CrowdStrike
  • 06 Mar 2023

Article Summary

CrowdStrike provides endpoint protection, threat intelligence, and response services.

Use CrowdStrike to trigger Torq workflows

In order to ingest CrowdStrike cloud security alerts, detections, incidents, or policies as events in Torq, you need to create a CrowdStrike trigger integration and use the generated webhook URL (Torq endpoint) to configure a webhook plugin and workflow in CrowdStrike.

In Torq - Create a CrowdStrike trigger integration

     1. Go to the Integrations page, locate the CrowdStrike card in the Triggers section, and click Add.
     2. Type a meaningful name for the integration instance and click Add.
     3. Locate the integration in the table and copy the webhook URL.


CrowdStrike trigger integration in Torq

In CrowdStrike - Send events to Torq

In CrowdStrike you have to create a Webhook plugin, which defines where to send events, detections, etc., and which data to include with them. When getting started, we recommend using a single CrowdStrike workflow that sends all events to Torq, and applying trigger conditions on the Torq side to narrow the events each Torq workflow handles.

Create a webhook plugin in CrowdStrike

The webhook plugin that you create will be the action you define for the workflow.

     1. Click the CrowdStrike icon and go to CrowdStrike Store (All Apps).
     2. In the Plugins section, locate the Webhook card, and click Enable.
     3. On the Webhook page, click Configure.
     4. Click Add Configuration.
     5. Enter a meaningful name for the webhook, such as Send CS detections to Torq.
     6. Paste the Torq webhook URL you created earlier and click Save configuration.

Create a workflow

The workflow defines which alerts/detections and data to send to Torq via the webhook plugin.

  1. In CrowdStrike, go to Host setup and management > Automated workflows > Fusion workflows.
  2. Select a trigger for the action (Audit event, Cloud security assessment, New detection, New incident, or Workflow execution).
  3. (Optional) Click the + icon next to the trigger and select Add condition to define trigger conditions. We recommend you send all trigger events and apply conditions in the Torq workflow trigger.
  4. Define the workflow action.
     a. Click the + icon next to the trigger and select Add action.
     b. From the Action type drop-down menu, select Notifications.
     c. From the Action drop-down menu, select Call webhook, then select the webhook you created to send events to Torq (in our example, Send CS detections to Torq).
     d. Select the data to include from the Data to include drop-down menu. If you're sending detections, you must select Detection ID. Selecting Detection URL as well lets you easily pass the detection URL along in a Torq workflow.

Use CrowdStrike steps in a workflow in Torq

In order to use CrowdStrike steps as part of a workflow, you first need to generate a CrowdStrike API key. This key will be required when configuring the CrowdStrike steps integration in Torq.

Generate a CrowdStrike API Key

     1. Click the CrowdStrike icon.
     2. In the Support section, click API Clients and Keys.
     3. In the CLIENT NAME field, type a meaningful name for the API key. For example, TorqWorkflows.
     4. In the DESCRIPTION field, type a meaningful description for the API key. For example, This key is used in Torq workflows to automate investigations of CrowdStrike detections.
     5. Select one or more scopes for the key. The scopes must cover the actions your Torq workflows will perform. For example, if a workflow modifies a detection (e.g., updates its status), the key needs the Write scope for Detections. If the key lacks the permissions a step requires, the step fails with an error saying so.
     6. Click ADD.
     7. Copy and save the values for the following fields; you will enter them when configuring the CrowdStrike steps integration in Torq.
          a. CLIENT ID
          b. SECRET
          c. BASE URL

Create a CrowdStrike steps integration in Torq

     1. Go to the Integrations page, locate the CrowdStrike card in the Steps section, and click Add.
     2. Type a meaningful name for the integration.
     3. Enter the values for the following fields. You copied and saved these in earlier steps.
          a. CLIENT ID
          b. SECRET
          c. BASE URL
     4. Click Add.

Use CrowdStrike steps in a workflow

In order to use CrowdStrike steps in your workflow, you first need to add the step Create a session. This step generates an access token, which is then used as an input parameter for the subsequent CrowdStrike steps in the workflow.

In the example below, we create a session and then pass the generated token as an input parameter for the step Get a list of actors.
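To show what the Create a session step does under the hood, here is an added example (not Torq's or CrowdStrike's own code) that exchanges the API client's CLIENT ID and SECRET for a bearer token at the Falcon OAuth2 endpoint and attaches it to a follow-up request. The BASE_URL, CLIENT_ID and SECRET values are constructed placeholders, and the actors path used for the follow-up call is my assumption for the Get a list of actors step.

```python
"""The 'Create a session' step done outside Torq: trade CLIENT ID and SECRET for a bearer
token at <BASE URL>/oauth2/token, then attach that token to a follow-up request."""
import json
import urllib.request
from urllib.parse import urlencode

# Constructed placeholders; the real values come from API Clients and Keys (step 7).
BASE_URL = "https://api.example-cloud.crowdstrike.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
SECRET = "EXAMPLE_SECRET"

def build_token_request(base_url, client_id, secret):
    """POST form-encoded client credentials to <BASE URL>/oauth2/token."""
    body = urlencode({"client_id": client_id, "client_secret": secret}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/oauth2/token",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )

def parse_token_response(raw):
    """Return (access_token, expires_in seconds) from the token endpoint's JSON body."""
    payload = json.loads(raw)
    if "access_token" not in payload:
        raise ValueError("no access_token in response; check CLIENT ID, SECRET and BASE URL")
    return payload["access_token"], int(payload.get("expires_in", 0))

def build_authorized_request(base_url, path, token):
    """Attach the session token as a bearer credential for a subsequent CrowdStrike step."""
    return urllib.request.Request(
        f"{base_url.rstrip('/')}{path}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )

def create_session(base_url=BASE_URL, client_id=CLIENT_ID, secret=SECRET):
    """Network call: returns (token, expires_in). Needs real credentials to succeed."""
    with urllib.request.urlopen(build_token_request(base_url, client_id, secret)) as resp:
        return parse_token_response(resp.read())

if __name__ == "__main__":
    token, ttl = create_session()
    # Path assumed for the article's 'Get a list of actors' step (Falcon Intel API); a 403
    # here means the API client lacks the scope that step needs (see step 5 above).
    actors = build_authorized_request(BASE_URL, "/intel/combined/actors/v1", token)
    with urllib.request.urlopen(actors) as resp:
        print(f"token valid for {ttl}s; actors: {json.load(resp)}")
```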

