Crowdstrike Detections found in Splunk - Workflow Template
Create Cases from Crowdstrike Detections found in Splunk - Workflow Template

Query Splunk for new Crowdstrike detections and create Torq cases for events that are detected including host and user details.

Updated over a month ago

This workflow, scheduled to regularly query Splunk, identifies new CrowdStrike detections and creates a detailed Torq case for each incident. It enriches each detection with comprehensive information on the affected device and user, obtained directly from CrowdStrike, ensuring that every Torq case is packed with valuable context for thorough incident investigation and response. This integration optimizes case management and enhances an organization's Endpoint Detection and Response (EDR) capabilities through streamlined detection, enrichment, and response automation.

Take Me to the Template

Use Cases

Case Management , Endpoint Detection and Response (EDR)

Workflow Breakdown

  1. Query Splunk on a schedule to find new Crowdstrike detections

  2. Loop over each detection and enrich details from Crowdstrike on the device and user

  3. Open a Torq case with the details from each Crowdstrike detection and create observables and custom fields as part of the Torq case

Vendors

Utils, CrowdStrike, Splunk, Torq, Torq Cases

Workflow Output

New Torq cases for Crowdstrike detections from events sent to Splunk

Related Articles
Open a PagerDuty Incident on Host Detection (CrowdStrike) - Workflow Template
Create IOCs on Malicious Files from a CrowdStrike Incident - Workflow Template
Enrich SentinelOne Threat Finding and Run Singularity XDR Search - Workflow Template
Create Cases from SentinelOne Events found in Azure Sentinel - Workflow Template
Create Torq Cases from SentinelOne Threats Reported in Chronicle - Workflow Template
Did this answer your question?