Documentation for SolarWinds Incident Response

Crowdstrike Falcon

Crowdstrike Falcon helps to secure the most critical areas of enterprise risk – endpoints, cloud workloads, identities, and data.

Route detailed alerts from Crowdstrike Falcon to the right users in Incident Response.

Using Crowdstrike Falcon as an Alert Source

  1. Navigate to Services -> Service Overview -> select or search for your Service. Expand the accordion -> In the Alert Sources section, click Add.

  2. Select Crowdstrike Falcon. Copy the displayed Webhook URL to configure it within Crowdstrike Falcon. Finish by clicking Add Alert Source -> Done.

When an alert source becomes Active, it is listed under Configured Alert Sources. You can either generate a test alert from the integration or wait for a real alert to be sent by the Alert Source.

An Alert Source is active if there is a recorded incident via that Alert Source for the Service.

Create an Incident Response Webhook URL REST Endpoint in Crowdstrike Falcon

  1. Log in to your Crowdstrike Falcon dashboard and go to Workflows.

  2. Click Create Workflow. Select New detection or New incident as the trigger. In the workflow diagram, add a Condition with Parameter set to Detection status or Incident status, Operator set to is equal to, and Value set to New. Click + and add an Action: choose Notifications as the Action type and Call webhook as the Action.

Add the webhook by clicking Go to Store. Click Configure and enter Incident Response as the Name. Paste the previously copied Incident Response Webhook URL into the Webhook URL field, then click Save configuration.

Choose Incident Response as the Webhook name and add the data you want to send to Incident Response.

Configuration of Crowdstrike Falcon

Note:
Incident Response does not validate the HMAC Secret Key configured on the Crowdstrike Falcon side, so any value can be entered there. Because the signature is not checked, the Webhook URL itself is the only thing that authenticates incoming alerts: treat it as a secret and do not share it outside the workflow configuration.

  • For New Detection :

Always add Detection Id and Detection Status in the data you want to send to Incident Response.

  • For New Incident :

Always add Incident Id and Incident Status in the data you want to send to Incident Response.

Add a second condition after the trigger event. Choose Parameter as Detection status or Incident status, Operator as is equal to, and Value as Closed. Click + and add an Action: choose Notifications as the Action type and Call webhook as the Action. Choose Incident Response as the Webhook name and add the same data (including the Id and Status fields) that you send for New events, so the Closed event can be matched to the open incident.

Then click Finish. Give the workflow a name, set the Workflow Status to On, and click Save workflow.

That's it, you are good to go! Your Crowdstrike Falcon integration is now complete. Whenever Crowdstrike Falcon fires a detection or incident with status New, an incident is created in Incident Response for it. When the detection or incident status changes to Closed, the corresponding incident is auto-resolved in Incident Response.
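The create-on-New / resolve-on-Closed behaviour above depends on every payload carrying both the Id and the Status field, because the Id is what ties the Closed event back to the incident opened by the New event. The following is an added example, not code from SolarWinds or CrowdStrike, that models that correlation as a small mock receiver so you can sanity-check what your workflow emits before pointing it at the real Webhook URL. The JSON key names (`detection_id`, `detection_status`, `incident_id`, `incident_status`) and the sample events are assumptions constructed for the example; use whatever field names you chose when adding data in the Call webhook action.

```python
"""Mock of the New -> create / Closed -> resolve correlation driven by the
Falcon workflow above. Added example, not SolarWinds or CrowdStrike code.

Assumed (not from the vendor docs): payloads are JSON carrying either
detection_id + detection_status or incident_id + incident_status, and open
incidents are keyed by that id.
"""
import json

# The page requires Id and Status for both event kinds; this maps each kind
# to the (assumed) key names the workflow sends.
REQUIRED_KEYS = {
    "detection": ("detection_id", "detection_status"),
    "incident": ("incident_id", "incident_status"),
}


def parse_event(raw):
    """Return (kind, id, status). Raises ValueError when a payload carries
    only one half of the required id/status pair, or neither."""
    data = json.loads(raw)
    for kind, (id_key, status_key) in REQUIRED_KEYS.items():
        if id_key in data or status_key in data:
            if id_key not in data or status_key not in data:
                raise ValueError(f"{kind} payload needs both {id_key} and {status_key}")
            return kind, str(data[id_key]), str(data[status_key])
    raise ValueError("payload has neither detection nor incident fields")


def validation_error(raw):
    """Return the validation error message for a payload, or None if it is well-formed."""
    try:
        parse_event(raw)
    except ValueError as exc:
        return str(exc)
    return None


class IncidentTracker:
    """Tracks open incidents by (kind, id), mirroring the two workflow conditions."""

    def __init__(self):
        self.open = {}

    def handle(self, raw):
        kind, ident, status = parse_event(raw)
        key = (kind, ident)
        # Status values are compared exactly as the workflow conditions do ("New"/"Closed").
        if status == "New":
            if key in self.open:
                return "duplicate"  # same id fired twice: do not open a second incident
            self.open[key] = {"status": "triggered"}
            return "created"
        if status == "Closed":
            return "resolved" if self.open.pop(key, None) else "ignored"  # no open incident to resolve
        return "ignored"  # other statuses (e.g. In Progress) match neither condition


# Constructed sample events; ids are illustrative, not real Falcon output.
SAMPLE_EVENTS = [
    '{"detection_id": "ldt:example:1", "detection_status": "New", "severity": "High"}',
    '{"detection_id": "ldt:example:1", "detection_status": "New"}',
    '{"incident_id": "inc:example:42", "incident_status": "New"}',
    '{"detection_id": "ldt:example:1", "detection_status": "Closed"}',
    '{"incident_id": "inc:example:99", "incident_status": "Closed"}',
    '{"incident_id": "inc:example:42", "incident_status": "In Progress"}',
]


def run_sample():
    """Feed the sample events through one tracker and return the action per event."""
    tracker = IncidentTracker()
    return [tracker.handle(event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, action in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{action:10s} <- {event}")
```

The duplicate and ignored branches are the cases worth watching when you test a workflow: a New event sent twice for the same id should not page twice, and a Closed event for an id that was never opened (for example because the New-condition branch was missing the Id field) has nothing to resolve.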